One of the most important security domains is Access Management. There have been continuous innovations in the field of access authentication: login ID, password, secure token, personal identification number (PIN), one- time password token (OTP token) or a smartphone with an OTP app, biometric, etc.
As businesses move to cloud, increase use of BYOD, and continue to onboard more mobile and remote employees, third-party contractors, business partners, and external users, the number of users needing access to information assets has grown exponentially. This also exposes the organization to more risks and expanded attack surface and creates new attack vectors for introducers and cybercriminals with the addition of new vulnerabilities.
The more and more organizations continue to consider risk-based authentication an adaptive methodology compare to static traditional multi-factor authentication methods.
This article is more useful for auditors, risk management professionals, information security managers and staff, operations personnel, chief auditors, business managers, and legal counsel.
Basis of Risk-Based Authentication
The idea of risk-based authentication involves comparing the risk score of a user with the risk score of an asset. If the user’s risk score exceeds the system risk threshold that the user is trying to access, then the user is provided with authentication options appropriate to the level of risk. This could result in a request to submit additional verification such as an SMS code, additional challenge questions or biometric. If the user risk score is too high and asset contains highly confidential information, then access request may be rejected outright.
User Risk Score
The risk score determines the validity of the login access request and decides whether it’s legitimate or fraudulent. The risk levels are established based on login device, user identity, typical login time, IP address, geographic location, usage profile, or other personal factors associated with the job such as job level, role, etc. The administrator could determine the static risk level for a user based on the above factors and make use of adaptive authentication whereby the system learns the typical activities of the user based on the behavior. The combination of the two could be used to set user risk levels.
Systems Risk Score
The risk thresholds for individual systems are established by considering various factors including data classification parameters, the sensitivity of the information stored, the likely impact of breach on information system confidentiality, integrity, and availability, etc. The system’s housing confidential financial information or intellectual property data, for example, will have a low-risk threshold.
Comparing User Risk Profile with System Threshold
User with a high-risk score will not be able to access systems with low-risk threshold or user will be presented with the additional authentication challenges to access the system. The established risk threshold stops the user with high risk from accessing systems that could cause more damage to the organization.
The diagram below is useful in understanding the logic.
| Diagram of risk-based authentication | ||
| User Risk Profile | System Threshold | Pass/Fail |
| Medium Medium Low | Pass Pass Fail |
Risk-based Authentication – Part I
User Risk Profile System Threshold Pass/Fail
Medium Pass
Medium Pass
Low Fail