Risk-Based Authentication
With risk-based authentication, the characteristics of each access request are identified and weighed to determine the minimum means of authentication a user must present before gaining access to the requested information.
Risk-based authentication
Risk-based authentication makes authentication a multi-factor affair. Authentication proves that users are who they say they are. Three traditional factors are identified: something you know, something you have and something you are. Nowadays, new technology and information services add context factors from which location, behaviour and risk can be derived.
Each factor must be measured
Precisely what counts as authentication has become a relevant question now that the definition is no longer explicit. The value of each factor must therefore also be measured. Today this typically all comes together in a static policy, and such a policy is no longer tenable. The answer is found in risk-based authentication.
Risk-based authentication is therefore a non-static authentication system: it looks at the profile of the agent requesting access to determine the risk profile of that transaction. The risk profile in turn determines the complexity of the challenge. Higher risk profiles lead to stronger challenges, whereas a static username and password may suffice for lower-risk profiles. The application challenges the user for additional credentials only when the risk level calls for it.
Means of authentication
A ‘means of strong authentication’ is usually required when access is needed to information where great risk is involved. But a static check of username and password, or even a fixed strong means of authentication, is no longer sufficient on its own.
Characteristics
Enforcing the correct authentication depends on many characteristics, such as where the user is located, which device is being used and which information the person wants to access. The question is to what extent these characteristics, or a combination of them, are trustworthy: is this ‘normal’ or ‘suspect’ behaviour? What risks arise when we give a user with these characteristics access to the information?
With risk-based authentication, these characteristics are identified and weighed. Algorithms determine the minimum required means of authentication before a user with such characteristics receives access to the desired information. This may be determined beforehand, but it can also happen during a transaction through a so-called ‘step-up’ or re-authentication.
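The following is an added example, not code from the original page or from Red5, showing how the characteristics above can be weighed into a risk score that sets the minimum authentication level and triggers a step-up during a transaction. The characteristics, weights, thresholds and the user baseline are all assumptions constructed for illustration; a real deployment tunes them on its own login data.

```python
"""Illustrative risk-based authentication policy engine (added example, not production code)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    """Ordered strength of what the session has already proven."""
    NONE = 0
    PASSWORD = 1        # something you know
    OTP = 2             # password plus something you have (TOTP or push)
    HARDWARE_KEY = 3    # password plus a phishing-resistant authenticator


@dataclass(frozen=True)
class Context:
    """Characteristics of one access request (constructed values for the example)."""
    user: str
    ip_country: str
    device_id: str
    hour_utc: int
    resource_sensitivity: int          # 1 = public, 2 = internal, 3 = restricted
    failed_logins_last_hour: int = 0


@dataclass
class UserProfile:
    """What counts as 'normal' for this user, learned from earlier successful logins."""
    home_countries: set[str]
    known_devices: set[str]
    usual_hours: range                 # UTC hours in which the user normally works


# Assumed weights: how 'suspect' each deviation from the baseline is considered.
WEIGHTS = {
    "unknown_device": 35,
    "foreign_country": 30,
    "unusual_hour": 10,
    "failed_login": 15,                # per failed attempt in the last hour
}


def risk_score(ctx: Context, profile: UserProfile) -> tuple[int, list[str]]:
    """Weigh each characteristic against the baseline; return (score 0..100, reasons)."""
    score, reasons = 0, []
    if ctx.device_id not in profile.known_devices:
        score += WEIGHTS["unknown_device"]
        reasons.append("unknown device")
    if ctx.ip_country not in profile.home_countries:
        score += WEIGHTS["foreign_country"]
        reasons.append(f"login from {ctx.ip_country}")
    if ctx.hour_utc not in profile.usual_hours:
        score += WEIGHTS["unusual_hour"]
        reasons.append("outside usual hours")
    if ctx.failed_logins_last_hour:
        score += WEIGHTS["failed_login"] * ctx.failed_logins_last_hour
        reasons.append(f"{ctx.failed_logins_last_hour} failed logins in last hour")
    return min(score, 100), reasons


def required_level(score: int, sensitivity: int) -> AuthLevel:
    """Map the risk score and the sensitivity of the requested information to a minimum level."""
    if sensitivity >= 3:               # restricted information: never below OTP
        return AuthLevel.HARDWARE_KEY if score >= 30 else AuthLevel.OTP
    if score >= 60:
        return AuthLevel.HARDWARE_KEY
    if score >= 30:
        return AuthLevel.OTP
    return AuthLevel.PASSWORD


def decide(ctx: Context, profile: UserProfile, session_level: AuthLevel,
           deny_threshold: int = 90) -> dict:
    """Return allow / step_up / deny, comparing what is needed with what the session proved."""
    score, reasons = risk_score(ctx, profile)
    if score >= deny_threshold:        # too suspect for any challenge; refuse and alert
        return {"action": "deny", "score": score, "reasons": reasons}
    need = required_level(score, ctx.resource_sensitivity)
    if session_level >= need:
        return {"action": "allow", "score": score, "reasons": reasons}
    # Step-up: the session is valid but must prove a stronger factor before proceeding.
    return {"action": "step_up", "required": need, "score": score, "reasons": reasons}


if __name__ == "__main__":
    alice = UserProfile({"NL"}, {"laptop-01"}, range(7, 19))
    requests = [
        Context("alice", "NL", "laptop-01", 10, 1),                       # normal, public data
        Context("alice", "NL", "laptop-01", 10, 3),                       # normal, restricted data
        Context("alice", "BR", "phone-99", 3, 2),                         # new device, abroad, night
        Context("alice", "BR", "phone-99", 3, 2, failed_logins_last_hour=2),
    ]
    for ctx in requests:
        print(decide(ctx, alice, AuthLevel.PASSWORD))
```

Note the asymmetry in `decide`: a low score never lowers the floor set by the sensitivity of the information (restricted data always needs at least OTP), and a session that already proved a stronger factor is not challenged again, which is what keeps the step-up from becoming a nuisance for normal behaviour.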
Benefits of RBAC
RBAC (role-based access control) ensures that managers can request rights for their employees in a straightforward manner and that auditors can see the consequences at a glance. Linking IT to actual business operations makes rights management more flexible, efficient, effective and safer.
Choosing RBAC?
Although it may seem obvious to opt for RBAC, there is a lot involved. What is the impact of this choice? Where do you need to start? Does RBAC fit your organisation, or is there a better choice? How should the role model be set up: based on job function and business structure (top-down) or on current employee IT rights (bottom-up)? And once the model is in place, how is it maintained?
Red5 has the answers to all these questions and many more.