Risk-Based Authentication Part I
Direct answer: Risk-based authentication is an adaptive access method that compares the risk level of a login attempt with the acceptable risk threshold of the target system, then allows access, asks for stronger verification, or denies access.
One of the most important security domains is Access Management. There have been continuous innovations in the field of access authentication: login ID, password, secure token, personal identification number (PIN), one-time password token (OTP token) or a smartphone with an OTP app, biometrics, etc.
As businesses move to the cloud, increase their use of BYOD, and continue to onboard more mobile and remote employees, third-party contractors, business partners, and external users, the number of users needing access to information assets has grown exponentially. This also exposes the organization to more risk, expands the attack surface, and creates new attack vectors for intruders and cybercriminals as new vulnerabilities are introduced.
As organizations modernize access controls, risk-based authentication is increasingly treated as an adaptive methodology compared with static, traditional multi-factor authentication methods.
This article is more useful for auditors, risk management professionals, information security managers and staff, operations personnel, chief auditors, business managers, and legal counsel.
What is risk-based authentication and why is it used?
The idea of risk-based authentication involves comparing the risk score of a user with the risk threshold of an asset. If the user's risk score exceeds the risk threshold of the system the user is trying to access, the user is presented with authentication options appropriate to the level of risk. This could be a request to submit additional verification such as an SMS code, additional challenge questions, or a biometric. If the user's risk score is too high and the asset contains highly confidential information, the access request may be rejected outright.
How is a user risk score evaluated?
The risk score is used to judge the validity of a login request, i.e. whether it is likely legitimate or fraudulent. Risk levels are established from the login device, user identity, typical login time, IP address, geographic location, usage profile, and other factors associated with the job, such as job level and role. An administrator can set a static risk level for a user from the factors above and combine it with adaptive authentication, in which the system learns the user's typical activity from observed behavior. The combination of the two can then be used to set user risk levels.
What is a system risk threshold?
The risk thresholds for individual systems are established by considering various factors, including data classification parameters, the sensitivity of the information stored, and the likely impact of a breach on the confidentiality, integrity, and availability of the information system. Systems housing confidential financial information or intellectual property, for example, should have a low risk threshold (a low tolerance for user risk).
How do user risk and system threshold work together?
A user with a high risk score may be unable to access systems with a low risk threshold, or may be presented with additional authentication challenges before access is granted. The established risk threshold helps prevent high-risk users from accessing systems where a compromise could cause greater damage to the organization.
What does the risk-based authentication diagram show?
The original model (Source: G2Crowd) illustrates how outcomes change when user context risk is matched against system threshold levels.

- When user context aligns with medium threshold: Pass
- When user context remains within acceptable threshold: Pass
- When risk exceeds a low threshold: Fail
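The comparison described in the sections above (score the login attempt from device, location, time, reputation and role signals; compare that score with the target system's threshold, which is derived from data classification; then allow, step up, or deny) as a small Python policy engine. This is an added example, not code from the article or from any named product. The risk weights, the three system thresholds, the user profile and the three login attempts are all constructed assumptions for illustration; the `ip_flagged` and `impossible_travel` signals stand in for whatever threat-intelligence and geo-velocity sources a real deployment would feed in.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # risk below the system's step-up threshold
    STEP_UP = "step-up"    # ask for additional verification (OTP, challenge questions, biometric)
    DENY = "deny"          # risk too high for this asset


@dataclass
class UserProfile:
    """Static attributes plus what adaptive authentication has learned about a user."""
    user_id: str
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_hours: range = field(default_factory=lambda: range(7, 20))  # typical login window (assumed)
    privileged: bool = False            # role context, e.g. a finance administrator


@dataclass
class LoginContext:
    """Signals observed on one login attempt (constructed for this example)."""
    user_id: str
    device_id: str
    country: str
    login_hour: int
    ip_flagged: bool = False          # source IP on a reputation block list (assumed signal)
    impossible_travel: bool = False   # geo-velocity check tripped (assumed signal)


# Illustrative weights; a real deployment tunes these against its own login data.
RISK_WEIGHTS = {
    "unknown_device": 30,
    "unusual_country": 25,
    "off_hours": 15,
    "ip_flagged": 40,
    "impossible_travel": 50,
    "privileged_role": 10,
}

# Per-system thresholds derived from data classification (assumed values). The more
# sensitive the asset, the lower the score at which step-up and denial kick in.
SYSTEM_THRESHOLDS = {
    "public-wiki":    {"classification": "public",       "step_up_at": 60, "deny_at": 90},
    "hr-portal":      {"classification": "confidential", "step_up_at": 30, "deny_at": 70},
    "finance-ledger": {"classification": "restricted",   "step_up_at": 15, "deny_at": 50},
}


def score_login(profile: UserProfile, ctx: LoginContext):
    """Return (score 0-100, list of triggered factors) for one login attempt."""
    triggered = []
    if ctx.device_id not in profile.known_devices:
        triggered.append("unknown_device")
    if ctx.country not in profile.usual_countries:
        triggered.append("unusual_country")
    if ctx.login_hour not in profile.usual_hours:
        triggered.append("off_hours")
    if ctx.ip_flagged:
        triggered.append("ip_flagged")
    if ctx.impossible_travel:
        triggered.append("impossible_travel")
    if profile.privileged:
        triggered.append("privileged_role")
    score = min(100, sum(RISK_WEIGHTS[f] for f in triggered))
    return score, triggered


def decide(score: int, system: str) -> Decision:
    """Compare the user's risk score with the target system's threshold."""
    t = SYSTEM_THRESHOLDS[system]
    if score >= t["deny_at"]:
        return Decision.DENY
    if score >= t["step_up_at"]:
        return Decision.STEP_UP
    return Decision.ALLOW


def evaluate(profile: UserProfile, ctx: LoginContext, system: str):
    """Full policy check: score the attempt, then apply the system's threshold."""
    score, triggered = score_login(profile, ctx)
    return decide(score, system), score, triggered


def learn_from_success(profile: UserProfile, ctx: LoginContext) -> None:
    """Adaptive part: after a verified login (e.g. step-up passed), widen the user's baseline."""
    profile.known_devices.add(ctx.device_id)
    profile.usual_countries.add(ctx.country)


# Constructed sample data: one user, three attempts, three systems.
ALICE = UserProfile("alice", known_devices={"laptop-01"}, usual_countries={"US"})

NORMAL = LoginContext("alice", "laptop-01", "US", login_hour=10)
NEW_PHONE_LATE = LoginContext("alice", "phone-99", "US", login_hour=22)
NEW_PHONE_ABROAD = LoginContext("alice", "phone-99", "BR", login_hour=22)


if __name__ == "__main__":
    for name, ctx in [("normal", NORMAL), ("new phone, late", NEW_PHONE_LATE),
                      ("new phone, abroad", NEW_PHONE_ABROAD)]:
        for system in SYSTEM_THRESHOLDS:
            decision, score, why = evaluate(ALICE, ctx, system)
            print(f"{name:18} -> {system:15} score={score:3} {decision.value:8} {why}")
```

Running the block shows the point of the per-system threshold: the same "new phone, abroad" attempt (score 70) is only stepped up on the public wiki, but denied outright on the HR portal and the finance ledger, while the "new phone, late" attempt (score 45) passes the wiki and is stepped up elsewhere. The `triggered` list is returned alongside the score so that the decision can be logged with its reasons, which is what an auditor or incident responder needs when reviewing why a login was challenged or blocked.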
Key Takeaways
- Risk-based authentication is adaptive and context-aware, unlike static access methods.
- User risk score is influenced by device, identity, location, time, behavior, and role context.
- System thresholds should reflect data sensitivity and business impact.
- When user risk exceeds threshold, organizations should apply step-up controls or block access.