Top
image credit: Pixabay

Understanding Risk-Based Authentication: Main Benefits and Drawbacks

March 31, 2022

Category:

Now more than ever, companies have digital assets to protect and more users who need to access them from different places. Credential-based threats make it difficult to secure these valuable resources while making them easily accessible to those who legitimately need them. To achieve and maintain this balance, Risk-Based Authentication (RBA) is needed, which makes it possible to base authentication requirements and access decisions on the level of risk posed by an access request. Simply put, the higher the risk, the higher the level of access. Understanding how risk-based authentication works, its main benefits, and drawbacks, could prove crucial for your business. 

A variety of tools for risk assessment

Risk-Based Authentication (RBA) is a non-static security measure designed to strengthen password-based authentication. RBA monitors additional implicit features during password entry, such as device or geolocation information, and requests additional authentication layers if a certain risk level is detected. RBA offers protection against security risks such as password database leaks, credential stuffing, insecure passwords and large-scale guessing attacks.

Knowing the context of an access request—who is making it, from what device, from where, and other contextual information—is key to determining the level of risk associated with the request. Behavioral analytics, anomaly detection and related technologies play an important role in this process by uncovering the relevant context for an access attempt. This context makes it possible to quickly and easily assess the associated risk and establish a basis for raising the bar on access security.

Machine learning for continuous improvement

Technology that can characterize behavior and assess risk is good, but technology that can learn from those experiences and apply that new knowledge to future assessments is even better. Machine learning capabilities mean that when an access request comes in, the technology will retain the relevant details of the request. This information can then become part of a growing knowledge base that will be used for comparison and evaluation as future requests come in.

Once it is clear that the risk of an access request is high enough to justify further authentication, the next challenge is to ensure that the means of authentication are strict enough to reject someone or something that should not have access, but not so strict that, for the legitimate user, authentication is cumbersome. Users need to be able to choose from a variety of strong authentication methods to make the switch to an additional authentication factor as simple as possible.

Choosing the right Risk-Based Authentication Solution

A top RBA solution should provide robust technology and the capabilities needed for frictionless risk-based authentication. These technologies could include:

  • The ability to quickly connect to a threat detection system and access real-time data. This could provide valuable insights for a better risk assessment. 
  • Rigorous data analysis and interpretation, resulting in dynamic, real-time risk scoring.
  • Continuous improvement in risk assessment and decision making based on machine learning.

Main Benefits And Drawbacks

According to a study, Google, Facebook, LinkedIn, Amazon, and GOG.com were among the early adopters of Risk-Based Authentication, already using it on a fairly large scale in 2018. However, security experts don’t recommend immediately changing the authentication processes. Carefully balance the benefits and the drawbacks and make a smart decision for your team or your business.

Main benefits associated with Risk-Based Authentication include:

  • Mitigating data breaches. Hacks can be incredibly expensive. In 2019, financial corporation Capital One suffered a data breach that affected 100 million credit card applications, 140,000 Social Security numbers and 80,000 bank account numbers. 
  • Widespread use. Nowadays, plenty of government agencies and popular online platforms use RBA. Chances are, consumers have either heard about this technique or used it in the past, so it shouldn’t come as a surprise for them.
  • Compliance and law. Many companies, including those active in the banking sector, must demonstrate that they meet stringent rules regarding safety. Adopting a RBA solution can help any business to be compliant with the current regulations and requirements.

Potential drawbacks to consider when deploying a Risk-Based Authentication solution include:

  • Deployment planning and budgeting. Deploying the RBA solution could prove a challenging endeavor. First you must develop, test and deploy the system, then ensure your project has a predictable budget. 
  • A delicate balance is needed. If you set up your system improperly, you could lock users out of the resources they need to access. If you implement inaccurate rules, you could let everyone in. Security experts even warn that some users may resent your security measures and you may hear complaints from people who can’t access their apps or their digital assets.

Risk-Based Authentication (RBA) is becoming more and more important in the process of strengthening password-based authentication without affecting the user interface. Before you decide to adopt an RBA solution, carefully discuss the benefits and drawbacks with your team.