Risk-based authentication explained

In authentication, risk-based authentication is a non-static authentication system which takes into account the profile (IP address, User-Agent HTTP header, time of access, and so on^[1]) of the agent requesting access to the system to determine the risk profile associated with that transaction. The risk profile is then used to determine the complexity of the challenge. Higher risk profiles leads to stronger challenges, whereas a static username/password may suffice for lower-risk profiles. Risk-based implementation allows the application to challenge the user for additional credentials only when the risk level is appropriate.^{[2] [3]} The point is that user validation accuracy is improved without inconveniencing a user,^[4] and risk-based authentication is used by major companies.^[5]

Criticism

• The system that computes the risk profile has to be diligently maintained and updated as new threats emerge. Improper configuration may lead to unauthorized access.^[6]
• The user's connection profile (e.g. IP Geolocation, connection type, keystroke dynamics, user behaviour) has to be detected and used to compute the risk profile. Lack of proper detection may lead to unauthorized access.

Notes and References

1. Book: Wiefling. Stephan. Dürmuth. Markus. Lo Iacono. Luigi. Financial Cryptography and Data Security . What's in Score for Website Users: A Data-Driven Long-Term Study on Risk-Based Authentication Characteristics . 2021-01-26. https://fc21.ifca.ai/papers/60.pdf. FC '21. 12675 . 361–381 . 10.1007/978-3-662-64331-0_19 . 2101.10681 . 978-3-662-64330-3 . 231709486 .
2. Web site: Information website on Risk-based Authentication. Wiefling. Stephan. Lo Iacono. Luigi. Risk-based Authentication. en. 2019-04-29. Dürmuth. Markus.
3. Book: Wiefling. Stephan. Lo Iacono. Luigi. Dürmuth. Markus. ICT Systems Security and Privacy Protection . Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild . 2019. Dhillon. Gurpreet. Karlsson. Fredrik. Hedström. Karin. Zúquete. André. https://nbn-resolving.org/urn:nbn:de:hbz:832-epub4-13694. IFIP Advances in Information and Communication Technology. 562. en. Springer International Publishing. 134–148. 10.1007/978-3-030-22312-0_10. 2003.07622. 9783030223120. 189926752 .
4. Book: Wiefling. Stephan. Dürmuth. Markus. Lo Iacono. Luigi. Annual Computer Security Applications Conference . More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication . 2020-12-07. https://nbn-resolving.org/urn:nbn:de:hbz:1044-opus-50707. ACSAC '20. Austin, USA. Association for Computing Machinery. 203–218. 10.1145/3427228.3427243. 2010.00339. 978-1-4503-8858-0. free.
5. Web site: Who uses RBA? We found evidence that Google, Facebook, LinkedIn, Amazon and GOG.com are using it.. Wiefling. Stephan. Lo Iacono. Luigi. Risk-based Authentication. en. 2019-04-29. Dürmuth. Markus.
6. Book: Borky . John M. . 2019 . Effective Model-Based Systems Engineering . 345–404 . Borky . John M. . 2023-08-28 . Cham . Springer International Publishing . en . 10.1007/978-3-319-95669-5_10 . 978-3-319-95669-5 . 7122347 . Bradley . Thomas H. . Protecting Information with Cybersecurity . Bradley . Thomas H..