A risk based authentication process will monitor the connection profile of users including behaviours, favoured devices and IP geolocation. Monitoring these behaviours will alert the system if a user deviates from the norm – insisting they offer further credentials before they are granted access.
Perhaps the most commonplace customer-focussed use of risk based authentication is implemented by banks when users attempt to access their account from overseas. This deviation from normal behaviour may be as innocent as a family holiday, but it will alert the bank of unusual behaviour who will in turn attempt to contact the user before processing the request.
Helping to detect attempted hacks from around the globe, risk based authentication addresses the threats to both the user and the system. Just the IP geolocation can indicate foul play during a sign on attempt – this CyberCrime Threat Map from ThreatMetrix demonstrates the recognised hack attempts from around the world.
The main challenge for many systems implementing risk based authentication is balancing security with usability. An overzealous risk based authentication process will inhibit usability – requesting additional credentials for even the slightest deviation from normal activity, potentially compromising the customer journey and increase the drop-off rate.
But at the other end of the scale, a lacklustre approach to the process could leave the system exposed to threats of hacks and cyber-attacks.
Risk based authentication can be categorised in two distinct groups – user-dependent or transaction-dependent. A user-dependent system employs the same process for a user for every session – providing a more consistent customer journey, whereas a transaction-dependent system may request different authentication processes depending on the risk potential of the transaction.
Creating a scale of the risk potential of the user’s action can help create a usable yet secure risk based authentication – with sensitive and high risk actions such as the transfer of funds more likely to necessitate another layer of security.
Furthermore, the size of the system and the number of users can influence the likelihood of hack attempts. A large system with an increased number of users may be a more alluring hack proposition for cyber criminals – necessitating a more robust risk based authentication process.
With high profile hack attempts occurring with alarming regularity, it has never been more important to develop a robust security system which measures risk and reacts accordingly. An intelligently designed and implemented autonomous risk based authentication system can instantly process a huge volume of sign on requests – adding an extra layer of security, but not an extra layer of inconvenience.