Transforming Identity Assurance through Risk-Based Authentication

Sam Curry

Chief Technology Officer, Identity and Data Protection at RSA, the Security Division of EMC

Risk-based authentication is one of the simplest security technologies to understand while at the same time being one of the most intelligent and adaptable. The concept of risk-based authentication is very similar to the risk decisions we make in our daily life – from how we drive our car to where we invest our money.

Think about your commute home tonight. You come upon a yellow light and there is a choice to make: do I take the risk of going through it or do I just stop and wait? There will likely be many factors that go into your decision such as the weather conditions, how busy the intersection is, your next destination, or if there are any police cars in sight. Your mind works within seconds to process all these factors simultaneously and instantly returns a risk decision.

Risk-based authentication works in exactly the same way when assessing the risk of an identity. Traditional authentication methods – from username and password all the way to sophisticated one-time password tokens – make a decision based on a simple model of “Do I trust you? Yes or no.” Risk-based authentication goes much further in making a risk decision. It looks at a variety of factors such as where the user is logging in from, the characteristics of the device, and certain behaviors like the time of day a user is requesting access. Beyond weighing risk based on these attributes, it also compares your current login attempt to all the historical authentication requests you have made (and in some cases, to those of the rest of the user population) and instantly returns a risk decision.

Risk-based authentication is changing the way we do enterprise authentication. It makes authentication more dynamic by looking at the big picture and asking: what is the transactional context, what patterns can I glean from it, and what perspectives can I bring in from the outside to make more intelligent decisions about whom to trust, and how and when to do so? Then, based on that decision, you can ask for more or less authentication. Risk-based authentication automates security decisions, making authentication more usable and more affordable.
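A minimal sketch of the decision flow described above, added here as an illustration and not RSA Authentication Manager's actual model: it scores a login's location, device and time of day against the user's own history and maps the score to allow, step-up or deny. The weights, thresholds, field names and sample logins are all constructed assumptions, and comparison against the wider user population is left out.

```python
from collections import Counter

# Assumed weights and thresholds, chosen for illustration only.
WEIGHTS = {"country": 0.4, "device": 0.4, "hour": 0.2}
STEP_UP_AT, DENY_AT = 0.3, 0.8

# Constructed sample history: ten past logins by one user.
HISTORY = [{"country": "US", "device": "laptop-1", "hour": h}
           for h in (8, 9, 9, 10, 8, 9, 17, 18, 9, 10)]

def rarity(value, seen):
    """1.0 if the user has never shown this value, falling toward 0 as it becomes habitual."""
    if not seen:
        return 1.0
    return 1.0 - Counter(seen)[value] / len(seen)

def hour_rarity(hour, seen_hours, window=2):
    """Like rarity(), but counts past logins within +/- window hours, wrapping at midnight."""
    if not seen_hours:
        return 1.0
    near = sum(1 for h in seen_hours
               if min((h - hour) % 24, (hour - h) % 24) <= window)
    return 1.0 - near / len(seen_hours)

def assess(history, attempt):
    """Return (score, decision) for one login attempt judged against the user's history."""
    if not history:
        return None, "step_up"  # no baseline to score against: ask for more proof
    score = round(
        WEIGHTS["country"] * rarity(attempt["country"], [h["country"] for h in history])
        + WEIGHTS["device"] * rarity(attempt["device"], [h["device"] for h in history])
        + WEIGHTS["hour"] * hour_rarity(attempt["hour"], [h["hour"] for h in history]),
        3)
    if score >= DENY_AT:
        return score, "deny"
    if score >= STEP_UP_AT:
        return score, "step_up"  # request an additional factor
    return score, "allow"

if __name__ == "__main__":
    for attempt in ({"country": "US", "device": "laptop-1", "hour": 9},
                    {"country": "US", "device": "phone-7", "hour": 9},
                    {"country": "BR", "device": "unknown", "hour": 3}):
        print(attempt, assess(HISTORY, attempt))
```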

The release of Authentication Manager 8 today is a huge leap forward in transforming enterprise authentication. It is the industry’s first release of an authentication platform that brings together the traditional world of tokens and two-factor authentication with the next generation of Big Data analytics and intelligence-driven risk-based authentication. Industries like financial services have adopted and have been refining the risk-based model for years to address sophisticated threats such as man-in-the-middle and web session hijacking attacks.

So back to the yellow light. Just as we weigh the risks before we decide to slow down and stop or accelerate when we see a yellow light, the inclusion of risk-based authentication into RSA Authentication Manager will now allow organizations to evaluate a multitude of risk factors to make more granular and informed authentication decisions on how much to trust a user and under what circumstances.
