Risk-based authentication is one of the simplest security technologies to understand, and at the same time one of the most intelligent and adaptable. The concept is very similar to the risk decisions we make in daily life – from how we drive our car to where we invest our money.
Think about your commute home tonight. You come upon a yellow light and there is a choice to make: do I take the risk of going through it or do I just stop and wait? There will likely be many factors that go into your decision such as the weather conditions, how busy the intersection is, your next destination, or if there are any police cars in sight. Your mind works within seconds to process all these factors simultaneously and instantly returns a risk decision.
Risk-based authentication works in exactly the same way when assessing the risk of an identity. Traditional authentication methods – from username and password all the way to sophisticated one-time password tokens – make a decision based on a simple yes-or-no model: “Do I trust you?” Risk-based authentication goes much further in making a risk decision. It looks at a variety of factors, such as where the user is logging in from, the characteristics of the device, and behaviors like the time of day a user is requesting access. Beyond weighing risk based on these attributes, it also compares your current login attempt to all the historical authentication requests you have made (and in some cases, to those of the rest of the user population) and instantly returns a risk decision.
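The comparison described above can be sketched as a small scoring function. This is an added example, not code from the original article or any product: the history, population shares, weights, thresholds and the three decision labels (`allow`, `step_up`, `deny`) are all constructed assumptions.

```python
from collections import Counter

# Constructed login history for one user: (country, device_id, hour_of_day).
HISTORY = [("US", "laptop-1", 9), ("US", "laptop-1", 10), ("US", "phone-1", 18),
           ("US", "laptop-1", 9), ("US", "laptop-1", 11), ("US", "phone-1", 19)]
# Constructed population view: share of all users' logins seen per country.
POPULATION = {"US": 0.7, "CA": 0.2, "DE": 0.1}

# Assumed weights and thresholds; a real deployment tunes these on its own data.
WEIGHTS = {"country": 0.4, "device": 0.4, "hour": 0.2}
STEP_UP, DENY = 0.3, 0.8

def rarity(value, seen):
    """1.0 if value never appears in seen, falling to 0.0 as it becomes the norm."""
    if not seen:
        return 1.0
    return 1.0 - Counter(seen)[value] / len(seen)

def hour_rarity(hour, seen_hours, window=2):
    """Rarity of the login hour, counting past logins within +/- window hours."""
    if not seen_hours:
        return 1.0
    near = sum(1 for h in seen_hours
               if min((h - hour) % 24, (hour - h) % 24) <= window)
    return 1.0 - near / len(seen_hours)

def risk_score(attempt, history, population=POPULATION):
    """Score in [0, 1]: how far this attempt departs from the user's own history."""
    country, device, hour = attempt
    # A country new to this user is less alarming if it is common across the population.
    c = rarity(country, [h[0] for h in history]) * (1.0 - population.get(country, 0.0))
    d = rarity(device, [h[1] for h in history])
    t = hour_rarity(hour, [h[2] for h in history])
    return WEIGHTS["country"] * c + WEIGHTS["device"] * d + WEIGHTS["hour"] * t

def decide(attempt, history):
    """Map the score to a decision: allow, ask for a second factor, or deny."""
    score = risk_score(attempt, history)
    if score >= DENY:
        return "deny"
    return "step_up" if score >= STEP_UP else "allow"

if __name__ == "__main__":
    for attempt in [("US", "laptop-1", 10), ("US", "new-tablet", 10), ("DE", "unknown", 3)]:
        print(attempt, round(risk_score(attempt, HISTORY), 2), decide(attempt, HISTORY))
```

A user with no history at all scores high on device and hour by construction, so a first login lands on `step_up` rather than `allow`, with the population share as the only signal that lowers the country term.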