The Cloud Authentication Service can establish high or low confidence in a user's identity based on data it collects when users attempt to authenticate over a period of time. The service leverages machine-learning algorithms to profile the user’s normal activity in order to understand deviation from that activity in the current authentication request. The Cloud Authentication Service evaluates the individual user, total population, and known risky authentication patterns to determine the identity confidence score. Older historical events are weighted less than more recent events, so past behavior ages out of the system and new behavior is more impactful.
The Identity Confidence attribute is available with the Premium Edition of RSA SecurID Access.
For more information, see:
The Cloud Authentication Service collects data about users over a period of time to learn the following attributes about users.
| Attribute | Description |
|---|---|
| Time | Time at which an application is accessed. |
| Weekend | Whether or not the user authenticated during the weekend. |
| Uncommon Applications | The user authenticates to an application that the user does not normally access. |
| High Authentication Velocity | The user fails authentication many times in quick succession. |
| New Device | The user authenticates from a device that the user has never used before. |
| Location | Physical location of the user (estimated from the IP address and HTML5 Geolocation). |
| High Device Access Rate | A user account is being used simultaneously on at least two devices. |
| Users on Device Velocity | Multiple users authenticate from the same device. |
| Users on IP Velocity | Multiple users authenticate from the same IP address. |
The collected data is specific to your company. Data from a large user population collected over a long period of time ensures more reliable results than data from a small user population collected over a short period of time. Identity confidence results can vary from company to company depending on these factors.
The user's identity confidence score is categorized as high or low confidence in relation to the Confidence Threshold. The Confidence Threshold is calculated based on information collected from all users within your company.
The Cloud Authentication Service requires an initial learning period of at least 1,000 authentications (the authentication minimum) to collect sufficient user history to optimize identity confidence scoring. Before the authentication minimum is reached, the system uses a default threshold (0.37) to determine identity confidence, and it is likely that more users will receive low confidence scores during this period. After the minimum has been reached, the Cloud Authentication Service adjusts the threshold up or down on a daily basis as it learns each user's behavior, in order to refine low confidence scoring.
RSA recommends that you require multifactor authentication for all users until the system has reached the minimum number of authentications.
The following table summarizes what high and low scores represent in relation to the Confidence Threshold.
| User's Overall Confidence Score | Meaning |
|---|---|
| Low score (low confidence) | A score that is lower than the Confidence Threshold indicates low confidence (high risk). This means the Cloud Authentication Service cannot identify the user with a reasonable degree of certainty. You can choose to deny the user access to protected resources or require the user to authenticate at a higher assurance level. |
| High score (high confidence) | A score that exceeds the Confidence Threshold indicates high confidence (low risk). This means the Cloud Authentication Service has high confidence that the user is indeed who he says he is. |
Use the Identity Confidence Dashboard to view information that can help you identify potentially risky authentication activity in your company. The dashboard reports the following information.
Multifactor Authentication Attempts
Counts the number of user attempts to access resources protected by access policies that do and do not include the Identity Confidence attribute.
The total count includes attempts in which users satisfied policy conditions that allowed them to skip multifactor authentication.
At least one attempt must be found to display results.
Attempts Based on Identity Confidence
Counts the number of authentication attempts that resulted in a low or high confidence score.
The Confidence Threshold determines whether an evaluation results in high or low confidence.
Reasons for Low Identity Confidence
A low confidence score occurs when the Cloud Authentication Service does not recognize the user's behavior, device, or location in an authentication attempt because the user has changed behavior, device, or location since the previous attempt. The score may also be low if the user is new and has not yet authenticated enough times to earn a high confidence score. Low confidence can be due to one or more of these factors:
Undetermined cause is reported when the Cloud Authentication Service cannot identify a single factor as the predominant cause of the low score. Multiple factors always play a role in confidence scores, and sometimes no one factor stands out.
User Behavior Over Time
The dashboard displays a graph that shows the following information for a single user over a period of time. Click points on the graph to see:
Configure identity confidence by using the Identity Confidence attribute in an access policy. In the following sample policy, users with high identity confidence can access the resource without performing additional (step-up) authentication, and users with low identity confidence are denied access. For configuration instructions, see Add, Clone, or Delete an Access Policy.
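The threshold handling described under the learning period and the sample policy above, as an added illustrative model (not RSA's code): the default 0.37 threshold applies until 1,000 authentications have been collected, a low score is denied (or stepped up) and a high score is allowed. The function names, the `learned_threshold` input, and the treatment of a score exactly equal to the threshold as low are assumptions.

```python
from typing import Optional

# Values stated on the page; everything else in this block is an illustrative model.
DEFAULT_THRESHOLD = 0.37        # used until the authentication minimum is reached
AUTHENTICATION_MINIMUM = 1000   # authentications needed before the threshold adapts daily


def effective_threshold(total_authentications: int,
                        learned_threshold: Optional[float] = None) -> float:
    """Threshold in force: the default during the learning period, otherwise the
    daily-adjusted value learned from the whole user population (assumed input)."""
    if total_authentications < AUTHENTICATION_MINIMUM or learned_threshold is None:
        return DEFAULT_THRESHOLD
    return learned_threshold


def confidence_level(score: float, threshold: float) -> str:
    """'high' when the score exceeds the threshold, otherwise 'low'.
    The page leaves a score exactly equal to the threshold undefined; treating it
    as low is the conservative assumption made here."""
    return "high" if score > threshold else "low"


def policy_decision(score: float, total_authentications: int,
                    learned_threshold: Optional[float] = None,
                    low_action: str = "deny") -> str:
    """Apply the sample access policy: high confidence is allowed without step-up,
    low confidence gets `low_action` ('deny' as in the sample policy, or 'step-up').
    During the learning period, follow RSA's recommendation and require MFA for everyone."""
    if total_authentications < AUTHENTICATION_MINIMUM:
        return "step-up"
    threshold = effective_threshold(total_authentications, learned_threshold)
    return "allow" if confidence_level(score, threshold) == "high" else low_action


if __name__ == "__main__":
    print(policy_decision(0.52, 250))           # step-up: still in the learning period
    print(policy_decision(0.52, 4000, 0.41))    # allow: 0.52 exceeds the learned 0.41
    print(policy_decision(0.33, 4000, 0.41))    # deny: below threshold, per the sample policy
```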
Use the Identity Confidence Dashboard to view authentication information for all users in your company or for individual users within a specified timeframe.
Open the Cloud Administration Console and click Users > Identity Confidence Dashboard.
By default, the pie charts reflect authentication activity collected over the past 30 days for all users in your company who have authenticated through the Cloud Authentication Service.
To view data for a specific user, enter the user's email address and the timeframe (1-30 days).
Note: The search criteria must be able to return at least one authentication attempt in which identity confidence was evaluated. Otherwise, no attempts are displayed.
The following example shows information for one user.
The following graph shows user behavior over time. Click a point on the red line to see the user's Confidence score, Confidence Threshold, and Contributing Factors on a specific day and time. The blue line shows the Confidence Threshold over time. Each red authentication point has a corresponding blue Confidence Threshold point so you can see what the threshold was on the day and time of authentication.
The User Event Monitor reports the following information in the Authentication Details column for event 25001. All of the attributes described in Learning User Behavior Through Data Collection contribute to these scores.
| Confidence Details Reported in User Event Monitor | Description |
|---|---|
| Confidence Score | The user's overall identity confidence score, which is influenced by the user's separate scores for Device Confidence, Behavior Confidence, and Location Confidence. |
| Confidence Threshold | Confidence scores higher than this threshold indicate high confidence, while lower scores indicate low confidence. The threshold calculation is based on information collected from all users within your company and adjusts over time as the Cloud Authentication Service learns about your users and as more users authenticate. The initial default threshold is 0.37. After at least 1,000 authentications have been reached, the threshold is updated daily. |
| Device Confidence | Level of confidence based on attributes associated with the user's device. These attributes describe device characteristics and user behavior. The Device Confidence score starts at 0.0 if the user has not previously used the device and increases each time the user successfully authenticates from the same device. |
| Behavior Confidence | Level of confidence based on attributes associated with the user's behavior. For example, this score is adjusted when the user successfully authenticates to access the same application within the same timeframe. |
| Location Confidence | Level of confidence based on attributes associated with the user's location. For example, this score is increased if the user successfully authenticates from the same location every day and decreased if the user successfully authenticates from different locations every day. |
| Contributing Factors | If a user's overall Confidence score indicates low confidence, the User Event Monitor reports up to four factors that most contributed to lowering the score. These factors are listed as Contributing Factors, in order from most impactful to least impactful. Factors that contribute to raising a user's overall score are not listed. For example: |
In this example, the factors numbered 1, 2, 3, and 4 most contributed to lowering the user's overall Confidence score.
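The Contributing Factors ordering just described, and the attempt counts and reasons for low confidence that the dashboard sections above report, as an added Python example (not RSA's code): it summarizes constructed event records that stand in for the Authentication Details of event 25001. The record layout, the signed per-attribute impacts, and the rule used to decide that no single factor predominates are assumptions made for illustration.

```python
from collections import Counter
from typing import Dict, List

UNDETERMINED = "Undetermined cause"

# Constructed sample records (not the service's real format): each carries the overall
# score, the threshold in force at the time, and the signed impact each attribute had
# on the score (negative values lowered it, positive values raised it).
EVENTS = [
    {"user": "alice@example.com", "score": 0.81, "threshold": 0.37,
     "factors": {"Time": 0.04, "Location": 0.10}},
    {"user": "alice@example.com", "score": 0.22, "threshold": 0.37,
     "factors": {"New Device": -0.31, "Location": -0.12, "Time": 0.03,
                 "Weekend": -0.02, "Uncommon Applications": -0.05}},
    {"user": "bob@example.com", "score": 0.30, "threshold": 0.37,
     "factors": {"Time": -0.03, "Weekend": -0.03, "Users on IP Velocity": -0.03}},
    {"user": "bob@example.com", "score": 0.45, "threshold": 0.40,
     "factors": {"Time": 0.02}},
]


def contributing_factors(factors: Dict[str, float], limit: int = 4) -> List[str]:
    """Factors that lowered the score, most impactful first, at most `limit` of them.
    Factors that raised the score are never listed, as in the User Event Monitor."""
    lowering = sorted((n for n, v in factors.items() if v < 0), key=lambda n: factors[n])
    return lowering[:limit]


def predominant_reason(factors: Dict[str, float]) -> str:
    """Reason reported for a low score. 'Undetermined cause' when no single factor
    stands out; the dominance rule (top impact at least twice the runner-up) is an
    assumption for illustration, not the service's actual rule."""
    ranked = contributing_factors(factors, limit=2)
    if not ranked:
        return UNDETERMINED
    if len(ranked) == 1:
        return ranked[0]
    top, runner_up = abs(factors[ranked[0]]), abs(factors[ranked[1]])
    return ranked[0] if top >= 2 * runner_up else UNDETERMINED


def summarize(events: List[dict]) -> Dict[str, Counter]:
    """Dashboard-style counts: attempts by confidence level and reasons for low confidence."""
    attempts, reasons = Counter(), Counter()
    for ev in events:
        level = "high" if ev["score"] > ev["threshold"] else "low"
        attempts[level] += 1
        if level == "low":
            reasons[predominant_reason(ev["factors"])] += 1
    return {"attempts": attempts, "reasons": reasons}
```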
RSA recommends that you leave data collection for identity confidence and location enabled. If your company requires you to disable data collection for identity confidence, do not use the identity confidence attribute in access policies. To obtain maximum benefit from identity confidence scores, RSA recommends that you also leave location data collection enabled. If you must disable data collection, see Configure Company Information and Certificates for instructions.