Before you deploy risk-based authentication (RBA), consider the following questions as you plan your deployment strategy and establish RBA policies:
Do you want to use RBA for all users in a security domain? If yes, you can configure Authentication Manager to enable all users automatically. If no, the administrator enables users individually.
Do you have a web tier? RSA recommends a web tier for RBA. You can have multiple web tiers handling RBA traffic.
Which server do you want to select as the preferred server for RBA? RBA requires a preferred server. You must select a unique preferred server for each web tier handling RBA traffic.
Do you want to integrate RBA with your web-based authentication agents? RSA supports specific web-based agents for integration with RBA. You may integrate other web-based agents that support either the RSA SecurID protocol or the RADIUS protocol.
Do you want to use silent collection? Silent collection allows the system to establish a baseline authentication history for each user and to automatically register authentication devices to users during the data accumulation period.
How often do users access protected resources from public computers or devices? Consider this when you are choosing a minimum assurance level, deciding whether you want to enable silent collection, and configuring device settings. You may want to select a higher assurance level if users frequently use public computers or devices.
Do users typically access protected resources using multiple devices or from changing locations? How sensitive should Authentication Manager be to changes in the user’s location, device, and behavior? Consider this when you choose a minimum assurance level and configure device settings.
Which identity confirmation methods should be available to users? For example, if users carry mobile phones that your organization authorizes for business use, you might choose on-demand authentication. For laptop or desktop users, you might choose security questions.
How many devices should be associated with each user? How long should each device remain registered to the user? Consider these when you are configuring device settings.