Risk-Based Authentication Policies

Risk-based authentication (RBA) is a multifactor authentication solution that strengthens SecurID and password-based systems by applying knowledge of the client device and user behavior to assess the potential risk of an authentication request. If the assessed risk is high, the user is challenged to further confirm his or her identity.

An authentication request is flagged as high risk when all of the following conditions exist:

  • The user authenticates to a web-based application, such as an SSL-VPN, thin client, or web portal.

  • The user has not configured an identity confirmation method.

  • The user attempts to authenticate using a low assurance device.

When RBA is enabled, the following authenticator-related events can cause the system to raise the risk level:

  • User exceeds the threshold for unsuccessful logon attempts.

  • User uses a temporary tokencode or fixed passcode.

  • Administrator clears a user’s PIN.

  • Administrator changes a user’s PIN.

  • Administrator marks a token as lost and a user attempts to log on with it.
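
The two lists above describe two different kinds of rule: the first is a conjunction (a request is flagged high risk only when all three conditions hold at once), while the second is a set of events any one of which can raise the risk level. The following Python model, added here as an illustration and not code from the RSA product, evaluates a request against both rules. The field and event names are assumptions chosen for readability, and the model treats any listed authenticator event as raising the risk to high, which the page states only as "can cause"; the real engine's scoring is not documented here.

```python
from dataclasses import dataclass, field
from enum import Enum


class RiskLevel(Enum):
    LOW = "low"
    HIGH = "high"


# Authenticator-related events listed on the page that can raise the risk level.
# Event identifiers are assumed names for this example.
RISK_RAISING_EVENTS = frozenset({
    "failed_logon_threshold_exceeded",
    "temporary_tokencode_or_fixed_passcode_used",
    "admin_cleared_pin",
    "admin_changed_pin",
    "lost_token_used",
})


@dataclass(frozen=True)
class AuthRequest:
    """Hypothetical view of one authentication request (field names are assumptions)."""
    web_based_application: bool           # SSL-VPN, thin client, web portal
    identity_confirmation_configured: bool
    low_assurance_device: bool
    events: frozenset = field(default_factory=frozenset)


@dataclass
class Assessment:
    level: RiskLevel
    reasons: list
    challenge_required: bool  # True when the user must further confirm identity


def assess(request: AuthRequest) -> Assessment:
    """Apply the page's two rules and return the resulting risk decision."""
    unknown = request.events - RISK_RAISING_EVENTS
    if unknown:
        # Fail loudly on typos in event names rather than silently ignoring them.
        raise ValueError(f"unrecognized event(s): {sorted(unknown)}")

    reasons = []

    # Rule 1: all three conditions must hold together; any one missing means
    # this rule does not fire.
    if (request.web_based_application
            and not request.identity_confirmation_configured
            and request.low_assurance_device):
        reasons.append("web application, no identity confirmation method, "
                       "low assurance device")

    # Rule 2: each listed authenticator event independently raises the risk
    # (assumption: raised all the way to HIGH).
    for event in sorted(request.events & RISK_RAISING_EVENTS):
        reasons.append(f"authenticator event: {event}")

    level = RiskLevel.HIGH if reasons else RiskLevel.LOW
    return Assessment(level, reasons, challenge_required=(level is RiskLevel.HIGH))


if __name__ == "__main__":
    # Constructed sample requests for a quick demonstration.
    samples = {
        "all three conditions": AuthRequest(True, False, True),
        "confirmation configured": AuthRequest(True, True, True),
        "lost token used": AuthRequest(False, True, False,
                                       frozenset({"lost_token_used"})),
    }
    for name, req in samples.items():
        result = assess(req)
        print(f"{name}: {result.level.value}, challenge={result.challenge_required}, "
              f"reasons={result.reasons}")
```

Running the module prints one line per sample; the "confirmation configured" case stays low risk because only two of the three conjunctive conditions hold, which is the point practitioners most often misread in this policy.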

If an authentication request has a high risk, the user is prompted with a message. You can configure the message by using a message policy. For more information, see Risk-Based Authentication Message Policy.

To use RBA in your deployment, you must create an RBA policy, or edit the default policy, and associate the policy with a security domain. A policy can be associated with multiple security domains. For more information, see Add a Risk-Based Authentication Policy.

An RBA policy contains the following settings: