Risk-Based Authentication Policies
Risk-based authentication (RBA) is a multifactor authentication solution that strengthens SecurID and password-based systems by applying knowledge of the client device and user behavior to assess the potential risk of an authentication request. If the assessed risk is high, the user is challenged to further confirm his or her identity.
An authentication request is flagged as high risk when all of the following conditions exist:
- The user authenticates to a web-based application, such as an SSL-VPN, thin client, or web portal.
- The user has not configured an identity confirmation method.
- The user attempts to authenticate using a low-assurance device.
When RBA is enabled, the following authenticator-related events can cause the system to raise the risk level:
- The user exceeds the threshold for unsuccessful logon attempts.
- The user authenticates with a temporary tokencode or a fixed passcode.
- An administrator clears the user's PIN.
- An administrator changes the user's PIN.
- An administrator marks a token as lost and the user attempts to log on with it.
If an authentication request has a high risk, the user is prompted with a message. You can configure the message by using a message policy. For more information, see Risk-Based Authentication Message Policy.
To use RBA in your deployment, you must create an RBA policy, or edit the default policy, and associate the policy with a security domain. A policy can be associated with multiple security domains. For more information, see Add a Risk-Based Authentication Policy.
An RBA policy contains the following settings:
- System default. Sets the default RBA policy for the deployment. For more information, see Choose the Default Risk-Based Authentication Policy for the Deployment.
- Automatic enablement. Determines how users can be enabled for RBA. For more information, see Enable Users Automatically for Risk-Based Authentication.
- Minimum assurance level. Determines the assurance level that is required to access an RBA-protected resource. For more information, see Set the Minimum Assurance Level for a Risk-Based Authentication Policy.
- Silent collection. Used to establish a baseline authentication history for RBA users. For more information, see Configure Silent Collection for a Risk-Based Authentication Policy.
- Identity confirmation methods. Specifies the methods that can be used to provide identity confirmation during logon. For more information, see Enable Identity Confirmation Methods for a Risk-Based Authentication Policy.
- Device registration settings. Determines the system response to unregistered authentication devices. For more information, see Configure Device Registration for a Risk-Based Authentication Policy.
- Device administration settings. Determines general settings for the device history. For more information, see Configure Device History Settings for a Risk-Based Authentication Policy.
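The following Python model, added here as an illustration and not taken from RSA Authentication Manager, shows how the high-risk conditions and risk-raising events described above combine with the policy settings (minimum assurance level, silent collection, identity confirmation methods, device registration) into a single decision for one authentication request. The assurance-level ordering, the length and behaviour of the silent collection window, the failed-logon threshold, the method names, and the outcome names (`allow`, `challenge:<method>`, `high_risk_message`) are assumptions chosen for the example.

```python
# Added model of an RBA policy decision. Not RSA Authentication Manager code;
# the assurance ordering, silent-collection behaviour, threshold and outcome
# names are assumptions made for this illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed ordering of device assurance levels, lowest first.
ASSURANCE_RANK = {"low": 0, "medium": 1, "high": 2}

# Fixed "current date" so the silent-collection check is deterministic.
TODAY = date(2024, 6, 1)


def enabled_days_ago(days: int) -> date:
    """Date on which a user was enabled for RBA, relative to TODAY."""
    return TODAY - timedelta(days=days)


@dataclass
class RbaPolicy:
    """Settings mirroring the policy fields listed above (values are assumed)."""
    minimum_assurance: str = "medium"
    silent_collection_days: int = 14              # assumed baseline window
    identity_confirmation_methods: tuple = ("on_demand_tokencode", "security_questions")
    challenge_unregistered_devices: bool = True   # device registration setting
    failed_logon_threshold: int = 3               # assumed threshold


@dataclass
class AuthRequest:
    """One authentication attempt plus the user and device state the policy consults."""
    user: str
    web_based: bool
    device_id: str
    device_assurance: str
    registered_devices: frozenset = frozenset()
    user_confirmation_methods: tuple = ()         # empty: user configured no method
    failed_logons: int = 0
    used_temporary_tokencode: bool = False        # temporary tokencode or fixed passcode
    pin_cleared_or_changed: bool = False          # by an administrator
    token_marked_lost: bool = False               # token marked lost, then used
    rba_enabled_on: Optional[date] = None


def risk_raising_events(req: AuthRequest, policy: RbaPolicy) -> list:
    """Authenticator-related events from the page that raise the risk level."""
    events = []
    if req.failed_logons >= policy.failed_logon_threshold:
        events.append("failed_logon_threshold")
    if req.used_temporary_tokencode:
        events.append("temporary_tokencode_or_fixed_passcode")
    if req.pin_cleared_or_changed:
        events.append("pin_cleared_or_changed")
    if req.token_marked_lost:
        events.append("lost_token_used")
    return events


def in_silent_collection(req: AuthRequest, policy: RbaPolicy) -> bool:
    """Assumed: while the baseline is being built, devices are recorded, not challenged."""
    if req.rba_enabled_on is None:
        return False
    return TODAY - req.rba_enabled_on < timedelta(days=policy.silent_collection_days)


def decide(req: AuthRequest, policy: RbaPolicy) -> str:
    """Return 'allow', 'challenge:<method>' or 'high_risk_message'."""
    if not req.web_based:
        return "allow"                            # RBA applies to web-based applications only
    if in_silent_collection(req, policy):
        return "allow"
    low_assurance = ASSURANCE_RANK[req.device_assurance] < ASSURANCE_RANK[policy.minimum_assurance]
    unregistered = (policy.challenge_unregistered_devices
                    and req.device_id not in req.registered_devices)
    if not (low_assurance or unregistered or risk_raising_events(req, policy)):
        return "allow"
    # Elevated risk: ask the user to confirm identity with a method the policy permits.
    usable = [m for m in req.user_confirmation_methods
              if m in policy.identity_confirmation_methods]
    if usable:
        return "challenge:" + usable[0]
    # No way to confirm identity: the request is high risk and the user
    # only sees the text configured in the RBA message policy.
    return "high_risk_message"


if __name__ == "__main__":
    policy = RbaPolicy()
    weak = AuthRequest(user="alice", web_based=True, device_id="dev-1", device_assurance="low")
    print(decide(weak, policy))                   # high_risk_message
    weak.user_confirmation_methods = ("security_questions",)
    print(decide(weak, policy))                   # challenge:security_questions
```

Read the three branches in `decide` against the page: a request that fails no check is allowed silently; one that trips a risk-raising event, an unregistered device, or a device below the minimum assurance level is challenged if the user has a confirmation method the policy permits; and the combination of web application, no confirmation method and a weak device is the high-risk case that ends in the message policy text rather than a challenge.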