Deployment Considerations for Risk-Based Authentication

Before you deploy risk-based authentication (RBA), consider these aspects when you plan your RBA deployment strategy and establish RBA policies:

  • Do you want to use RBA for all users in a security domain? If yes, you can configure Authentication Manager to enable all users automatically. If no, the administrator enables users individually.

  • Do you have a web tier? RSA recommends a web tier for RBA. You can have multiple web tiers handling RBA traffic.

  • Which server do you want to select as the preferred server for RBA? RBA requires a preferred server. You must select a unique preferred server for each web tier handling RBA traffic.

  • Do you want to integrate RBA with your web-based authentication agents? RSA supports specific web-based agents for integration with RBA. You may integrate other web-based agents that support either the RSA SecurID protocol or the RADIUS protocol.

  • Do you want to use silent collection, which allows the system to establish a baseline authentication history for each user and register authentication devices automatically to users during the data accumulation period?

  • How often do users access protected resources from public computers or devices? Consider this when you are choosing a minimum assurance level, deciding whether you want to enable silent collection, and configuring device settings. You may want to select a higher assurance level if users frequently use public computers or devices.

  • Do users typically access protected resources using multiple devices or from changing locations? How sensitive should Authentication Manager be to changes in the user’s location, device, and behavior? Consider this when you choose a minimum assurance level and configure device settings.

  • Which identity confirmation methods should be available to users? For example, if users carry mobile phones that your organization authorizes for business use, you might choose on-demand authentication. For laptop or desktop users, you might choose security questions.

  • How many devices should be associated with each user? How long should each device remain registered to the user? Consider these when you are configuring device settings.

  • Do you want your organization’s logo on the RBA logon pages? For more information, see Customize Self-Service Console Web Pages.

  • Do your users use RSA SecurID authenticators? When RBA is enabled, the following authenticator-related events can cause the system to raise the risk level.

    • User exceeds your threshold for unsuccessful logon attempts

    • User uses a temporary tokencode or fixed passcode

    • Administrator clears a user’s PIN

    • Administrator changes a user’s PIN

    • Administrator marks a token as lost and a user attempts to logon with it

You may want to educate the SecurID users about these additional risk contributors to help them understand why the system challenges them for identity confirmation.