Risk-Based Authentication

Risk-based authentication (RBA) identifies potentially risky or fraudulent authentication attempts by silently analyzing user behavior and the device of origin. RBA strengthens RSA SecurID authentication and traditional password-based authentication. If the assessed risk is unacceptable, the user is challenged to further confirm his or her identity by using one of the following methods:

  • On-demand authentication (ODA). The user must correctly enter a PIN and a one-time tokencode that is sent to a preconfigured mobile phone number or e-mail account.

  • Security questions. The user must correctly answer one or more security questions. Correct answers to questions can be configured on the Self-Service Console or during authentication when silent collection is enabled.

RSA Authentication Manager contains a risk engine that intelligently accumulates and assesses knowledge about each user’s device and behavior over time. When the user attempts to authenticate, the risk engine refers to the collected data to evaluate the risk. The risk engine then assigns an assurance level such as high, medium, or low to the user’s authentication attempt. RBA compares this to the minimum acceptable level of assurance that you have configured. If the assurance level is below the configured minimum (that is, the assessed risk is too high), the user is prompted to confirm his or her identity by answering security questions or using ODA.

Risk-Based Authentication Prevents Data Loss from Stolen Passwords

RBA allows users who are accustomed to authenticating with passwords to continue doing so with little or no impact on their daily tasks. At the same time, RBA protects your company if passwords are stolen.

For example, consider John, a sales representative who regularly accesses the corporate SSL-VPN from his home office. John typically authenticates with just a user name and password using the same laptop every day. Suppose an unauthorized person steals John’s password and attempts to log on to the SSL-VPN from a different machine and location. RBA detects that the attacker is using an unrecognized device and challenges the attacker to confirm his identity by answering security questions. When the attacker fails the challenge, he is denied access.

Users who are accustomed to using passwords for authentication can continue to do so while RBA works in the background to protect sensitive company resources. The authentication experience is interrupted only if a user’s behavior is considered unusual.

In most cases, the typical user simply enters a password, as shown in the following steps:

  1. The user opens a browser window and accesses the company web portal.

  2. The user enters a password.

  3. The user gains access to the protected resource.

After the password is entered, Authentication Manager analyzes the user’s risk level to determine whether the user’s behavior and device deviate from past attempts. Users who are considered suspicious or high risk are prompted to confirm their identity by performing these steps:

  1. If the user is configured for more than one identity confirmation method, the user is prompted to choose either on-demand authentication (ODA) or security questions.

  2. If the user selects ODA, the user enters a PIN. Authentication Manager Express sends a tokencode to the user by e-mail or SMS. The user enters the tokencode and is authenticated.

    If the user selects security questions, the user is prompted to answer predefined questions. If successful, the user is authenticated.

How Risk-Based Authentication Works

Risk-based authentication (RBA) intelligently assesses authentication risk for each user and accumulates knowledge about each user’s device and behavior over time to determine if an authentication attempt is legitimate. RBA has the following features:

  • Data Collection. RBA requires a learning period during which it builds up a profile of user devices and user behavior. After the initial learning period has expired, RBA continues to learn from the behavior of the user population and regularly customizes its risk model to adjust its definitions of “normal” and “abnormal” for your deployment.

  • Device Registration. The first time a user successfully authenticates from a device, RBA records characteristics about the device in the user’s device history and thus registers the device to the user. A registered device is one that Authentication Manager recognizes and that the user has previously used for authentication.

  • Device Matching. During authentication, RBA examines the characteristics of the user’s laptop or desktop computer and compares them with a list of previously used devices, in an attempt to find a close match.

  • Assurance Level. RBA uses the device characteristics and user behavior to calculate an assurance level, which is the likelihood that the access attempt is being made by a legitimate user. When the user attempts to authenticate, RBA refers to its collected data to evaluate the risk and then assigns an assurance level such as high, medium, or low to the user's authentication attempt.
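The following is an added illustration, not RSA’s code: a minimal risk engine that models the four features above (device registration, weighted device matching, an assurance level, and a comparison against a configured minimum) and replays the John scenario from earlier on the page. The device characteristics, their weights, the score thresholds, and the sample devices are all assumptions constructed for the example.

```python
"""Added example (not RSA's implementation): a toy RBA risk engine."""
from dataclasses import dataclass, field

# Device characteristics the engine compares and their weights (assumed values).
WEIGHTS = {"user_agent": 0.35, "timezone": 0.2, "screen": 0.15, "ip_prefix": 0.3}


@dataclass
class RiskEngine:
    min_assurance: str = "medium"                 # configured minimum assurance level
    history: dict = field(default_factory=dict)   # user -> list of registered devices
    _RANK = {"low": 0, "medium": 1, "high": 2}

    def match_score(self, device, known):
        """Weighted fraction of characteristics that agree with one known device."""
        return sum(w for k, w in WEIGHTS.items() if device.get(k) == known.get(k))

    def assurance(self, user, device):
        """Device matching: high for a close match to a registered device,
        medium for a partial match, low for an unrecognized device."""
        best = max((self.match_score(device, d) for d in self.history.get(user, [])),
                   default=0.0)
        return "high" if best >= 0.85 else "medium" if best >= 0.5 else "low"

    def evaluate(self, user, device, password_ok):
        """Return (decision, assurance); decision is 'deny', 'allow' or 'challenge'."""
        if not password_ok:
            return "deny", None
        level = self.assurance(user, device)
        if self._RANK[level] >= self._RANK[self.min_assurance]:
            return "allow", level
        return "challenge", level      # step up to ODA or security questions

    def register(self, user, device):
        """Device registration: record a device after a successful authentication."""
        self.history.setdefault(user, []).append(dict(device))


# Constructed sample devices: John's usual laptop and an attacker's machine.
JOHN_LAPTOP = {"user_agent": "Firefox/115", "timezone": "America/New_York",
               "screen": "1920x1080", "ip_prefix": "203.0.113"}
ATTACKER = {"user_agent": "Chrome/120", "timezone": "Europe/Berlin",
            "screen": "1366x768", "ip_prefix": "198.51.100"}


def demo():
    engine = RiskEngine(min_assurance="medium")
    engine.register("john", JOHN_LAPTOP)          # learning period registers the laptop
    usual = engine.evaluate("john", JOHN_LAPTOP, password_ok=True)
    upgraded = engine.evaluate("john", {**JOHN_LAPTOP, "user_agent": "Firefox/120"}, True)
    stolen = engine.evaluate("john", ATTACKER, password_ok=True)   # stolen password
    return usual, upgraded, stolen
```

A browser upgrade on the same laptop only lowers the score to a partial match, so John is still allowed; the attacker’s unrecognized device scores zero and is challenged despite the correct password.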