Minimum Assurance Level

The minimum assurance level is the confidence threshold that each authentication attempt must meet to avoid a challenge to the user for identity confirmation. The setting is in the risk-based authentication (RBA) policy for each user’s security domain.

Each time a user attempts to authenticate, the risk engine evaluates the device match and user behavior in real-time to produce an assurance level. The risk engine compares the user’s assurance level with the minimum assurance level in the RBA policy. If the user’s level is lower than the minimum, the user is prompted for identity confirmation.

For an authentication attempt to be considered high assurance, most or all device characteristics must match those that were recorded during a previous authentication attempt. Device characteristics include, but are not limited to, the IP address, the browser type and version, and the HTTP and Flash cookies that identify the device.

If the device is not in the user’s device history (and silent collection is expired or is disabled), the authentication attempt is considered low assurance and the user must confirm his or her identity to access the RBA-protected resource. When the user’s assurance level is below the threshold, and the user has not configured an identity confirmation method, the user cannot access the protected resource.

Recommendations for Determining the Minimum Assurance Level

Before you deploy risk-based authentication (RBA), consider these factors regarding the minimum assurance level:

  • Many factors are involved in calculating the risk level. Results may vary based on your network, users, and specific situations.

  • The best minimum assurance level for your deployment depends on:

    • The sensitivity of the resources being protected

    • The acceptable user challenge rate

  • If strength-of-authentication is your primary objective, start with a higher assurance level, and adjust it to a lower level if users are being challenged too often.

  • If ease-of-use is your primary objective, start with a lower assurance level, and adjust it to a higher level if you want more security.

  • RSA recommends starting with a Medium-High assurance level.

Because assurance increases when the device is known and the user behavior is predictable, some user populations are better suited to higher assurance levels than others. For example, employees authenticating regularly from the same device and location usually have much higher assurance than employees who travel frequently. Adjust the minimum assurance level to match the majority of your user population.

The Impact of User Behavior on Risk-Based Authentication

A user’s behavior affects how often the user is challenged to confirm identity. The system calculates and assigns users a Behavioral Risk Assurance Level that indicates the degree of confidence that the user is known to the deployment. The Behavioral Risk Assurance Level is based on the user’s typical behavior. Abnormal user behavior, such as attempting to authenticate several times in a row using the wrong password, lowers the Behavioral Risk Assurance Level and increases the assessed risk of the authentication attempt.

The system also calculates and assigns a client device a Device Assurance Level that indicates the degree of confidence that the device is known to the deployment. The Device Assurance Level is based on a specified device matching technique.

Low-risk behaviors include common activities that are perfectly valid under most circumstances but could be associated with fraud. For example:

  • The user’s account was recently modified.

  • The user is authenticating from a previously unknown IP address.

Medium-risk behaviors may include multiple activities that are combined in a suspicious way. For example:

  • The user authenticates from an unknown IP address soon after a failed identity confirmation challenge.

  • The user authenticates from an unknown IP address after changing his profile through the Self-Service Console.

Any clearly identified fraudulent activity constitutes high-risk behavior. For example, authentication attempted from a machine with an invalid or compromised cookie is a high-risk behavior.

The effect of user behavior on the device and behavioral risk assurance level is shown in the following table.

Device Matching Technique

Device Assurance Level

Behavioral Risk Assurance Level

Low

Medium

Medium-
High

High

Based on two or more unique attributes and statistical data

High

High

High

Medium-
High

Very Low

Based on one unique attribute plus statistical data

Medium-
High

Medium-
High

Medium

Low

Very Low

Based on one unique attribute

Medium

Medium

Medium

Low

Very Low

Based on statistical data

Low

Very Low

Very Low

Very Low

Very Low

Unregistered device

Very Low

Very Low

Very Low

Very Low

Very Low