Identity Confidence

The Cloud Authentication Service can establish high or low confidence in a user's identity based on data it collects when users attempt to authenticate over a period of time. The service leverages machine-learning algorithms to profile the user’s normal activity in order to understand deviation from that activity in the current authentication request. The Cloud Authentication Service evaluates the individual user, total population, and known risky authentication patterns to determine the identity confidence score. Older historical events are weighted less than more recent events, so past behavior ages out of the system and new behavior is more impactful.

The Identity Confidence attribute is available with the Cloud Premier License of RSA.

Note: Identity Confidence attribute evaluation is supported in Web-based authentications and via Web-based authentication agents such as Active Directory Federation Services (ADFS) and Citrix StoreFront in Authentication Manager Proxy mode.

By default, API-based (non-Web-based) agents such as Multi-Factor Authentication (MFA) and RADIUS do not support Identity Confidence attribute evaluation unless they explicitly pass the Identity Confidence facts as part of the authentication request.

Learning User Behavior Through Data Collection

The Cloud Authentication Service collects data about users over a period of time to learn the following attributes about users.

| Attribute | Description |
| --- | --- |
| Time | Time at which an application is accessed. |
| Weekend | Whether or not the user authenticated during the weekend. |
| Uncommon Applications | User authenticates to an application that he normally does not access. |
| High Authentication Frequency | User unsuccessfully authenticates quickly numerous times. |
| New Device | User accesses a device he has never used before. |
| Location | Physical location of a user (estimated from IP address and HTML5 Geolocation). |
| High Device Access Rate | A user account is being used simultaneously on at least two devices. |
| Users on Device Rate | Multiple users authenticating from the same device. |
| Users on IP Rate | Multiple users authenticating from the same IP address. |

The collected data is specific to your company. Data from a large user population collected over a long period of time ensures more reliable results than data from a small user population collected over a short period of time. Identity confidence results can vary from company to company depending on these factors.

Confidence Threshold

The user's identity confidence score is categorized as high or low confidence in relation to the Confidence Threshold. The Confidence Threshold is calculated based on information collected from all users within your company.

The Cloud Authentication Service requires an initial learning period of at least 1,000 authentications (authentication minimum) to collect sufficient user history to optimize identity confidence scoring. Prior to reaching the authentication minimum, the system uses a default threshold (0.37) for determining identity confidence. It is likely that more users will receive low confidence scores in this scenario. After this minimum has been reached, the Cloud Authentication Service adjusts the threshold up or down every seven days as it learns each user's behavior to optimize the low confidence scores.

RSA recommends that you require multifactor authentication for all users until the system has reached the minimum number of authentications.

The following table summarizes what high and low scores represent in relation to the Confidence Threshold.

| User's Overall Confidence Score | Meaning |
| --- | --- |
| Low score (low confidence) | A score that is lower than the Confidence Threshold indicates low confidence (high risk). This means the Cloud Authentication Service cannot identify the user with a reasonable degree of certainty. You can choose to deny the user access to protected resources or require the user to authenticate at a higher assurance level. |
| High score (high confidence) | A score that exceeds the Confidence Threshold indicates high confidence (low risk). This means the Cloud Authentication Service has high confidence that the user is indeed who he says he is. |

Risk AI Dashboard

Use the Risk AI Dashboard to view information that can help you identify anomalous authentication activity in your company. In most cases, anomalous behavior does not indicate a cyberattack or require you to take action. The dashboard provides your company with the necessary tools to analyze user behavior and make decisions that keep your company safe. The dashboard reports the following information.

Analytics Reported Description

Multifactor Authentication Attempts

Counts the number of user attempts to access resources protected by access policies that do and do not include the identity confidence attribute.

The total count includes attempts when users satisfy policy conditions that allow them to skip multifactor authentication.

At least one attempt must be found to display results.

Attempts Based on Identity Confidence

Counts the number of authentication attempts that resulted in a low or high confidence score.

The confidence threshold determines if an evaluation results in high or low confidence.

Reasons for Low Identity Confidence

A low confidence score occurs when the Cloud Authentication Service does not recognize the user's behavior, device, or location in an authentication attempt because the user has changed behavior, device, or location since the previous attempt. Or the score may be low if the user is new and has not authenticated enough times to earn a high confidence score. Low confidence can be due to one or more of these factors:

  • Behavior

  • Device

  • Location

  • Behavior and location

  • Location and device

  • Behavior, device, and location

  • Undetermined

Undetermined cause is reported when the Cloud Authentication Service cannot identify a single factor as the predominant cause of the low score. Multiple factors always play a role in confidence scores, and sometimes one particular factor does not stand out.

Top Anomalous Users

Lists users who exhibit anomalous behavior. “Severity” is the difference between the user’s Confidence score and the Confidence Threshold at the time of authentication. The larger the difference, the higher the degree of anomalous behavior. Up to four factors that contributed to lowering the score are provided. Use this information to decide whether these users require further action in accordance with your company’s security policies. In most cases, anomalous behavior does not indicate a cyberattack or require you to take action.

User Behavior Over Time

The dashboard displays a graph that shows the following information for a single user over a period of time. Click points on the graph to see:

  • Date and time of authentication

  • Confidence score at date and time of authentication

  • Confidence Threshold at date and time of authentication

  • Contributing factors in order of impact (provided when the Confidence score is below the threshold)

Configure Identity Confidence in Access Policies

Configure identity confidence by using the Identity Confidence attribute in an access policy. In the following sample policy, users with high identity confidence can access the resource without performing additional (step-up) authentication. Users with low identity confidence are denied access. For configuration instructions, see Add, Clone, or Delete an Access Policy.

[Image: securid_ngx_g_id_confidence_policy_example.png]

View Risk Analytics and Track Behavior for a User

Use the Risk AI Dashboard to view authentication information for all users in your company or for individual users within a specified timeframe.

Procedure

  1. Open the Cloud Administration Console and click Users > Risk AI Dashboard.

    By default, the initial pie charts that display reflect authentication activity collected over the past 30 days for all users in your company who have authenticated through the Cloud Authentication Service.

  2. You can view data for a specific user in either of two ways:

    • In the Filter by field, enter the user's email address and the timeframe (1-30 days). Click Go.

      Note: The search criteria must be able to return at least one authentication attempt in which identity confidence was evaluated. Otherwise, no attempts are displayed.

    • Select a user's email address from the Top Anomalous Users table on the right.

      The page is updated to show authentication activity for the selected user. Click Reset if you want to return to the display for all users in your company.

In the following example, the graphs on the left show information that is filtered for one user.

[Image: securid_ngx_g_risk_ai_dashboard_updated.png]

In the following graph, the blue line represents the user's authentication activity, the red line represents the threshold calculated by the Risk AI over the same period of time, and the black line represents the sum of the Dynamic Calculated Threshold and the adjusted threshold values. Each blue authentication point has a corresponding point on the Dynamic Calculated Threshold line indicating the threshold on the day and time of authentication. Click a point on the blue line to see the user's Identity Confidence Score, Dynamic Calculated Threshold, and Effective Threshold on a specific day and time. If the user's score dips below the Identity Confidence Threshold, indicating low confidence, a list of Contributing Factors appears.

Note: When you modify the Identity Confidence Threshold, the Effective Threshold will be displayed in the graph.

[Image: securid_ngx_g_risk_ai_dashboard_bottomgraph_updated.png]

Modify Identity Confidence Threshold

The Identity Confidence Threshold Adjustment feature gives you the ability to increase or decrease the number of users that are required to perform additional authentication when trying to access applications or services. You can adjust the value of the Identity Confidence threshold set for users.

In the Identity Confidence Threshold Adjustment section, you can view the Calculated Dynamic Threshold value along with the date and time. You can increase the value of the Identity Confidence threshold by up to 0.1 points in increments of 0.02 points, or decrease it by up to 0.04 points in increments of 0.02 points. When you increase or decrease the value of the Identity Confidence threshold, the sum of the Calculated Dynamic Threshold and the adjusted threshold value will affect the value of the Effective Threshold.

Procedure

  1. Open the Cloud Administration Console and click Users > Risk AI Dashboard.

  2. Click Modify Threshold.

  3. In the Identity Confidence Threshold Adjustment section (My Account > Company Settings > Company Information), you can move the slider forward or backward to increase or decrease the threshold value. The adjusted value will be displayed in the Effective Threshold. To reset the modified threshold value, click Reset.

View a User's Identity Confidence Score in the User Event Monitor

The User Event Monitor reports the following information in the Authentication Details column for event 25001. All of the attributes described in Learning User Behavior Through Data Collection contribute to these scores.

Confidence Details Reported in User Event Monitor Description

Confidence

The user's overall identity confidence score, which is influenced by the user's separate scores for Device Confidence, Behavior Confidence, and Location Confidence.

Confidence Threshold

Confidence scores higher than this threshold indicate high confidence, while lower scores indicate low confidence. The threshold calculation is based on information collected from all users within your company and adjusts over time as the Cloud Authentication Service learns about your users and as more users authenticate. The initial default threshold is 0.37. After at least 1,000 authentications have been reached, the threshold is updated daily.

Device Confidence

Level of confidence based on attributes associated with the user's device. These attributes describe device characteristics and user behavior. The Device Confidence score starts at 0.0 if the user has not previously used the device and increases each time the user successfully authenticates from the same device.

Behavior Confidence

Level of confidence based on attributes associated with the user's behavior. For example, this score is adjusted when the user successfully authenticates to access the same application within the same timeframe.

Location Confidence

Level of confidence based on attributes associated with the user's location. For example, this score is increased if the user successfully authenticates from the same location every day and decreased if the user successfully authenticates from different locations every day.

Contributing Factors

If a user's overall Confidence score indicates low confidence, the User Event Monitor reports up to four factors that most contributed to lowering the score. These factors are listed as Contributing Factors, in order from most impactful to less impactful. Factors that contribute to raising a user's overall score are not listed. For example:

Contributing Factors=1. New cookie or multiple cookies; 2. Location changed; 3. New application; 4. Location has multiple previous failed authentications

In this example, the factors numbered 1, 2, 3, and 4 most contributed to lowering the user's overall Confidence score.
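
The following Python sketch is an added example, not RSA code. It combines the threshold adjustment limits, the "Severity" definition, and the Contributing Factors line format described on this page to rank low-confidence events for review. The event field names (`user`, `confidence`, `calculated_threshold`, `details`) are hypothetical, since the page does not show an export format, and a score exactly equal to the threshold is treated as not low because the page only defines "lower than" and "exceeds".

```python
import re

# Adjustment limits from this page, in hundredths of a point: -0.04 to +0.10, steps of 0.02.
ADJ_MIN, ADJ_MAX, ADJ_STEP = -4, 10, 2

def effective_threshold(calculated: float, adjustment: float = 0.0) -> float:
    """Calculated threshold plus an admin adjustment within the page's limits."""
    hundredths = round(adjustment * 100)
    if abs(adjustment * 100 - hundredths) > 1e-9 or hundredths % ADJ_STEP:
        raise ValueError("adjustment must be a multiple of 0.02")
    if not ADJ_MIN <= hundredths <= ADJ_MAX:
        raise ValueError("adjustment must be between -0.04 and +0.10")
    return round(calculated + hundredths / 100, 4)

FACTOR_RE = re.compile(r"\s*(\d+)\.\s*(.+?)\s*$")

def parse_factors(line: str) -> list[str]:
    """Split 'Contributing Factors=1. A; 2. B' into ['A', 'B'], ordered by rank."""
    _, _, body = line.partition("Contributing Factors=")
    ranked = []
    for part in body.split(";"):
        m = FACTOR_RE.match(part)
        if m:
            ranked.append((int(m.group(1)), m.group(2)))
    return [text for _, text in sorted(ranked)]

def triage(events: list[dict], adjustment: float = 0.0) -> list[dict]:
    """Return low-confidence events, highest severity first."""
    flagged = []
    for ev in events:
        threshold = effective_threshold(ev["calculated_threshold"], adjustment)
        if ev["confidence"] < threshold:  # page: lower than threshold = low confidence
            flagged.append({
                "user": ev["user"],
                "severity": round(threshold - ev["confidence"], 4),
                "factors": parse_factors(ev.get("details", "")),
            })
    return sorted(flagged, key=lambda f: f["severity"], reverse=True)

# Constructed sample events with hypothetical field names (not real RSA output).
SAMPLE = [
    {"user": "alice@example.com", "confidence": 0.52, "calculated_threshold": 0.37, "details": ""},
    {"user": "bob@example.com", "confidence": 0.35, "calculated_threshold": 0.37,
     "details": "Contributing Factors=1. New cookie or multiple cookies; 2. Location changed"},
    {"user": "carol@example.com", "confidence": 0.12, "calculated_threshold": 0.37,
     "details": "Contributing Factors=1. Location changed; 2. New application"},
    {"user": "dave@example.com", "confidence": 0.40, "calculated_threshold": 0.37, "details": ""},
]
```

Calling `triage(SAMPLE, 0.04)` instead of `triage(SAMPLE)` adds dave@example.com to the result, which shows how raising the threshold increases the number of users who must perform additional authentication.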

Disable Data Collection for Identity Confidence

RSA recommends that you leave data collection for identity confidence and location enabled. If your company requires you to disable data collection for identity confidence, do not use the identity confidence attribute in access policies. To obtain maximum benefit from identity confidence scores, RSA recommends that you also leave location data collection enabled. If you must disable data collection, see Configure Company Information and Certificates for instructions.