What is risk-based authentication?

What is risk-based authentication?

Risk-based authentication is an approach to validating user actions beyond confirming their credentials. Risk-based authentication assesses multiple factors in addition to whatever authentication factors users provide to determine if their activities are probably legitimate or are likely those of an attacker or a scammer. This security measure is especially relevant for platforms that are often targeted for financial fraud, such as ecommerce retailers or financial platforms.

Instead of simply confirming that a user has entered the correct password at the start of the session, risk-based authentication might take into account factors like:

• Geolocation
• Time
• Past user behavior
• IP address
• Device information
• Which browser is used

While basic authentication is either allow or deny — the user either logs in or they do not — risk-based authentication weighs all these factors to create a risk score. Once the risk score passes a certain threshold, a user action might trigger an additional challenge to further validate their identity. Past a certain point, the user action might be denied altogether.

Why use risk-based authentication?

Attackers often use account takeover to hijack legitimate user accounts and then carry out fraud. Risk-based authentication is a way to verify that users are behaving normally, and therefore less likely to be carrying out fraud, without disturbing the user. Risk-based authentication runs in the background and only prompts the user for additional authentication when necessary.

Risk based authentication: A real-world analogy

Imagine these three scenarios:

1. Bob visits his father in person and asks for a loan.
2. Bob calls his father and asks for a loan.
3. "Bob," texting from a new phone number, messages his father and asks for a loan, to be deposited into an offshore bank account.

The first scenario is the least risky. Bob's father can be very sure he is really talking to Bob, his son.

The second scenario introduces some risk. A scammer might be pretending to be Bob over the phone. Bob's father might be reasonably sure he is speaking to Bob, but he might still say, "Let's talk about it more the next time you visit."

The third scenario is the most risky. The person who calls themself Bob is acting differently from Bob and using a different phone number. Bob's father might not even respond to such a request.

Risk-based authentication is an automated way for digital platforms to build in Bob's father's sense of judgment. It automatically sorts out authentic actions from probable scams.

How does risk-based authentication work?

Risk-based authentication continuously monitors user actions. It applies both to user logins and to actions taken after user logins. It uses risk signals to calculate a risk score, which is then used to determine if the user should provide additional authentication or should be blocked from carrying out their attempted action altogether.

Risk signals

Risk-based authentication tracks data points like:

• Number of failed logins
• Time
• Location
• Past user behavior (can draw from UEBA analytics)
• IP address and reputation
• Device reputation
• Browser

All of these can be risk signals. Some — such as device reputation — are more cut-and-dried: if a device has been known to participate in attacks or fraud in the past, actions originating from that device can be considered extremely risky.

Others rely on comparing current factors against a baseline: for instance, the time of day does not indicate much in and of itself, but if a user is accessing their account at a highly unusual time for them (at three in the morning, for instance) that can be a risk signal, though its strength can vary. If Alice works at her job from 9 AM to 5 PM, a login at 6 PM could be a slight risk signal, while Alice logging in at 11 PM could be a somewhat stronger risk signal. Machine learning is used to compare these data points against each other and detect deviations from the norm.

For data points like IP reputation and device reputation, risk-based authentication platforms often rely on third-party threat intelligence feeds. This aids them in, for example, identifying unknown IP addresses that have been associated with fraud in the past.

Risk score

The risk signals are tracked and combined into a risk score. An action like Alice logging into an application from a new device but from a familiar location and at a typical time might receive a medium risk score. Alice logging into an application from a new device and on the other side of the world might receive a high risk score.

If the risk score exceeds a certain threshold, then a few possible things can happen:

• Additional authentication methods are triggered. When Alice logs in from the other side of the world, she might be asked to scan her fingerprint in order to confirm it is really her.
• Authorization is reduced. Alice might not be able to access certain parts of the system due to her high risk score.
• If the risk score is high enough, the action might be blocked altogether. A risk-based authentication platform might consider an employee like Alice unexpectedly logging in from a completely new geolocation to be too risky and block her from logging in. (Which might stop an attacker who had stolen Alice's credentials from taking over her account, if it was not really Alice trying to log in.)

User authentications

For an elevated risk score, risk-based authentication might prompt the user to provide an additional authentication factor to log in or to perform certain actions. Users might have to authenticate using a factor they had not provided at login, such as using a hard key or providing biometric authentication. Or, they might have to provide another instance of a previously used authentication factor — tapping a hard key again, or answering security questions when they had previously entered a password. (The former is usually more secure.)

What are the benefits of risk-based authentication?

• Smoother customer experience: Most of the time, risk-based authentication goes on in the background. It should allow users to carry out low-risk transactions without doing any extra security steps. Risk-based authentication helps keep transactions secure without introducing delays into the user experience.
• Protection of both user and platform from fraud: Higher-risk transactions are challenged or blocked, reducing the risk of fraud for both the platform and potential victims. For ecommerce platforms, this can stop attacks like inventory hoarding and credential stuffing.
• Data breach prevention: Risk-based authentication can challenge or block threats to confidential data.
• Hybrid workforce support: Risk-based authentication can help keep remote working styles secure by verifying end user identity when data might be at risk.

Cloudflare One allows organizations to incorporate User Risk Scores directly into their zero trust network access (ZTNA) policies. User access can be adjusted based on the risk they pose to the business, helping to stop insider threats, fraud, and other attacks. Explore how User Risk Scoring works.