Wednesday, September 12, 2007

Risk Based Authentication

Risk Based Authentication??? What!!!
The concept of risk-based authentication is becoming the key word in identity management nowadays, especially in big-budget implementations of customer-facing banking solutions that handle online business-to-consumer transactions.
What is Risk-Based Authentication?
Risk-based authentication (RBA) involves two key ideas: device profiling and behavioral analytics. It automatically profiles the information associated with the way you normally log in to an online application, such as your IP address, your computer's operating system, browser version, your usual login times, time zone and so on. RBA works by checking your stored profile each time you log in; if there are variances, a risk level is registered and you are required to answer a security challenge question to which only you know the answer.

OK, how can it help you give your application better security?
Risk-based authentication detects abnormal login activity, such as a change in IP address or a change in browser version. Abnormal login activity prompts you to answer a personal security question that only you know the answer to. RBA thus provides an additional layer of security for validating the identity of users trying to log in to the application.

Let's take a case and see how this works. Let's assume that a bank is using RBA. It gathers a basic profile of the computer the customer typically uses for online banking, learning things like the machine's MAC address and settings over the number of accesses you have made to its website. The bank also tracks and begins to understand your normal pattern of behavior, such as when you typically log on or the types of transactions you usually conduct. Should you deviate from normal behavior -- perhaps by logging on from a different machine in a different country or attempting to transfer an unusually large sum of money -- the session would get a higher risk score, which could trigger the need for an additional form of authentication. This might mean that you have to answer a challenge-response question or that the bank will want to authenticate you by phone.
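To make the bank case above concrete, here is a small risk scorer written for this post as an added example (it is not code from the original article or from any RBA product). The deviation weights, the two thresholds and the sample customer are all constructed assumptions; a real deployment would tune them from observed login data.

```python
from dataclasses import dataclass
# Points per deviation from the stored profile (assumed weights, not from any product).
WEIGHTS = {"ip": 1, "os": 1, "browser": 1, "tz": 2, "country": 3, "hour": 1, "amount": 3}
CHALLENGE_AT, PHONE_AT = 3, 6   # ask the security question / escalate to a phone call

@dataclass(frozen=True)
class Profile:                  # what the bank has learned from previous logins
    ips: frozenset
    os: str
    browser: str                # major version only, so patch updates do not trip it
    tz: str
    country: str
    usual_hours: frozenset      # hours of day at which the customer normally logs in
    max_transfer: float         # largest transfer seen so far

@dataclass(frozen=True)
class Attempt:                  # what is observed for the current login/transaction
    ip: str
    os: str
    browser: str
    tz: str
    country: str
    hour: int
    transfer: float = 0.0

def risk_score(profile, attempt):
    """Compare the attempt with the profile; return (score, list of deviations)."""
    checks = {
        "ip": attempt.ip not in profile.ips,
        "hour": attempt.hour not in profile.usual_hours,
        "amount": attempt.transfer > 2 * profile.max_transfer,  # "unusually large sum"
    }
    checks.update((f, getattr(attempt, f) != getattr(profile, f))
                  for f in ("os", "browser", "tz", "country"))
    deviations = [name for name, hit in checks.items() if hit]
    return sum(WEIGHTS[d] for d in deviations), deviations

def decide(profile, attempt):
    """Map the risk score to an action: 'allow', 'challenge' or 'phone'."""
    score, _ = risk_score(profile, attempt)
    if score >= PHONE_AT:
        return "phone"
    return "challenge" if score >= CHALLENGE_AT else "allow"

# Constructed sample customer: usual home PC, evening logins, modest transfers.
HOME = Profile(frozenset({"203.0.113.7"}), "Windows XP", "Firefox/2", "Europe/London",
               "GB", frozenset(range(18, 23)), 500.0)
USUAL = Attempt("203.0.113.7", "Windows XP", "Firefox/2", "Europe/London", "GB", 20)
# Same customer abroad on a borrowed machine, moving far more money than usual.
ABROAD = Attempt("198.51.100.9", "Mac OS X", "Safari/3", "America/New_York", "US", 3, 5000.0)
```

With these weights the usual login scores 0 and is allowed, a spouse on a different computer in the same house scores 3 and gets the security question, and the foreign login with the large transfer scores 12 and is pushed to phone verification.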

In short, it is simply sequential, or matrix-based, authentication. But risk-based authentication can face a lot of dislike at the user level, for example because spouses often access shared accounts from different computers and travellers occasionally log on from unexpected locations. Anyway, there is a long way to go for RBA... Just like my blog in here... :) sorry for no posts till now...