Risk-Based Authentication

Risk-based authentication (RBA), sometimes called adaptive authentication, is an emerging identity and access technology. It uses a range of signals about a login request, such as the user's behavior, the device in use, the network the request comes from and other variables, to estimate how likely it is that the request is not coming from the legitimate user.

When a person attempts to access an application, database or any other protected resource, an RBA system checks their credentials and also scores the request against that user's established pattern. If the score exceeds a threshold the administrator has set, the user is prompted for additional verification such as a one-time code, a biometric factor or a security question answer; above a higher threshold the request can be refused outright. How many extra factors are required depends on the administrator's settings and the risk level of the request.
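The decision flow just described (score the request, compare the score with administrator-set thresholds, then allow, step up or deny) can be made concrete with a small risk engine. The following is an added example written for this article, not code from any vendor mentioned here; the signals, their weights, the thresholds and the sample user data are all illustrative assumptions, and `ip_reputation_bad` stands in for the result of a threat-intelligence lookup that a real deployment would perform.

```python
"""Minimal risk-based authentication decision engine (added example).

Signals, weights, thresholds and sample data are illustrative assumptions,
not any vendor's scoring model.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"      # score below the step-up threshold
    STEP_UP = "step_up"  # demand extra factor(s) before granting access
    DENY = "deny"        # too risky to authenticate at all


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str                  # e.g. from IP geolocation
    timestamp: datetime           # timezone-aware, UTC
    ip_reputation_bad: bool       # assumed output of a threat-intel lookup
    failed_attempts_last_hour: int


@dataclass
class UserProfile:
    """Baseline learned from the user's past logins."""
    known_devices: Set[str]
    usual_countries: Set[str]
    usual_hours_utc: range
    last_country: Optional[str] = None
    last_seen: Optional[datetime] = None


@dataclass
class Policy:
    """Administrator settings: thresholds and which factors to demand."""
    step_up_threshold: int = 40
    deny_threshold: int = 80
    high_risk_step_up: int = 60   # at or above this, demand two factors
    low_risk_factors: List[str] = field(default_factory=lambda: ["otp"])
    high_risk_factors: List[str] = field(default_factory=lambda: ["otp", "biometric"])


# Illustrative weights (assumption); production systems tune these from labelled data.
WEIGHTS = {
    "unknown_device": 30,
    "unusual_country": 25,
    "off_hours": 10,
    "bad_ip_reputation": 40,
    "credential_stuffing_pattern": 20,
    "impossible_travel": 35,
}


def score_attempt(attempt: LoginAttempt, profile: UserProfile) -> Tuple[int, List[str]]:
    """Return (risk score 0-100, names of the signals that fired)."""
    fired: List[str] = []
    if attempt.device_id not in profile.known_devices:
        fired.append("unknown_device")
    if attempt.country not in profile.usual_countries:
        fired.append("unusual_country")
    if attempt.timestamp.hour not in profile.usual_hours_utc:
        fired.append("off_hours")
    if attempt.ip_reputation_bad:
        fired.append("bad_ip_reputation")
    if attempt.failed_attempts_last_hour >= 5:
        fired.append("credential_stuffing_pattern")
    # "Impossible travel": a different country than the previous login, under an hour later.
    if (profile.last_seen is not None and profile.last_country is not None
            and attempt.country != profile.last_country
            and attempt.timestamp - profile.last_seen < timedelta(hours=1)):
        fired.append("impossible_travel")
    return min(100, sum(WEIGHTS[s] for s in fired)), fired


def decide(score: int, policy: Policy) -> Tuple[Decision, List[str]]:
    """Map a score to an access decision plus the extra factors to request."""
    if score >= policy.deny_threshold:
        return Decision.DENY, []
    if score >= policy.step_up_threshold:
        factors = policy.high_risk_factors if score >= policy.high_risk_step_up else policy.low_risk_factors
        return Decision.STEP_UP, list(factors)
    return Decision.ALLOW, []


def evaluate(attempt: LoginAttempt, profile: UserProfile, policy: Optional[Policy] = None):
    """Full RBA pass: returns (decision, required factors, score, fired signals)."""
    policy = policy or Policy()
    score, fired = score_attempt(attempt, profile)
    decision, factors = decide(score, policy)
    return decision, factors, score, fired


# Constructed sample data for a fictional user; not real records.
UTC = timezone.utc
ALICE = UserProfile(known_devices={"dev-a1"}, usual_countries={"US"}, usual_hours_utc=range(7, 20),
                    last_country="US", last_seen=datetime(2018, 3, 1, 15, 0, tzinfo=UTC))
ROUTINE = LoginAttempt("alice", "dev-a1", "US", datetime(2018, 3, 1, 16, 0, tzinfo=UTC), False, 0)
NEW_DEVICE_ABROAD = LoginAttempt("alice", "dev-x9", "DE", datetime(2018, 3, 2, 9, 0, tzinfo=UTC), False, 0)
HOSTILE = LoginAttempt("alice", "dev-x9", "RU", datetime(2018, 3, 1, 15, 20, tzinfo=UTC), True, 6)

if __name__ == "__main__":
    for label, a in (("routine", ROUTINE), ("new device abroad", NEW_DEVICE_ABROAD), ("hostile", HOSTILE)):
        decision, factors, score, fired = evaluate(a, ALICE)
        print(f"{label:18} score={score:3} {decision.value:8} factors={factors} signals={fired}")
```

Running the script shows the three outcomes the paragraph describes: the routine login scores 0 and is allowed, the new device from an unusual country scores 55 and is asked for one extra factor, and the hostile attempt (bad IP reputation, repeated failures, impossible travel) saturates at 100 and is denied before any factor prompt. The weights are additive for readability; a real engine would typically use a trained model and would also feed the outcome back into the user's profile.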

The diagram below shows how risk-based authentication works.



These tools are becoming increasingly important as a result of bring-your-own-device (BYOD) practices. Each new endpoint is a potential risk, and the number of endpoints keeps growing with the emergence of the internet of things (IoT). There have already been incidents in which IoT endpoints were compromised by malware and used in DDoS attacks, or taken over for simple pranks. RBA can limit an attacker's ability to take over a device or the account that manages it by stepping up or refusing access as soon as a login looks anomalous.

RBA has also grown in importance with the boom of cloud services such as software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) applications. These are used remotely over the internet, often from networks the company does not control or trust. If someone tries to access a cloud application from an untrusted network, the RBA tool can require additional credentials or refuse access as a security risk.

With more than 2.2 billion records reportedly stolen in 2017, companies are working urgently on ways to better secure their data. RBA and behavioral analytics can help companies stop external attackers and identify internal accounts that may be the source of leaks. Behavioral analytics complements RBA by tracking user activity over time and exposing gaps in earlier practices.

Ideally, these practices will improve identity security and protect both corporate and individual data from the potentially devastating repercussions of identity theft. Machine learning already helps security products identify new threats and malware, and it can benefit access and authentication in the same way. Risk-based protocols are likely to be the most natural and effective way to integrate artificial intelligence (AI) with identity security solutions.


The pioneers of risk-based authentication

RSA, a security solutions company, has been innovative in adding RBA features to standard products. It is long established in the identity and access security market, and takes its name from the RSA public-key cryptosystem devised by its founders, one of the first such systems. It has a pure-play RBA product called RSA Adaptive Authentication, in addition to an upgraded SecurID offering with risk-based authentication capabilities. This year it offered a new integration with the popular Microsoft Active Directory, and extended its Business-Driven Security™ portfolio to help customers comply with the European Union's General Data Protection Regulation (GDPR).

Aside from the long-time leaders in the market, new companies are gaining recognition for their RBA solutions. Companies such as Callsign and UnifyID received significant funding in 2017. Callsign raised $35 million in Series A funding from Accel Partners, bringing its total to $38.75 million. UnifyID held its first funding round and raised $20 million from New Enterprise Associates.

Callsign has both consumer and business solutions for web, mobile and application security. The consumer product can be delivered via cloud, hybrid and original equipment manufacturer (OEM) offerings. It also includes a mobile software development kit (SDK) for Android and iOS that lets developers embed Callsign security features in any app. The business version is geared toward larger networks, SaaS applications and endpoints; it is scalable and can cover VPN and virtual machine access.

UnifyID describes its approach to adaptive authentication as "implicit authentication," drawing on often overlooked factors such as keystroke timing, mouse movements and Wi-Fi telemetry. Vendors like these rarely advertise every factor they use, so that attackers cannot easily game the system, but UnifyID claims to include more than 100 factors. It specifically cites machine learning for IoT devices as well. Products like this could, for the most part, eliminate a user's need to remember or frequently update passwords.

More emerging companies like these will get large funding rounds in 2018, but many existing companies will likely just add the functionality to long-standing products. It may arrive as an additional module or a paid upgrade, but the effectiveness of RBA is already being touted, motivating whoever hasn't already added the capability to catch up.


The future of risk-based authentication in business

IoT will probably see the greatest long-term impact from RBA. It could ensure healthcare devices are only controlled by parties on the hospital’s secure network. Or it could make sure a fleet of smart cars can’t be controlled by anyone but an administrator’s single device. Continuous and adaptive security protocols could make these easier to manage for administrators and easier to access for end-users.

RBA features will continue to be added to customer identity and access management (CIAM) software and single sign-on tools because they make life easier for users while simultaneously improving data security. These tools can easily add signals that flag potentially risky parties before they reach information, and many already do. Using machine learning to compute risk ratings quickly is a little more difficult, but still feasible for in-house development teams, or for teams that simply integrate an RBA tool's API or SDK, as UnifyID offers.

As with Callsign, many RBA tools will be used to restrict access to cloud applications and other SaaS tools. A cloud access security broker (CASB) with RBA would provide a single centralized console for administrators. Symantec's CloudSOC already integrates with its identity management solutions and facilitates RBA for access to applications such as Salesforce CRM, Microsoft Office 365 and Amazon Web Services. More CASB tools will adopt or integrate with RBA tools in the near future, helping to close the security gap between endpoints and cloud-based tools.

Password managers will likely either evolve into RBA solutions or simply fade out of the spotlight. Password trends have already changed, exemplified by the new password guidelines the National Institute of Standards and Technology (NIST) published in 2017 (Special Publication 800-63B), which drop forced periodic rotation and composition rules in favor of checking passwords against known-breached lists. Many existing practices are archaic and overly simplistic. Companies need multi-factor authentication software to ensure their data is safe. Passwords alone may persist for things like social media sites and mobile apps, but many of those already offer two-factor authentication as an additional option in their security settings.


Risk-based authentication predictions 2018

The two companies already mentioned have set the stage for an emerging market, and their funding figures point to its value. The identity and access management market is expected to grow from $8 billion in 2016 to $14.82 billion in 2021, and a significant portion of it by then will be held by providers of RBA-based solutions.

Companies use dozens of cloud applications, and it is not always easy to remember all the passwords, let alone govern hundreds of users. Centralized access providers for cloud apps will become heavy players in the RBA field. Central access reduces the administrative burden of setting access for specific users, retiring old accounts and enforcing password complexity, and users save the time and effort of remembering and storing passwords for their dozens of applications.

Retinal scans and fingerprint readers used to be the stuff of a Philip K. Dick novel. Today everyday devices, such as your iPhone, have fingerprint or face scanners. When RBA casts doubt on a user's identity, biometrics are a reliable second or third authentication factor.

Fraud prevention is a large concern for e-commerce providers and retailers. It is not uncommon for identity thieves to use e-commerce platforms to spend another individual's money. A bank might catch it, but only after the transaction goes through. By applying the same risk scoring to transactions, e-commerce providers could compare each purchase against the customer's historical activity and flag potentially fraudulent transactions before they are processed.


Risk-based authentication tools have taken up a significant share of the identity management technology discussion. As more incidents similar to the Equifax and Yahoo data breaches take place, companies continue to invest in tools that help limit identity and access management failures. RBA is the logical next step for managing user identity and data security in real time. Providers will continue to offer new embedded authentication tools and to use machine learning to improve RBA effectiveness. It is not the end-all, be-all solution for identity and access management, but it is a step forward in protecting the everyday citizen's sensitive information.



Aaron Montemayor Walker

Sr. Research Specialist, G2 Crowd