Risk-based authentication – a process whose time is now

29 Aug
2012

Reading time: 2 to 3 minutes

Many times we tend to view authentication as a black-and-white issue. You either are or are not the person you claim to be, and therefore authentication either succeeds or fails. For example, if you know the password, you are (in the eyes of the system) the person you claim to be. Stronger or advanced methods of authentication represent a "higher hurdle" that one must clear in order to prove who you are. But once you pass this hurdle (or jump over it, as the metaphor may require), your identity is deemed to be known, and you are approved.

But as contextual factors have begun to be used in the approval process, the decision becomes more complicated. For example, what if the person authenticates successfully, but the request originates from an Eastern European country at 3 am local time? Or what if it originates from Italy, whereas the previous logon originated from New York three hours ago? In these cases it would be wise not to treat the login attempt as successful merely because proper credentials were submitted to the authentication service.

Both of these situations illustrate the importance of a risk-based approach to authentication, which can help identify potential identity theft and attempted fraud. By creating policies for how "serious" certain aspects of an authentication context are, you can develop a risk score that helps determine whether authentication succeeds or not. Developing these criteria is not always easy, but once you have a general idea of how you rank the authentication context parameters, it becomes much easier for the system to recognize a fraudulent authentication attempt.

This is, in a nutshell, the purpose of the integration between CA SiteMinder and Arcot RiskFort, which was announced last week at RSA. By introducing a risk analysis and score into each authentication decision, SiteMinder can make a much more informed decision (based on the policies the security group has defined) about whether to allow access or not. Or, if the risk score exceeds a certain threshold, SiteMinder could force a stronger, advanced level of authentication for the user, and thus increase the level of assurance that this person is who they claim to be.
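To make the two scenarios above concrete (the 3 am login from an unusual country, and the Italy login three hours after a New York login), here is an added example of a small risk-scoring policy of the kind the post describes. It is illustrative code written for this page, not code from CA SiteMinder or Arcot RiskFort; the weights, thresholds, the 900 km/h "plausible travel speed", and the coordinates and timestamps are all constructed assumptions. The policy scores an authentication context on three factors, then maps the score to allow, step-up (force stronger authentication) or deny.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Constructed policy values: what a security group might define.
UNUSUAL_COUNTRY_SCORE = 40
ODD_HOURS_SCORE = 20
IMPOSSIBLE_TRAVEL_SCORE = 60
STEP_UP_THRESHOLD = 40      # at or above: require stronger authentication
DENY_THRESHOLD = 80         # at or above: refuse even with valid credentials
MAX_PLAUSIBLE_KMH = 900.0   # assumed upper bound for legitimate travel speed
MIN_TRAVEL_KM = 100.0       # ignore small distances (GeoIP jitter within a city)


@dataclass
class LoginEvent:
    country: str      # ISO 3166 country code from GeoIP (assumed available)
    lat: float
    lon: float
    at: datetime      # timezone-aware UTC timestamp
    local_hour: int   # hour of day in the user's local time zone


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two WGS84 points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def score_context(current: LoginEvent, previous: Optional[LoginEvent],
                  usual_countries: frozenset) -> tuple[int, list[str]]:
    """Sum the risk contributions of each contextual factor; return score and reasons."""
    score = 0
    reasons: list[str] = []

    # Factor 1: request originates from a country this user does not normally use.
    if current.country not in usual_countries:
        score += UNUSUAL_COUNTRY_SCORE
        reasons.append(f"unusual country {current.country}")

    # Factor 2: odd hours in the user's local time (midnight to 05:59).
    if current.local_hour < 6:
        score += ODD_HOURS_SCORE
        reasons.append(f"odd local hour {current.local_hour:02d}:00")

    # Factor 3: impossible travel relative to the previous successful logon.
    if previous is not None:
        km = haversine_km(previous.lat, previous.lon, current.lat, current.lon)
        hours = (current.at - previous.at).total_seconds() / 3600.0
        # A zero or negative gap with a large distance is also impossible travel.
        speed = float("inf") if hours <= 0 else km / hours
        if km > MIN_TRAVEL_KM and speed > MAX_PLAUSIBLE_KMH:
            score += IMPOSSIBLE_TRAVEL_SCORE
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")

    return score, reasons


def decide(score: int) -> str:
    """Map a risk score to the policy outcome."""
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step-up"
    return "allow"


def evaluate_login(current: LoginEvent, previous: Optional[LoginEvent],
                   usual_countries: frozenset = frozenset({"US"})) -> tuple[int, str, list[str]]:
    """Credentials are assumed already verified; this decides what to do next."""
    score, reasons = score_context(current, previous, usual_countries)
    return score, decide(score), reasons


# Constructed sample events (coordinates are approximate city centres).
T0 = datetime(2012, 8, 20, 12, 0, tzinfo=timezone.utc)
NEW_YORK_NOON = LoginEvent("US", 40.7128, -74.0060, T0, local_hour=8)
# Scenario 1: valid password, but from Eastern Europe at 3 am local time, two days later.
BUCHAREST_3AM = LoginEvent("RO", 44.4268, 26.1025, T0 + timedelta(days=2), local_hour=3)
# Scenario 2: Italy, three hours after the New York logon.
ROME_3H_LATER = LoginEvent("IT", 41.9028, 12.4964, T0 + timedelta(hours=3), local_hour=17)
# Baseline: New York again the next morning.
NEW_YORK_NEXT_DAY = LoginEvent("US", 40.7128, -74.0060, T0 + timedelta(days=1), local_hour=8)

if __name__ == "__main__":
    for label, event in [("baseline", NEW_YORK_NEXT_DAY),
                         ("eastern europe 3am", BUCHAREST_3AM),
                         ("italy after new york", ROME_3H_LATER)]:
        score, outcome, reasons = evaluate_login(event, NEW_YORK_NOON)
        print(f"{label:22s} score={score:3d} outcome={outcome:8s} {reasons}")
```

The key design point is that the decision is no longer binary: a valid password gets the user a score, and only the policy thresholds turn that score into "allow", "force stronger authentication" or "refuse". The weights here are deliberately simple additive constants so that the reasons list explains every decision, which is what an analyst reviewing a blocked login will want.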

In my conversations with customers here at RSA and in the feedback I have heard about this message, it appears that a risk-based approach to authentication is gaining significant traction as its benefits for the prevention of fraud become clearer.

  • Web Design Delhi

    I am extremely impressed along with your writing abilities and also with the format in your blog. Anyway stay up to the excellent high quality writing,
    it's rare to find a nice weblog like this one these days.
