Identity fraud is a major security concern for most organizations doing business on the Internet today. It raises the cost of doing business, increases customer anxiety and thereby invites government regulation. The best defence against identity fraud is a layered approach to security, in which fraud detection is a critical layer and risk-based authentication is one of its mechanisms.

Risk-based authentication is a technique that uses both contextual and historical user information, along with the data supplied during an Internet transaction, to estimate the probability that a user interaction is authentic. Contextual information is what accompanies the current attempt: the traditional username and password, plus who the user claims to be, where they are connecting from (the IP address, and the location, down to the city, the user appears to be in at the time of the communication) and what kind of device they are using. Historical user data includes attributes recorded from earlier sessions as well as the user's established behaviour and transaction patterns. Together these signals act as an additional authentication factor that supplements the username and password, which is why risk-based authentication is often presented as a form of multi-factor authentication. One caveat belongs here: contextual signals are observed rather than proven, so they should not be treated as equivalent to a possession or biometric factor.

The risk-based authentication model is built on a rule engine that evaluates combinations of the parameters described above (IP address, location, device and so on). Data collected from genuine sessions is used to build a profile of each user's normal pattern, against which future authentication attempts are compared; the engine also checks each transaction against predetermined patterns that characterise fraudulent transactions. Because online fraud patterns evolve rapidly, the rule engine must include automatic pattern recognition and self-learning capabilities so that new patterns are found quickly. A machine-learning anomaly-detection system can also be used to address the shortcomings of purely rule-based systems.

Much of the contextual data used in risk-based authentication is itself susceptible to fraud. Although contextual data is difficult to replicate, a fraudster could try to spoof it to fool the authentication system; to succeed, the fraudster would have to know every attribute the authentication algorithms evaluate and then painstakingly replicate each of them. Fortunately, the difficulty of doing this, together with the availability of historical data that an attacker cannot observe and therefore finds far harder to forge, makes risk-based authentication more effective.

Risk-based authentication lets Internet businesses assess the risk of each interaction and invoke an out-of-band challenge-and-response mechanism as a second authentication factor only when necessary. It works behind the scenes and has minimal impact on users. It can be applied at initial login and may also be performed at subsequent interactions during a secure session, as well as at high-risk transactions.

Risk-based authentication allows the right level of security to be selected for each activity, instead of imposing the most comprehensive security on the entire user base. It gives businesses the flexibility to require additional authentication as and when necessary. Its main benefit is that no additional hardware or software is required on the user's side, making it non-intrusive and seamless for the end user, and it is far less expensive to deploy and administer than solutions that issue hardware or software tokens. It is also one of the few solutions that can flag some man-in-the-middle attacks, because a request relayed through an attacker's machine arrives with a different device fingerprint or network origin from the one the session was established with.

Like any other authentication solution, risk-based authentication is not foolproof. It must address challenges such as false positives and the accuracy of its risk predictions in order to be effective. False positives, in which legitimate users are challenged or blocked, are the major challenge: some occur with any such technology, but they can be minimised by applying best practices and fine-tuning the authentication process, for example by adjusting rule weights and thresholds against the observed rate at which genuine users are challenged.

The bottom line is that risk-based authentication works behind the scenes to spot high-risk transactions and apply the level of security appropriate to that level of risk. It lets organizations manage online risk better by deciding, for every online activity, which risks the business is willing to accept and which it is not. Since most users are never challenged, it strikes a good balance between security and usability: maximum usability for the majority of users, and a little more effort for the small number whose activity looks risky.