Risk-based authentication
Increasing security requirements in day-to-day online activities can be a real hassle for today's creatures of habit and are known to spoil the digital experience. Risk-based authentication is a way to make life easier without taking major risks.
A large part of our daily tasks takes place online and the trend is rising. From simple train ticket searches to managing your assets, most actions contain private data that must be protected from prying eyes on the Internet. The technical solution for the providers is straightforward: A combination of encryption, complicated passwords and several authentication factors are highly likely to identify the user as the one he or she claims to be. On the other hand, the convenience gained for the customer by digitizing the service in question dwindles with each additional factor. While we easily understand the need to protect our privacy and data, we still think the login procedures are tedious.
A way out
Risk-based authentication aims to alleviate this problem precisely by counting on humans being creatures of habit. Many of us follow a very regular daily routine and even if we deviate from it, we often use the same services at similar times and usually from the same devices. These metrics and a few other factors can then be used to create a profile specifically tailored to the respective user and service. This assigns a value to the risk that the user who logs on is in fact the person they claim to be. For example, if someone logs on to an online service at the usual time, from their usual location with their computer, they could be allowed to simply authenticate themselves with their user name and password. However, if they were to take this action from abroad while using a borrowed device, they would have to confirm their identity with another factor for security.
What about security?
With a well-designed risk profile and an smart selection of the factors to be considered, no loss of security is to be expected despite the simplification of daily standard procedures — for several reasons:
- For each service, a minimum authentication hurdle is defined per se according to the service offered, which is never undercut.
- Factors that can be evaluated include not only coarse values such as location or time, but also very personal parameters such as typing speed, mouse movements and other subtle properties (see e.g. device fingerprinting).
- As soon as suspicious factors appear, the system immediately switches to stronger authentication (also multi-level if desired).
- Current authentication solutions such as the Airlock IAM, which aspectra offers as a service, offer some of these possibilities already "out of the box".
As with any cat and mouse game, the creators of Trojans and other shady characters will soon be romping around on this playground, but it will be quite some time before they can simulate the peculiarities of the respective victim sufficiently accurately.