
How Risk-Based Authentication Creates a Frictionless Customer Experience

Failing to securely identify customers when they log in to digital assets is something that all modern organizations fear. Likewise, customers are paying more attention to the risks inherent in the global digital landscape. Businesses and customers alike are more aware than ever that traditional password-only login methods don’t provide enough security for today’s digital needs.

A move away from simple, password-based authentication is essential if companies are to protect themselves and their customers. This means a move toward passwordless login, multi-factor authentication (MFA/2FA), and risk-based authentication.

So, what is “risk-based authentication”, and how can it help protect your customers and business assets?

What Is Risk-Based Authentication?

Essentially, risk-based authentication uses what you already know about how a given customer usually behaves online to determine how likely they are to be who they say they are. If you’re already using customer identity and access management (CIAM), or are planning to adopt it in the near future, adding a risk-based authentication system can be simple.

Your customer’s CIAM profile includes a record of their “usual” activity, and this record is compared with how your customer is currently acting online. If your customer’s activities trigger an action that’s been set up under risk-based authentication, various levels of security action will take place.

There are standard triggers that will apply to most situations, but it’s also very simple to add and adjust these to meet specific organizational needs. Triggers include things like IP address, country, city, and browser.  

The Problems and Use Cases that Risk-Based Authentication Addresses

Today’s increasingly complex digital world needs a new type of security framework, one that goes beyond simple password-based access management. At the same time, it’s possible to leverage improvements like CIAM to improve security system-wide.

Standard access management VS Risk-based authentication

| Password-based access management | Risk-based authentication |
| --- | --- |
| Single point of security (at the login screen) | Multiple points monitored for unusual behavior |
| Easily cracked or extracted by other means (e.g. phishing) | Difficult to fool, since what is “normal” for each customer is constantly evolving |
| Either not secure enough, or frustrating because of constant login prompts | Smooth customer experience that adjusts the number of security challenges to suit the situation |
| Security alerts may be non-existent or come too late. Once an attacker is past the login screen, they have complete access to the account and its features. | Customers and administrators automatically alerted when there’s a security issue, with the option to have trigger points anywhere that a customer journey could diverge from normal. |
| Just a few short steps for a bad actor to change passwords and emails, locking a customer out of their compromised account | Nefarious activity leads to account locking, keeping bad actors out until the account activity can be reviewed by administrators |
| Customers don’t know whether or not they are currently safe and secure | Customers are confident in their security because they are alerted to changes in their security status and asked for responses throughout their user session |

As you can see, the security level for the entire organization can now be tweaked to meet requirements at suitable points throughout the customer journey. This benefit also works in the other direction—there’s no reason why customers can’t be presented with a more straightforward and challenge-free journey once they’re safely authenticated on their “home” machine.

Pertinent reminders and requests for further authentication all serve to boost customer confidence in the authentication system. The ability to alert customers to potential data breaches before and/or during their execution has the potential to stop some attacks in their tracks, most notably ones like the recent Outlook breach.  

The Benefits of Risk-Based Authentication

Any modern authentication solution needs to make use of more than one layer of authentication, and any authentication layer that can be added at little or no extra cost is bound to be highly attractive.

Fully automated, and based around the data that’s already held in your CIAM solution, risk-based authentication doesn’t just save time and money. By adding an additional form of authentication, you’re giving your customers an extra layer of security that’s flexible and responsive.

Customers can be notified instantly if something is off-pattern, for example, if someone tries to log in from a foreign country or a new IP address. Businesses are able to change which actions are triggered by which changes, so you can use risk-based authentication (RBA) to protect your business from many different security risk scenarios.

How the LoginRadius RBA System Works

In the LoginRadius Admin Console, you can combine risk factors such as city, country, browser, or IP address with a risk profile based on your company’s regulatory and other requirements to set a range of preconfigured actions based on perceived risk. How you set up these triggers will depend on your needs, and there’s scope for you to discuss more complex needs with our team where necessary.

These are the pre-set risk actions that are available from the LoginRadius Admin Console:

  • Notification Email: When specific risk criteria are met, a notification email is sent to the customer and/or the site administrator. The least intrusive option when used on its own, a notification email can also accompany more severe actions. Triggers might include things like logging in from a new device or a new location that’s still in the same country as the last login.
  • Multi-Factor Authentication: Multi-factor authentication is a brilliant way to increase login security, but requiring a customer to use it every time they log in from familiar locations and devices can soon become a drag. Often, it’s best to set up RBA so that MFA is only needed once when changing devices or locations.
  • Security Questions: Security questions are ideal when a customer is requesting access to more secure parts of their account such as detailed security/activity logs, or if they want to change vital login data like passwords, mobile phone numbers, or similar—especially where MFA has failed due to the loss of access to authentication devices or apps.
  • Blocking User Access: This is the most severe and restrictive action available. Customers are forced to reach out to site administrators to regain access. This action is only used in severe risk situations (for example, when a customer tries to log in from several high-risk locations around the world and repeatedly tries to change or access sensitive data with invalid credentials).

Some of the most commonly used rules are based around which country the customer is trying to access your services from, or which device they’re using. Malicious access will often try to spoof the country or the IP address/device, so if these are suddenly drastically different, it’s a good indication that things aren’t right.
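To make the trigger-and-action model concrete, here is an added example (my own illustration, not LoginRadius code) that compares a customer’s “usual” CIAM profile with the current login attempt and maps the triggers that fire (IP address, country, city, browser) to the four pre-set actions listed above. The thresholds, the trigger-to-action mapping, and all sample values are assumptions.

```python
"""Illustrative risk-based authentication policy (added example, not LoginRadius
code): the customer's "usual" profile is compared with the current login and the
result mapped to one of the post's four actions. Thresholds are assumptions."""
from dataclasses import dataclass, field
from typing import List, Set

# Actions named in the post, least to most intrusive, plus a no-friction outcome.
ALLOW, NOTIFY, MFA, QUESTIONS, BLOCK = "allow", "notify", "mfa", "questions", "block"

@dataclass
class Profile:  # the "usual" activity held in the CIAM profile
    countries: Set[str] = field(default_factory=set)
    cities: Set[str] = field(default_factory=set)
    browsers: Set[str] = field(default_factory=set)
    ips: Set[str] = field(default_factory=set)

@dataclass
class Attempt:  # what is observed for the current login
    country: str
    city: str
    browser: str
    ip: str
    failure_countries: int = 0      # distinct countries with recent invalid-credential attempts
    sensitive_change: bool = False  # changing password, phone number, etc.

def triggers(p: Profile, a: Attempt) -> List[str]:  # every risk trigger the attempt fires
    fired = []
    if a.country not in p.countries:
        fired.append("new_country")
    elif a.city not in p.cities:  # same country, different city
        fired.append("new_city")
    if a.browser not in p.browsers:
        fired.append("new_browser")
    if a.ip not in p.ips:
        fired.append("new_ip")
    if a.failure_countries >= 3:  # assumed threshold for "several high-risk locations"
        fired.append("invalid_from_many_locations")
    return fired

def decide(p: Profile, a: Attempt) -> str:  # the single most severe action that applies
    t = set(triggers(p, a))
    if "invalid_from_many_locations" in t:
        return BLOCK      # customer must contact administrators to regain access
    if a.sensitive_change:
        return QUESTIONS  # access to secure areas or change of vital login data
    if "new_country" in t or "new_browser" in t:
        return MFA        # new location or device: step up once
    if t:
        return NOTIFY     # e.g. new city in the same country, or a new IP address
    return ALLOW          # matches usual behaviour: no extra challenge
```

Real deployments would also feed the outcome of each challenge back into the profile so that a device or location the customer has verified stops triggering MFA on later logins.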

Conclusion

The main thing to take away about risk-based authentication is that you have complete control over how your customer interacts with these risk-based actions, and what your company says to your customers when these actions are triggered. With the LoginRadius Risk-Based Authentication solution, you can match the brand, voice, and security response expected of your type of organization, and reassure your customers without annoying them.

The fully managed RBA workflow is super-simple to implement and maintain in LoginRadius. It reassures your customers and shows them that you take their security seriously, which can give you a competitive advantage over businesses that fail to use these authentication techniques.

Download our Risk-Based Authentication datasheet to learn more about how RBA can help you protect your business and your customers.


*** This is a Security Bloggers Network syndicated blog from LoginRadius authored by Alice Liang. Read the original post at: https://www.loginradius.com/blog/2019/05/risk-based-authentication/