Advanced risk-based authentication techniques can reduce an organization’s exposure to potentially costly, reputation-damaging information security breaches.
Unauthorized access to sensitive data presents a pervasive threat to an
organization’s brand equity, competitive posture, and reputation. Given today’s
evolving threat landscape, traditional identity and access management
technologies no longer suffice. Corporate leaders are justifiably concerned
about the impact of a security incident, and pressure is mounting to not only
detect but, more importantly, prevent threats. Fortunately, next-generation
identity and access management solutions employing advanced risk-based
authentication techniques can help.
These solutions work by developing a risk score for each log-in attempt, and
then weighing this score against allowable risk thresholds for various systems.
Adapting authentication levels based on risk reduces the fallout organizations
experience when the single form of authentication they rely on (such as a
password or biometric scanner) gets compromised.
The risk score estimates the risk associated with a log-in attempt based on a
user’s typical log-in and usage profile, taking into account their device and
geographic location, the system they’re trying to access, the time of day they
typically log in, their device’s IP address, and even their typing speed. An
employee logging into a CRM system using the same laptop, at roughly the same
time of day, from the same location and IP address will have a low risk score.
By contrast, an attempt to access a finance system from a tablet at night in
Bali could potentially yield an elevated risk score.
Risk thresholds for individual systems are established based on the
sensitivity of the information they store and the impact if the system were
breached. Systems housing confidential financial data, for example, will have a
low risk threshold.
If the risk score for a user’s access attempt exceeds the system’s risk
threshold, authentication controls are automatically elevated, and the user may
be required to provide a higher level of authentication, such as a PIN or token.
If the risk score is too high, the access attempt may be rejected outright.
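
The scoring and threshold logic described above can be sketched as follows. This is an added example, not code from the article or from any product. The signal weights, per-system thresholds, rejection ceiling, 30% typing-speed tolerance, and the sample profile are all constructed assumptions.

```python
from dataclasses import dataclass

# All weights, thresholds and sample values here are constructed assumptions.
WEIGHTS = {"device": 25, "location": 30, "ip": 15, "hour": 15, "typing": 15}
THRESHOLDS = {"crm": 50, "finance": 20}  # sensitive systems tolerate less risk
REJECT_ABOVE = 80                        # score too high: reject outright

@dataclass
class Profile:
    devices: set
    locations: set
    ips: set
    usual_hours: range
    typing_cpm: float

@dataclass
class Attempt:
    system: str
    device: str
    location: str
    ip: str
    hour: int
    typing_cpm: float

def risk_score(p, a):
    """Sum the weights of every signal that deviates from the user's profile."""
    deviations = {
        "device": a.device not in p.devices,
        "location": a.location not in p.locations,
        "ip": a.ip not in p.ips,
        "hour": a.hour not in p.usual_hours,
        "typing": abs(a.typing_cpm - p.typing_cpm) > 0.3 * p.typing_cpm,
    }
    return sum(WEIGHTS[k] for k, off in deviations.items() if off)

def decide(p, a):
    """Return (score, action); unknown systems get the strictest threshold."""
    score = risk_score(p, a)
    if score > REJECT_ABOVE:
        return score, "reject"
    if score > THRESHOLDS.get(a.system, 0):
        return score, "step_up"  # e.g. require a PIN or token
    return score, "allow"

# Constructed profile: one known laptop, one city, one IP, office hours.
PROFILE = Profile({"laptop-1"}, {"Chicago"}, {"203.0.113.10"}, range(8, 18), 280.0)
```

With these assumed values, the same moderately unusual log-in (known laptop, new IP address, late hour) is allowed into the CRM system but triggers stronger authentication for the finance system, because only the system's threshold differs.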
The use cases in the following infographic illustrate how risk-based
authentication systems work.
By Irfan Saif