Risk-based authentication
In authentication, risk-based authentication is a non-static authentication system which takes into account the profile (IP address, User-Agent HTTP header, time of access, and so on) of the agent requesting access to the system to determine the risk profile associated with that transaction. The risk profile is then used to determine the complexity of the challenge. Higher risk profiles leads to stronger challenges, whereas a static username/password may suffice for lower-risk profiles. Risk-based implementation allows the application to challenge the user for additional credentials only when the risk level is appropriate.
The point is that user validation accuracy is improved without inconveniencing a user, and risk-based authentication is used by major companies.
Criticism
- The system that computes the risk profile has to be diligently maintained and updated as new threats emerge. Improper configuration may lead to unauthorized access.
- The user's connection profile (e.g. IP Geolocation, connection type, keystroke dynamics, user behaviour) has to be detected and used to compute the risk profile. Lack of proper detection may lead to unauthorized access.
See also
- Access control list
- Attribute-based access control (ABAC)
- Capability-based security
- Context-based access control (CBAC)
- Discretionary access control (DAC)
- Graph-based access control (GBAC)
- Lattice-based access control (LBAC)
- Mandatory access control (MAC)
- Organisation-based access control (OrBAC)
- Role-based access control (RBAC)
- Rule-set-based access control (RSBAC)