
Advanced risk-based authentication techniques can reduce an organization’s exposure to potentially costly, reputation-damaging information security breaches.

Unauthorized access to sensitive data presents a pervasive threat to an organization’s brand equity, competitive posture, and reputation. Given today’s evolving threat landscape, traditional identity and access management technologies no longer suffice. Corporate leaders are justifiably concerned about the impact of a security incident, and pressure is mounting to not only detect but, more importantly, prevent threats. Fortunately, next-generation identity and access management solutions employing advanced risk-based authentication techniques can help.

These solutions work by developing a risk score for each log-in attempt, and then weighing this score against allowable risk thresholds for various systems. Adapting authentication levels based on risk reduces the fallout organizations experience when the single form of authentication they rely on (such as a password or biometric scanner) gets compromised.

The risk score estimates the risk associated with a log-in attempt based on a user’s typical log-in and usage profile, taking into account their device and geographic location, the system they’re trying to access, the time of day they typically log in, their device’s IP address, and even their typing speed. An employee logging into a CRM system using the same laptop, at roughly the same time of day, from the same location and IP address will have a low risk score. By contrast, an attempt to access a finance system from a tablet at night in Bali could potentially yield an elevated risk score.

Risk thresholds for individual systems are established based on the sensitivity of the information they store and the impact if the system were breached. Systems housing confidential financial data, for example, will have a low risk threshold.

If the risk score for a user’s access attempt exceeds the system’s risk threshold, authentication controls are automatically elevated, and the user may be required to provide a higher level of authentication, such as a PIN or token. If the risk score is too high, the attempt may be rejected outright.
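The score-versus-threshold decision described above, as an added illustration in Python (not code from the authors or from any vendor's product): the profile attributes, weights and per-system thresholds are assumed values chosen to reproduce the article's two scenarios, with the finance system given lower thresholds than the CRM.

```python
# Constructed illustration of the risk-score-versus-threshold decision the
# article describes; weights, thresholds and profile data are assumed values.
from dataclasses import dataclass

@dataclass
class Profile:
    """A user's typical log-in pattern (constructed sample data)."""
    device: str
    country: str
    ip_prefix: str      # e.g. "203.0.113." (an RFC 5737 documentation range)
    usual_hours: range  # local hours at which the user normally logs in

# Per-system risk thresholds as (step-up level, deny level); a system holding
# confidential financial data gets lower thresholds than the CRM.
THRESHOLDS = {"crm": (50, 80), "finance": (20, 40)}

# Risk added for each attribute that deviates from the user's profile.
WEIGHTS = {"device": 25, "country": 30, "ip": 20, "hour": 15}

def risk_score(profile, device, country, ip, hour):
    """Sum the weights of every attribute that deviates from the baseline."""
    deviations = {
        "device": device != profile.device,
        "country": country != profile.country,
        "ip": not ip.startswith(profile.ip_prefix),
        "hour": hour not in profile.usual_hours,
    }
    return sum(w for k, w in WEIGHTS.items() if deviations[k])

def decide(system, score):
    """Compare a score against the system's thresholds: allow, step-up or deny."""
    step_up, deny = THRESHOLDS[system]
    if score >= deny:
        return "deny"
    if score >= step_up:
        return "step-up"  # ask for a PIN, token or other additional factor
    return "allow"

def evaluate(profile, system, **attempt):
    """Return (score, decision) for one log-in attempt against one system."""
    score = risk_score(profile, **attempt)
    return score, decide(system, score)

# Constructed baseline: the employee's usual laptop, office IP and working hours.
ALICE = Profile("laptop-a1", "US", "203.0.113.", range(8, 19))

# Same laptop, same IP, mid-morning, CRM -> (0, "allow")
# Tablet at night from another country, finance system -> (90, "deny")
```

Note that the same score can be acceptable for one system and not another: a single unfamiliar device scores 25, which the CRM allows but the finance system answers with a step-up challenge.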

The use cases in the following infographic illustrate how risk-based authentication systems work.


—by Irfan Saif, principal, Deloitte & Touche LLP; Rick Siebenaler, principal, Deloitte & Touche LLP; David Mapgaonkar, senior manager, Deloitte & Touche LLP