Risk-based authentication

Risk-based authentication takes one or more pieces of context information into account to assess the current risk. The authentication process can then be influenced based on the assessed risk. It can be used, for example, to omit the second factor in low-risk situations, deny access altogether in very risky situations, or choose a different path in the authentication flow.

Simple example usage (flow-based authentication):

RiskBasedAuthenticationFlow

Risk context information

Risk context information is the basis for the risk assessment. Conceptually, it can be any kind of information available during the authentication flow. Whether a piece of context information can be used in risk-based authentication depends on the availability of a corresponding risk extractor plugin able to process the information.

  • Examples for context information:
  • Client IP address
  • Date and time of day
  • Physical location and computed traveling speed of the client
  • End-user behavior
  • Risk estimation of an external threat intelligence system
  • Risk score of Airlock Gateway (Anomaly Shield, client fingerprinting)
  • etc.