Authentication Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicati ...

, risk-based authentication is a non-static authentication system which takes into account the profile (IP address, User-Agent HTTP header, time of access, and so on) of the agent requesting access to the system to determine the risk profile associated with that transaction. The risk profile is then used to determine the complexity of the challenge. Higher risk profiles leads to stronger challenges, whereas a static username/password may suffice for lower-risk profiles. Risk-based implementation allows the application to challenge the user for additional credentials only when the risk level is appropriate. The point is that user validation accuracy is improved without inconveniencing a user and risk-based authentication is used by major companies.

Criticism

* The system that computes the risk profile has to be diligently maintained and updated as new threats emerge. Improper configuration may lead to unauthorized access. * The user's connection profile (e.g. IP Geolocation, connection type,

keystroke dynamics Keystroke dynamics, keystroke biometrics, typing dynamics and typing biometrics refer to the detailed timing information that describes when each key was pressed and released as a person is typing on a computer keyboard. Science The behavioura ...

, user behaviour) has to be detected and used to compute the risk profile. Lack of proper detection may lead to unauthorized access.

References

* http://www.google.com/patents/US20050097320 Authentication methods Computer access control Applications of cryptography Access control Password authentication {{crypto-stub

Criticism

See also

References