Scorpiones Group

What Is Risk-Based Authentication?

As businesses onboard more mobile and remote employees, partners, contractors, and other external users, the volume of people needing access to critical systems and data grows exponentially.
And while this increased connectivity provides tremendous operational and productivity benefits, it also creates new attack vectors for intruders and cybercriminals.
CSOs, CIOs, CTOs, and other security and IT leaders have a responsibility to protect their organization's data, systems, and IP assets.
It’s important to leverage the right technologies to make system access as safe and secure as it is seamless and affordable.

Password-based authentication methods must be replaced or augmented with additional layers of security that are easy to deploy and frictionless for the end-user.

Risk-based authentication (RBA) meets both criteria and should be considered by organizations of all sizes. This technology protects against sophisticated security breaches and hackers,
while reducing issues that result from a dependence on passwords and one-size-fits-all authentication strategies.

What Is Risk-Based Authentication?

RBA is a form of strong authentication that calculates a risk score for any given access attempt in real time, based on a predefined set of rules.
Users are then presented with authentication options appropriate to that risk level.

What Authentication Techniques Are a Best Fit for Risk-Based Authentication? (Best Practices)
Most RBA implementations use challenge and response questions—an authentication protocol in which one party presents a question (challenge) and another party must provide a valid answer (response) — as the second factor after submitting a username and password.
While cost-effective and easy to implement, we recommend using this method only as a fallback when internet or WiFi connectivity is unavailable.
Challenge and response authentication is simply not as secure as other smartphone, token, and smart card-based authentication techniques.
This is because breaking the authentication method only requires a little social engineering, rather than actual technical hacking.

Instead of challenge and response authentication, we recommend choosing from these other strong authentication techniques:
  1. Push authentication
  2. One-time password (OTP) and time-based one-time password (TOTP) authentication
  3. FIDO U2F tokens
  4. Smart cards with PKI—particularly if cards are already in use for facility access or other purposes
  5. Fingerprint biometrics

Smartphone-based options, such as push authentication and one-time passwords, are a particularly good fit for Risk-Based Authentication.


We would also like to bust the following myth: Risk-Based Authentication Is Only for Large Companies.
In reality, RBA should be considered by companies of all sizes.
RBA is:
  • Quick and easy to configure and install.
  • Very cost-effective - Organizations can leverage existing authentication solutions and user-owned smartphones.
  • Frictionless - Most access requests fall below the defined risk thresholds. So, only a fraction of requests require additional authentication.
  • Easy to manage and maintain - As new threats and risk factors are identified, adding them to your scoring and comparison processes is simple.
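The real-time, rule-based risk score described above, and the thresholds and extensible rule set from the list, as an added illustration (example code written for this page, not a Scorpiones product or any vendor's RBA engine; the rule names, weights, thresholds and the AccessAttempt fields are assumptions):

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

@dataclass
class AccessAttempt:
    """Constructed view of one login attempt; field names are assumptions."""
    user: str
    device_known: bool        # device previously enrolled by this user
    country: str
    usual_countries: set[str]
    ip_on_blocklist: bool
    hour_utc: int             # hour of day the request arrived

# Predefined rule set: (name, predicate, weight). Adding a newly identified
# risk factor is one more tuple here; nothing else changes.
RULES: list[tuple[str, Callable[[AccessAttempt], bool], int]] = [
    ("unknown_device",  lambda a: not a.device_known,                 30),
    ("unusual_country", lambda a: a.country not in a.usual_countries, 30),
    ("blocklisted_ip",  lambda a: a.ip_on_blocklist,                  50),
    ("off_hours",       lambda a: a.hour_utc < 6 or a.hour_utc > 22,  10),
]

# Assumed risk thresholds: below LOW the password alone is accepted.
LOW, HIGH = 30, 60

def risk_score(attempt: AccessAttempt) -> tuple[int, list[str]]:
    """Sum the weights of every rule that fires; return (score, reasons)."""
    fired = [name for name, pred, _ in RULES if pred(attempt)]
    score = sum(w for name, _, w in RULES if name in fired)
    return min(score, 100), fired          # cap the score at 100

def auth_decision(attempt: AccessAttempt) -> dict:
    """Map the score to the step-up options the user is offered."""
    score, reasons = risk_score(attempt)
    if score < LOW:
        options: list[str] = []            # password only, no friction
    elif score < HIGH:
        options = ["push", "totp"]         # smartphone-based step-up
    else:
        options = ["fido_u2f", "smartcard_pki"]  # strongest factors only
    return {"score": score, "reasons": reasons, "step_up": options}
```

Most routine attempts (known device, usual country, clean IP) score 0 and pass on the password alone, which is the "frictionless" property the list describes.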


We at Scorpiones provide complete cyber protection for your business. Our arsenal of services comprises Penetration Testing, Red Team, Incident Response Team (IRT) and even Digital Forensics.
Contact us now and start protecting your business's data.

