Authentication and risk

Risk-based authentication plays an important role in many scenarios such as information access and use, fraud detection, device protection, and secure hardware and software product development. Risk-based authentication often works behind the scenes and its use is well established in banks and other financial institutions (Breitenfeld, 2011). Below are two scenarios related to risk-based authentication.

Fraud Detection. Companies such as Experian have deep experience in the use of risk-based methodologies to authenticate identity (Breitenfeld, 2011). Authentication schemes involve the establishment of an authentication score and use of layered identity correlation with knowledge challenges. The goal is confirm a correct identity with a high probability of assurance and minimize the risk of identity theft. Credit card and banking transactions are long-time consumers of risk-based authentication to reduce fraud and financial loss. With the advent of the Internet, the same methodologies are now used to detect and alert individuals of possible suspicious activity. Risk-based authentication provides ecosystem reduction in the wrongful manipulation of identity.

Improved Identity Detection. Internet authentication schemes often rely on basic information such as device type or IP address to establish individual identity (Traore, Woungang, Obaidat, Nakkabi, & Lai, 2012). This type of information can be fabricated by attackers looking to disguise their identity or may his the identity of an attacker who controls a compromised computer (Federal Trade Commission, 2013). To address this type of risk, keyboard or mouse use as well as other use behaviors may provide a secondary form of authentication (Traore, Woungang, Obaidat, Nakkabi, & Lai, 2012).   The issue with user behavior is that a system must be well-trained to identify an individual and then potentially block behaviors that are not consistent with an individual. As biometric technology evolves, biometrics may combine with user behavior to provide higher assurance of identity. Biometrics provides a strong correlator for authentication and may deliver benefits such as ease of use (Boriev, Sokolov, & Nyrkov, 2015).

The Risk of Risk: Protecting Access

Reliance of risk-based authentication should not be confused with replacement of access controls. Smart cards and other methods of authentication are often coupled with access controls to automate the process of identity establishment and authorized resource access (Boriev, Sokolov, & Nyrkov, 2015). Access controls can also be associated with the ability conduct certain operations such as payroll or bank account access. Risk-based analysis should not be limited to authentication. Risk-based analysis should extend to suspicious activity such as transferring funds that are outside typical parameters (Breitenfeld, 2011). As device and software designers focus on authentication, risk analysis should extend through to access controls and resource usage to further mitigate overall system risks.

References

Boriev, Z. V., Sokolov, S. S., & Nyrkov, A. P. (2015). Review of modern biometric user authentication and their development prospects. In IOP Conference Series: Materials Science and Engineering (Vol. 91, No. 1, p. 012063). IOP Publishing.

Breitenfeld, K. (2011). Positive identity. Public CIO, 9(3), 34-38.

Federal Trade Commission. (2013). Taking charge: What to do if your identity is stolen. April),(accessed March 4, 2014),[available at http://www. consumer. ftc. gov/articles/pdf-0009-taking-charge. pdf].

Traore, I., Woungang, I., Obaidat, M. S., Nakkabi, Y., & Lai, I. (2012, November). Combining mouse and keystroke dynamics biometrics for risk-based authentication in web environments. In Digital Home (ICDH), 2012 Fourth International Conference on (pp. 138-145). IEEE.