Risk-based authentication

In authentication, risk-based authentication is a non-static authentication system which takes into account the profile (IP address, User-Agent HTTP header, time of access, and so on[1]) of the agent requesting access to the system to determine the risk profile associated with that transaction. The risk profile is then used to determine the complexity of the challenge. Higher risk profiles lead to stronger challenges, whereas a static username/password may suffice for lower-risk profiles. A risk-based implementation allows the application to challenge the user for additional credentials only when the risk level warrants it.[2][3][4]

Machine authentication is often used in a risk-based authentication setup. The machine authentication runs in the background and only asks the customer for additional authentication if the computer is not recognized. In a risk-based authentication system, the institution decides whether additional authentication is necessary. If the risk is judged to warrant it, enhanced authentication is triggered, such as a one-time password delivered via an out-of-band channel. Risk-based authentication can also be used during the session to prompt for additional authentication when the customer performs a certain high-risk transaction, such as a money transfer or an address change. Risk-based authentication is very beneficial to the customer because additional steps are only required if something is out of the ordinary, such as a login attempt from a new machine.[5]
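The mechanism described above (score the login attempt's profile against what the account has seen before, choose the challenge from the score, and re-challenge mid-session for high-risk transactions) is shown below as an added example. It is constructed for this page and is not code from the cited papers or from any product; the feature weights, thresholds, challenge names and sample history are all assumptions of the example.

```python
"""Risk-based authentication (RBA) scorer: illustrative example, not from the page.

Scores a login attempt on the three features the text names (IP address,
User-Agent header, time of access) against the account's recorded history,
maps the score to a challenge level, and shows session-time step-up for a
high-risk transaction. All weights, thresholds and sample data are assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

# Challenge levels returned by the policy (names are this example's own).
PASSWORD_ONLY = "password"       # low risk: static username/password suffices
STEP_UP_OTP = "password+otp"     # elevated risk: add an out-of-band one-time code
BLOCK = "block"                  # every signal unfamiliar: refuse and alert


@dataclass
class AccountHistory:
    """Per-account profile learned from previous successful logins (constructed)."""
    known_networks: set = field(default_factory=set)    # e.g. "203.0.113.0/24"
    known_user_agents: set = field(default_factory=set)
    usual_hours: set = field(default_factory=set)       # hours 0-23 seen at login


@dataclass
class LoginAttempt:
    ip: str
    user_agent: str
    when: datetime


def risk_score(attempt: LoginAttempt, history: AccountHistory) -> int:
    """Sum per-feature contributions into one score in 0..100 (weights assumed)."""
    score = 0
    # IP address: an address outside every previously seen network.
    addr = ip_address(attempt.ip)
    if not any(addr in ip_network(net) for net in history.known_networks):
        score += 50
    # User-Agent: a browser/device string this account has never presented.
    if attempt.user_agent not in history.known_user_agents:
        score += 30
    # Time of access: an hour at which this account does not normally log in.
    if attempt.when.hour not in history.usual_hours:
        score += 20
    return score


def challenge_for(score: int) -> str:
    """Map a risk score to the challenge the login page should present."""
    if score >= 100:
        return BLOCK
    if score >= 30:
        return STEP_UP_OTP
    return PASSWORD_ONLY


# Transactions the text names as high risk; they re-challenge regardless of score.
HIGH_RISK_TRANSACTIONS = {"money_transfer", "address_change"}


def transaction_challenge(action: str, session_score: int) -> str:
    """Mid-session step-up: high-risk actions always require the stronger challenge."""
    if action in HIGH_RISK_TRANSACTIONS:
        return STEP_UP_OTP
    return challenge_for(session_score)


def record_success(attempt: LoginAttempt, history: AccountHistory) -> None:
    """After a successful login, remember the device so it is recognized next time."""
    history.known_networks.add(str(ip_network(attempt.ip)))   # single-address network
    history.known_user_agents.add(attempt.user_agent)
    history.usual_hours.add(attempt.when.hour)


def demo() -> dict:
    """Run the policy over constructed sample data and return the decisions."""
    ua_known = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"     # constructed
    ua_new = "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"           # constructed
    history = AccountHistory(
        known_networks={"203.0.113.0/24"},
        known_user_agents={ua_known},
        usual_hours={8, 9, 10, 17, 18},
    )
    familiar = LoginAttempt("203.0.113.42", ua_known, datetime(2024, 5, 6, 9, 15))
    new_device = LoginAttempt("198.51.100.7", ua_new, datetime(2024, 5, 6, 9, 15))
    decisions = {
        "familiar": challenge_for(risk_score(familiar, history)),        # 0  -> password
        "new_device": challenge_for(risk_score(new_device, history)),    # 80 -> password+otp
        "transfer": transaction_challenge("money_transfer", 0),          # always password+otp
    }
    # Once the new device has passed the OTP challenge it becomes a known machine.
    record_success(new_device, history)
    decisions["new_device_again"] = challenge_for(risk_score(new_device, history))  # 0 -> password
    return decisions


if __name__ == "__main__":
    print(demo())
```

The additive scoring is the simplest possible model; real deployments weight features from observed fraud rates and treat a familiar device as evidence in favour of the user, which is why the example never blocks on a single unfamiliar signal and learns the device after a successful step-up.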

The result is that user validation accuracy is improved without inconveniencing the user,[2][6] and risk-based authentication is used by major companies.[7]

Related Research Articles

Password: used for user authentication to prove identity or access approval

A password, sometimes called a passcode, is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of password-protected services that a typical individual accesses can make memorization of unique passwords for each service impractical. Using the terminology of the NIST Digital Identity Guidelines, the secret is held by a party called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates knowledge of the password to the verifier through an established authentication protocol, the verifier is able to infer the claimant's identity.

In computing, the superuser is a special user account used for system administration. Depending on the operating system (OS), the actual name of this account might be root, administrator, admin or supervisor. In some cases, the actual name of the account is not the determining factor; on Unix-like systems, for example, the user with a user identifier (UID) of zero is the superuser, regardless of the name of that account; and in systems which implement a role-based security model, any user with the role of superuser can carry out all actions of the superuser account. The principle of least privilege recommends that most users and applications run under an ordinary account to perform their work, as a superuser account is capable of making unrestricted, potentially adverse, system-wide changes.

RSA SecurID, formerly referred to as SecurID, is a mechanism developed by RSA for performing two-factor authentication for a user to a network resource.

Personal identification number: PIN code

A personal identification number (PIN), or sometimes redundantly a PIN number or PIN code, is a numeric passcode used in the process of authenticating a user accessing a system.

Network security consists of the policies, processes and practices adopted to prevent, detect and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator. Users choose or are assigned an ID and password or other authenticating information that allows them access to information and programs within their authority. Network security covers a variety of computer networks, both public and private, that are used in everyday jobs: conducting transactions and communications among businesses, government agencies and individuals. Networks can be private, such as within a company, and others which might be open to public access. Network security is involved in organizations, enterprises, and other types of institutions. It does as its title explains: it secures the network, as well as protecting and overseeing operations being done. The most common and simple way of protecting a network resource is by assigning it a unique name and a corresponding password.

A replay attack is a form of network attack in which valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and re-transmits it, possibly as part of a spoofing attack by IP packet substitution. This is one of the lower-tier versions of a man-in-the-middle attack. Replay attacks are usually passive in nature.

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

One-time password: password that can only be used once

A one-time password (OTP), also known as a one-time PIN, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid several shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has as well as something a person knows.

The Secure Remote Password protocol (SRP) is an augmented password-authenticated key exchange (PAKE) protocol, specifically designed to work around existing patents.

Self-service password reset (SSPR) is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor, and repair their own problem, without calling the help desk. It is a common feature in identity management software and often bundled in the same software package as a password synchronization capability.

Mutual authentication or two-way authentication refers to two parties authenticating each other at the same time in an authentication protocol. It is a default mode of authentication in some protocols and optional in others (TLS).

3-D Secure is a protocol designed to be an additional security layer for online credit and debit card transactions. The name refers to the "three domains" which interact using the protocol: the merchant/acquirer domain, the issuer domain, and the interoperability domain.

Password strength: resistance of a password to being guessed

Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.

Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.

Cloud computing security or, more simply, cloud security, refers to a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.

Quantum cryptography is the science of exploiting quantum mechanical properties to perform cryptographic tasks. The best known example of quantum cryptography is quantum key distribution, which offers an information-theoretically secure solution to the key exchange problem. The advantage of quantum cryptography lies in the fact that it allows the completion of various cryptographic tasks that are proven or conjectured to be impossible using only classical communication. For example, it is impossible to copy data encoded in a quantum state. If one attempts to read the encoded data, the quantum state will be changed due to wave function collapse. This could be used to detect eavesdropping in quantum key distribution (QKD).

Smudge attack: discerning a password via screen smudges

A smudge attack is an information extraction attack that discerns the password input of a touchscreen device such as a cell phone or tablet computer from fingerprint smudges. A team of researchers at the University of Pennsylvania was the first to investigate this type of attack in 2010. An attack occurs when an unauthorized user is in possession of, or near, the device of interest. The attacker relies on detecting the oily smudges produced and left behind by the user's fingers to find the pattern or code needed to access the device and its contents. Simple cameras, lights, fingerprint powder, and image processing software can be used to capture the fingerprint deposits created when the user unlocks their device. Under proper lighting and camera settings, the finger smudges can be easily detected, and the heaviest smudges can be used to infer the most frequent input swipes or taps from the user.

Implicit authentication (IA) is a technique that allows a smart device to recognize its owner by becoming acquainted with his or her behaviour. It uses machine learning algorithms to learn user behaviour through the various sensors on the device and so achieve user identification. Most current authentication techniques, e.g. password, pattern lock, fingerprint and iris recognition, are explicit authentication, which requires user input. Compared with explicit authentication, IA is transparent to users during use, and it significantly increases usability by reducing the time users spend logging in, something users find more annoying than a lack of cellular coverage.

Virtual assistants are software technology that assists users in completing various tasks. Well-known virtual assistants include Amazon Alexa and Siri, produced by Apple. Other companies, such as Google and Microsoft, also have virtual assistants. There are privacy issues concerning what information can go to the third-party corporations that operate virtual assistants and how this data can potentially be used.

References

  1. Wiefling, Stephan; Dürmuth, Markus; Lo Iacono, Luigi (2021-01-26). "What's in Score for Website Users: A Data-Driven Long-Term Study on Risk-Based Authentication Characteristics" (PDF). Financial Cryptography and Data Security. FC '21. Vol. 12675. pp. 361–381. arXiv:2101.10681. doi:10.1007/978-3-662-64331-0_19. ISBN 978-3-662-64330-3. S2CID 231709486.
  2. US patent 9021555, Takaya Kato, "Risk-based authentication patent", issued March 29, 2006.
  3. Wiefling, Stephan; Lo Iacono, Luigi; Dürmuth, Markus. "Information website on Risk-based Authentication". Risk-based Authentication. Retrieved 2019-04-29.
  4. Wiefling, Stephan; Lo Iacono, Luigi; Dürmuth, Markus (2019). "Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild". In Dhillon, Gurpreet; Karlsson, Fredrik; Hedström, Karin; Zúquete, André (eds.). ICT Systems Security and Privacy Protection. IFIP Advances in Information and Communication Technology. Vol. 562. Springer International Publishing. pp. 134–148. arXiv:2003.07622. doi:10.1007/978-3-030-22312-0_10. ISBN 9783030223120. S2CID 189926752.
  5. Williamson, G. (2006). "Enhanced Authentication In Online Banking" (PDF). Journal of Economic Crime Management. 4 (2): 18–19.
  6. Wiefling, Stephan; Dürmuth, Markus; Lo Iacono, Luigi (2020-12-07). "More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication". Annual Computer Security Applications Conference. ACSAC '20. Austin, USA: Association for Computing Machinery. pp. 203–218. arXiv:2010.00339. doi:10.1145/3427228.3427243. ISBN 978-1-4503-8858-0.
  7. Wiefling, Stephan; Lo Iacono, Luigi; Dürmuth, Markus. "Who uses RBA? We found evidence that Google, Facebook, LinkedIn, Amazon and GOG.com are using it". Risk-based Authentication. Retrieved 2019-04-29.
  8. Borky, John M.; Bradley, Thomas H. (2019). "Protecting Information with Cybersecurity". In Borky, John M.; Bradley, Thomas H. (eds.). Effective Model-Based Systems Engineering. Cham: Springer International Publishing. pp. 345–404. doi:10.1007/978-3-319-95669-5_10. ISBN 978-3-319-95669-5. PMC 7122347. Retrieved 2023-08-28.