Definition

risk-based authentication (RBA)

Part of the Authentication glossary:

Risk-based authentication (RBA) is a method of applying varying levels of stringency to authentication processes based on the likelihood that access to a given system could result in its being compromised. As the level of risk increases, the authentication process becomes more comprehensive and restrictive.

You may have experienced risk-based authentication if you've ever accessed your bank account from another country and were asked more than the usual number of security questions. Common criteria for assessing risk includes geographic location, IP address and the status of antivirus software.

When performing a risk assessment for a network or Web site, an administrator should take into account the following factors:

  • The size of the system, in terms of the number of users. As a system grows larger, the chance of a breach increases.
  • The extent to which the system is critical to maintaining the operation of the organization. The most critical systems carry the greatest risk of serious damage in the event of a breach.
  • The ease with which data can be compromised or the system cracked by someone with the means and intent to do so. Ideally, protective measures such as firewalls and antivirus software should be robust and up-to-date, but these measures are not always given top priority when budgets are tight.
  • The relative sensitivity of the data that the system contains. Vital customer information such as names, addresses, and Social Security numbers requires enhanced protection.

Risk-based authentication can be categorized as either user-dependent or transaction-dependent. User-dependent RBA processes employ the same authentication for every session initiated by a given user; the exact credentials that the site demands depend on who the user is. In transaction-dependent RBA processes, different authentication levels may be required of a given user in different situations, based on the sensitivity or risk potential of the transaction. 

This was last updated in October 2012
Contributor(s): Stan Gibilisco
Posted by: Margaret Rouse

Related Terms

Definitions

  • invocation ID

    - An invocation ID is an ID number that identifies databases within Active Directory and changes as AD is in a restore process. Invocation IDs change during the restore process to make sure replicati... (SearchWindowsServer.com)

  • TAN (transaction authentication number)

    - A transaction authentication number (TAN) is a type of single-use password used for an online banking transaction in conjunction with a standard ID and password. TANs are often in a list made by a... (WhatIs.com)

  • social login

    - Social login is a single sign-on (SSO) that allows users to authenticate themselves on various applications and sites by connecting through a social networking site rather than typing a separate ID... (WhatIs.com)

Glossaries

  • Authentication

    - Terms related to authentication, including security definitions about passwords and words and phrases about proving identity.

  • Internet applications

    - This WhatIs.com glossary contains terms related to Internet applications, including definitions about Software as a Service (SaaS) delivery models and words and phrases about web sites, e-commerce ...

Ask a Question About risk-based authentication (RBA)Powered by ITKnowledgeExchange.com

Get answers from your peers on your most technical challenges

Tech TalkComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.