Risk-based authentication (RBA) offers companies and website users enhanced security without the hassle of requiring two-factor authentication on every log-in. Although risk-based authentication absolutely uses a two-factor approach, it quickly analyzes the specific risk of each log-in to determine whether or not the second factor should come into play. In other words, most users won’t have to jump through multiple hoops each time they want to access their account, but they’ll still have the benefits of additional security layers.
How does risk-based authentication work?
RBA takes into account each user’s typical activity. For example, if you almost always log in to your bank account from your smartphone in the morning while connected to your home WiFi, RBA is going to learn to trust this access point. Meanwhile, if a desktop computer located across the country attempts to log in to the same account in the afternoon, RBA will instantly require two-factor authentication.
Risk-based authentication can use a wide variety of secondary verification methods. You might be asked to provide a PIN, answer a security question, scan your fingerprint or enter a code delivered via SMS.
Risk-based authentication reduces shopping cart abandonment
Shopping cart abandonment is a big issue that every online company faces. Some consumers are deterred by having to pass multiple security checks. In other instances, the process of going through two layers of security simply gives them too much time to rethink their purchase. Either way, businesses that always use two-factor authentication experience shopping cart abandonment because the added step creates payment friction.
With RBA, this particular problem can be almost completely solved. It’s estimated that only about 5 percent of online transactions truly need two-factor authentication based on fraudulent activity. By using RBA to gauge when a log-in or purchase seems most likely to be fraudulent, your company can make the online checkout and payment process go much more smoothly.
Who uses risk-based authentication?
RBA is becoming increasingly popular as a fintech solution. For the uninitiated, fintech refers to software and other technology that’s used to protect financial services such as online banking. RBA is also popping up on several eCommerce sites. A prime example is Amazon.com, where two-factor authentication kicks in if the RBA assessment goes into the danger territory. This is most commonly experienced by users who try to make a purchase from a new device or geographic area.
Typing biometrics can take RBA to the next level
The entire point of risk-based authentication is to keep accounts secure without inundating users with unnecessary extra log-in steps. Typing biometrics work as a combination of RBA and two-factor authentication by constantly assessing whether or not the user’s typing behaviors are consistent with their typical typing style.
TypingDNA’s typing biometrics provide a risk-based score based on a factor such as a person’s typing patterns. This goes much deeper than simply looking at the user’s device and geographic location.
After all, someone could steal your phone or access your laptop. If that happens, the typical RBA process will be fooled. Typing biometrics would instantly raise a red flag, though, because the criminal wouldn’t have the true user’s same exact typing patterns. By using the risk-based score from TypingDNA, the website’s RBA would kick in during situations it otherwise would have ignored, thereby protecting the user’s account from fraud.
As you can see, typing biometrics offer a natural complement for risk-based authentication. Accounts will be more secure, and companies will reduce their risk of typical RBA methods failing when a criminal accesses a user’s information from one of their trusted devices.
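The decision described above, sketched as an added example (not TypingDNA's code or API): a per-user profile of known devices, networks and log-in hours produces a risk score, and an optional typing-match value can force the second factor even from a trusted device. The weights, thresholds, field names and the 0-to-1 `typing_match` input are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Weights, thresholds and field names are illustrative assumptions.
WEIGHTS = {"device": 40, "network": 25, "hour": 15}
TYPING_MISMATCH_WEIGHT = 60   # enough on its own to force step-up
TYPING_MATCH_MIN = 0.7        # constructed cut-off for a 0..1 similarity score
STEP_UP_THRESHOLD = 50


@dataclass
class Profile:
    """Contexts seen on one user's previous successful log-ins."""
    devices: set = field(default_factory=set)
    networks: set = field(default_factory=set)
    hour_buckets: set = field(default_factory=set)

    def learn(self, login):
        self.devices.add(login["device"])
        self.networks.add(login["network"])
        self.hour_buckets.add(login["hour"] // 6)  # four 6-hour buckets


def risk_score(profile, login, typing_match=None):
    """Return (score, reasons). typing_match is None when no typing sample exists."""
    checks = [
        ("device", login["device"] not in profile.devices),
        ("network", login["network"] not in profile.networks),
        ("hour", login["hour"] // 6 not in profile.hour_buckets),
    ]
    reasons = [name for name, unusual in checks if unusual]
    score = sum(WEIGHTS[name] for name in reasons)
    if typing_match is not None and typing_match < TYPING_MATCH_MIN:
        score += TYPING_MISMATCH_WEIGHT
        reasons.append("typing")
    return score, reasons


def decide(profile, login, typing_match=None):
    """'step_up' asks for the second factor; an empty profile scores 80 and steps up."""
    score, _ = risk_score(profile, login, typing_match)
    return "step_up" if score >= STEP_UP_THRESHOLD else "allow"


def sample_profile():
    """Constructed history: morning log-ins from one phone on home WiFi."""
    profile = Profile()
    for hour in (7, 8, 7, 9):
        profile.learn({"device": "phone-A", "network": "home-wifi", "hour": hour})
    return profile
```

With the constructed profile, the usual morning phone log-in is allowed and a new desktop on a new network in the afternoon steps up. The same trusted phone with a `typing_match` of 0.2 also steps up, which is the case device and location checks alone would miss.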
Risk-based authentication can and should be complemented with continuous authentication, for a seamless continuous risk-based authentication solution. This keeps the initial authentication safe and also continuously verifies the identity of the endpoint, so that intruders are locked out.