Thwarting Hackers with Risk-Based Authentication


The increased use of mobile and cloud services improves business agility by enabling anywhere, anytime access to applications and data. Opening up the network perimeter in this way, however, makes it harder to ensure that only authorized users reach critical assets.

Traditional authentication with usernames and passwords has become increasingly inadequate, for several reasons. Password fatigue is part of it: people continue to choose passwords such as “password” or “12345” that are easy to remember but just as easy to guess. Data breaches, phishing attacks and social engineering scams also continually expose large numbers of passwords to attackers. By some accounts, as much as 80 percent of hacking-related data breaches involve stolen or guessed passwords.

Machine learning has made practical a far more effective approach known as adaptive authentication or risk-based authentication. Every access request is assessed on a variety of user, device and contextual attributes (who is asking, from which device, from where and at what time) to produce a “security confidence” score. If that score falls short of the confidence the resource requires, a stronger form of authentication, such as a second factor, is demanded before access is granted.

The machine learning element enables organizations to refine these risk profiles over time. For example, if you frequently access your company’s sales reports from home in the evening using your iPhone, the authentication engine will learn those factors and build them into your risk profile. If you use the same device to access reports while on vacation in the Bahamas, you’ll likely be asked to answer a security question or provide some other form of authentication.

Machine learning and risk-based authentication are increasingly being used in a number of industries to fight the rising incidence of account takeover (ATO) fraud. ATO fraud involves the criminal access of banking, investment, credit card or even email accounts through the use of stolen credentials. According to Forrester, ATO fraud is responsible for $6.5 billion to $7 billion in annual losses across industries, including financial services, insurance, e-commerce and healthcare.

A recent evaluation of fraud patterns conducted by security analysts with RSA highlighted risk profiles that could be identified through the use of advanced authentication with machine learning capabilities. In particular, the analysis demonstrated a relationship between fraud incidents and the use of new devices or new accounts.

RSA found that fraud is 15 times more likely to originate from a new account than from one that has been established for more than 30 days. The probability of fraud drops dramatically for new accounts after 10 days, when it is only about three times more likely.

Similarly, there is a three-fold rise in fraud when an existing user attempts a transaction from a new device, which suggests that someone else holds the user's credentials and is using them from a device of their own. The RSA analysis also found that a device that is “new” to one account is often not new to the fraud detection engine: its fingerprint may already have been seen on other accounts. Device reputation across the whole user base therefore belongs in the score alongside the individual user's history.
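To make the scoring concrete, below is a small adaptive-authentication engine written for this article as an added example; it is not RSA's code or any vendor's product. It treats each signal as a likelihood ratio multiplied onto an assumed base fraud rate (a naive-Bayes combination that treats the signals as independent), which is one straightforward way to turn findings of the "15 times more likely" kind into a score and a decision. The account-age ratios (15x under 10 days, about 3x from 10 to 30 days) and the new-device ratio (3x) follow the RSA figures quoted above; the prior rate, the allow/step-up/deny thresholds, the country, hour and device-reputation ratios, the FRAUD_DEVICES list, and the sample user and login attempts are all constructed assumptions. It also shows the learning step: once a step-up succeeds, the device and location are folded into the profile and the next login from them is allowed without a challenge.

```python
"""Toy risk-based (adaptive) authentication engine: an added example, not the
article's or any vendor's code. Signals combine as naive-Bayes likelihood ratios
over a prior fraud rate. Prior, thresholds, country/hour/device-reputation ratios
and sample data are assumptions; the account-age ratios (15x under 10 days, 3x
from 10 to 30 days) and new-device ratio (3x) follow the figures in the article."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"
PRIOR_FRAUD_RATE = 0.01   # assumed base rate of fraudulent login attempts
ALLOW_BELOW = 0.02        # P(fraud) below this: the password alone is accepted
DENY_AT = 0.30            # P(fraud) at or above this: refuse even with a second factor
# Fingerprints tied to confirmed fraud on *any* account (assumed global reputation
# list): a device that is new to this user may be old news to the engine.
FRAUD_DEVICES = {"dev-9f3a"}

@dataclass
class UserProfile:
    created: datetime
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    active_hours: set = field(default_factory=set)  # UTC hours of past good logins

@dataclass
class LoginAttempt:
    device_id: str
    country: str
    when: datetime

def account_age_ratio(age_days: float) -> float:
    """Fraud likelihood ratio relative to an account older than 30 days."""
    return 15.0 if age_days < 10 else 3.0 if age_days < 30 else 1.0

def risk_signals(profile: UserProfile, attempt: LoginAttempt) -> dict:
    """Return {signal: likelihood_ratio} for every signal that fired."""
    signals = {}
    if attempt.device_id in FRAUD_DEVICES:
        signals["device seen in prior fraud"] = 50.0
    elif profile.known_devices and attempt.device_id not in profile.known_devices:
        signals["new device"] = 3.0  # a first enrolment has no baseline to compare
    if profile.known_countries and attempt.country not in profile.known_countries:
        signals["unfamiliar country"] = 5.0
    if profile.active_hours and attempt.when.hour not in profile.active_hours:
        signals["unusual hour"] = 2.0
    age_days = (attempt.when - profile.created) / timedelta(days=1)
    if account_age_ratio(age_days) > 1.0:
        signals[f"account age {age_days:.0f}d"] = account_age_ratio(age_days)
    return signals

def fraud_probability(signals: dict) -> float:
    """Posterior P(fraud): prior odds times each ratio (signals treated as independent)."""
    odds = PRIOR_FRAUD_RATE / (1.0 - PRIOR_FRAUD_RATE)
    for ratio in signals.values():
        odds *= ratio
    return odds / (1.0 + odds)

def decide(profile: UserProfile, attempt: LoginAttempt) -> tuple:
    """Return (verdict, P(fraud), signals) for one login attempt."""
    signals = risk_signals(profile, attempt)
    p = fraud_probability(signals)
    verdict = DENY if p >= DENY_AT else STEP_UP if p >= ALLOW_BELOW else ALLOW
    return verdict, p, signals

def learn(profile: UserProfile, attempt: LoginAttempt) -> None:
    """Fold a login that passed (possibly after step-up) into the user's profile."""
    profile.known_devices.add(attempt.device_id)
    profile.known_countries.add(attempt.country)
    profile.active_hours.add(attempt.when.hour)

# Constructed sample: an established user who reads reports in the evening from
# an iPhone at home in the US.
NOW = datetime(2024, 3, 4, 20, 0, tzinfo=timezone.utc)

def sample_profile() -> UserProfile:
    return UserProfile(created=NOW - timedelta(days=400), known_devices={"iphone-a1"},
                       known_countries={"US"}, active_hours={19, 20, 21})

def demo() -> list:
    """Article scenarios plus a fraud-listed device; returns (scenario, verdict) pairs."""
    profile = sample_profile()
    laptop = LoginAttempt("laptop-b2", "US", NOW)
    scenarios = [("home, usual iPhone", LoginAttempt("iphone-a1", "US", NOW)),
                 ("Bahamas, usual iPhone", LoginAttempt("iphone-a1", "BS", NOW)),
                 ("home, new laptop", laptop),
                 ("abroad, fraud-listed device", LoginAttempt("dev-9f3a", "BS", NOW))]
    results = [(name, decide(profile, a)[0]) for name, a in scenarios]
    learn(profile, laptop)  # the laptop's step-up succeeded, so it joins the profile
    results.append(("home, same laptop after step-up", decide(profile, laptop)[0]))
    return results

if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{name:34} -> {verdict}")
```

Running the block prints the five scenarios: the usual phone at home is allowed, the same phone from the Bahamas and a new laptop at home both trigger step-up, a fraud-listed device abroad is denied, and the laptop is allowed once the profile has learned it. Two caveats a deployment has to deal with: the ratios here are hand-set, whereas a production engine fits them from labelled login history and re-fits as behaviour drifts; and the independence assumption overstates risk when signals are correlated (a legitimate traveller trips "new device" and "unfamiliar country" together), so thresholds should be tuned against the false-challenge rate, not just the fraud catch rate.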

Growing reliance on mobile and cloud platforms, exponential increases in the number of digital transactions and a sharp rise in the sophistication and frequency of cybercrime all point to the need for organizations to improve the way they authenticate users trying to access important data and applications. Passwords alone are no longer sufficient. Risk-based authentication solutions based on machine learning technologies offer much stronger protection by giving organizations the ability to quickly calculate risks and determine what security actions should be taken to protect sensitive assets.

