It has been proven repeatedly that passwords alone are a weak form of authentication. Two-factor authentication adds an element of complexity that makes it more secure, but also much less convenient. The solution may lie in risk-based authentication—an authentication mechanism that approaches the authentication process from a smarter angle.
Password best practices are a basic mantra of computer and network security. Although many ignore it, everyone knows they’re supposed to choose strong, complex passwords, and use different, unique passwords for each site and service. Ideally, that both prevents the password from being easily guessed or cracked, and provides additional assurance that even if a password is cracked it won’t allow an attacker to access all of your accounts.
Authentication boils down to something you are, something you have, or something you know. A password may seem like “something you have”, but it only exists in your mind so it’s really “something you know”. Because someone else can “know” it as well by guessing or cracking it the simple truth is a password alone is not a very good form of authentication. Secondary security questions like where you went to school, or the middle name of your oldest sibling are also tidbits of information that fall under “something you know”.
The idea of two-factor authentication is that in addition to “something you know”, you must also have one of the other elements. It might be a fingerprint or retina scan—both “something you are”, or it could be a PIN generated from an authentication device or a mobile app on your smartphone—two examples of “something you have”. Even if someone obtains your password, without your fingerprint, eyeball, authentication fob, or smartphone, they would be unable to authenticate as you.
The problem with two-factor authentication is that it adds complexity when logging in, and makes the authentication process much less convenient. If your two-factor authentication relies on a PIN from your smartphone, and you don’t have your smartphone on you, you may not be able to log in to your accounts. That additional security might get in the way of being able to use the thing you’re trying to protect.
That’s where risk-based authentication comes in. Risk-based authentication isn’t single or two-factor authentication necessarily. It is both and neither. Risk-based authentication assesses the interaction and generates a risk score. If it is a low-risk authentication, a simple password will do. If it is a medium-risk authentication, perhaps a fingerprint scan or PIN will be required. For a high-risk authentication, additional methods may be used to ensure the individual is truly the person they claim to be.
What are the risk factors? Risk-based authentication develops a profile of normal behavior—when do you normally log in? How often do you normally log in? From what platforms or devices do you normally log in? A login attempt on a Tuesday from your work desktop during normal business hours probably wouldn’t raise any red flags, but multiple failed attempts from an Internet café in Europe at 3am local time would be cause for suspicion, and risk-based authentication would require more thorough vetting to verify the identity of the person logging in.
Risk-based authentication applies a level of intelligence to the authentication transaction so that low-risk attempts remain convenient, while higher-risk authentication attempts provide the additional protection they deserve.