Risk Based Access and Multi-factor Authentication

Overview of risk-based access

Data breaches, Identity theft, Online fraud becoming more common every day. Millions of passwords are stolen or phished each year. In this environment, it is clear that there is a need for something more than just password-based protection for employee, partner and customer access to valuable online resources.

miniOrange Fraud prevention is a non-static authentication system which takes into account the profile of the agent requesting access to the system to determine the risk profile associated with that transaction. The risk profile is then used to determine the complexity of the challenge. Higher risk profiles lead to stronger challenges, whereas a static username/password may suffice for lower-risk profiles. The risk-based implementation allows the application to challenge the user for additional credentials only when the risk level is appropriate.

Fraud prevention works by developing a risk score based on the following contextual elements:

• IP Address
• Device
• Location
• Time of access
• User behavior

For example, if the user logged in ten minutes ago from Canada and is now trying to log in from China, it’s definitely considered a higher risk transaction. miniOrange Fraud prevention can be used to reduce fraud and protect users from internet attacks whether they are shopping online, or accessing confidential or private information using application. The following diagram shows miniOrange Fraud Prevention setup:

You can assess the potential risk of a particular login attempt before authenticating the user and then mitigate the risk if required. The calculated risk score is then fed into your policies to decide whether to authorize the current activity, request step-up authentication and/or send an alert or block the activity. This provides your organization with a transparent layer of protection against identity theft, data breaches, and fraud.

This risk score is then evaluated against defined risk levels. You can define the risk levels based on the sensitivity of the information. After the risk level is identified, the authentication mechanism is selected and the user is authenticated. In cases of high risk, the user is either denied access or is required to go through additional authentication methods. Inputs/risk factors are used to estimate the security risk value associated with each access request. The final risk value is then compared with risk policies to make the access decision.