Cyber threats are evolving, with increasingly more sophisticated attack tactics such as credential stuffing, phishing and malware intrusions. As threats become increasingly difficult to tackle, securing your digital assets will take much more than a simple username/password authentication.

According to Verizon’s 2024 DBIR, in 2023:

  • Credential theft was the leading cause (about 40 percent) of data breaches and was involved in a staggering 77 percent of web application attacks.
  • A non-malicious human element (phishing and errors) was a factor in 68 percent of the 10,000 data breaches in 2023.

Consequently, many businesses use multi-factor authentication (MFA) as added security. However, static MFA fails to adapt to each login’s risk level. This leads to unnecessary friction for low-risk users and missed threat prevention opportunities for higher-risk logins.

Let’s discuss seven practical examples of using risk-based authentication against modern threats and ways to implement it effectively in your organization.

Understanding risk-based authentication (RBA)

Also called adaptive authentication or risk-based MFA, RBA uses machine learning to assign a risk level to every authentication request. Depending on the perceived risk, it decides whether to prompt for additional authentication factors.

RBA assesses the user’s behavior along with several other factors including IP address, geographic location, device, network and login time to determine the risk score in real-time.

Depending on whether the calculated risk score is low or high, the user is either authenticated with only a username and password or is challenged for further authentication. If the additional authentication fails, access is denied.

A higher risk score implies a deviation from usual behavior. This could include requests from dubious IP addresses (such as Tor exit relays) and/or login attempts from new devices, unfamiliar locations or at unusual times.

Since RBA uses machine learning to process the risks, it learns from user behavior and security events, becoming more intelligent over time and assessing risks more accurately in different situations.

In a nutshell, RBA helps businesses reduce the risk of unauthorized access and meet security regulations without inconveniencing authentic users.

7 real-world examples of risk-based authentication in action

Let’s explore a few real-life examples where you can use RBA to secure your systems against potential threats:

#1 Credential theft

Picture this: A hacker located on another continent somehow got their hands on the credentials to one of your U.S. employee accounts. While the U.S. employee is logged in to their account during working hours, the attacker uses the stolen credentials to gain access at the same time but from halfway around the world.

RBA in action: The adaptive authentication system would see account access from two separate parts of the world as high-risk and increase the risk score. Even if accounts were accessed from two different locations a few hours apart, it is highly unlikely that the employee has moved to the opposite part of the world so quickly. This elevated risk score would then prompt the employee and the hacker to provide additional authentication, and the hacker would be denied access and blocked from accessing corporate apps.

#2 Insecure WiFi hotspots

Let’s say one of your employees is working remotely through a public WiFi network that other people are using too. An attacker is silently waiting for people to log in to their corporate networks and then executes a man-in-the-middle attack to capture their credentials. Static MFA rules automatically trust connections from certain geographic regions and might not flag these hotspots.

RBA in action: However, RBA would see it as an unfamiliar location or network and, depending on the network’s reputation, determine the risk score in real-time. If the score crosses the threshold, it will activate MFA and block the unwanted intruder.

#3 Phishing and device fingerprinting

Phishing, the second most used tactic for cyberattacks after stolen credentials, usually easily circumvents static MFA rules. For instance, consider a situation where a malicious actor succeeds in infiltrating your employee’s computer with malware through a phishing email. The malware would then use brute force to access your company’s network and try to access sensitive data and applications. The static MFA rules would not flag it as risky, as the malware uses the company’s network, failing to prevent the attack.

RBA in action: On the other hand, adaptive authentication would assign a higher risk score to this event. It would see the malware’s HTTP client as unfamiliar, tagging it as a new device fingerprint. Consequently, the malware will be prompted for MFA, but it will fail to authenticate as it’s just software and not a human who could pass the authentication, ultimately preventing the attack.

#4 Credential stuffing attacks

Imagine a hacker bombarding your system with several credentials they obtained from a popular website’s data breach, hoping to gain unauthorized access. Now suppose your employee uses the same credentials everywhere, including the ones present in the leaked data.

If the attacker is using a trusted network to execute the credential stuffing tactic, the static MFA system would consider the requests legitimate and allow them to bypass your safeguards.

RBA in action: The risk-based authentication system, on the other hand, would analyze these attempts in real time, considering other factors like login time, device used and login history. If an anomaly is found, the risk score would spike, and both the employee and the impostor would be challenged with MFA prompts, even if a trusted IP is involved. Thus, RBA stops the automated scripts in their tracks to protect your valuable data.

#5 The WFH employee

In this example, imagine an employee working from home and logging in from the same location, IP address and device daily for weeks on end. If static rules were used, they would force MFA for every login attempt, always treating it as high-risk and unreasonably burdening the employee. Although it’s not a security event, it would be flagged as one, cluttering your SIEM and compromising productivity, ultimately causing unnecessary disruptions and false positives.

RBA in action: Conversely, if RBA were at play, the system would gradually learn that this scenario is business as usual and assign a lower risk score to the event. This would allow the employee to log in with just a username and password, saving your SIEM systems from unnecessary alerts.

#6 App misconfiguration and vulnerability exploits

The 2024 Verizon DBIR reported that attacks exploiting system vulnerabilities have tripled from the previous year, and that’s something to worry about.

Imagine a cybercriminal finds a vulnerability in one of your apps due to a misconfiguration. By exploiting this flaw, they could bypass the authentication process altogether or generate inaccurate event logs, leaving a seemingly legitimate trail. Static MFA rules that rely on these logs would become ineffective and fail to detect the invasion.

RBA in action: RBA would analyze risk factors beyond just the logs to accurately determine threat likelihood. Its context-based authentication mechanism would raise the risk score, identifying the app misconfiguration and the resulting irregularities. This would trigger an MFA prompt to prevent the attacker from gaining unauthorized access.

#7 The IP address conundrum

Consider our last situation: an attacker tries to get into your network using your employee’s own device during office hours but from another region. They are using Tor to mask their actual location and gain access anonymously. The hacker knows the exact browser and OS used by your employee.

RBA in action: Since the login attempt is made from an unfamiliar IP address, country and device, RBA would label this event as high-risk and prompt the attacker for MFA. The attacker would fail and be denied access to network resources.

How you can implement RBA to protect against advanced threats

Let’s say your organization’s IT network is your digital kingdom, and your valuables are stored in a secure castle. To use the risk-based approach to secure your castle from pillage, you need a vigilant gatekeeper (a risk-based threat protection system) at every entrance. It must assess requests to access your castle in real-time and categorize them based on several risk factors, plus effectively learn who to trust and who to suspect as time passes (machine learning).

The new gatekeeper must also work alongside your kingdom’s existing security posture (such as single sign-on (SSO) and identity and access management (IAM) systems), analyzing risks at the point of entry and assigning them a risk level (low, medium or high) depending on the context. For instance, they would consider fire-breathing dragons as high-risk (ransomware attack), tunnel diggers as medium-risk (insider threats) and pesky archers as low-risk threats (unauthorized access to non-critical data).

Then, the wise general must create suitable security policies that trust no one (zero trust policy) to manage potential threats based on the risk values. The gatekeeper must then implement these policies vigorously and, depending on the risk level, ask for additional identification (2FA/MFA) to gain access or block their entry altogether.

In addition, the gatekeeper must work in a way that is least troublesome to regular visitors to the castle (genuine users). For instance, if a trusted advisor or vendor requests access, they would be quickly granted permission to enter by showing basic identification (password and known device/location).
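As an added example (not code from this article or from OneLogin’s platform), the scorer below turns the signals the seven scenarios rely on (impossible travel, new device fingerprint, Tor exit, unfamiliar country, off-hours login, credential-stuffing velocity) into a score and the low/medium/high outcome the gatekeeper section describes: password only, step-up MFA, or block. All weights, thresholds, the 900 km/h travel cutoff and the sample profile are constructed assumptions.

```python
# Added example, not the article's or OneLogin's code: a minimal RBA scorer.
# Weights, thresholds and the user baseline are constructed assumptions.
import math
from dataclasses import dataclass

@dataclass
class Profile:                 # per-user baseline learned from past successful logins
    devices: set               # known device fingerprints
    countries: set             # countries the user has logged in from before
    work_hours: range          # usual login hours (UTC)
    last_login: tuple = None   # (unix_ts, lat, lon) of the last good login, if any
@dataclass
class Attempt:                 # one authentication request as seen by the gatekeeper
    user: str
    ip: str
    country: str
    device: str                # device fingerprint (browser/OS/client traits)
    ts: int                    # unix timestamp of the attempt
    lat: float
    lon: float
    tor_exit: bool = False     # source IP appears on a Tor exit-relay list

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (haversine formula)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dl = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(a))

def risk_signals(a: Attempt, p: Profile, ip_user_counts: dict) -> dict:
    """Return every triggered signal with its weight. ip_user_counts maps a source IP
    to the number of distinct usernames it tried recently (credential stuffing)."""
    s = {}
    if a.tor_exit:                                  s["tor_exit"] = 40           # #7
    if a.device not in p.devices:                   s["new_device"] = 30         # #3
    if a.country not in p.countries:                s["new_country"] = 25        # #1, #2
    if (a.ts // 3600) % 24 not in p.work_hours:     s["off_hours"] = 15
    if p.last_login:                                                             # #1
        t0, la, lo = p.last_login
        hours = max((a.ts - t0) / 3600, 1 / 60)     # floor at one minute
        if km_between(la, lo, a.lat, a.lon) / hours > 900:   # faster than an airliner
            s["impossible_travel"] = 50
    if ip_user_counts.get(a.ip, 0) >= 20:           s["stuffing_velocity"] = 40  # #4
    return s

def decide(a: Attempt, p: Profile, ip_user_counts: dict) -> tuple:
    """Low risk: password only. Medium: step-up MFA. High: block outright."""
    score = sum(risk_signals(a, p, ip_user_counts).values())
    return ("deny" if score >= 80 else "mfa" if score >= 30 else "allow"), score
```

The WFH employee (scenario #5) scores zero and gets password-only access, while the same account attempted from another continent an hour later on an unknown device trips impossible travel, new device and new country together.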

Embrace adaptive authentication: The future of cybersecurity

While many businesses have robust authentication methods in place, they are insufficient to keep up with the ever-increasing sophistication of threats. Cybercriminals constantly refine their tactics, and you need to adapt your defenses to new forms of attacks just as quickly.

Traditional authentication methods, such as password protection or static MFA rules, can no longer prevent expensive data breaches executed using modern cyberattack tactics.

Get ahead of hackers with a cutting-edge, risk-based authentication strategy. It is the key to a comprehensive security posture, analyzing threats in real-time and intelligently applying security measures. It reinforces your network security with minimal trouble to legitimate users.

Don’t wait for a cyberattack to ruin your business. Explore RBA solutions to proactively implement a risk-based approach and fortify your digital kingdom today.

About the Author

Alicia Townsend

For almost 40 years, Alicia Townsend has been working with technology as both a consultant and a trainer. She has a passion for empowering others to use technology to make their lives easier. As Director of Content and Documentation at OneLogin, Ms. Townsend works with technical writers, trainers and content marketing writers to inspire and empower everyone to take advantage of what OneLogin’s platform has to offer them.
