In Authentication, risk-based authentication is a non-static authentication system which takes into account the profile of the agent requesting access to the system to determine the risk profile associated with that transaction. The risk profile is then used to determine the complexity of the challenge. Higher risk profiles leads to stronger challenges, whereas a static username/password may suffice for lower-risk profiles. Risk-based implementation allows the application to challenge the user for additional credentials only when the risk level is appropriate.
- The system that computes the risk profile has to be diligently maintained and updated as new threats emerge. Improper configuration may lead to unauthorized access.
- The user's connection profile (e.g. IP Geolocation, connection type, keystroke dynamics, user behaviour) has to be detected and used to compute the risk profile. Lack of proper detection may lead to unauthorized access.