# Balancing Security and Usability with Risk-Based Authentication

**Source:** [https://www.youtube.com/watch?v=n2eT3JRGAM4](https://www.youtube.com/watch?v=n2eT3JRGAM4)
**Duration:** 00:13:25

## Key Points

- Authentication relies on three factor types: something you know (password/PIN), something you have (a registered device like a mobile phone), and something you are (biometric traits such as fingerprint or facial recognition).
- Each factor has inherent vulnerabilities: passwords can be stolen or shared, devices can be lost or taken, and biometrics can be spoofed or matched to similar individuals.
- Security and usability exist on a continuum—overly strict authentication creates user friction, while overly lax controls leave systems exposed.
- Risk‑based authentication combines one or more of these factors with contextual risk signals (user behavior, device context, location, IP reputation, transaction sensitivity) to enable adaptive, fine‑grained multi‑factor security that balances protection with convenience.

## Sections

- [00:00:00](https://www.youtube.com/watch?v=n2eT3JRGAM4&t=0s) **Three Pillars of Authentication** - The speaker explains the three main authentication factors—something you know, something you have, and something you are—and highlights the inherent security risks of each.
- [00:03:08](https://www.youtube.com/watch?v=n2eT3JRGAM4&t=188s) **Risk vs Trust in Authentication** - The speaker explains that as risk rises, trust falls, and in risk‑based authentication this leads to either restricted access or additional verification steps depending on the risk level.
- [00:06:13](https://www.youtube.com/watch?v=n2eT3JRGAM4&t=373s) **Behavior‑Based Adaptive Authentication** - The speaker outlines how systems evaluate user behavior such as login timing, session duration, failed attempts, and device context to adjust trust levels and trigger additional identity verification.
- [00:09:17](https://www.youtube.com/watch?v=n2eT3JRGAM4&t=557s) **Risk-Based Authentication Decision Factors** - The speaker explains how factors such as impossible travel, IP reputation, and transaction sensitivity are evaluated to deny or grant access beyond simple credentials.
- [00:12:25](https://www.youtube.com/watch?v=n2eT3JRGAM4&t=745s) **Adaptive Risk‑Based Authentication Explained** - The speaker explains how incorporating behavior, device context, and transaction sensitivity enables adaptive (risk‑based) authentication that tailors security levels while reducing user friction.

## Full Transcript
Who are you?
And how do you prove it?
Especially if you're trying to do it at opposite ends of a wire.
Well, you can't just take your ID and hold it up to the computer screen
and expect that that's going to work. It won't.
So how do we prove who we are when we're on IT systems?
Well, that's the process of authentication.
And there are different ways that we do it.
One is based upon something you know.
Something you know might be a secret,
a password that only you know, or a PIN.
So something like that.
We also might do it based upon something you have.
So that is a specific device.
Very often these days, that would be your mobile phone
because most people aren't separated from those for very long.
So you have that specific device and we register in advance.
And then the other way is based upon something you are.
This is some physical characteristic of you.
Your face print, your fingerprint, your maybe voice print,
some sort of biometric.
Now these are the ways that we do authentication
based upon something you know, something you have, or something you are.
But each one of these has a certain amount
of risk associated with them.
In fact, something you know,
well, knowledge is something that can exist in actually two brains at the same time.
So if I steal your password, I might know it as well.
And therefore I could log in as you.
Your device, maybe I steal it from you.
Now you don't have it anymore.
And I authenticate as you, even though I'm not you.
So that has a weakness.
And biometrics also have weaknesses in that someone may have
similar physical characteristics and they may be similar enough.
Or maybe there's a way to fake out the biometric reader
and make it think that you're someone that you're actually not.
So in other words, all of these have inherent weaknesses,
but we're also looking at trying to make this authentication process
one where we're having to consider a continuum
between security on one end
and usability or convenience,
on the other end.
If we make it too secure,
in fact, we've locked it down to such a point
that there's a lot of friction introduced for the user,
and they're not going to be happy about that.
And the opposite end is,
if we make it so easy, in other words, like put no lock on the front door,
then anybody can walk in.
It's very usable, very accessible, very convenient.
But then there's no security.
So where is the right place along this continuum?
Well, in fact, what we're going to take a look at in this video is risk based authentication.
We're going to throw risk into the consideration.
And look at these factors which oftentimes we will use in combination.
For instance if I take something you know and something you have
or something you have and something you are
or something you know and something you are,
or all three of those.
We call that multi-factor authentication.
What if I consider not only these factors,
but some other things and create a risk-based calculation
that then lets me do more fine-grained authentication decisions?
That's what we're going to look at in this video.
Okay, let's take a look at this relationship between risk and trust.
It turns out that as risk increases,
Well, guess what?
Trust will decrease.
And conversely, the opposite happens.
If risk goes down, then our sense of trust should be increasing.
Now let's think about that when it comes to authentication
and specifically risk-based authentication.
So that means if I've got a very high risk
scenario based upon how I've judged it to be,
then I'm not going to trust it very much and I might limit some capabilities.
Let's take a look at an example of what that might be.
So let's say we're over here on this end of the spectrum
and we'll say it's a low risk situation.
So low risk, high trust.
Probably what we're going to say in that case is allow it.
They've logged in and what they were trying to do
wasn't really all that risky to begin with.
And the information they've given me gives me a lot of confidence and trust.
So we're going to allow it.
How about the next case?
Let's say we're in a medium case where we've got medium risk involved here.
Well now I have a couple of choices.
I could either limit what their access is
and say, okay, I sort of trust you.
I sort of don't.
So I'm going to only let you do these things, but not those things.
Or I might do something where I end up asking for additional factors.
So I'm going to look at other things, the context about the transaction.
I may also do something that would cause you to have to reauthenticate later.
So we could make a decision on either of those kinds of things.
And then finally, if we judge it to be a high risk situation, well, guess what?
We're probably just going to say no.
We're not going to allow that.
Although we'll look at a scenario where we might be able to,
maybe make some adjustments in that case.
Okay, let's take a look at what some of those risk factors would be.
What kinds of things would help us determine whether we can trust
this authentication, this proof of who a person is, or not?
Well, I've already talked about the basics,
and those are the things that you know, something you have, something you are.
And a lot of times, as I said, we use these in multiple combinations.
Multi-factor authentication.
So that's the basic stuff here, right?
Well, there's another one that actually fits into this as well.
That's kind of an unusual one,
it's called a behavioral biometric.
So we're looking at how a person actually
does something, not just the physical characteristic of what they look like.
But for instance, one of these might be the way you type in your password.
It turns out people type differently,
and they'll pause in a micro way on just one key versus another.
So if we profile that, then we could, with some degree of confidence,
say that we think it's you because the way you typed your password,
and the speed, the way you hesitated, all that matches.
That's a behavioral biometric that would fit into those authentication types.
How about some of the other things that we could consider here?
Well, other things in terms of the way the user, once they're on the system,
different kinds of behaviors may also factor into this.
So for instance, we may look at the times that you log in,
we may even have restrictions.
Like we know, for instance, your job is Monday through Friday, 9 to 5.
And if you're trying to log in on Saturday at 2 a.m.?
No. The answer is no.
I don't care if you've got all the rest of this right.
That still doesn't look right.
We could also look at duration,
the amount of time you spend on the system, typically,
and find out if that looks like it's out of sync.
You know, you're not normally on for this amount of time.
So we're either going to reauthenticate you and challenge you
to prove your identity again, or something along those lines.
Some other things that we could look at is failure cases.
So the number of failures that you've had.
You've logged in and you've been generally successful at doing this.
And now all of a sudden you can't seem to log in anymore.
You've had a large abnormal number of failed login attempts.
And therefore that is going to make us
feel this is a higher risk and we're going to have lower trust.
So what are some other things that we can consider?
How about a broader context for a particular transaction?
So we might for instance look at the device that you're using
and say okay, if you're using one type of device
then we're going to trust it more than another type of device,
or this is the type of device you normally use
and now you're using a different one.
So we think that might, in fact, infer that there's more risk in this.
We might also look not only at the type that I mentioned,
but we could also look at the configuration of the device.
So I might, for instance, say you should have
certain security software installed on your device.
And if you have that, I have more confidence than if you don't have that.
Another thing is to look if the device has been jailbroken.
So if there's been a jailbreak on the device, then I really can't trust it.
In other words,
someone has modified the operating system and therefore it could have malware.
It could have all kinds of things going on with it.
So if I see these kinds of things or the absence of those things,
it would give me more or less trust in that situation.
How about geographical location?
So if you normally log in from the US
and then suddenly you're logging in from the other side of the world,
then I'm going to say,
that really is not what we're expecting from you.
So your location in that case is wrong.
Now, if it turns out, though, let's say I normally log in from the US
and then I log in from Rome, then you might say that's wrong.
Unless I was supposed to be in Rome in the first place.
In which case logging in from the US would have been the incorrect case.
So sometimes you have to understand
the context as well, and it's not always static.
It could be, in fact dynamic.
And we need to be able to adjust for those kinds of situations.
Also look for what we call impossible travel.
That is, if I logged in from the US,
let's say New York, and then ten minutes later logged in from Beijing.
Not possible.
I can't be in both of those places.
That's an impossible travel case.
And therefore we want to deny access in that case.
Another one is IP reputation.
Yeah, internet protocol addresses,
your IP address has a reputation as well.
If we know that that IP address has normally been a place where a lot
of malware or hackers have attacked from, then we're going to say, you know what?
I don't care if you got all the rest of this stuff right.
It's really not worth it.
It's too high risk.
But if your IP address generally has been a good actor
on the internet, then I'm going to have more confidence in you.
And I'm going to allow this to go ahead through.
Some other things that we could look at would be transactions,
the kind of transaction that you're going to do.
So the type of transaction.
There are certain things, maybe you're checking your balance,
or maybe you're trying to do something that is of higher value.
So now in this case I'm going to consider
some graded trust that goes along with this.
The sensitivity of the transaction.
What kind of information am I trying to get out?
So as you look at this,
there's a lot of different factors that we could take into account.
And in fact, it's a lot more, you see,
than just something you have, something you are, and
something you know.
I could consider a lot of different things,
put all of these things into the soup, into the algorithm,
and then see what we come out with.
It's a way of creating greater trust by reducing risk.
Alright, let's take a look now at the relationship between risk and sensitivity.
Because these two kind of need to be considered together
when we're looking at a graded trust situation.
So for instance, if I start off with a case where I say risk is high
and the sensitivity of the transaction is high,
I'm probably going to deny that.
On the other hand, if I say risk is low
and the sensitivity is low,
I'm going to allow that to go through.
So those are the two extremes.
Now it gets a little dicier.
Let's say that the sensitivity is high but the risk is low.
Okay. As long as the risk is low,
I'm probably, in most cases, going to go ahead and allow that.
However, what about this case?
This is an outlier.
Now risk looks to be high and sensitivity is relatively low.
But because of that high risk I may say you know what I want to do.
Let's challenge you.
Let's do something we call a step-up authentication.
So you gave me something to prove who you are.
But I considered it to be still fairly high risk.
So maybe I'm going to go rechallenge you
and make you step up your authentication.
In other words, give me additional proofs that you didn't give initially.
So that's another type of option that I might do.
And you might decide different things based upon your policy and your tolerance for risk.
Not everyone has the same tolerance for risk.
But bottom line, as you see, this is a hard problem, authentication.
And it's why we can check things like something you know, something you have, and something you are.
And we can determine a certain amount from that.
But if I could add in these additional factors,
things like your behavior, when you're doing these things,
the context of the device, the transactions that you're trying to do
and their level of sensitivity,
I could take all of those things into account
and actually make a better decision.
It's a more complex decision.
But the beauty of this, this gives us risk based authentication.
It's adapting to the situation.
You may also hear the term adaptive access or adaptive authentication.
They're very similar in concept.
So with this I can now adapt my risk
to the level of authentication someone is given.
And that way we end up with what is hopefully
a more frictionless environment for the user
and a more secure situation for the organization.
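The decision logic the speaker walks through (risk signals feeding a score, the score mapped to a risk band, and the band combined with transaction sensitivity to pick allow, limit, step-up or deny) can be written down as a small policy engine. The block below is an added example written for this page, not code from the video. Every weight and threshold, the 1000 km/h "impossible travel" limit, the 9-to-5 work window, the reputation list and the sample logins are assumptions chosen for the demonstration; the IPs come from the RFC 5737 documentation ranges and the coordinates are rough city centres.

```python
"""Toy risk-based authentication engine (added illustration, not from the video).

Scores a login from the signals the talk lists, then combines the risk band
with transaction sensitivity the way the speaker's risk/sensitivity matrix does.
All weights, thresholds and sample data below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

BAD_REPUTATION_IPS = {"198.51.100.23"}   # constructed list; RFC 5737 documentation space
MAX_PLAUSIBLE_SPEED_KMH = 1000.0          # assumption: faster than an airliner is "impossible"


@dataclass
class Login:
    at: datetime               # timezone-aware timestamp of the attempt
    ip: str
    lat: float
    lon: float
    device_id: str
    jailbroken: bool = False
    recent_failures: int = 0
    sensitivity: str = "low"   # "low" (check a balance) or "high" (move money)


@dataclass
class Profile:
    known_devices: set
    work_days: tuple = (0, 1, 2, 3, 4)   # Monday..Friday
    work_hours: tuple = (9, 17)          # 9 to 5 in the timestamp's timezone
    last_login: Optional[Login] = None


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(prev: Login, cur: Login) -> bool:
    """True if getting from prev to cur would need an implausible speed."""
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.at - prev.at).total_seconds() / 3600
    if hours <= 0:
        return km > 0.0            # two different places at the same instant
    return km / hours > MAX_PLAUSIBLE_SPEED_KMH


def risk_score(login: Login, profile: Profile):
    """Return (score 0-100, reasons, hard_deny).

    hard_deny marks the two signals the talk says override everything else:
    a known-bad source IP and impossible travel.
    """
    start, end = profile.work_hours
    checks = [  # (triggered?, weight, reason, overrides everything else?)
        (login.ip in BAD_REPUTATION_IPS, 60, "bad IP reputation", True),
        (profile.last_login is not None and impossible_travel(profile.last_login, login),
         80, "impossible travel", True),
        (login.device_id not in profile.known_devices, 20, "unregistered device", False),
        (login.jailbroken, 30, "jailbroken device", False),
        (login.recent_failures >= 5, 25, "abnormal failed attempts", False),
        (login.at.weekday() not in profile.work_days or not (start <= login.at.hour < end),
         15, "outside usual login window", False),
    ]
    score, reasons, hard_deny = 0, [], False
    for hit, weight, reason, overriding in checks:
        if hit:
            score += weight
            reasons.append(reason)
            hard_deny = hard_deny or overriding
    return min(score, 100), reasons, hard_deny


def decide(login: Login, profile: Profile) -> str:
    """Map (risk band, transaction sensitivity) to allow / limit / step_up / deny."""
    score, _reasons, hard_deny = risk_score(login, profile)
    if hard_deny:
        return "deny"
    band = "high" if score >= 60 else "medium" if score >= 30 else "low"
    sensitive = login.sensitivity == "high"
    if band == "high":
        return "deny" if sensitive else "step_up"   # high risk, low sensitivity: re-challenge
    if band == "medium":
        return "step_up" if sensitive else "limit"  # partial access, or ask for another factor
    return "allow"


def demo_scenarios():
    """Constructed sample logins (not real data) run through decide()."""
    tue = datetime(2024, 6, 11, 10, 0, tzinfo=timezone.utc)   # a Tuesday, 10:00
    sat = datetime(2024, 6, 15, 2, 0, tzinfo=timezone.utc)    # a Saturday, 02:00
    nyc, beijing = (40.71, -74.01), (39.91, 116.40)
    usual = Login(tue - timedelta(days=1), "203.0.113.5", *nyc, "laptop-1")
    profile = Profile(known_devices={"laptop-1"}, last_login=usual)
    cases = {
        "routine": Login(tue, "203.0.113.5", *nyc, "laptop-1"),
        "impossible_travel": Login(usual.at + timedelta(minutes=10), "203.0.113.9", *beijing, "laptop-1"),
        "bad_ip": Login(tue, "198.51.100.23", *nyc, "laptop-1"),
        "new_device_weekend": Login(sat, "203.0.113.5", *nyc, "phone-7"),
        "new_device_weekend_sensitive": Login(sat, "203.0.113.5", *nyc, "phone-7", sensitivity="high"),
        "jailbroken_failures": Login(tue, "203.0.113.5", *nyc, "phone-7", jailbroken=True, recent_failures=6),
        "jailbroken_failures_sensitive": Login(tue, "203.0.113.5", *nyc, "phone-7", jailbroken=True,
                                               recent_failures=6, sensitivity="high"),
    }
    return {name: decide(login, profile) for name, login in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo_scenarios().items():
        print(f"{name:32} -> {outcome}")
```

Running it prints one line per scenario: the routine login is allowed; the New York to Beijing login ten minutes later and the login from the listed bad IP are denied outright regardless of the other signals; a new device at 2 a.m. on Saturday lands in the medium band and is limited for a low-sensitivity action but stepped up for a high-sensitivity one; and a jailbroken, unregistered device with a run of failed attempts lands in the high band, which is stepped up for a low-sensitivity action and denied for a high-sensitivity one. The separate hard_deny flag is what keeps "I don't care if you got all the rest of this right" from being outvoted by a pile of low-weight positives.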