Risk-Based Authentication (RBA)


RapidIdentity MFA implements Risk-Based Authentication (RBA) during operating system and application access. This is in contrast to the RBA commonly deployed to secure online account access, such as on financial websites, where the user first enters a username and password; the RBA engine then determines whether a security risk exists and, if so, prompts the user to answer one or more previously selected security questions before granting access to protected account information. RapidIdentity MFA applies similar RBA logic to Windows or Shared Workstation logon, or to application access when combined with single sign-on (SSO).

How RBA works with RapidIdentity MFA

RBA includes a software token element made up of a number of factors, such as network information, user information, positive device identification (i.e. device forensics, user pattern analysis and user binding), user profiling, and high-risk challenge/response questions. The technology is generally considered one of the least secure methods of authentication, because the answers to the challenge questions are easy to obtain through social engineering; however, when implemented correctly, RBA can be as secure as some stronger forms of authentication. RBA is routinely deployed as a fallback method to another form of authentication, or as a primary method in deployments where budgetary constraints are the driving force.

RapidIdentity MFA manages the generation of the user-based software token and the associated user-based profiling. During enrollment, users select questions from a pool of 27 questions. The answers are then encrypted and stored in RapidIdentity MFA Server.

The common RBA workflow is as follows: the user logs on to Windows with a username and password; RapidIdentity MFA then assesses the level of risk associated with the logon event and locks the system if a risk is determined. The user must then either log on with a stronger form of authentication, such as fingerprint biometrics, or correctly answer one or more challenge questions. Once validated, the user is permitted access to the operating system or protected application.
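The following is an added illustration of that workflow, not RapidIdentity MFA code: enrollment of challenge answers, a risk score computed from the factor classes named above, and a step-up check that releases the lock. The factor weights, the lock threshold, the profile fields and the sample user are assumptions made for this example, and answers are stored as salted PBKDF2 hashes rather than in the encrypted form the page describes.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Enrollment: answers are normalised and stored as salted PBKDF2 hashes (assumption:
# the page says the server encrypts them; a one-way hash never needs decrypting).
def normalize(answer: str) -> str:
    return " ".join(answer.lower().split())

def enroll_answer(answer: str) -> tuple:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 200_000)

def verify_answer(answer: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

@dataclass
class Profile:
    known_devices: set   # device forensics / user binding
    known_networks: set  # network information
    usual_hours: range   # user pattern analysis
    questions: dict      # question -> (salt, digest)

def sample_profile() -> Profile:
    # Constructed enrollment record for one user; every value here is invented.
    return Profile({"ws-lab-07"}, {"10.20.0.0/16"}, range(7, 20),
                   {"first school": enroll_answer("Lincoln Elementary"),
                    "first car": enroll_answer("Honda Civic")})

# Risk assessment after a successful password logon. Weights and threshold are
# illustrative assumptions, not RapidIdentity's policy.
def risk_score(profile: Profile, event: dict) -> int:
    score = 0
    if event["device_id"] not in profile.known_devices:
        score += 40
    if event["network"] not in profile.known_networks:
        score += 30
    if event["hour"] not in profile.usual_hours:
        score += 20
    return score

def assess_logon(profile: Profile, event: dict, threshold: int = 50) -> str:
    """'allow' grants the session; 'lock' holds it until a step-up succeeds."""
    return "lock" if risk_score(profile, event) >= threshold else "allow"

def step_up_with_questions(profile: Profile, responses: dict, required: int = 2) -> bool:
    """Release the lock only when `required` challenge answers verify."""
    correct = sum(verify_answer(a, *profile.questions[q])
                  for q, a in responses.items() if q in profile.questions)
    return correct >= required
```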

