Chapter 6

Risk-Based Authentication: Tutorial & Best Practices

May 8, 2023

User authentication is the process of verifying a user’s identity to make sure they are who they claim to be. Before an organization can enforce role-based access controls (RBAC), it needs to authenticate the user so that it can apply for the appropriate access permissions based on the user’s role. One of the common challenges in authentication systems is balancing security and convenience. Overly complex authentication systems harm the user experience, while systems optimized for convenient access may offer inadequate protection. Risk-based authentication addresses this challenge by tailoring the process to the user’s behavior.

For example, users logging in from a known device and location may be presented with a straightforward password authentication experience. However, users demonstrating high-risk behavior — such as logging in from an unusual location or at an odd time — undergo a more stringent authentication process.

Risk-Based Authentication (RBA) is a valuable complement to single sign-on (SSO) services and zero-trust architecture (ZTA). A zero-trust architecture ensures that every session is authenticated, authorized, and encrypted. A single sign-on system allows users to use the same authentication mechanism for a variety of service, creating an easier experience for the user while avoiding the security hazards of credential reuse. Risk-Based Authenticaiton can enable the SSO service to vary the authentication requirements based on perceived risk.

This article explores risk-based authentication in detail and discusses six best practices.

What is Risk-Based Authentication?

A risk-based authentication system uses real-time intelligence to assess the context behind every user login. Based on the user’s behavior, the system determines if the user should log in by a standard mechanism or provide additional identity evidence. Authentication mechanisms escalate if one of two criteria are met:

  1. The user requests access to sensitive systems or information
  2. User behavior may be considered suspect and  a greater threat to the organization

For example, repeated login attempts or edit access requests to classified data can escalate the risk-authentication mechanism based on the risk score. An organization may define the following policies:

  • A user may not be prompted to authenticate at all if the request is from a known device, known address, known user, and at the right time.
  • A user is prompted for basic credentials — such as a time-based one-time password (TOTP) — if the time of access is unusual, but it's still a known device and address.
  • The user may be asked to use multifactor authentication (MFA) — e.g., both a TOTP and a password — if the risk score is even higher.
  • The user may be denied access if the access request is considered high risk.

Summary of Risk-Based Authentication Best Practices

A risk-based authentication system benefits the organization and its users if implemented correctly. Consider the following best practices:

Best Practice Description
Perform a risk assessment Identify high-risk activities that require stricter authentication.
Consider a range of risk indicators Develop a library of risk indicators to identify the most likely security risks, such as malware, lost/stolen devices, and compromised accounts.
Select strong authentication mechanisms Use MFA mechanisms known to offer strong authentication and eliminate weaker ones when possible (e.g., SMS authentication codes).
Apply the principle of least privilege Risk-based authentication manages access to accounts, and applying the principle of least privilege manages the risks associated with these accounts.
Integrate with security architecture Integrate Risk Based Authentication (RBA) into the security architecture to take advantage of data sources, generate alerts, and execute response actions based on the suspicion of access attempts.
Monitor and test Perform ongoing monitoring and testing to ensure that risk indicators accurately identify high-risk activities and situations.

Perform a Risk Assessment

Determining whether a user is requesting a high-risk action requires an understanding of the relative risk that various actions pose to the organization and its users. You can perform a preliminary assessment that classifies various potential actions based on relative risk levels. You can then define appropriate authentication mechanisms for each. For example:

Action Risk level Authentication
User requests full access to sensitive records from an unknown device or unexpected location High Deny
User requests read-only access to non-sensitive records Low Password
User requests read-only access to sensitive data Moderate Multi-factor authentication
User requests write access to sensitive data High Multi-factor authentication + admin user approval

Consider a Range of Risk Indicators

You should identify risk indicators that indicate the various ways in which a compromised user account may behave. For example:

  • Unusual login time
  • Unusual login location
  • Login attempt from an unknown device or browser
  • Several failed login attempts within a short time
Optm logo
Next-Gen Cybersecurity Mesh VPN
Learn More
Enable secure point-to-point encryption and authentication across your organization
Easily configure, deploy, and manage your zero trust mesh security from a single portal
100% cloud-hosted, fault tolerant, and highly scalable - no need to purchase hardware
Learn More

However, it's important to note that common risk indicators don't work in every scenario. For example, if an organization has staff that travel to client locations and have a 24-hour on-call roster, unusual time or location indicators could generate numerous false alarms. You have to choose the ones most appropriate for your organization’s processes.

In addition to checking for unusual logins, you can verify that a device is up-to-date, securely configured, employer-managed, and running the corporate antivirus software. If a device fails these checks, there is a higher probability that the user is not authentic.

Select Strong Authentication Mechanisms

When developing a risk-based authentication system, an organization should consider the strengths and weaknesses of various types. Keep the following factors in mind.

Factor Strength

Passwords can provide weak authentication due to the risk of weak, reused, and breached passwords. Similarly, SMS-based one-time passwords (OTPs) are a form of multifactor authentication (MFA) that has been considered insecure since an incident in 2017 when O2 Telefonica fell victim of an attack resulting in many bank accounts being emptied by fraudsters who hacked O2’s cell phone signaling system. Instead, organizations should consider more robust alternatives, such as

  • Biometric authentication
  • Passkey authentication
  • OTPs generated by authenticator apps
  • Physical security tokens

Often, these strong factors incorporate multiple forms of authentication. For example, passkeys, OTPs, and tokens are often protected by biometric authentication on mobile devices or hardware fobs.

Probability of Loss

“Something you have” factors such as authenticator apps and physical security tokens offer stronger security than “something you know” factors, such as passwords or PINs. However, physical factors such as an RSA SecruID device can be lost or stolen.


If a password is exposed in a data breach, it’s possible to change the password and lock an attacker out of the compromised account. However, other authentication factors – such as biometrics – can’t be so easily changed if the data used for authentication is leaked.

When weighing the pros and cons of various authentication factors, it’s best to focus on the most likely threats an organization and its users face. Passwords may be more easily replaceable, but they offer weak security and a high risk of breach. On the other hand, biometrics and physical security tokens may not be replaceable if breached, but they offer much stronger authentication under normal circumstances. The theft risk of a physical asset or copying someone’s fingerprints is much lower.

Support with the Principle of Least Privilege

Strong risk-based authentication is the first step towards effective access management. After verifying a user’s identity, you also have to tailor their access. A least-privilege access control policy is the cornerstone of zero-trust security.

With least privilege access you:

  1. Only grant users the permissions and access to the resources they need for their role
  2. Evaluate access requests on a case-by-case basis

Least privilege and risk-based authentication are complementary solutions. Risk-based authentication ensures that the company knows who a user is while maximizing user convenience where sensible, and least privilege access limits the potential damage an authenticated user can cause to the organization.

Integrate with Security Architecture

Once you identify potentially compromised accounts, you may have to take additional steps to remediate the potential risk to the company. You can integrate risk-based authentication systems with your organization’s security architecture to implement threat management and response.

Monitor and Test

You must refine your risk-based authentication system as business and security needs evolve. For example, an organization may:

  • Identify and fine-tune scoring factors that routinely generate false positives
  • Update the risk-based authentication parameters after an application update introduces new functionality
  • Include new IT assets under the existing authentication system.

Your risk-based authentication system should undergo regular monitoring and testing to ensure that it is accurately identifying high-risk situations. You should also test integrations between the authentication system and the security architecture to validate that identified risks are appropriately managed.


Risk-based authentication is a valuable component of a zero-trust authentication system. It provides a solution to the common challenges between authentication usability and security. Under normal circumstances, users undergo a simpler authentication process. But when the user or the requested action poses a greater risk to the company, the user requires enhanced authentication.

When designing and implementing a risk-based authentication system, following certain best practices – such as comprehensive risk assessments and strong authentication factors – improves security without compromising the user experience.

Optm logo
Next-Gen Cybersecurity Mesh VPN
Learn More
Traditional VPN
Multiple consoles 
Centralized administration 
VPN links using outdated algorithms
Multiple consoles 
Breach containment
Attackers free once inside
Every session is authenticated
Total cost of ownership
Individual deployed hardware units
No capital expenditure and scalable
Learn More
Optm logo
Next-Gen Cybersecurity Mesh VPN
Learn More
Enable secure point-to-point encryption and authentication across your organization
Easily configure, deploy, and manage your zero trust mesh security from a single portal
100% cloud-hosted, fault tolerant, and highly scalable – no need to purchase costly hardware
Learn More
Subscribe to our LinkedIn Newsletter to receive more educational content
Subscribe now
Subscribe to our Linkedin Newsletter to receive more educational content
Subscribe now