4.5.2 Why Risk-based Authentication

Risk-based authentication helps you achieve the following goals:

  • Reduce fraud and the risk of improper access

  • Enforce different levels of authentication depending on factors such as user activity, geolocation, and the calculated risk score

  • Improve the user experience. Users need to provide additional authentication details only when the calculated risk warrants it

  • Enforce access control in federated setups

Consider a scenario where a company named Company1 wants to protect its payroll application. Risk-based authentication enables Company1 to enforce the following rules:

  • Restrict access to its contractual employees.

  • Grant access to permanent employees during company business hours, between 9 a.m. and 5 p.m. After business hours, all employees must specify a one-time password in addition to their login credentials.

  • Grant special privileges to employees who work in the Finance department. For example, Company1 does not ask employees of the Finance department to specify a one-time password even if they log in after business hours.

  • Grant access to the Self-Service tool along with the payroll application when contractual employees log in from the intranet.

  • Determine actions based on the priority of rule conditions. For example, the type of employment is the most important criterion for granting access, followed by the location of the user, and then the time of the login attempt.

  • Grant access without any additional authentication if the user has successfully logged in within one month.

  • Restrict access when an employee tries to log in from a specific geographical location.

  • Grant or deny access based on the version of the web browser used for the login attempt.

  • Deny access to any login attempt that originates from a handheld device.
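The Company1 scenario above is, in effect, an ordered list of rule conditions that each map a login context to an outcome (grant, grant with a one-time password step-up, or deny). The following is an added example, not code from the product documentation, that implements such a first-match rule engine in Python and evaluates it against constructed login contexts. The page fixes only the relative priority of employment type, location, and time; the position of the device, geography, and browser rules ahead of them, the placeholder blocked country code `XX`, and the minimum browser versions are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, FrozenSet, List, Optional

# Possible outcomes of a policy decision
ALLOW = "allow"                    # login credentials alone are sufficient
ALLOW_WITH_OTP = "allow_with_otp"  # step-up: a one-time password is also required
DENY = "deny"

# Protected resources named in the scenario
PAYROLL = "payroll"
SELF_SERVICE = "self-service"

# Constructed values for this example; a real deployment configures its own
BLOCKED_COUNTRIES = frozenset({"XX"})              # placeholder country code
MIN_BROWSER_VERSION = {"Firefox": 100, "Chrome": 100}  # assumed minimum versions


@dataclass(frozen=True)
class LoginContext:
    employment: str               # "permanent" or "contract"
    department: str
    login_time: datetime
    on_intranet: bool
    country: str
    browser: str
    browser_version: int
    handheld: bool
    last_successful_login: Optional[datetime] = None


@dataclass(frozen=True)
class Decision:
    outcome: str
    rule: str                     # name of the rule that produced the decision
    resources: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[LoginContext], bool]
    outcome: str
    resources: FrozenSet[str] = frozenset({PAYROLL})


def during_business_hours(ctx: LoginContext) -> bool:
    # 9 a.m. up to, but not including, 5 p.m.
    return 9 <= ctx.login_time.hour < 17


def logged_in_within_a_month(ctx: LoginContext) -> bool:
    if ctx.last_successful_login is None:
        return False
    return ctx.login_time - ctx.last_successful_login <= timedelta(days=30)


def browser_too_old(ctx: LoginContext) -> bool:
    minimum = MIN_BROWSER_VERSION.get(ctx.browser)
    return minimum is not None and ctx.browser_version < minimum


# Rules are evaluated top to bottom; the first rule whose condition holds decides.
# Employment type outranks location, which outranks the time of the attempt.
RULES: List[Rule] = [
    Rule("handheld device", lambda c: c.handheld, DENY, frozenset()),
    Rule("blocked geography", lambda c: c.country in BLOCKED_COUNTRIES, DENY, frozenset()),
    Rule("outdated browser", browser_too_old, DENY, frozenset()),
    Rule("contract employee on intranet",
         lambda c: c.employment == "contract" and c.on_intranet,
         ALLOW, frozenset({PAYROLL, SELF_SERVICE})),
    Rule("contract employee off intranet", lambda c: c.employment == "contract", DENY, frozenset()),
    Rule("recent successful login", logged_in_within_a_month, ALLOW),
    Rule("finance department", lambda c: c.department == "Finance", ALLOW),
    Rule("business hours", during_business_hours, ALLOW),
    Rule("after hours step-up", lambda c: True, ALLOW_WITH_OTP),
]


def evaluate(ctx: LoginContext, rules: List[Rule] = RULES) -> Decision:
    """Return the decision of the first matching rule; deny if none matches."""
    for rule in rules:
        if rule.condition(ctx):
            return Decision(rule.outcome, rule.name, rule.resources)
    return Decision(DENY, "default deny")


def make_context(**overrides) -> LoginContext:
    """Build a constructed login context; keyword arguments override the defaults."""
    base = dict(employment="permanent", department="Engineering",
                login_time=datetime(2024, 1, 15, 12, 0), on_intranet=True,
                country="US", browser="Firefox", browser_version=120,
                handheld=False, last_successful_login=None)
    base.update(overrides)
    return LoginContext(**base)


if __name__ == "__main__":
    evening = datetime(2024, 1, 15, 20, 0)
    for label, ctx in [
        ("permanent, noon", make_context()),
        ("permanent, evening", make_context(login_time=evening)),
        ("finance, evening", make_context(login_time=evening, department="Finance")),
        ("contract, intranet", make_context(employment="contract")),
        ("handheld", make_context(handheld=True)),
    ]:
        d = evaluate(ctx)
        print(f"{label:22} -> {d.outcome:15} ({d.rule}) {sorted(d.resources)}")
```

Because evaluation stops at the first match, the order of the list is the policy: moving the "recent successful login" rule above the contract-employee rules, for instance, would let a contract employee outside the intranet in on the strength of a month-old session, which is why a practitioner reviews the rule order together with the conditions rather than each rule in isolation.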