The Top 10 Risk-Based Authentication (RBA) Solutions

Duo provides zero-trust MFA and SSO that enables employees to access their accounts securely, while only having to verify their identity at the beginning of their session. Duo’s MFA supports authentication via traditional tokens and passcodes, as well as push notifications, U2F USB devices, and integration with biometric scanners built into user devices. Duo also offers granular management functionality: from one intuitive console, admins can configure risk-based, adaptive authentication policies at a user group and application level, based on user location, device and role – among other factors. Duo then checks these security policies for anomalous access attempts in order to securely enable or block logins across all managed and unmanaged devices.

Finally, Duo’s inbuilt Endpoint Remediation automatically blocks access to corporate applications if a user’s device is running an outdated software version, which protects business data against vulnerability exploits. Duo is deployed in the cloud and integrates natively with existing applications, making it easy to roll out and flexible to scale up with your organization. The Duo interface is easy to use from both an end-user and administrative perspective, making it popular amongst both employees and security technicians. We recommend Duo as a strong solution for organizations of any size looking to implement RBA with integrated SSO.

IBM Security Verify Access supports user authentication via one-time passwords, email verification and knowledge-based questions, as well as enabling passwordless SSO for accessing work applications such as Office 365 via a biometric fingerprint scan. Verify Access’ SSO is available across both desktop and mobile devices, removing the need for multiple logins to enable maximum productivity. Using the risk-scoring engine in the management console, admins can configure risk-based authentication policies to challenge anomalous login attempts. The risk-scoring engine analyzes each user’s login patterns, including information about their mobile devices and regular session activity, without interfering with their sessions, in order to accurately detect and challenge unusual login attempts.

Verify Access also comes with a companion app for mobile MFA that ensures all logins from a mobile device are verified and secure. Admins can configure policies to allow, challenge or deny mobile login attempts based on geolocation, IP address reputation and application data. This feature is particularly useful for companies with a high number of remote or BYOD workers. Customers praise IBM’s regular product updates and the numerous deployment options for Verify Access, which deploys on-prem, in a virtual or hardware appliance, or in a Docker container. We recommend Verify Access as a strong RBA solution for mid-market to enterprise organizations with a large percentage of mobile devices in their fleet.

iProov leverages powerful artificial intelligence and machine learning algorithms to compare users’ face and palm scans to a securely stored baseline image. The use of AI means that attackers are presented with a dynamic, evolving target that’s much more difficult to crack than a traditional password. iProov delivers an omnichannel authentication experience across all devices and platforms. The authentication process itself is quick and easy from the user’s perspective, while proving security teams with assurance that the person attempting the login is a genuine user. Via the iPortal feature, admins have complete visibility into user administration, provisioning and integration information. They can also generate reports into usage and performance, which include success rates and breakdowns of any errors in performance.

iProov’s authentication solutions are cloud-based, allowing for enterprise-grade scalability. iProov Face Verifier is a strong risk-based authentication solution for larger organizations looking for secure biometric verification. However, it’s important to note that, in order to use iProov’s solution, you must have a readily available photograph of each of your employees to use as a single source of truth or baseline for the authentication. These images must be accessible to the authentication system, so that they can be used to enrol employees when they first try to authenticate. Each employee must also have a device with a front-facing camera – be that BYOD or corporate-issued.

Kount Control uses its patented AI-driven technology to analyze user login behavior based on device status, IP address reputation, geolocation and mobile and proxy indicators, among others. Using this data, Kount detects anomalous access attempts that could be the result of bots, credential stuffing and brute force attacks. In the case of a high-risk login, the system challenges the user and requires them to verify their identity via a further authentication method. Admins can configure at what risk level the system should require further verification from each user, and these policies can be set at a user or user group level based on common characteristics identified by Kount. In addition to policy configuration, admins can access real-time reports that provide insights into login trends, including device and IP information. This makes it easier for security teams to identify and investigate login anomalies.

Kount Control is deployed as a cloud service, is easy to roll out and has the capability to scale with your business. In 2018, Kount partnered with BehavioSec to integrate Control with BehavioSense, a passive biometric analysis tool that monitors patterns in how a user interacts with their device, e.g. through keystroke dynamics and mouse motion. This integration makes Kount Control particularly strong in protecting against bots. Overall, we recommend Kount Control as a strong RBA solution for mid-market to larger enterprises that need to secure users’ account access and are looking for detailed reporting capabilities.

LastPass MFA combines contextual intelligence such as geolocation and IP reputation, with biometric intelligence, in order to analyze a user’s risk score and verify their identity. The LastPass authenticator app enables authentication via push notification without the need to enter an OTP, confirming the user’s identity at the same time and verifying that the login attempt is coming from a trusted device. All biometric data associated with user accounts is encrypted at the device level to ensure that it remains secure. From the centralized management console, admins can configure extensive authentication policies and monitor user access at an organizational, group and user level.

LastPass focuses on creating a seamless login experience for its users, so the solution is compatible with all web browsers and on any device. Additionally, from an administrative perspective, LastPass MFA is simple to deploy and integrates easily with Microsoft AD and Azure AD to automate and speed up user provisioning. We recommend LastPass MFA as a strong risk-based authentication solution, particularly for organizations looking for integrated SSO and those who are also considering adding a password manager to their access security stack.

Okta Adaptive Multi-Factor Authentication uses contextual factors such as device trust and geolocation to create a risk score for attempted logins before prompting users to further verify their identity. The platform supports secondary authentication via mobile app push notifications and biometrics, as well as more traditional methods, including security questions and OTPs sent via SMS, phone call and email. From the admin console, security teams can configure access policies, including role-based access, and generate a range of off-the-shelf and custom reports, including real-time system logs and application-specific access reports. The high level of customization here gives organizations key insights into login trends across the company, in order to continually improve their access policies.

Okta Adaptive Multi-Factor Authentication deploys in the cloud, making it flexible, scalable, and quick to roll out. The platform features enterprise-grade, granular configurations, but also manages to maintain its intuitive, user-friendly interface. We recommend Okta Adaptive Multi-Factor Authentication to mid-market organizations and larger enterprises looking for secure RBA with detailed report and policy customization options.

OneLogin’s SmartFactor Authentication leverages their Vigilance AI risk score technology to adjust authentication requirements in real-time based on the risk level associated with the context of each login attempt. The engine calculates risk scores based on user location, device security and user behavior, in order to determine the most appropriate action for each login: to allow, deny or challenge the login by requesting up to two more levels of further verification. SmartFactor Authentication supports SMS, email and voice OTPs, security questions, push notifications via the OneLogin Protect app, and biometrics. Admins have full control over which authentication methods are used and when, and can create user or application policies that completely deny access in certain circumstances.

In addition to the solution’s core MFA features, SmartFactor Authentication encourages users to create stronger passwords with its Compromised Credential Check feature. This feature compares newly created passwords against a database of credentials that are known to have been compromised in large-scale attacks, to prevent the use of stolen passwords. Overall, we recommend OneLogin SmartFactor Authentication as a robust risk-based authentication solution for any mid-market organizations looking to protect their corporate accounts against credential theft.

PingOne Risk Management uses UEBA machine learning models and AI to learn each user’s login behavior, analyzing risk predictors such as device type, operating system, browser version, date and time in real-time to distinguish between normal user login behavior and anomalous login attempts. The security team can give each predictor a weighting and implement effective, intelligent authentication policies that enable the system to grant, deny, or challenge access based on a risk score calculated using the combined predictor ratings. Admins can configure different policies for different use cases, depending on the business needs, and implement varying levels of authentication across the organization so that only the right users can access certain resources. Admins can also generate reports into authentication patterns, and what and where the most common risk factors are, in order to more effectively remediate potential threats.

PingOne Risk Management is delivered as a cloud-based service, and provides an Identity-as-a-Service (IaaS) model as well as a software-based solution (SaaS). Deployment is simplified further by the platform’s easy integration with APIs and SDKs to streamline the onboarding process and automate integrations with existing infrastructure and applications. We recommend PingOne as a strong risk-based MFA solution for larger organizations that require in-depth reporting for visibility and compliance, and the ability to configure their own adaptive authentication policies.

RSA Adaptive Authentication’s risk engine uses machine learning algorithms to analyze over 100 risk indicators, including payment activity, geolocation and cross-channel intelligence, to ensure that only genuine users are accessing corporate assets. The platform supports secondary authentication via SMS OTPs, biometrics, mobile push notifications and tokens. From the central management portal, admins can configure which methods of authentication should be used at both a user and application level. Additionally, customers can feed information into RSA’s eFraudNetwork, an ecosystem database of known and attempted fraud, meaning that all RSA-supported organizations benefit from one another’s threat knowledge and investments in anti-fraud tools.

RSA Adaptive Authentication can deploy on-prem or in the cloud. The solution comes with extremely granular configuration options, which smaller and mid-market organizations may not have the resources to set up effectively. Once configured, the solution provides a very high level of security. We recommend RSA Adaptive Authentication as a strong RBA solution for larger enterprises, especially those that are particularly concerned with meeting data privacy compliance regulations.

SecureAuth’s Identity Platform utilizes artificial intelligence to produce a risk score for login attempts based on contextual information, such as device health, location, IP reputation and user behavior. If the risk associated with a login attempt is too high, SecureAuth will request further verification from the user. The platform supports almost 30 different authentication methods, including OTPs, mobile push notifications and OTPs, to ensure that organizations have the capacity to verify all of their employees, no matter what device they’re working on. Users have the ability to self-serve their own enrolment, password resets and platform updates, simplifying the deployment process. From the central management console, admins can configure authentication policies and generate reports into account usage and login activity. These policies can be created from scratch, or admins can choose from SecureAuth’s library of editable templates for faster, simplified security.

SecureAuth’s Identity Platform can be deployed in the cloud, on-premise or as a hybrid combination of the two, making it one of the most flexible solution in this guide in terms of set up. Additionally, the platform is built in line with open standards, and offers full API integration with your existing infrastructure. We recommend SecureAuth as a strong solution for any sized organization looking for a comprehensive RBA platform with easy-to-use configurations and a focus on self-service security.