Risk-based authentication (RBA) solutions, also known as adaptive authentication, increase the level of verification required for a user to log in to an account, application or system, depending on the context of the login. RBA tools calculate a risk score for each login attempt in real time based on contextual factors such as login time, IP address, geolocation and device type. The higher the risk score, the more likely the login attempt is fraudulent; thus, more levels of verification are required.
80% of all hacking incidents involve the use of stolen credentials (Verizon), so it’s crucial that you implement further security to ensure that bad actors can’t access your company’s most sensitive data, even if they do crack an employee’s password. RBA is a cost-effective solution to the threat of credential theft, and authentication solutions are generally easy to deploy, configure and maintain. This makes them ideal not only for enterprises that may need to onboard large numbers of employees at once, but also SMBs that often don’t have the resources to implement expensive or complex security solutions.
RBA solutions combine multiple authentication methods to prevent fraudulent account access, and they weave these methods into a seamless login experience that causes as little disruption to the user as possible. For example, a user may attempt to sign in using their credentials, then be prompted to enter a one-time-passcode generated by their authenticator app. To enter that code, they must unlock their smartphone with a PIN or fingerprint scan.
This common workflow verifies the user via the three main types of authentication (something they know, have and are), whilst confirming that the login attempt is coming from a genuine user, in real time, using a trusted device. When investing in an RBA solution, it’s important that you choose the method of authentication that is the most compatible with your employees (e.g. do they all have smartphones?), and provides the best protection against the threats that they’re facing.
In this article, we’ll explore the top ten risk-based authentication solutions designed to secure your company’s data against credential theft. We’ll look at features such as supported authentication methods, integrated single sign-on (SSO), policy configuration, management and reporting. We’ll also give you some background information on the provider, as well as the type of customer that each solution is most suitable for.
The Top Risk-Based Authentication (RBA) Solutions include:
- Duo Security | IBM | iProov | Kount | LastPass | Okta | OneLogin | Ping Identity | RSA | SecureAuth
Simple, powerful RBA with granular policy configuration, integrated SSO and in-built device management capabilities to protect corporate assets from vulnerability exploits as well as credential theft
Acquired by Cisco in 2018, Duo is a simple yet powerful access management solution that secures access to corporate applications, systems and networks for any user, using any device, in any location. Duo offers MFA and SSO, while from its central management console admins can configure access policies and generate reports into account usage and risk management across the protected device fleet. These features are delivered across five plans, from a free version for smaller teams through to a comprehensive enterprise-grade plan for larger organizations. Duo also offers a FedRAMP, FIPS-capable version tailored specifically to the security and compliance needs of federal and public sector organizations.
Duo provides zero-trust MFA and SSO that enables employees to access their accounts securely, while only having to verify their identity at the beginning of their session. Duo’s MFA supports authentication via traditional tokens and passcodes, as well as push notifications, U2F USB devices, and integration with biometric scanners built into user devices. Duo also offers granular management functionality: from one intuitive console, admins can configure risk-based, adaptive authentication policies at a user group and application level, based on user location, device and role – among other factors. Duo then checks these security policies for anomalous access attempts in order to securely enable or block logins across all managed and unmanaged devices.
Finally, Duo’s inbuilt Endpoint Remediation automatically blocks access to corporate applications if a user’s device is running an outdated software version, which protects business data against vulnerability exploits. Duo is deployed in the cloud and integrates natively with existing applications, making it easy to roll out and flexible to scale up with your organization. The Duo interface is easy to use from both an end-user and administrative perspective, making it popular amongst both employees and security technicians. We recommend Duo as a strong solution for organizations of any size looking to implement RBA with integrated SSO.
IBM Security Verify Access
Enterprise-grade risk-based access that supports traditional authentication methods as well as biometrics, with an app for mobile MFA and seamless SSO for both desktops and mobile devices
IBM Security is a well-established cybersecurity vendor that offers solutions for IT infrastructure and management, software development, and analytics. Verify Access, formerly Access Manager, is IBM’s access management and user authentication solution. Verify Access secures user logins to all cloud, on-premises and mobile applications via a comprehensive combination of MFA, SSO, identity analytics and administrative management and control features.
IBM Security Verify Access supports user authentication via one-time passwords, email verification and knowledge-based questions, as well as enabling passwordless SSO for accessing work applications such as Office 365 via a biometric fingerprint scan. Verify Access’ SSO is available across both desktop and mobile devices, removing the need for multiple logins to enable maximum productivity. Using the risk-scoring engine in the management console, admins can configure risk-based authentication policies to challenge anomalous login attempts. The risk-scoring engine analyzes each user’s login patterns, including information about their mobile devices and regular session activity, without interfering with their sessions, in order to accurately detect and challenge unusual login attempts.
Verify Access also comes with a companion app for mobile MFA that ensures all logins from a mobile device are verified and secure. Admins can configure policies to allow, challenge or deny mobile login attempts based on geolocation, IP address reputation and application data. This feature is particularly useful for companies with a high number of remote or BYOD workers. Customers praise IBM’s regular product updates and the numerous deployment options for Verify Access, which deploys on-prem, in a virtual or hardware appliance, or in a Docker container. We recommend Verify Access as a strong RBA solution for mid-market to enterprise organizations with a large percentage of mobile devices in their fleet.
iProov Face Verifier and Palm Verifier
Sophisticated face and palm verification that utilizes iProov’s own patented technology to securely authenticate users and customers
iProov is an innovative cybersecurity vendor that specializes in biometric verification solutions that can be used as standalone products or as part of a multi-factor authentication process. iProov Face Verifier and Palm Verifier use iProov’s patented Genuine Presence Assurance technology to confirm that login attempts are coming from the right person, a real person, and in real time. iProov is particularly popular among finance and government organizations.
iProov leverages powerful artificial intelligence and machine learning algorithms to compare users’ face and palm scans to a securely stored baseline image. The use of AI means that attackers are presented with a dynamic, evolving target that’s much more difficult to crack than a traditional password. iProov delivers an omnichannel authentication experience across all devices and platforms. The authentication process itself is quick and easy from the user’s perspective, while proving security teams with assurance that the person attempting the login is a genuine user. Via the iPortal feature, admins have complete visibility into user administration, provisioning and integration information. They can also generate reports into usage and performance, which include success rates and breakdowns of any errors in performance.
iProov’s authentication solutions are cloud-based, allowing for enterprise-grade scalability. iProov Face Verifier is a strong risk-based authentication solution for larger organizations looking for secure biometric verification. However, it’s important to note that, in order to use iProov’s solution, you must have a readily available photograph of each of your employees to use as a single source of truth or baseline for the authentication. These images must be accessible to the authentication system, so that they can be used to enrol employees when they first try to authenticate. Each employee must also have a device with a front-facing camera – be that BYOD or corporate-issued.
Powerful, AI-driven RBA with in-depth reporting and integrated passive biometric analysis for accurate risk detection at a per-user level
Kount is a market leader in providing fraud prevention and account security solutions for digital businesses. Particularly popular in the finance and banking industry, Kount’s patented AI and machine learning models enable them to protect over 9,000 organizations around the world. Kount Control is Kount’s solution to account takeover and credential theft, which protects corporate data against malicious logins. To do this, Kount Control combines adaptive authentication, granular policy customization and robust reporting functionality.
Kount Control uses its patented AI-driven technology to analyze user login behavior based on device status, IP address reputation, geolocation and mobile and proxy indicators, among others. Using this data, Kount detects anomalous access attempts that could be the result of bots, credential stuffing and brute force attacks. In the case of a high-risk login, the system challenges the user and requires them to verify their identity via a further authentication method. Admins can configure at what risk level the system should require further verification from each user, and these policies can be set at a user or user group level based on common characteristics identified by Kount. In addition to policy configuration, admins can access real-time reports that provide insights into login trends, including device and IP information. This makes it easier for security teams to identify and investigate login anomalies.
Kount Control is deployed as a cloud service, is easy to roll out and has the capability to scale with your business. In 2018, Kount partnered with BehavioSec to integrate Control with BehavioSense, a passive biometric analysis tool that monitors patterns in how a user interacts with their device, e.g. through keystroke dynamics and mouse motion. This integration makes Kount Control particularly strong in protecting against bots. Overall, we recommend Kount Control as a strong RBA solution for mid-market to larger enterprises that need to secure users’ account access and are looking for detailed reporting capabilities.
Market leading biometric and contextual MFA with integrated SSO that delivers a user-friendly, passwordless login experience
LastPass by LogMeIn is a market leader in identity and access management solutions; their security suite includes password management, multi-factor authentication and single sign-on tools. LastPass MFA is their adaptive RBA solution that secures corporate assets against credential theft whilst providing users with a seamless, passwordless login experience. LastPass MFA enables secure access to all cloud-based, desktop and mobile applications, including VPNs, making it a strong tool for any workforce, no matter its state of cloud migration.
LastPass MFA combines contextual intelligence such as geolocation and IP reputation, with biometric intelligence, in order to analyze a user’s risk score and verify their identity. The LastPass authenticator app enables authentication via push notification without the need to enter an OTP, confirming the user’s identity at the same time and verifying that the login attempt is coming from a trusted device. All biometric data associated with user accounts is encrypted at the device level to ensure that it remains secure. From the centralized management console, admins can configure extensive authentication policies and monitor user access at an organizational, group and user level.
LastPass focuses on creating a seamless login experience for its users, so the solution is compatible with all web browsers and on any device. Additionally, from an administrative perspective, LastPass MFA is simple to deploy and integrates easily with Microsoft AD and Azure AD to automate and speed up user provisioning. We recommend LastPass MFA as a strong risk-based authentication solution, particularly for organizations looking for integrated SSO and those who are also considering adding a password manager to their access security stack.
Okta Adaptive Multi-Factor Authentication
Secure MFA and SSO with very granular policy customization and report generation capabilities, delivered via an intuitive, user-friendly interface
Okta is a cloud-based identity and access management platform that enables organizations to secure user access to business accounts via MFA and SSO. Okta Adaptive Multi-Factor Authentication is their MFA solution. Focused on usability, it comes with a host of integrations with existing cloud-based tools and applications, as well as custom-built applications, in order to provide a seamless sign-on experience to all accounts, across all devices. As well as creating a consistent experience for end users, Okta’s central admin portal makes it easy for security teams to configure and enforce MFA policies and access insights into account usage across the organization.
Okta Adaptive Multi-Factor Authentication uses contextual factors such as device trust and geolocation to create a risk score for attempted logins before prompting users to further verify their identity. The platform supports secondary authentication via mobile app push notifications and biometrics, as well as more traditional methods, including security questions and OTPs sent via SMS, phone call and email. From the admin console, security teams can configure access policies, including role-based access, and generate a range of off-the-shelf and custom reports, including real-time system logs and application-specific access reports. The high level of customization here gives organizations key insights into login trends across the company, in order to continually improve their access policies.
Okta Adaptive Multi-Factor Authentication deploys in the cloud, making it flexible, scalable, and quick to roll out. The platform features enterprise-grade, granular configurations, but also manages to maintain its intuitive, user-friendly interface. We recommend Okta Adaptive Multi-Factor Authentication to mid-market organizations and larger enterprises looking for secure RBA with detailed report and policy customization options.
OneLogin SmartFactor Authentication
Advanced RBA that supports multiple forms of identity verification, with the option to configure multiple levels of authentication and “deny access” policies for high-risk access attempts
OneLogin is a trusted vendor in delivering secure, user- and developer-friendly identity and access management solutions. Their high-quality solutions and 24/7 support make OneLogin popular among their customers, and the vendor currently secures over 2500 companies globally. SmartFactor Authentication, part of their Trusted Experience Platform, is OneLogin’s adaptive authentication solution, designed to protect organizations against sophisticated credential-based threats such as spear-phishing and brute force attacks.
OneLogin’s SmartFactor Authentication leverages their Vigilance AI risk score technology to adjust authentication requirements in real-time based on the risk level associated with the context of each login attempt. The engine calculates risk scores based on user location, device security and user behavior, in order to determine the most appropriate action for each login: to allow, deny or challenge the login by requesting up to two more levels of further verification. SmartFactor Authentication supports SMS, email and voice OTPs, security questions, push notifications via the OneLogin Protect app, and biometrics. Admins have full control over which authentication methods are used and when, and can create user or application policies that completely deny access in certain circumstances.
In addition to the solution’s core MFA features, SmartFactor Authentication encourages users to create stronger passwords with its Compromised Credential Check feature. This feature compares newly created passwords against a database of credentials that are known to have been compromised in large-scale attacks, to prevent the use of stolen passwords. Overall, we recommend OneLogin SmartFactor Authentication as a robust risk-based authentication solution for any mid-market organizations looking to protect their corporate accounts against credential theft.
Ping Identity PingOne Risk Management
Intelligent, enterprise-grade RSA with highly configurable authentication policies based on the combined score of several weighted risk predictors
Ping Identity is an intelligent identity and access management platform that enables organizations to secure user access to cloud accounts and applications, whilst simplifying the login experience for each of their employees. PingOne Risk Mangement is their risk-based authentication solution designed to help organizations made smarter authentication decisions and provide assurance that only genuine users are accessing corporate data.
PingOne Risk Management uses UEBA machine learning models and AI to learn each user’s login behavior, analyzing risk predictors such as device type, operating system, browser version, date and time in real-time to distinguish between normal user login behavior and anomalous login attempts. The security team can give each predictor a weighting and implement effective, intelligent authentication policies that enable the system to grant, deny, or challenge access based on a risk score calculated using the combined predictor ratings. Admins can configure different policies for different use cases, depending on the business needs, and implement varying levels of authentication across the organization so that only the right users can access certain resources. Admins can also generate reports into authentication patterns, and what and where the most common risk factors are, in order to more effectively remediate potential threats.
PingOne Risk Management is delivered as a cloud-based service, and provides an Identity-as-a-Service (IaaS) model as well as a software-based solution (SaaS). Deployment is simplified further by the platform’s easy integration with APIs and SDKs to streamline the onboarding process and automate integrations with existing infrastructure and applications. We recommend PingOne as a strong risk-based MFA solution for larger organizations that require in-depth reporting for visibility and compliance, and the ability to configure their own adaptive authentication policies.
RSA Adaptive Authentication
Omnichannel RBA that combines powerful machine learning analysis of over 100 risk indicators with fine-grained policy controls
RSA specializes in user authentication and account access security. Their solutions enable organizations to secure and manage access to their corporate accounts and applications, while making it as easy as possible for end users to access the data they need on a day-to-day basis. RSA Adaptive Authentication is their RBA solution that enables admins to configure and enforce granular authentication policies across their organization.
RSA Adaptive Authentication’s risk engine uses machine learning algorithms to analyze over 100 risk indicators, including payment activity, geolocation and cross-channel intelligence, to ensure that only genuine users are accessing corporate assets. The platform supports secondary authentication via SMS OTPs, biometrics, mobile push notifications and tokens. From the central management portal, admins can configure which methods of authentication should be used at both a user and application level. Additionally, customers can feed information into RSA’s eFraudNetwork, an ecosystem database of known and attempted fraud, meaning that all RSA-supported organizations benefit from one another’s threat knowledge and investments in anti-fraud tools.
RSA Adaptive Authentication can deploy on-prem or in the cloud. The solution comes with extremely granular configuration options, which smaller and mid-market organizations may not have the resources to set up effectively. Once configured, the solution provides a very high level of security. We recommend RSA Adaptive Authentication as a strong RBA solution for larger enterprises, especially those that are particularly concerned with meeting data privacy compliance regulations.
SecureAuth Identity Platform
Comprehensive, user- and admin-friendly RBA with integrated SSO, editable reporting templates and the capability to support almost 30 different authentication methods
SecureAuth is an identity and access management platform that combines adaptive multi-factor authentication with single sign-on and user lifecycle management to help secure access to corporate accounts and mitigate password-related risks such as credential theft and account compromise. The SecureAuth Identity Platform combines AI-driven analytics, granular configurations, integrated SSO and detailed reporting to provide comprehensive RBA that supports nearly 30 different authentication methods.
SecureAuth’s Identity Platform utilizes artificial intelligence to produce a risk score for login attempts based on contextual information, such as device health, location, IP reputation and user behavior. If the risk associated with a login attempt is too high, SecureAuth will request further verification from the user. The platform supports almost 30 different authentication methods, including OTPs, mobile push notifications and OTPs, to ensure that organizations have the capacity to verify all of their employees, no matter what device they’re working on. Users have the ability to self-serve their own enrolment, password resets and platform updates, simplifying the deployment process. From the central management console, admins can configure authentication policies and generate reports into account usage and login activity. These policies can be created from scratch, or admins can choose from SecureAuth’s library of editable templates for faster, simplified security.
SecureAuth’s Identity Platform can be deployed in the cloud, on-premise or as a hybrid combination of the two, making it one of the most flexible solution in this guide in terms of set up. Additionally, the platform is built in line with open standards, and offers full API integration with your existing infrastructure. We recommend SecureAuth as a strong solution for any sized organization looking for a comprehensive RBA platform with easy-to-use configurations and a focus on self-service security.