The Top 10 Risk-Based Authentication (RBA) Solutions

Prove is a market-leading identity proofing and affirmation provider that specializes in passwordless identity verification. They offer a range of identity solutions based around their own unique “Phone-Centric Identity” authentication model, which verifies users’ identities based on information derived from their cell phones. This enables Prove to authenticate user identities deterministically and with certainty, rather than granting access based on the probability that a user is genuine. Prove Auth is Prove’s passwordless, OTP-less authentication solution, which uses Prove’s Phone-Centric Identity technology to provide secure, frictionless access to web and mobile applications.

With Prove Auth, users can verify their identities in one of three ways: using Prove’s Phone-Centric Identity model, using in-device biometrics, or using push notifications. Organizations can also implement Phone-Centric authentication, with biometrics and push notifications as a method of step-up authentication where login attempts are deemed high risk. When using the Phone-Centric identity model, the user “binds” a cryptographic key (i.e., the SIM card or FIDO key on their cell phone) to themselves, and they’re issued a ProveID. Prove Auth then analyzes billions of mobile, telecom, and usage signals from the user’s phone to verify that the user owns the phone being used to authenticate, they’re in possession of it in real-time, and they’re using the phone how it’s historically been used—i.e., that this login attempt is “normal”. Using this information, Prove Auth can accurately and rapidly grant or deny access, helping increase account security and minimize the risk of fraud.

A cloud-based solution, Prove Auth integrates into your existing infrastructure via API, with configuration support available from Prove’s onboarding team. Overall, we recommend Prove Auth as a strong authentication solution for any sized organization—but particularly those in the e-commerce and finance industries—looking to increase security and streamline the user login experience.

Acquired by Cisco in 2018, Duo is a simple yet powerful access management solution that secures access to corporate applications, systems and networks for any user, using any device, in any location. Duo offers MFA and SSO, while from its central management console admins can configure access policies and generate reports into account usage and risk management across the protected device fleet. These features are delivered across five plans, from a free version for smaller teams through to a comprehensive enterprise-grade plan for larger organizations. Duo also offers a FedRAMP, FIPS-capable version tailored specifically to the security and compliance needs of federal and public sector organizations.

Duo provides zero-trust MFA and SSO that enables employees to access their accounts securely, while only having to verify their identity at the beginning of their session. Duo’s MFA supports authentication via traditional tokens and passcodes, as well as push notifications, U2F USB devices, and integration with biometric scanners built into user devices. Duo also offers granular management functionality: from one intuitive console, admins can configure risk-based, adaptive authentication policies at a user group and application level, based on user location, device and role – among other factors. Duo then checks these security policies for anomalous access attempts in order to securely enable or block logins across all managed and unmanaged devices.

Finally, Duo’s inbuilt Endpoint Remediation automatically blocks access to corporate applications if a user’s device is running an outdated software version, which protects business data against vulnerability exploits. Duo is deployed in the cloud and integrates natively with existing applications, making it easy to roll out and flexible to scale up with your organization. The Duo interface is easy to use from both an end-user and administrative perspective, making it popular amongst both employees and security technicians. We recommend Duo as a strong solution for organizations of any size looking to implement RBA with integrated SSO.

IBM Security is a well-established cybersecurity vendor that offers solutions for IT infrastructure and management, software development, and analytics. Verify Access, formerly Access Manager, is IBM’s access management and user authentication solution. Verify Access secures user logins to all cloud, on-premises and mobile applications via a comprehensive combination of MFA, SSO, identity analytics and administrative management and control features.

IBM Security Verify Access supports user authentication via one-time passwords, email verification and knowledge-based questions, as well as enabling passwordless SSO for accessing work applications such as Office 365 via a biometric fingerprint scan. Verify Access’ SSO is available across both desktop and mobile devices, removing the need for multiple logins to enable maximum productivity. Using the risk-scoring engine in the management console, admins can configure risk-based authentication policies to challenge anomalous login attempts. The risk-scoring engine analyzes each user’s login patterns, including information about their mobile devices and regular session activity, without interfering with their sessions, in order to accurately detect and challenge unusual login attempts.

Verify Access also comes with a companion app for mobile MFA that ensures all logins from a mobile device are verified and secure. Admins can configure policies to allow, challenge or deny mobile login attempts based on geolocation, IP address reputation and application data. This feature is particularly useful for companies with a high number of remote or BYOD workers. Customers praise IBM’s regular product updates and the numerous deployment options for Verify Access, which deploys on-prem, in a virtual or hardware appliance, or in a Docker container. We recommend Verify Access as a strong RBA solution for mid-market to enterprise organizations with a large percentage of mobile devices in their fleet.

iProov is an innovative cybersecurity vendor that specializes in biometric verification solutions that can be used as standalone products or as part of a multi-factor authentication process. iProov Face Verifier and Palm Verifier use iProov’s patented Genuine Presence Assurance technology to confirm that login attempts are coming from the right person, a real person, and in real time. iProov is particularly popular among finance and government organizations.

iProov leverages powerful artificial intelligence and machine learning algorithms to compare users’ face and palm scans to a securely stored baseline image. The use of AI means that attackers are presented with a dynamic, evolving target that’s much more difficult to crack than a traditional password. iProov delivers an omnichannel authentication experience across all devices and platforms. The authentication process itself is quick and easy from the user’s perspective, while proving security teams with assurance that the person attempting the login is a genuine user. Via the iPortal feature, admins have complete visibility into user administration, provisioning and integration information. They can also generate reports into usage and performance, which include success rates and breakdowns of any errors in performance.

iProov’s authentication solutions are cloud-based, allowing for enterprise-grade scalability. iProov Face Verifier is a strong risk-based authentication solution for larger organizations looking for secure biometric verification. However, it’s important to note that, in order to use iProov’s solution, you must have a readily available photograph of each of your employees to use as a single source of truth or baseline for the authentication. These images must be accessible to the authentication system, so that they can be used to enrol employees when they first try to authenticate. Each employee must also have a device with a front-facing camera – be that BYOD or corporate-issued.

Acquired by Equifax in 2021, Kount is a market leader in providing fraud prevention and account security solutions for digital businesses. Particularly popular in the finance and banking industry, Kount’s patented AI and machine learning models enable them to protect over 9,000 organizations around the world. Kount Control is Kount’s solution to account takeover and credential theft, which protects corporate data against malicious logins. To do this, Kount Control combines adaptive authentication, granular policy customization and robust reporting functionality.

Kount Control uses its patented AI-driven technology to analyze user login behavior based on device status, IP address reputation, geolocation and mobile and proxy indicators, among others. Using this data, Kount detects anomalous access attempts that could be the result of bots, credential stuffing and brute force attacks. In the case of a high-risk login, the system challenges the user and requires them to verify their identity via a further authentication method. Admins can configure at what risk level the system should require further verification from each user, and these policies can be set at a user or user group level based on common characteristics identified by Kount. In addition to policy configuration, admins can access real-time reports that provide insights into login trends, including device and IP information. This makes it easier for security teams to identify and investigate login anomalies.

Kount Control is deployed as a cloud service, is easy to roll out and has the capability to scale with your business. In 2018, Kount partnered with BehavioSec to integrate Control with BehavioSense, a passive biometric analysis tool that monitors patterns in how a user interacts with their device, e.g. through keystroke dynamics and mouse motion. This integration makes Kount Control particularly strong in protecting against bots. Overall, we recommend Kount Control as a strong RBA solution for mid-market to larger enterprises that need to secure users’ account access and are looking for detailed reporting capabilities.

Okta is a cloud-based identity and access management platform that enables organizations to secure user access to business accounts via MFA and SSO. Okta Adaptive Multi-Factor Authentication is their MFA solution. Focused on usability, it comes with a host of integrations with existing cloud-based tools and applications, as well as custom-built applications, in order to provide a seamless sign-on experience to all accounts, across all devices. As well as creating a consistent experience for end users, Okta’s central admin portal makes it easy for security teams to configure and enforce MFA policies and access insights into account usage across the organization.

Okta Adaptive Multi-Factor Authentication uses contextual factors such as device trust and geolocation to create a risk score for attempted logins before prompting users to further verify their identity. The platform supports secondary authentication via mobile app push notifications and biometrics, as well as more traditional methods, including security questions and OTPs sent via SMS, phone call and email. From the admin console, security teams can configure access policies, including role-based access, and generate a range of off-the-shelf and custom reports, including real-time system logs and application-specific access reports. The high level of customization here gives organizations key insights into login trends across the company, in order to continually improve their access policies.

Okta Adaptive Multi-Factor Authentication deploys in the cloud, making it flexible, scalable, and quick to roll out. The platform features enterprise-grade, granular configurations, but also manages to maintain its intuitive, user-friendly interface. We recommend Okta Adaptive Multi-Factor Authentication to mid-market organizations and larger enterprises looking for secure RBA with detailed report and policy customization options.

OneLogin is a trusted provider of secure, user- and developer-friendly identity and access management solutions. Their high-quality solutions and 24/7 support make OneLogin popular among their customers, and the vendor currently secures over 2500 companies globally. SmartFactor Authentication, part of their Trusted Experience Platform, is OneLogin’s adaptive authentication solution, designed to protect organizations against sophisticated credential-based threats such as spear-phishing and brute force attacks.

OneLogin’s SmartFactor Authentication leverages their Vigilance AI risk score technology to adjust authentication requirements in real-time based on the risk level associated with the context of each login attempt. The engine calculates risk scores based on user location, device security and user behavior, in order to determine the most appropriate action for each login: to allow, deny or challenge the login by requesting up to two more levels of further verification. SmartFactor Authentication supports SMS, email and voice OTPs, security questions, push notifications via the OneLogin Protect app, and biometrics. Admins have full control over which authentication methods are used and when, and can create user or application policies that completely deny access in certain circumstances.

In addition to the solution’s core MFA features, SmartFactor Authentication encourages users to create stronger passwords with its Compromised Credential Check feature. This feature compares newly created passwords against a database of credentials that are known to have been compromised in large-scale attacks, to prevent the use of stolen passwords.

OneLogin was acquired in 2021 by global cybersecurity provider One Identity, enabling seamless integrations with other solutions in the One Identity suite. Overall, we recommend OneLogin SmartFactor Authentication as a robust risk-based authentication solution for any mid-market organizations looking to protect their corporate accounts against credential theft.

Ping Identity is an intelligent identity and access management platform that enables organizations to secure user access to cloud accounts and applications, whilst simplifying the login experience for each of their employees. PingOne Risk Management is their risk-based authentication solution designed to help organizations make smarter authentication decisions and provide assurance that only genuine users are accessing corporate data.

PingOne Risk Management uses UEBA machine learning models and AI to learn each user’s login behavior, analyzing risk predictors such as device type, operating system, browser version, date and time in real-time to distinguish between normal user login behavior and anomalous login attempts. The security team can give each predictor a weighting and implement effective, intelligent authentication policies that enable the system to grant, deny, or challenge access based on a risk score calculated using the combined predictor ratings. Admins can configure different policies for different use cases, depending on the business needs, and implement varying levels of authentication across the organization so that only the right users can access certain resources. Admins can also generate reports into authentication patterns, and what and where the most common risk factors are, in order to more effectively remediate potential threats.

PingOne Risk Management is delivered as a cloud-based service, and provides an Identity-as-a-Service (IaaS) model as well as a software-based solution (SaaS). Deployment is simplified further by the platform’s easy integration with APIs and SDKs to streamline the onboarding process and automate integrations with existing infrastructure and applications. We recommend PingOne as a strong risk-based MFA solution for larger organizations that require in-depth reporting for visibility and compliance, and the ability to configure their own adaptive authentication policies.

RSA is a leading cybersecurity provider that offers a wide range of user authentication and account access security solutions. RSA’s solutions enable IT and security teams to monitor, manage, and secure user access to corporate data, systems, and applications, without adding unnecessary friction to the login process. RSA SecurID is their risk-based MFA solution. With SecurID, admins can configure and enforce granular authentication policies that assess each login attempt for suspicious activity, and only step up authentication for high-risk logins.

RSA SecurID uses machine learning algorithms to assess the risk posed by all user access requests. The platform’s risk engine analyzes over 100 indicators of suspicious login activity, including geolocation, payment activities, and cross-channel intelligence, to ensure that only genuine users—behaving as they normally would—are accessing business data. If SecurID detects a high-risk or anomalous login, the platform steps up the level of authentication required as per admin-defined access policies. Users can then verify their identities via SMS one-time-passcodes, mobile push notifications, biometrics, or hardware and software tokens. Admins can configure which authentication methods should be used at a user and application level to increase security for more critical accounts. The platform also supports single sign-on, for a more seamless login experience.

RSA SecurID offers on-premises and cloud deployment options. Once deployed, the solution offers granular configurations so it can be tailored to fit any network, but these can be complex to set up initially. As such, we recommend SecurID as a strong risk-based authentication solution for mid-size to large enterprises looking for the ability to configure different access policies for different network areas for security and compliance, without creating friction for the end user.

SecureAuth is an identity and access management platform that combines adaptive multi-factor authentication with single sign-on and user lifecycle management to help secure access to corporate accounts and mitigate password-related risks such as credential theft and account compromise. The SecureAuth Identity Platform combines AI-driven analytics, granular configurations, integrated SSO and detailed reporting to provide comprehensive RBA that supports nearly 30 different authentication methods.

SecureAuth’s Identity Platform utilizes artificial intelligence to produce a risk score for login attempts based on contextual information, such as device health, location, IP reputation and user behavior. If the risk associated with a login attempt is too high, SecureAuth will request further verification from the user. The platform supports almost 30 different authentication methods, including  mobile push notifications and OTPs, to ensure that organizations have the capacity to verify all of their employees, no matter what device they’re working on. Users have the ability to self-serve their own enrolment, password resets and platform updates, simplifying the deployment process. From the central management console, admins can configure authentication policies and generate reports into account usage and login activity. These policies can be created from scratch, or admins can choose from SecureAuth’s library of editable templates for faster, simplified security.

SecureAuth’s Identity Platform can be deployed in the cloud, on-premise or as a hybrid combination of the two, making it one of the most flexible solution in this guide in terms of set up. Additionally, the platform is built in line with open standards, and offers full API integration with your existing infrastructure. We recommend SecureAuth as a strong solution for any sized organization looking for a comprehensive RBA platform with easy-to-use configurations and a focus on self-service security.