Risk-Based Authentication


Risk-Based Authentication somehow never made any sense to us. We are under the impression Adaptive Risk is better associated with Access Control Models than Authentication Methods.


Risk-Based Authentication evaluates a host of user, system, and environmental attributes; other such signals; and Behavioral Characteristics to make an authentication decision. IP Address, Geolocation, time of day, transaction type, mouse movements, keystrokes, and variances from typical usage norms are some of the signals used in these systems.

These solutions do not currently count as a valid authenticator in and of themselves, as this information does not necessarily constitute a “Secret,” and most solutions leverage proprietary ways of making an authentication decision. We (NIST) are eager to discover secure, standards-based ways to execute these processes. However, until we have a good way to define the requirements to properly execute these approaches, “risk-based” and “adaptive” techniques are considered added controls to digital authentication. If you have ideas on how we can add these as acceptable authenticator types in future guidance, please let us know all about it!


Supposedly Risk-Based Authentication is an Authentication Method that performs Authentication by gathering various context parameters that the Digital Identity possesses or demonstrates, either within the same channel and/or protocol or from separate channels or protocols.
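The evaluation described above, shown as an added example that is not from the original page and is not NIST's or any vendor's code: a toy scorer that weighs the kinds of signals listed (IP address, geolocation, device, time of day, transaction type) against a per-user baseline and turns the total into allow / step-up / deny. The signal weights, thresholds, baseline fields and all sample values are assumptions constructed for illustration. The `authenticate` function makes the page's key point concrete: the risk score is an added control layered on a real authenticator, never a substitute for one.

```python
"""Toy risk-based authentication scorer (constructed example, not a product API)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed thresholds: at or above STEP_UP a second authenticator is demanded,
# at or above DENY the attempt is refused even with a valid primary credential.
STEP_UP_THRESHOLD = 40
DENY_THRESHOLD = 80


@dataclass
class Baseline:
    """Per-user norms learned from prior successful logins (constructed fields)."""
    known_ips: set
    known_countries: set
    known_devices: set
    usual_hours: range          # local hours in which the user normally signs in


@dataclass
class LoginContext:
    """Signals gathered for the current attempt (constructed fields)."""
    ip: str
    country: str
    device_id: str
    hour: int
    transaction_type: str       # e.g. "read" or "transfer"


@dataclass
class RiskResult:
    score: int
    reasons: List[str] = field(default_factory=list)
    decision: str = "allow"


def score_context(ctx: LoginContext, base: Baseline) -> RiskResult:
    """Add an assumed weight for each deviation from the user's baseline."""
    score, reasons = 0, []
    if ctx.ip not in base.known_ips:
        score += 20; reasons.append("unfamiliar IP address")
    if ctx.country not in base.known_countries:
        score += 30; reasons.append("unfamiliar geolocation")
    if ctx.device_id not in base.known_devices:
        score += 25; reasons.append("unrecognized device")
    if ctx.hour not in base.usual_hours:
        score += 10; reasons.append("outside usual hours")
    if ctx.transaction_type == "transfer":
        score += 15; reasons.append("high-impact transaction type")

    if score >= DENY_THRESHOLD:
        decision = "deny"
    elif score >= STEP_UP_THRESHOLD:
        decision = "step_up"
    else:
        decision = "allow"
    return RiskResult(score, reasons, decision)


def authenticate(primary_ok: bool, ctx: LoginContext, base: Baseline,
                 second_factor_ok: Optional[bool] = None) -> str:
    """Combine a real authenticator with the risk signal.

    The risk score only ever raises the bar: a failed primary credential is
    denied regardless of how familiar the context looks, and a high score can
    demand a second authenticator or refuse outright, but a low score never
    grants access on its own.
    """
    if not primary_ok:
        return "denied"
    risk = score_context(ctx, base)
    if risk.decision == "deny":
        return "denied"
    if risk.decision == "step_up":
        if second_factor_ok is None:
            return "step_up_required"      # challenge for a second authenticator
        return "granted" if second_factor_ok else "denied"
    return "granted"


# Constructed sample baseline; IPs are from the RFC 5737 documentation ranges.
SAMPLE_BASELINE = Baseline(
    known_ips={"203.0.113.10"},
    known_countries={"DE"},
    known_devices={"laptop-a1"},
    usual_hours=range(8, 19),
)

if __name__ == "__main__":
    for label, ctx in [
        ("familiar", LoginContext("203.0.113.10", "DE", "laptop-a1", 10, "read")),
        ("travel",   LoginContext("198.51.100.7", "US", "laptop-a1", 10, "read")),
        ("hostile",  LoginContext("198.51.100.7", "US", "phone-z9", 3, "transfer")),
    ]:
        r = score_context(ctx, SAMPLE_BASELINE)
        print(f"{label:9} score={r.score:3} decision={r.decision:8} "
              f"outcome={authenticate(True, ctx, SAMPLE_BASELINE)} reasons={r.reasons}")
```

In a real deployment the weights would come from observed fraud rates rather than hand-picked constants, the baseline would be refreshed only from logins that passed a genuine authenticator, and every step-up or deny decision with its reasons would be logged so analysts can tune the thresholds.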

More Information#

There might be more information for this subject on one of the following: