Overview

Risk-Based Authentication somehow never made any sense to us. We are under the impression Adaptive Risk is better associated with Access Control Models than Authentication Methods.

Such techniques use a host of user, system, and environmental attributes; other such signals; and Behavioral Characteristics to make an authentication decision. IP Address, Geolocation, time of day, transaction type, mouse movements, keystroke, and variances from typical usage norms are some of the signals used in these systems.
These solutions do not currently count as a valid authenticator in and of themselves, as this information does not necessarily constitute a “Secret,” and most solutions leverage proprietary ways of making an authentication decision. We (NIST) are eager to discover secure, standards-based ways to execute these processes. However, until we have a good way to define the requirements to properly execute these approaches, “risk-based” and “adaptive” techniques are considered added controls to digital authentication. If you have ideas on how we can add these as acceptable authenticator types in future guidance, please let us know all about it!
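The "added control" position described above can be made concrete with a small policy sketch. This is an added example, not code from NIST or from any product. The signal names, weights, thresholds and sample data are all hypothetical. It shows risk signals tightening the outcome of a successful authentication without ever standing in for the authenticator itself.

```python
from dataclasses import dataclass

# Illustrative weights and thresholds (assumptions, not from NIST or any product).
WEIGHTS = {"new_ip": 30, "geo_mismatch": 35, "odd_hour": 15, "high_value_txn": 20}
STEP_UP_AT, DENY_AT = 40, 80

@dataclass
class Context:
    ip: str
    country: str
    hour: int            # local hour of the attempt, 0-23
    transaction: str     # e.g. "view_balance", "wire_transfer"

@dataclass
class Profile:           # the user's typical usage norms
    known_ips: set
    usual_countries: set
    active_hours: range
    sensitive_transactions: set

def risk_signals(ctx, prof):
    """Return the names of the signals that deviate from the user's norms."""
    checks = {
        "new_ip": ctx.ip not in prof.known_ips,
        "geo_mismatch": ctx.country not in prof.usual_countries,
        "odd_hour": ctx.hour not in prof.active_hours,
        "high_value_txn": ctx.transaction in prof.sensitive_transactions,
    }
    return [name for name, fired in checks.items() if fired]

def decide(authenticator_ok, ctx, prof):
    """Risk is an added control: it can only tighten a successful authentication."""
    if not authenticator_ok:
        return "deny", 0, []          # low risk never substitutes for a secret
    fired = risk_signals(ctx, prof)
    score = sum(WEIGHTS[s] for s in fired)
    if score >= DENY_AT:
        return "deny", score, fired
    if score >= STEP_UP_AT:
        return "step_up", score, fired
    return "allow", score, fired

# Constructed sample data (documentation-range IP addresses).
PROFILE = Profile({"198.51.100.7"}, {"US"}, range(7, 23), {"wire_transfer"})
USUAL = Context("198.51.100.7", "US", 10, "view_balance")
TRAVEL = Context("203.0.113.9", "DE", 10, "view_balance")
RISKY = Context("203.0.113.9", "DE", 3, "wire_transfer")
```

A `step_up` result means the caller should require an additional authenticator before proceeding; the risk score alone never grants access.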