Depending on an employee’s or contractor’s role, the authorizations granted can provide access to critical infrastructure and/or critical information, such as customer data and customer systems. To build and maintain the trust that customers place in the company to handle their data securely, it is mission-critical to establish the identity of those individuals who hold the highest level of trust. It is, however, extremely difficult for a company at any stage to require authentication at the highest trust level for all services and users. As a result, an adaptive authentication strategy based on risk levels is used.
Adaptive authentication is also known as “risk-based authentication” or “conditional access.” This means that the authentication type (and thus the level of confidence and trust in the authentication procedure) must be aligned with the associated risk of the service that the user wishes to access. The higher the associated risk, the higher the level of trust required in the authentication procedure to grant access. In some cases, the risk is so high that no access is permitted.
Calculating the risk estimate
The risk estimate is derived from the following factors:
- The trust level of the endpoint from which the authentication request originates,
- The criticality of the service to be accessed,
- The related permissions of the access and
- Behavioral characteristics such as regular working time, time since the previous login, working location, or IP range, where these are meaningful and available. The geographical locations of consecutive logins should also be correlated, e.g. an initial login from Asia followed by a second login 25 seconds later from Portugal. It is impossible to change location that quickly, so the risk level should be raised to “high”.
Implications for authentication design
Depending on the application design, the underlying authentication and authorization model, and the configured access to an application, a so-called step-up authentication may be necessary. This is required when the same user account can authenticate with a single factor to access a low-risk service but subsequently wishes to access an important function or sensitive data/information with a high risk level. In this case, re-authentication at a higher trust level is absolutely necessary.
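The following added example (not code from the original page) turns the risk factors listed under "Calculating the risk estimate" and the step-up rule above into a small policy engine: it scores endpoint trust, service criticality, permissions and working time, treats impossible travel between consecutive logins (Asia, then Portugal 25 seconds later) as high risk, and maps the resulting risk level to the session assurance required, returning a step-up demand or a denial when the current session falls short. The scoring weights, the working-hours window, the 1000 km/h travel limit and the assurance levels are assumptions for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Assumed policy (not from the page): session assurance required per risk level.
# 1 = single factor, 2 = MFA, 3 = phishing-resistant MFA.
REQUIRED_ASSURANCE = {"low": 1, "medium": 2, "high": 3}
WORKING_HOURS = range(7, 20)   # assumed regular working time (local hours)
MAX_PLAUSIBLE_KMH = 1000.0     # faster than this between two logins is impossible travel

@dataclass
class AuthRequest:
    endpoint_trust: int        # 0 unknown device, 1 registered, 2 managed and healthy
    service_criticality: int   # 0 low, 1 internal, 2 critical (customer data/systems)
    permission_level: int      # 0 read-only, 1 write, 2 administrative
    hour_of_day: int           # local hour of the request
    lat: float                 # current login location
    lon: float
    last_lat: float            # location of the previous login
    last_lon: float
    seconds_since_last_login: float
    current_assurance: int     # assurance of the existing session, 0 if none

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two coordinates."""
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def risk_level(req):
    """Combine endpoint trust, service criticality, permissions and behaviour."""
    if req.seconds_since_last_login > 0:   # impossible-travel correlation
        km = haversine_km(req.last_lat, req.last_lon, req.lat, req.lon)
        if km / (req.seconds_since_last_login / 3600.0) > MAX_PLAUSIBLE_KMH:
            return "high"                  # e.g. Asia, then Portugal 25 s later
    score = req.service_criticality + req.permission_level + (2 - req.endpoint_trust)
    if req.hour_of_day not in WORKING_HOURS:
        score += 1
    return "high" if score >= 4 else "medium" if score >= 2 else "low"

def decide(req):
    """Return 'allow', 'deny' or 'step-up:<level>' for an authenticated session."""
    level = risk_level(req)
    if level == "high" and req.endpoint_trust == 0:
        return "deny"                      # risk too high: no access from an unknown device
    required = REQUIRED_ASSURANCE[level]
    if req.current_assurance >= required:
        return "allow"
    return f"step-up:{required}"           # re-authenticate with a stronger factor
```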