Eliminate Passwords with Risk-based Authentication

Our Blog

Eliminate Passwords with Risk-based Authentication

Imagine never requiring another password and using risk based authentication to get there. Traditionally, risk based authentication is used to ask for a second factor such as a token or OTP or biometric if the user and/or device is deemed risky after the password is entered. If anything looks fishy, step them up. It’s secure, it’s zero trust, it’s a pretty good policy but it’s a fairly awful user experience. The user gets the worst of all worlds, they have to remember a password, enter the c0mplIc@Ted thing, and still might have to deal with a push notification if it’s a new browser or on a hotel network or if any other risk factor is triggered.

Eliminate passwords with flexible policies

One customer recently told of us about a novel 180 degree different way of looking at it. They use risk to determine if they are going to ask for the password and only ask for it if it’s looking risky. This makes it so only the potentially bad guys have to type out that annoying P@ssw0rd. The policy is pretty straightforward: the user enters their username and ID Dataweb’s AXN Manage returns a risk score with these options.

  • No risk, let them in
  • Small risk, send MFA
  • Medium risk, ask for password, send MFA
  • High risk, deny access

Getting the password out of the way of users accessing systems most likely feels foreign the first time but modern passwordless and MFA solutions on a smart phone are so much easier for the user and often times encompass multiple factors at once (what you have and what you are). The user has a much faster entry with fewer keystrokes, fewer sticky notes next to their keyboard and significantly less friction. Just enter their username, tap a button on their phone screen and get productive.

Know your risk, secure your user

To do this right, you need to have a handle on the risk side of the house. If you aren’t checking the right risk signals, all of the security and user experience gains go out the window. AXN Manage is a unique risk engine as it acts as an orchestration layer to build a trust score from multiple sources. AXN Manage will check with a fraud consortium to determine if this device has engaged in fraud. If on a mobile device, it will check to see if it has been ported or SIM swapped. It checks against previous authentications to determine patterns of use, impossible travel, IP blacklists, risky VPNs, TOR node access and many other signals. These signals are all distilled into a single trust score and compared to your specific policy. These policies can be customized and tuned to your specific risk tolerance or based on industry best practices.

Additionally, AXN Manage integrates seamlessly with every major IdP (Auth0, CyberArk, ForgeRock, Microsoft AAD, Okta, Ping and Strivacity). Since these out of the box integrations are all built on open standards and/or very flexible APIs, they are able to be deployed in days and get your users out of the password game and into the productivity game faster and more securely.

Want to read more about how Kuppinger Cole views ID Dataweb’s position in the Fraud Reduction Intelligence Platform space?