
What is risk-based authentication?

Risk-based authentication is a dynamic approach that analyzes several factors surrounding a login attempt to assess the risk of unauthorized access. Based on the perceived risk score, the system applies a corresponding level of strictness to the authentication process.

For example, if an authorized member of an organization logs into the HR portal from their registered device, usual location, and during typical hours, they may gain access without the extra hurdle of multi-factor authentication (MFA).

On the other hand, accessing a sensitive internal server from an unknown location, even with the correct credentials, could trigger an additional verification step, such as a prompt for biometrics. These dynamic adjustments allow organizations to strike a balance between strong authentication and a seamless user experience.

How does risk-based authentication work?

So, how does risk-based authentication (RBA) distinguish between an authorized, everyday user and a potential security threat? Imagine you're at a bank. When a familiar customer walks in during regular banking hours, dressed appropriately, carrying their ID, and tries to transfer a small sum of money to their wife’s account, the teller may process their transaction quickly with minimal verification. This represents a low-risk situation.

However, if a customer arrives just before closing time and attempts to withdraw a large sum of money without proper identification, the teller would likely trigger additional security measures due to the heightened risk. This represents a high-risk situation.

This is how a risk-based authentication system works. Here’s a simplified overview of the steps involved:

  1. A user tries to authenticate themselves by entering their credentials (e.g., username and password).
  2. The access management system gathers an array of data points, including user location, device information (operating system, device ID, etc.), IP address, time of login and the type of application being accessed.
  3. Using sophisticated algorithms, the system then calculates and assigns a risk score to the login attempt. A low score indicates a familiar and trusted scenario, while a high score suggests a potentially unauthorized attempt.
  4. Depending on the risk score, the system modifies the authentication workflow. For low-risk scenarios, a simple password may suffice. For high-risk scenarios, additional verification steps like one-time codes, fingerprint scans, tokens or security questions are triggered.
  5. Finally, access is either granted or denied.

Adaptive risk-based authentication

RBA can be further enhanced with adaptive capabilities. In adaptive risk-based authentication (ARBA), the system continuously learns from user behavior and refines its risk assessment over time. This allows the system to become more familiar with a user's typical access patterns and adjust the authentication steps accordingly.

For example, suppose a user accesses the single sign-on (SSO) portal from a new device. The system, recognizing the unfamiliar device, will prompt the user for additional verification steps such as a token.

However, if the user successfully verifies themselves and continues to use this new device regularly, the ARBA system will gradually decrease the level of scrutiny for subsequent logins from the device. This streamlines the login process for the authorized user, without compromising risk management.
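
The scoring steps listed earlier and the adaptive behavior described in this section can be sketched together. The following is an added illustration, not OneLogin's or any vendor's algorithm; the weights, thresholds, decay rate and all names (`Profile`, `risk_score`, `decide`, `record_verified_login`) are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass, field

# Constructed weights and thresholds: assumptions for illustration only.
WEIGHTS = {"new_location": 30, "new_ip": 15, "odd_hours": 15, "sensitive_app": 20}
DEVICE_MAX = 40      # risk added by a device that has never been seen
DEVICE_DECAY = 0.5   # each verified login from a device halves its risk
STEP_UP_AT, DENY_AT = 40, 90

@dataclass
class Profile:
    """What the system has learned about one user."""
    locations: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    usual_hours: range = range(8, 19)
    device_logins: dict = field(default_factory=dict)  # device_id -> verified logins

def risk_score(profile, attempt):
    """Step 3: turn the data points gathered in step 2 into a score."""
    score = 0
    if attempt["location"] not in profile.locations:
        score += WEIGHTS["new_location"]
    if attempt["ip"] not in profile.ips:
        score += WEIGHTS["new_ip"]
    if attempt["hour"] not in profile.usual_hours:
        score += WEIGHTS["odd_hours"]
    if attempt["sensitive_app"]:
        score += WEIGHTS["sensitive_app"]
    seen = profile.device_logins.get(attempt["device_id"], 0)
    score += DEVICE_MAX * DEVICE_DECAY ** seen  # familiarity lowers device risk
    return round(score)

def decide(profile, attempt):
    """Step 4: choose the authentication workflow from the score."""
    score = risk_score(profile, attempt)
    if score >= DENY_AT:
        return "deny"
    return "step_up" if score >= STEP_UP_AT else "password_only"

def record_verified_login(profile, attempt):
    """Adaptive part: learn only from a login that passed every required check."""
    profile.locations.add(attempt["location"])
    profile.ips.add(attempt["ip"])
    device = attempt["device_id"]
    profile.device_logins[device] = profile.device_logins.get(device, 0) + 1

# Constructed sample: a known user signing in to a sensitive app from a new phone.
alice = Profile({"Berlin"}, {"203.0.113.10"}, device_logins={"laptop-1": 5})
new_phone = {"location": "Berlin", "ip": "203.0.113.10", "hour": 10,
             "sensitive_app": True, "device_id": "phone-9"}
```

The profile is updated only after a login has passed every required check; learning from unverified attempts would let someone holding a stolen password train the system into trusting their device.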

Continuous risk-based authentication

Continuous risk-based authentication (CRBA) monitors user activity and device behavior throughout the access session, not just at the login stage. This allows the system to intervene and apply preventive measures in real time whenever a user’s behavior deviates from the norm.

For example, if a user successfully logs in to the enterprise network, but then starts downloading unusually large amounts of data on a sensitive server, the CRBA system can prompt for additional verification or temporarily restrict access until an administrator can review the user’s actions.

Is risk-based authentication the same as context-based authentication?

Risk-based authentication and context-based authentication have common goals: increased security, stricter access control, better risk management and a frictionless user experience. However, they differ in their approaches and focus.

Both calculate risk scores. However, they use different algorithms for this purpose. RBA focuses on factors like IP address, location and device details, while context-based authentication incorporates additional contextual data points like user behavior and network activity patterns.

Benefits of risk-based authentication

Here are some tangible benefits of risk-based authentication:

  • Improved security posture: By dynamically tweaking authentication requirements based on risk assessment, RBA makes it harder for malicious actors to gain unauthorized access to your systems.
  • Better user experience: RBA eliminates unnecessary verification steps for low-risk scenarios, delivering a more seamless and convenient user experience.
  • Customizable authentication workflows: RBA tools allow organizations to tailor their user authentication workflows based on their specific security policies and risk tolerance levels. For example, they can choose the type of two-factor authentication to use, or the factors to consider when categorizing identities for risk calculation.
  • Compliance: RBA helps organizations meet regulatory compliance requirements by making it easy to implement advanced authentication controls, and by enhancing data and system security.
  • Reduced IT costs: By automating risk assessments and creating a more streamlined authentication process, RBA helps IT teams save time and resources.

Examples of risk-based authentication

RBA is found in applications across several industries and scenarios. Here are some real-world examples:

  • Banks and financial institutions often use risk-based authentication to secure online banking portals. RBA analyzes factors like user location, current transaction sensitivity, transaction history and device information to detect and prevent fraudulent activities.
  • Online retailers deploy RBA to protect customer accounts and prevent unauthorized transactions. They consider factors like login location, purchase history and payment method to calculate risk and identify suspicious activities.
  • Healthcare providers leverage RBA to safeguard patient data and comply with regulatory requirements, such as HIPAA. By enforcing risk-aware authentication, healthcare systems prevent unauthorized access to electronic medical records and protect patient privacy.

Additionally, several organizations across industries employ RBA to secure access to enterprise applications and data.


Risk-based authentication is a dynamic approach to security, adjusting authentication requirements based on the level of perceived risk. RBA delivers a seamless user experience without compromising on protection, empowering organizations to combat threats effectively while reducing IT costs and meeting compliance requirements.
