A risk-based authentication model presumes that the risk associated with different application resources and operations has been determined. The United States Office of Management and Budget (OMB) Memorandum M-04-04, “E-Authentication Guidance for Federal Agencies,” defines a model for assessing risk that may be applicable in the consumer space:
The risk from an authentication error is a function of two factors:
1. Potential harm or impact
2. The likelihood of such harm or impact
Categories of harm and impact include:
• Inconvenience, distress, or damage to standing or reputation
• Financial loss or agency liability
• Harm to agency programs or public interests
• Unauthorised release of sensitive information
• Personal safety
• Civil or criminal violations
The risk assessment should be performed by the marketing, security and compliance teams collaborating on the level of risk they’re willing to accept. Once resources have been categorised based on risk, the requisite LoA for each risk category can be decided. Authentication factors and models can then be chosen according to the level of LoA they can satisfy.
Let’s look at an example of a risk analysis. A UK bank implemented a “what you can do when…” model. The bank applied this logic: “When
authenticating with certain mechanism(s), a user can perform the following operations.” The bank assigned strengths (ranging from 0–40) for the different authentication mechanisms they provided their customers.
• A physical card reader combined with a user PIN that generates an OTP was assigned a strength of 40
• A mobile application that can generate OTPs was assigned a strength of 35
• A password was assigned a strength of 20
For each strength, there’s a corresponding list of allowed operations (e.g., check balance, transfer funds, etc.) that can be performed once the customer has authenticated with that mechanism. Other methodologies for performing a risk analysis exist, but the fundamental requirement is mapping possible authentication mechanisms to different application resources.