Risk-Based Authentication (RBA)
What is Risk-Based Authentication (RBA)?
Risk-Based Authentication (RBA): An authentication strategy that computes a real-time risk score for each sign-in and varies the response — allow, challenge, or block — based on that score.
Risk-based authentication scores every authentication attempt using contextual signals: device fingerprint, IP reputation, ASN, geolocation, time of day, prior user behavior, threat intelligence, and known leaked credentials. Low-risk attempts pass with a passkey or password; medium-risk attempts trigger MFA or step-up; high-risk attempts are blocked or quarantined. Microsoft Entra ID Protection, Okta ThreatInsight, Ping Risk Engine, IBM Trusteer Pinpoint, and Auth0 Adaptive MFA all implement RBA. NIST SP 800-63B endorses risk-driven choice of authenticators, and academic work since Williamson's 'Enhanced Authentication in Online Banking' (2007) has established the discipline. Effective RBA pairs supervised models with explainable rules so that auditors and operations teams can investigate every decision.
● Examples
- 01: Entra ID Protection escalating to MFA only when the sign-in risk is medium or high.
- 02: A banking site that blocks logins from a newly seen device combined with a high IP risk score.
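The allow/challenge/block tiers described above, and the new-device-plus-risky-IP block of example 02, as a small rule-based scoring engine. This is an added illustration, not code from the page or from any of the products it names; the SignIn fields, rule weights and thresholds are assumptions chosen to keep every decision explainable.

```python
from dataclasses import dataclass

@dataclass
class SignIn:
    """Contextual signals for one sign-in attempt (constructed schema, not a vendor API)."""
    user: str
    device_known: bool          # device fingerprint previously seen for this user
    ip_risk: int                # 0-100 reputation score from an IP threat feed
    hosting_asn: bool           # source ASN is a hosting / anonymising provider
    km_from_last: float         # distance from the previous successful sign-in
    hours_since_last: float     # time elapsed since that sign-in
    local_hour: int             # hour of day in the user's usual time zone
    credential_leaked: bool     # password appears in a known breach corpus

# Explainable rules: each yields (points, reason) when it fires. The weights are
# illustrative assumptions; a production engine would tune or learn them.
def rules(s: SignIn):
    if s.credential_leaked:
        yield 40, "password present in known leaked-credential set"
    if not s.device_known:
        yield 30, "unrecognised device fingerprint"
    if s.ip_risk >= 70:
        yield 35, f"high IP reputation score ({s.ip_risk})"
    if s.hosting_asn:
        yield 10, "source ASN is a hosting or anonymising provider"
    # Guard against a zero interval so a replayed or same-second attempt cannot crash scoring.
    if s.hours_since_last > 0 and s.km_from_last / s.hours_since_last > 900:
        yield 35, "impossible travel since previous sign-in"
    if s.local_hour < 6:
        yield 5, "sign-in outside the user's usual hours"

def decide(s: SignIn) -> dict:
    """Return allow / challenge / block together with the reasons, for audit trails."""
    fired = list(rules(s))
    score = min(sum(points for points, _ in fired), 100)   # cap at 100
    if score >= 60:
        action = "block"
    elif score >= 25:
        action = "challenge"   # step-up: MFA or passkey re-verification
    else:
        action = "allow"
    return {"user": s.user, "score": score, "action": action,
            "reasons": [reason for _, reason in fired]}

if __name__ == "__main__":
    # Constructed sample attempts: a routine sign-in and example 02's new device + risky IP
    routine = SignIn("alice", True, 10, False, 4, 9, 10, False)
    new_device_bad_ip = SignIn("alice", False, 85, False, 4, 9, 10, False)
    for attempt in (routine, new_device_bad_ip):
        print(decide(attempt))
```

The reasons list is what lets an operations team or auditor reconstruct why a given sign-in was challenged or blocked, which is the explainability the definition calls for.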
● Frequently asked questions
What is Risk-Based Authentication (RBA)?
An authentication strategy that computes a real-time risk score for each sign-in and varies the response — allow, challenge, or block — based on that score. It belongs to the Identity & Access category of cybersecurity.
What does Risk-Based Authentication (RBA) mean?
An authentication strategy that computes a real-time risk score for each sign-in and varies the response — allow, challenge, or block — based on that score.
How does Risk-Based Authentication (RBA) work?
Risk-based authentication scores every authentication attempt using contextual signals: device fingerprint, IP reputation, ASN, geolocation, time of day, prior user behavior, threat intelligence, and known leaked credentials. Low-risk attempts pass with a passkey or password; medium-risk attempts trigger MFA or step-up; high-risk attempts are blocked or quarantined. Microsoft Entra ID Protection, Okta ThreatInsight, Ping Risk Engine, IBM Trusteer Pinpoint, and Auth0 Adaptive MFA all implement RBA. NIST SP 800-63B endorses risk-driven choice of authenticators, and academic work since Williamson's 'Enhanced Authentication in Online Banking' (2007) has established the discipline. Effective RBA pairs supervised models with explainable rules so that auditors and operations teams can investigate every decision.
How is Risk-Based Authentication (RBA) deployed as a defence?
RBA deployments typically combine technical controls (the risk engine, its signals, and the step-up or blocking responses) with operational practices (tuning, monitoring, and investigating decisions), as detailed in the full definition above.
What are other names for Risk-Based Authentication (RBA)?
Common alternative names include: RBA, Risk-aware authentication.
● Related terms
- Adaptive Authentication (identity-access, № 015): An authentication approach that adjusts the strength and number of factors required in real time based on signals such as device, location, and behavior.
- Step-Up Authentication (identity-access, № 1103): A pattern that requires additional or stronger authentication factors when a user attempts a higher-risk operation than their current session was originally authorized for.
- Continuous Authentication (identity-access, № 216): An approach that keeps validating a user's identity throughout the session — using behavioral and device signals — rather than authenticating only once at login.
- Multi-Factor Authentication (MFA) (identity-access, № 708): An authentication method that requires two or more independent factors — typically from different categories — before granting access.
- Impossible Travel Detection (identity-access, № 519): A detection that flags successive sign-ins from geographic locations too far apart to be reached by any plausible travel within the elapsed time.
- UEBA (User and Entity Behavior Analytics) (defense-ops, № 1189): A detection technology that profiles normal behavior of users and entities, then surfaces statistical or machine-learning anomalies that may indicate compromise or insider risk.
● See also
- Account Lockout (№ 009)