12 risk-based authentication tools compared

Risk-based authentication tools have become more sophisticated and popular as companies transition away from dependence on password protection.


Risk-based authentication (RBA), also called adaptive authentication, has come of age, and it couldn’t happen fast enough for many corporate security managers. As phishing and account takeovers have blossomed under the pandemic, RBA can become a key technology to protect corporate assets, particularly as remote work is more the rule than the exception.

What is risk-based authentication?

RBA is all about examining “signals,” as the vendors refer to the various observations they make in near-real-time as a user moves through the login process or when a customer buys something online. It creates a risk profile of the person or device requesting access to the system. That profile is based on factors or signals including IP geolocation, user behavior, keystroke patterns, and connection type. These factors may change depending on specific threat factors, and this can require ongoing management of risk profiles.

The changing risk-based authentication market

A lot of corporate M&A has occurred in the authentication space since Experian bought 41st Parameter in 2013:

  • Equifax bought Kount
  • Lexis/Nexis Risk Solutions bought ThreatMetrix
  • Transunion bought Iovation
  • Quest Software bought OneLogin (and now owns OneIdentity)
  • Vasco rebranded as OneSpan
  • RSA split off Fraud Manager to Outseer
  • Easy Solutions is now part of Appgate
  • Ping Identity bought SecureTouch

Behind all this activity, RBA has split into two and a half major markets: transactions/fraud prevention and enterprise authentications. The “half” could be considered the passwordless branding that some vendors are using. While this last use case isn’t a full adaptive/step-up authentication, the notion of combining a series of authentication factors helps drive a full RBA adoption.

Note that some of these mergers involve the major credit bureaus. That shows how quickly RBA has grown from some wonky infosec tech into the mainstream.

Authentication trends driving RBA adoption

Multi-factor authentication becoming the norm

Google made multi-factor authentication (MFA) mandatory last October across its own accounts and has seen a rapid adoption and a just as rapid decrease in phishing and account compromises. This has helped drive higher RBA adoption, too, because you need MFA in place before you can roll out RBA. Two other core technologies that are seeing more traction include more adoption of both FIDOv2 and OpenID Connect standards. They have both come a long way and are mostly now accepted and well implemented across all five endpoint operating systems (Windows, MacOS, Linux, Android and iOS).

Concern over use of biometric data

Thanks to the EU’s GDPR and its global equivalents, there is a growing sensitivity about how security tools leverage biometric data, where this data is stored, and how it traverses the authentication infrastructure. Witness the recent blowback from the IRS’s use of facial recognition software as a prime example of what not to do. Having RBA can help control how these biometric factors are consumed by your security apparatus.

Threats becoming more sophisticated

RBA will continue to be useful in fighting the latest sophisticated threats. One such example is the growing popularity of installment payments.

Increased adoption of EMV 3-D Secure

Payment vendors have continued to develop the EMV 3-D Secure (3DS) standard, which incorporates RBA methods to fight transaction fraud. A few RBA vendors have begun to incorporate this standard in their toolsets. The payment and credit vendors -- including Mastercard’s NuData Security business -- now have access to a huge corpus of billions of transactions that they can use as early warnings of fraud to apply the step-up challenges. (NuData partners include both Thales and Entersekt.)

Risk-based authentication products

We spoke with the following vendors:

  • Appgate RBA
  • Cisco/Duo Security
  • Entersekt Authentication
  • iProov
  • Lexis/Nexis Risk Solutions
  • Okta, who offers its own and Auth0 product lines
  • OneLogin by One Identity/Quest
  • OneSpan Intelligent Adaptive Authentication
  • Outseer Fraud Manager
  • PingID, which offers a series of products
  • Silverfort
  • Thales Safenet Trusted Access

Other vendors in this space, including Iovation, Kount, IBM Security’s Verify Access, HID’s Global Risk Management, SecureAuth and Transmit Security, did not respond to multiple requests.

RBA pricing

Most RBA vendors are coy about pricing. There are two general approaches: One scheme is used for transactional or fraud detection business and another for what is sometimes called the workforce -- the traditional per-end-user authentication business.

Three notable exceptions are worthy of your attention: Duo, Ping and Okta. Duo has the best pricing page, laying out the various pricing tiers and the features available in each in a clear and informative manner. Ping has finally made its pricing public, and Okta has pricing pages for both its Okta and Auth0 business units. Many vendors offer free trials of their most capable plans and some, like Duo and Auth0, have forever-free plans -- but with limited features that don’t include any RBA support.

Appgate RBA

Appgate purchased the RBA software line from Easy Solutions in October 2021 and has added advanced behavioral biometrics that bring near-real-time decision making and a more complete API. The product temporarily stores biometric information on an Appgate server when needed to verify a user’s login but then deletes the data.

Appgate has added the workforce RBA to augment the older Easy Solutions transaction RBA. While Appgate is now a FIDO member, it hasn’t yet added support. The company has transaction pricing and says a mid-sized organization with about 6 million logins per year would pay a fixed fee of $10,000, with surcharges for additional transactions. They don’t have their own identity provider but support Active Directory, Google, Salesforce, SugarCRM, and others through SAML and Radius connections.

Cisco/Duo Security

Since being purchased by Cisco several years ago, Duo has continued to enhance its authentication offerings and has a fully featured collection of authentication tools. Some are available with its Access tier, but you probably want to consider the Beyond plan tier for the full set.

While its span of authentication features is granular and deep, managing the RBA processes and policies isn’t as adept as it could be. For example, you can track user location, device hardware fingerprint, behavioral factors, apps being run and lots more. However, crafting the best action from these various signals can take some effort. Any biometric data is encrypted and stored in the endpoint secure enclave.

Duo supports a variety of identity providers including Okta, Google and Active Directory. It also supports the FIDOv2 standards and devices and is a key player in the shared signals working group of OpenID. As I mentioned earlier, Duo’s pricing is transparent and useful and should be a model for vendors that are still hiding their fee structure. The company processes billions of monthly transactions.

Entersekt Authentication

Entersekt is based in Cape Town, South Africa, and has been providing mostly financial services transaction security for the past decade. It has recently branched out into the workforce user authentication market. Entersekt doesn’t have its own identity provider but supports others through SAML and OAuth. It works with the endpoint secure hardware enclave to store private encryption keys and to detect jailbreaks and harmful apps installed on the phone.

Entersekt scores risk signals including location, fingerprinted hardware, and the NuData Security transaction corpus to build a risk profile for each transaction. It supports FIDO devices and standards. Entersekt offers both transaction and per-user pricing.

iProov

iProov is another decade-old security vendor that offers SDKs for developers rather than a turn-key application suite. Its network handles hundreds of thousands of daily transactions. iProov doesn’t store private data other than for a brief time to check a user’s initial login. Customers can specify a range from 12 hours to a month for the life of this temporary data storage.

iProov supports identity providers including ID.me, Ping Identity and Jumio.com. It offers both transaction and per-user pricing. iProov is involved in an interesting trial at London’s St. Pancras train station where passengers just need to have their face scanned to board Eurostar trains.

Lexis/Nexis Risk Solutions

The company acquired ThreatMetrix in 2018 and has since built a sophisticated RBA business, offering a line of mobile SDKs and Java-based tools that are now found in just about every large bank and most of the major insurance carriers. Lexis/Nexis Risk Solutions uses its large corpus (the company processes more than 270 million hourly transactions across more than 8.5 billion devices) to detect transaction fraud and provide signals for identity verification.

It offers three different levels of endpoint identification: the ExactID based on cookies, the SmartID based on Java and the StrongID system using cryptographic signatures with a private key stored in the phone or desktop’s secure enclave. It supports the latest EMV 3DS protocols. Lexis/Nexis offers transaction pricing.

Okta

Okta offers two product lines. First is Auth0’s Adaptive MFA. Auth0 has a well-developed collection of risk signals, including “impossible travel” (where multiple logins happen in near succession from far-apart locations), known bad IP addresses, bot detection, and breached password detection through its separate attack protection and Credential Guard services, which are available to Enterprise plans. Pricing is transparent, with a forever-free plan and others that start at $23/month (based on transactions rather than per user). Any RBA/MFA features are only available on the Enterprise plan at an additional cost.
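The signal scoring described here, and in the definition of RBA at the top of the article, as an added Python example that is not code from Okta, Auth0 or any other vendor on this page; the signal weights, the 900 km/h impossible-travel threshold and the allow/step-up/deny cut-offs are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

# Constructed model of an adaptive-authentication decision: each login
# attempt carries signals (geolocation, device fingerprint, connection
# type, recent failed passwords); they are combined into a risk score and
# mapped to an action. Weights and thresholds below are assumptions.

@dataclass
class LoginAttempt:
    user: str
    ts: float           # Unix seconds
    lat: float
    lon: float
    device_id: str      # hardware fingerprint from the endpoint
    via_tor_or_vpn: bool
    recent_failures: int

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def impossible_travel(prev, cur, max_kmh=900.0):
    """True if the user would have had to move faster than an airliner
    between the previous login location and this one (assumed threshold)."""
    hours = (cur.ts - prev.ts) / 3600.0
    if hours <= 0:          # same instant or out-of-order timestamps
        return True
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours > max_kmh

def risk_score(prev, cur, known_devices):
    """Combine signals into a score; prev is None for a first-ever login."""
    score = 0
    if prev is not None and impossible_travel(prev, cur):
        score += 50
    if cur.device_id not in known_devices:
        score += 20
    if cur.via_tor_or_vpn:
        score += 15
    score += min(cur.recent_failures, 5) * 5
    return score

def decide(score):
    """Map the score to the step-up action (cut-offs are assumptions)."""
    if score >= 60:
        return "deny"
    if score >= 20:
        return "step-up"
    return "allow"
```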

Okta’s own product line includes its MFA tool, a large collection of authentication policies for 7,000 different products, and a large collection of API references for different programming languages and frameworks. Okta’s Risk Ecosystem API augments its built-in risk scoring system by ingesting external risk signals from third-party solutions, including bot detection and web application firewall providers Fastly, HUMAN, F5 Networks, and PerimeterX. Okta’s FastPass passwordless product works with its single sign-on product.

The company also has a transparent pricing page that provides workforce plans that start at $5/user/month for RBA. Add $6/user/month for Adaptive MFA, and there are other extra-cost features. A separate pricing scheme for transactions starts at $36,000/year for enterprise-grade plans.

OneLogin by One Identity/Quest

OneLogin is now the access management component of One Identity’s solutions, which span situations including privileged access and Active Directory connectors. The OneLogin RBA features are supplied by its Vigilance AI dynamic risk engine, which scores each authentication attempt and assigns the appropriate action and login flows. The product also offers dynamic Smart Factor Authentication and checks for compromised credentials to prevent users from reusing passwords or choosing ones exposed in a previous breach.

OneLogin doesn’t store any biometric data and supports on-device hardware fingerprinting. FIDO2/WebAuthn standards as an additional MFA (including using Yubico keys, FaceID and Windows Hello) are supported and are stored in the secure endpoint enclave. OneLogin can synchronize its own IDP as well as Google Workspace, AD, Azure AD, LDAP and others. Pricing ranges from $2-$6 per user per month for workplace users and transaction pricing for its fraud/transaction product line is also available.

OneSpan Intelligent Adaptive Authentication

The OneSpan product has been delivering RBA solutions for many years and now supports both the user authentication and transaction markets. Its own Cronto hardware token, which provides an encrypted channel for transactions, was an early FIDO adopter, and it incorporates behavioral methods. OneSpan also has an integrated e-signature product and its own government ID verification applications. It covers a variety of MFA methods and token form factors and provides both SSO and RBA with a large collection of pre-configured rules and policies.

One place you should examine is its demo “My Bank” online application, where you can freely get to play around with its interface and see how the product works. OneSpan did not reveal pricing.

Outseer Fraud Manager

Outseer is the repository of RSA’s legacy fraud analytics business unit that primarily targets financial institutions. (RSA’s SecurID unit has its own RBA version based on similar technology.) It comes in either on-premises or cloud-based versions and can obtain signals from other behavior- and location-based third parties. One of the new modules can protect against fraud in installment “buy now, pay later” transactions, while another supports the latest EMV 3DS standard. The vendor also offers a FraudAction intelligence service.

PingID PingOne
