The days of multifactor security tokens may be numbered, even as they move beyond hardware form factors. While they are clever solutions, users don’t always like using them, in whatever guise. Tokens get in the way of the actual transaction itself. IT staffs tolerate tokens, but they require a fair amount of programming effort to integrate into existing systems. Tokens also have their limitations and typically address only a single access threat vector. For example, some authentication methods are great at protecting e-commerce connections but don’t handle remote connections to in-house systems or pre-paid debit card exploits.
What is catching on is what is called risk-based authentication, context-aware or adaptive access control. The idea is to base any access decision on a dynamic series of circumstances. These count as the additional authentication factor, rather than relying on a particular set of tokens or pieces of smartphone software. Access to a particular business application goes through a series of trust hurdles, with riskier applications requiring more security, and users don’t necessarily even know that their logins are being vetted more carefully. Moreover, this all happens in real time, just like the typical multifactor methods.
What are the typical ways that this works? Logins to your account are scored based on a series of metrics, including the role you have (such as a network admin), whether you are connecting from a particular country (just as the credit card companies examine their transactions) and whether your transaction or spending patterns have changed. If a user is doing something that doesn’t match his or her history, that becomes a riskier transaction, so that authentication requests and logins can be challenged with an additional authentication measure. Challenging unusual login or transaction patterns creates a barrier that a hacker or fraudster cannot easily circumvent, while not doing the customer the disservice of demanding such authentication in a blanket manner.
Or a system could compare the geo-locations of a series of logins (such as one from a China-based IP address and another from Canada a few minutes later).
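As an added illustration of the scoring just described (example code, not from this post or from any of the vendors mentioned), here is a small risk scorer that combines role, connecting country, impossible travel between consecutive logins and deviation from the user’s spending pattern; the weights, the step-up threshold and the one-hour travel window are assumed policy values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed, hypothetical policy: weights and threshold are illustrative only.
PRIVILEGED_ROLES = {"network_admin"}
STEP_UP_THRESHOLD = 50          # at or above this, demand an extra factor
TRAVEL_WINDOW = timedelta(hours=1)

@dataclass
class Login:
    user: str
    role: str
    country: str
    when: datetime
    amount: float = 0.0         # transaction value in this session, if any

@dataclass
class History:
    usual_countries: set
    recent_amounts: list        # the user's prior transaction amounts
    last_login: Optional[Login] = None

def score_login(login: Login, hist: History):
    """Return (risk score, reasons) for a login given the user's history."""
    score, reasons = 0, []
    if login.role in PRIVILEGED_ROLES:
        score += 20
        reasons.append("privileged role")
    if login.country not in hist.usual_countries:
        score += 30
        reasons.append(f"unusual country {login.country}")
    prev = hist.last_login
    if prev and prev.country != login.country and login.when - prev.when < TRAVEL_WINDOW:
        score += 50
        reasons.append(f"{prev.country} then {login.country} within {TRAVEL_WINDOW}")
    if hist.recent_amounts:
        mean = sum(hist.recent_amounts) / len(hist.recent_amounts)
        if login.amount > 3 * mean:
            score += 30
            reasons.append("amount far above spending pattern")
    return score, reasons

def decide(login: Login, hist: History) -> str:
    """'allow' passes silently; 'step_up' demands an additional factor."""
    score, _ = score_login(login, hist)
    return "step_up" if score >= STEP_UP_THRESHOLD else "allow"
```

A single unusual country alone stays below the threshold, while a privileged role from an unusual country or a login that contradicts the previous one’s location within the window triggers the extra challenge.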
Firewalls and intrusion prevention products have had similar step-up, risk-based rules for years to analyze and block particular network behavior. But now a number of vendors are building risk-based authentication into their security tools, including Symantec’s VIP service, Vasco, RSA, SecureAuth and CA. Expect to see more of them in the near future, as the notion gains traction. I have begun to review these tools on SearchSecurity.com for a series on multifactor authentication.
Finally, if you are interested in having me write or speak on this topic, let me know.