LOGIN RISK TECHNICAL OVERVIEW
Login Risk Scoring amasses many signals of a login event to provide a numeric score representing the likelihood that a login attempt is not the legitimate account holder. Even when the correct password is provided, organizations cannot be completely confident that it is the real account holder or user behind a login attempt. Organizations can use the score to determine whether or not to allow account access, provide limited account access or capabilities, or to use some form of step-up authentication or check such as Knowledge Based Assessments, security questions, Consumer Alerts, two-factor authentication or other measures.
Key considerations when implementing or buying this functionality include:
What features, techniques and signals are utilized to determine the risk of a given login attempt? This can include Device Identification, Velocity of Use, Velocity of Change, IP Geolocation, Proxy Detection and more.
Does the Login Risk Scoring vendor offer all of the techniques and data points or do some of these need to be provided externally?
Is there ability to leverage third party data integrations and custom data fields into the login risk score?
Is there ability to create custom rules or model features to leverage in the login risk score?
Does the vendor support shared velocities or cross-organizational data to identify a single IP address and/or device that is attempting many high risk login attempts across their client base?
Does the service provide a true score or a binary Pass/Fail response? A range or score makes it possible to respond differently depending on the outcome, such as limiting account access or allowing access with a Consumer Alert rather than simply denying access.
Does the service keep up with the recent data breaches and look for the use of known compromised email and password combinations?
HOW DOES IT WORK?
Organizations will implement one to several lines of code on their web pages where account logins can occur. Information about the login attempt, typically including IP address, device, user account and other information, is sent to the provider. The vendor should leverage data of their own, such as information about email and password combinations compromised in data breaches, and may also utilize cross-client data sharing to detect a known bad actor seen by other client organizations.
The provider uses modeling and/or a rules based approach, and possibly data sharing components as well, to provide back a numeric score indicating the level of risk associated with the login attempt. Typically, the higher the score the higher the risk of the login attempt being an account takeover attempt.
These services are typically set up to make a decision in near-real time. In addition to providing a login risk score, the vendor may provide details of the login attempt such as IP address, past activity of the device and other details.
HOW DO YOU USE THE RESULTS?
Based on the results of a Login Risk Score, the organization can choose to do one of the following:
Allow the user to login without any restrictions. This implies you believe the user is legitimate and there was a low login risk score.
Prevent the user from logging in. The organization may also choose to notify the user and/or force a password reset. This would be in response to a high Login Risk Score and implies the login attempt is high risk and likely to be an account takeover.
Allow the user to login but restrict what they are able to do while logged in during this session. This applies to medium Login Risk Score attempts. In the event it is the real user, the organization does not want to introduce friction, but also wants to limit potential risk. Restrictions can include requiring the user to re-enter payment card details rather than use stored payment credentials, allowing access to check balances but not make any transfers, and not allowing account changes such as providing a new email address or changing the password. It may be that a form of step-up authentication is introduced should the user attempt a restricted action.
Present a form of step-up authentication or additional protection layers. This can apply to medium-low or medium-high Login Risk Score attempts, with different step-up measures leveraged based on the level of perceived risk. For lower risk login attempts where there is some suspicion, it may be that the organization chooses just to send a Consumer Alert. For low-to-medium risk login attempts an organization may want to require the user to answer security questions. The level and type of step-up measures is also contingent on the type of organization. Banks, for example, have a lot more sensitive information to protect behind a login. Banks, social media companies and other organizations may require the user to pass two-factor authentication (2FA) or complete a Knowledge Based Assessment (KBA).
DID YOU KNOW
Login Risk Scoring vendors use proprietary models, rules and/or other systems to assess the level of risk associated with a user login attempt.
Allowing any user to login simply by providing their correct password just doesn't cut it anymore. Data breaches are a seemingly daily occurrence, and the amount of login credentials for sale on the darkweb is astounding. Not only are compromised login credentials widely available, but they are inexpensive. Fraudsters will pay more for banking credentials, with a cost that is correlated with account balances, but there are also email and password combinations sold in bulk for fractions of a cent.
This puts organizations in a predicament. Limiting friction and providing a strong user experience must be balanced with protecting the information and/or funds behind a user's account. Login Risk Scoring provides an economical way to include a variety of techniques and risk checks while providing a numeric response that indicates the level of risk associated with the combination of all high and low risk signals measured.
Organizations can use the Login Risk Scoring results to determine how to handle an account login event, and this doesn't have to be a binary decision. Users can be allowed to login to an account but not given full access. Users can be allowed to login but simultaneously sent an email or SMS text message validating it is them.
For higher risk login attempts, organizations can simply deny access and potentially blacklist a known bad data point. Alternatively, they can implement various step-up authentication measures to validate the user. This strikes a balance where not all users are subject to two-factor authentication or security questions on every login attempt, but the organization can present these additional hurdles when deemed necessary.
KEY NOTES
Alternative Solutions - Some modeling and analytics service providers offer capabilities to apply risk models at login events.
Building this In-House - Organizations could use a rules or modeling based scoring system to apply a series of techniques and derive risk signals from the login event.
Estimated Cost - Services are typically charged on a per login attempt basis, or every time a score is provided. Cost per event is tiered to volume, and may include a set number of score responses per month at a given base cost.
Sample Vendors - Deduce, Kount
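As an added example of the in-house, rules-based approach noted above, and of the tiered handling of results described under HOW DO YOU USE THE RESULTS, here is a minimal scorer that combines the signals named on this page (compromised credentials, device identification, proxy detection, IP geolocation change, shared IP velocity and per-account velocity of use) into a 0-100 score and maps it to a non-binary decision. This is illustrative code written for this overview, not any vendor's model; the weights, thresholds, window and all sample data are constructed.

```python
from collections import defaultdict
# Constructed weights for a rules-based scorer; hypothetical, not any vendor's model.
WEIGHTS = {
    "breached_credentials": 50,  # email/password pair present in a known breach dump
    "new_device": 20,            # device identifier never seen on this account
    "proxy": 15,                 # IP flagged by proxy detection
    "geo_change": 15,            # IP geolocation country differs from the previous login
    "ip_velocity": 25,           # one IP hitting many accounts (shared velocity)
    "account_velocity": 15,      # many attempts against one account (velocity of use)
}
VELOCITY_WINDOW = 600   # seconds; velocity rules look back this far
VELOCITY_LIMIT = 5      # hits inside the window before a velocity rule fires

class LoginRiskScorer:
    def __init__(self, breached_pairs, proxy_ips):
        self.breached_pairs = set(breached_pairs)   # {(account, password_hash)}
        self.proxy_ips = set(proxy_ips)
        self.known_devices = defaultdict(set)       # account -> device ids seen
        self.last_country = {}                      # account -> country of last login
        self.ip_hits = defaultdict(list)            # ip -> [(ts, account)]
        self.account_hits = defaultdict(list)       # account -> [ts]

    def score(self, account, pw_hash, device_id, ip, country, ts):
        """Return (score 0-100, fired rules) for one login event; higher is riskier."""
        self.ip_hits[ip].append((ts, account))
        self.account_hits[account].append(ts)
        recent_accts = {a for t, a in self.ip_hits[ip] if ts - t <= VELOCITY_WINDOW}
        recent_tries = [t for t in self.account_hits[account] if ts - t <= VELOCITY_WINDOW]
        fired = []
        if (account, pw_hash) in self.breached_pairs: fired.append("breached_credentials")
        if device_id not in self.known_devices[account]: fired.append("new_device")
        if ip in self.proxy_ips: fired.append("proxy")
        if self.last_country.get(account, country) != country: fired.append("geo_change")
        if len(recent_accts) >= VELOCITY_LIMIT: fired.append("ip_velocity")
        if len(recent_tries) >= VELOCITY_LIMIT: fired.append("account_velocity")
        return min(100, sum(WEIGHTS[r] for r in fired)), fired

    def record_success(self, account, device_id, country):
        """Call after an allowed login so the device and location count as known."""
        self.known_devices[account].add(device_id)
        self.last_country[account] = country

def decide(score):
    """Map the score onto the tiered responses: not a binary pass/fail."""
    if score < 20: return "allow"
    if score < 40: return "allow_with_consumer_alert"
    if score < 60: return "restricted_session"      # e.g. view balances, no transfers
    if score < 80: return "step_up_2fa"
    return "deny_and_force_password_reset"
```

A known device from the usual country scores 0 and is allowed, a breached password from a new device behind a proxy in a new country reaches 100 and is denied, and one IP cycling through five accounts trips the shared-velocity rule even though no single signal is decisive.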