How we perceive RBA as a user
How RBA works from the inside

Risk-Based Authentication is not standardized at the moment. For this reason, several types of RBA algorithms and implementations exist.

Based on our observations we were able to derive three types of conceptual RBA models.

Single-Feature Model

Used by: GOG.com

Single-Feature Model

  • Relies on a single feature only
  • Searches for an exact match of the IP address in the IP address history of the user
  • If there is no such match, additional authentication steps are requested
Advantages Disadvantages
  • Easy to implement
  • Minimum of sensitive data stored

Multi-Features Model

Used by: Google, Amazon, LinkedIn

Multi-Features Model

  • Derives additional features from the IP address
  • These are evaluated together with additional features in a scoring model
  • Multiple types of actions depending on the risk score
Advantages Disadvantages

VIP Model

Used by: Facebook

VIP Model

  • Only protects special users
  • Depending on the user’s status (e.g. important or not important), RBA is active or inactive
Advantages Disadvantages
  • Harder for attackers to gain information about the used RBA implementation
Pages:
How we perceive RBA as a user
How RBA works from the inside