12 risk-based authentication tools compared

Feature
Mar 01, 2022, 13 mins
Access Control, Authentication

Risk-based authentication tools have become more sophisticated and popular as companies transition away from dependence on password protection.


Risk-based authentication (RBA), also called adaptive authentication, has come of age, and it couldn’t happen fast enough for many corporate security managers. As phishing and account takeovers have blossomed under the pandemic, RBA can become a key technology to protect corporate assets, particularly as remote work is more the rule than the exception.

What is risk-based authentication?

RBA is all about examining “signals,” as the vendors refer to the various observations they make in near-real time as a user moves through the login process or when a customer buys something online. It creates a risk profile of the person or device requesting access to the system. That profile is based on factors or signals including IP geolocation, user behavior, keystroke patterns, and connection type. These factors may change depending on specific threat factors, and this could require ongoing management of risk profiles.
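To make the signal-to-action flow above concrete, here is an added example (not any vendor's engine and not from the original article) of a minimal risk engine: a stored user profile, the signals observed at login time, additive weights per signal, and thresholds that map the score to allow, step-up or deny. The weights, thresholds, the 40% keystroke-timing tolerance and the sample profile are all constructed for illustration.

```python
from dataclasses import dataclass

# Added illustration of risk-based authentication scoring.
# Weights, thresholds and the sample data below are constructed, not a vendor's.


@dataclass
class UserProfile:
    user_id: str
    usual_countries: set          # countries seen in previous successful logins
    known_devices: set            # device fingerprints previously enrolled
    typical_keystroke_ms: float   # mean inter-key interval measured at enrollment


@dataclass
class LoginSignals:
    country: str                  # from IP geolocation
    device_fingerprint: str
    connection_type: str          # "residential", "corporate", "vpn", "tor", "datacenter"
    keystroke_ms: float           # inter-key interval measured during this login
    ip_on_blocklist: bool = False # external threat-intel feed (constructed)


# Constructed weights: how much each signal raises the risk score.
WEIGHTS = {
    "unusual_country": 30,
    "unknown_device": 25,
    "anonymizing_connection": 20,
    "keystroke_anomaly": 15,
    "blocklisted_ip": 50,
}

STEP_UP_THRESHOLD = 25   # at or above: require an additional factor
DENY_THRESHOLD = 60      # at or above: refuse the login outright


def score_login(profile: UserProfile, signals: LoginSignals):
    """Return (score, reasons) for one login attempt against the user's profile."""
    reasons = []
    if signals.country not in profile.usual_countries:
        reasons.append("unusual_country")
    if signals.device_fingerprint not in profile.known_devices:
        reasons.append("unknown_device")
    if signals.connection_type in {"vpn", "tor", "datacenter"}:
        reasons.append("anonymizing_connection")
    # Keystroke timing more than 40% away from the enrollment baseline.
    deviation = abs(signals.keystroke_ms - profile.typical_keystroke_ms) / profile.typical_keystroke_ms
    if deviation > 0.4:
        reasons.append("keystroke_anomaly")
    if signals.ip_on_blocklist:
        reasons.append("blocklisted_ip")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score: int) -> str:
    """Map a risk score to the authentication action."""
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def evaluate(profile: UserProfile, signals: LoginSignals) -> dict:
    score, reasons = score_login(profile, signals)
    return {"score": score, "action": decide(score), "reasons": reasons}


# Constructed sample profile and three login attempts.
ALICE = UserProfile("alice", {"US"}, {"fp-laptop-01"}, 120.0)
ATTEMPTS = [
    LoginSignals("US", "fp-laptop-01", "corporate", 125.0),          # normal day at the office
    LoginSignals("DE", "fp-laptop-01", "residential", 118.0),        # known laptop, travelling
    LoginSignals("NG", "fp-unknown-77", "tor", 210.0),               # new device, Tor, odd typing
]

if __name__ == "__main__":
    for attempt in ATTEMPTS:
        print(evaluate(ALICE, attempt))
```

The point of the thresholds is the middle band: an unusual country alone is not proof of compromise, so it triggers a step-up challenge rather than a denial, while several independent signals stacking up crosses into deny. In practice the weights are the part that needs ongoing tuning as threat patterns change, which is the "ongoing management of risk profiles" the paragraph above refers to.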

The changing risk-based authentication market

A lot of corporate M&A has occurred in the authentication space since Experian bought 41st Parameter in 2013:

  • Equifax bought Kount
  • Lexis/Nexis Risk Solutions bought ThreatMetrix
  • Transunion bought Iovation
  • Quest Software bought OneLogin (and now owns OneIdentity)
  • Vasco rebranded as OneSpan
  • RSA split off Fraud Manager to Outseer
  • Easy Solutions is now part of Appgate
  • Ping Identity bought SecureTouch

Behind all this activity, RBA has split into two and a half major markets: transactions/fraud prevention and enterprise authentications. The “half” could be considered the passwordless branding that some vendors are using. While this last use case isn’t a full adaptive/step-up authentication, the notion of combining a series of authentication factors helps drive a full RBA adoption.

Note that some of these mergers involve the major credit bureaus. That shows how quickly RBA has grown from some wonky infosec tech into the mainstream.

Multi-factor authentication becoming the norm

Google made multi-factor authentication (MFA) mandatory last October across its own accounts and has seen a rapid adoption and a just as rapid decrease in phishing and account compromises. This has helped drive higher RBA adoption, too, because you need MFA in place before you can roll out RBA. Two other core technologies that are seeing more traction include more adoption of both FIDOv2 and OpenID Connect standards. They have both come a long way and are mostly now accepted and well implemented across all five endpoint operating systems (Windows, MacOS, Linux, Android and iOS).

Concern over use of biometric data

Thanks to the EU’s GDPR and its global equivalents, there is a growing sensitivity about how security tools leverage biometric data, where this data is stored, and how it traverses the authentication infrastructure. Witness the recent blowback from the IRS’s use of facial recognition software as a prime example of what not to do. Having RBA can help control how these biometric factors are consumed by your security apparatus.

Threats becoming more sophisticated

RBA will continue to be useful in fighting the latest sophisticated threats. One such example is the growing popularity of installment payments.

Increased adoption of EMV 3-D Secure

Payment vendors have continued to develop the EMV 3-D Secure (3DS) standard, which incorporates RBA methods to fight transaction fraud. A few RBA vendors have begun to incorporate this standard in their toolsets. The payment and credit vendors — including Mastercard’s NuData Security business — now have access to a huge corpus of billions of transactions that they can use as early warnings of fraud to apply the step-up challenges. (NuData partners include both Thales and Entersekt.)

Risk-based authentication products

We spoke with the following vendors:

  • Appgate RBA
  • Cisco/Duo Security
  • Entersekt Authentication
  • iProov
  • Lexis/Nexis Risk Solutions
  • Okta, who offers its own and Auth0 product lines
  • OneLogin by One Identity/Quest
  • OneSpan Intelligent Adaptive Authentication
  • Outseer Fraud Manager
  • PingID, which offers a series of products
  • Silverfort
  • Thales Safenet Trusted Access

Other vendors in this space, including Iovation, Kount, IBM Security's Verify Access, HID's Global Risk Management, SecureAuth and Transmit Security, did not respond to multiple requests.

RBA pricing

Most RBA vendors are coy about pricing. There are two general approaches: One scheme is used for transactional or fraud detection business and another for what is sometimes called the workforce — the traditional per-end-user authentication business.

Three notable exceptions are worthy of your attention: Duo, Ping and Okta. Duo has the best pricing page, laying out the various pricing tiers and the features available in each in a clear and informative manner. Ping has finally made its pricing public, and Okta has pricing pages for both its Okta and Auth0 business units. Many vendors offer free trials of their most capable plans and some, like Duo and Auth0, have forever-free plans — but with limited features that don’t include any RBA support.

Appgate RBA

Appgate purchased the RBA software line from Easy Solutions in October 2021 and has added advanced behavioral biometrics that bring near-real-time decision making and a more complete API. The product temporarily stores biometric information on an Appgate server when needed to verify a user's login but then deletes the data.

Appgate has added workforce RBA to augment the older Easy Solutions transaction RBA. While Appgate is now a FIDO member, it hasn't yet added support. The company has transaction pricing and says a mid-sized organization with about 6 million logins per year would pay a fixed fee of $10,000, with surcharges for additional transactions. Appgate doesn't have its own identity provider but supports Active Directory, Google, Salesforce, SugarCRM, and others through SAML and Radius connections.

Cisco/Duo Security

Since being purchased by Cisco several years ago, Duo has continued to enhance its authentication offerings and has a fully featured collection of authentication tools. Some are available with its Access tier, but you probably want to consider the Beyond plan tier for the full set.

While its span of authentication features is granular and deep, managing the RBA processes and policies isn’t as adept as it could be. For example, you can track user location, device hardware fingerprint, behavioral factors, apps being run and lots more. However, crafting the best action from these various signals can take some effort. Any biometric data is encrypted and stored in the endpoint secure enclave.

Duo supports a variety of identity providers including Okta, Google and Active Directory. It also supports the FIDOv2 standards and devices and is a key player in the shared signals working group of OpenID. As I mentioned earlier, Duo’s pricing is transparent and useful and should be a model for vendors that are still hiding their fee structure. The company processes billions of monthly transactions.

Entersekt Authentication

Entersekt is based in Cape Town, South Africa, and has been providing mostly financial services transaction security for the past decade. It has recently branched out into the workforce user authentication market. Entersekt doesn't have its own identity provider but supports others through SAML and OAuth. It works with the endpoint's secure hardware enclave to store private encryption keys and to detect jailbreaks and harmful apps installed on the phone.

Entersekt scores risk signals including location, fingerprinted hardware, and the NuData Security transaction corpus to build a risk profile for each transaction. It supports FIDO devices and standards. Entersekt offers both transaction and per-user pricing.

iProov

iProov is another decade-old security vendor that offers SDKs for developers rather than a turn-key application suite. Its network handles hundreds of thousands of daily transactions. iProov doesn’t store private data other than for a brief time to check a user’s initial login. Customers can specify a range from 12 hours to a month for the life of this temporary data storage.

iProov supports identity providers including ID.me, Ping Identity and Jumio.com. It offers both transaction and per-user pricing. iProov is involved in an interesting trial at London’s St. Pancras train station where passengers just need to have their face scanned to board Eurostar trains.

Lexis/Nexis Risk Solutions

The company acquired ThreatMetrix in 2018 and has since built a sophisticated RBA business, offering a line of mobile SDKs and Java-based tools that are now found in just about every large bank and most of the major insurance carriers. Lexis/Nexis Risk Solutions uses its large corpus (the company processes more than 270 million hourly transactions across more than 8.5 billion devices) to detect transaction fraud and provide signals for identity verification.

It offers three different levels of endpoint identification: the ExactID based on cookies, the SmartID based on Java and the StrongID system using cryptographic signatures with a private key stored in the phone or desktop’s secure enclave. It supports the latest EMV 3DS protocols. Lexis/Nexis offers transaction pricing.

Okta

Okta offers two product lines. The first is Auth0's Adaptive MFA. Auth0 has a well-developed collection of risk signals, including "impossible travel" (where multiple logins happen in near succession from far-apart locations), known bad IP addresses, bot detection, and breached password detection through its separate attack protection and Credential Guard services, which are available to Enterprise plans. Pricing is transparent, with a forever-free plan and others that start at $23/month (priced by transactions rather than per user). Any RBA/MFA features are only available on the Enterprise plan at an additional cost.
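The "impossible travel" signal mentioned above is easy to compute from two consecutive logins: the great-circle distance between the two geolocated IPs divided by the elapsed time gives an implied speed, and anything faster than an airliner cannot be the same person. The following is an added example, not Auth0's or any other vendor's code; the 1,000 km/h ceiling, the earth radius and the sample login records are assumptions constructed for the illustration.

```python
import math
from datetime import datetime, timezone

# Added illustration of impossible-travel detection between consecutive logins.
# Constants and sample data are constructed; this is not a vendor's implementation.

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: roughly airliner cruise speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def implied_speed_kmh(prev, cur):
    """Speed the user would have needed to travel from prev to cur."""
    dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    hours = (cur["time"] - prev["time"]).total_seconds() / 3600
    if hours <= 0:
        # Same timestamp (or clock skew) from two different places is still impossible;
        # same place at the same time is simply a duplicate event.
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def is_impossible_travel(prev, cur, max_kmh=MAX_PLAUSIBLE_KMH):
    return implied_speed_kmh(prev, cur) > max_kmh


def scan_logins(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return indices of logins that are impossible relative to the one before them."""
    flagged = []
    for i in range(1, len(logins)):
        if is_impossible_travel(logins[i - 1], logins[i], max_kmh):
            flagged.append(i)
    return flagged


def ts(h, m):
    # constructed helper: a UTC timestamp on a fixed sample day
    return datetime(2022, 3, 1, h, m, tzinfo=timezone.utc)


# Constructed sequence of successful logins for one user (geolocated from IP).
LOGINS = [
    {"time": ts(9, 0),   "lat": 40.7128, "lon": -74.0060, "city": "New York"},
    {"time": ts(11, 0),  "lat": 42.3601, "lon": -71.0589, "city": "Boston"},     # ~306 km in 2 h: fine
    {"time": ts(11, 30), "lat": 51.5074, "lon": -0.1278,  "city": "London"},     # ~5,265 km in 30 min: impossible
]

if __name__ == "__main__":
    for i in scan_logins(LOGINS):
        print(f"login #{i} ({LOGINS[i]['city']}) flagged: "
              f"{implied_speed_kmh(LOGINS[i-1], LOGINS[i]):.0f} km/h implied")
```

In a real engine this signal feeds a step-up challenge rather than an outright block: a user whose traffic egresses from a corporate VPN concentrator on another continent will trip it legitimately, so the IP geolocation of known VPN or cloud ranges should be treated as a separate signal rather than as the user's physical location.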

Okta's own product line includes its MFA tool and a large collection of authentication policies for 7,000 different products and a large collection of API references for different programming languages and frameworks. Okta's Risk Ecosystem API augments its built-in risk scoring system by ingesting external risk signals from new third-party solutions, including bot detection and web application firewall providers Fastly, HUMAN, F5 Networks, and PerimeterX. Okta's FastPass passwordless product works with its single sign-on product.

The company also has a transparent pricing page that provides workforce plans that start at $5/user/month for RBA. Add $6/user/month for Adaptive MFA, and there are other extra-cost features. A separate pricing scheme for transactions starts at $36,000/year for enterprise-grade plans.

OneLogin by One Identity/Quest

OneLogin is now the access management component of One Identity's solutions, which span situations including privileged access and Active Directory connectors. The OneLogin RBA features are supplied by its Vigilance AI dynamic risk engine, which scores each authentication attempt and assigns the appropriate action and login flows. The product also offers dynamic Smart Factor Authentication and checks for compromised credentials to prevent users from reusing passwords or choosing ones exposed in a previous breach.

OneLogin doesn't store any biometric data and supports on-device hardware fingerprinting. FIDO2/WebAuthn is supported as an additional MFA factor (including Yubico keys, FaceID and Windows Hello), with credentials stored in the endpoint's secure enclave. OneLogin can synchronize its own IDP as well as Google Workspace, AD, Azure AD, LDAP and others. Pricing ranges from $2-$6 per user per month for workplace users, and transaction pricing for its fraud/transaction product line is also available.

OneSpan Intelligent Adaptive Authentication

The OneSpan product has been delivering RBA solutions for many years, and now supports both the user authentication and transaction markets. Its Cronto hardware token, which provides an encrypted channel for transactions, was an early FIDO adopter, and the product incorporates behavioral methods. OneSpan also has an integrated esignature and its own government ID verification applications. It covers a variety of MFA methods and token form factors and provides both SSO and RBA with a large collection of pre-configured rules and policies.

One place you should examine is its demo "My Bank" online application, where you can freely play around with its interface and see how the product works. OneSpan did not reveal pricing.

Outseer Fraud Manager

Outseer is the new home of RSA's legacy fraud analytics business unit, which primarily targets financial institutions. (RSA's SecurID unit has its own RBA version based on similar technology.) It comes in either on-premises or cloud-based versions and can obtain signals from other behavior and location-based third parties. One of the new modules can protect against fraud in installment "buy now, pay later" transactions, while another supports the latest EMV 3DS standard. The vendor also offers a FraudAction intelligence service.

PingID PingOne

PingOne is a series of identity products that can be used in various configurations to support RBA for both workforce authentication and for transactions. The company acquired SecureTouch last year and now calls that product PingOne Fraud, which uses behavioral analytics to identify compromised devices and other questionable signals. Ping is known for its wide collection of more than 1,800 different SAML integrations for its SSO tools. Other tools that are part of its offering include:

  • PingOne Risk is its risk management engine that evaluates these various signals.
  • PingOne Verify is its own ID verification tool.
  • PingOne Authorize is its main RBA tool where you set up authentication rules and policies.
  • PingOne DaVinci, its latest addition, is an identity orchestration tool that can be used to create automation routines using Visio-like flowchart diagrams. This is a big benefit, because setting up risk escalation scenarios using interlocking rule sets and policies can be difficult to debug.

PingID offers free 30-day trials of all components. It has a complete albeit confusing pricing page.

Silverfort

Silverfort takes a different approach to RBA by piggybacking on existing identity providers such as Ping, Okta and Azure AD. It has a comprehensive risk engine that can detect signals including behavioral changes and external risk indicators, such as those from your network security management tools. It doesn't use any software agents or proxies to suss out potential threats and authentication problems, which can be useful if you are concerned about IoT-based compromises or about network-based equipment that can't be easily monitored or protected. An example of this would be to provide FIDO2 support for any endpoint device. It has user-based pricing.

Thales Safenet Trusted Access

Thales has two business units for RBA: Its Safenet Trusted Access handles workforce RBA, and its Gemalto unit focuses on banking and transaction RBA. The Safenet product has been around for many years and has developed into a sophisticated collection of rules and policies for combinations of users, OSes and applications. It covers a variety of MFA methods and token form factors and provides both SSO and RBA. It was an early FIDO deployment and supports its own identity provider and others through SAML. It has partnered with NuData Security for transaction intelligence. Safenet's base price is $3.50 per user per month, which includes all MFA and RBA options along with various access management features.