Authentication

Risk-Based Authentication (RBA)

Risk-based authentication scores each login or action using signals like device, location, IP reputation, and behavior, then decides whether to allow, challenge, or block — rather than treating every request the same.

Last reviewed 5/30/2026

Key points

  • Combines device, network, behavior, and threat-intel signals
  • Outputs an allow / challenge / deny decision per request
  • Reduces MFA prompts on trusted contexts, increases them on suspicious ones
  • Underpins Conditional Access (Entra), Adaptive MFA (Okta), and similar features
  • Effectiveness depends on signal quality and policy tuning, not just the engine

What it is

Risk-based authentication (RBA) — also called adaptive or contextual authentication — uses runtime signals to evaluate how risky a given sign-in or sensitive action is, then applies a policy: allow silently, challenge with MFA, force a passkey, or block.

How it works

The IdP collects signals on each request: device fingerprint and posture, IP and ASN reputation, geo and impossible-travel checks, known-bad credential intelligence, time-of-day patterns, and behavioral biometrics. A scoring engine (rules, ML, or both) outputs a risk level. Policies then map risk to outcomes — e.g. high risk → require passkey; medium → push MFA; low → allow.
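The mapping described above, as an added example rather than any IdP's actual engine: a small rule-based scorer that combines an unknown-device flag, IP reputation, breached-credential intelligence, an impossible-travel check between consecutive sign-ins, and a time-of-day signal, then maps the score (plus one hard rule) to allow, push MFA, passkey, or deny. The signal weights, risk bands, the 900 km/h travel ceiling, the 06:00-22:00 UTC working window, and the sample sign-ins are all assumptions constructed for the demonstration.

```python
"""Toy risk-based authentication engine: scores a sign-in from several
signals, then maps the score (plus one hard rule) to allow / challenge / deny.
Illustrative only; signal weights and thresholds are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Assumed weights: how much each fired signal adds to the 0-100 risk score.
WEIGHTS = {
    "unknown_device": 30,
    "proxy_ip": 25,
    "malicious_ip": 70,
    "breached_credential": 35,
    "impossible_travel": 50,
    "off_hours": 10,
}
# Assumed risk bands: score below the bound maps to that action; above all bounds -> deny.
BANDS = [(30, "allow"), (60, "challenge_push_mfa"), (90, "challenge_passkey")]
MAX_TRAVEL_KMH = 900.0  # faster than a commercial flight => impossible travel


@dataclass
class SignIn:
    user: str
    ts: int            # Unix time, seconds
    lat: float
    lon: float
    known_device: bool
    ip_reputation: str = "clean"   # "clean" | "proxy" | "malicious"
    breached_credential: bool = False


@dataclass
class Decision:
    action: str
    score: int
    reasons: list = field(default_factory=list)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(cur: SignIn, prev: Optional[SignIn]) -> bool:
    """True if reaching cur from the same user's previous sign-in needs an implausible speed."""
    if prev is None or prev.user != cur.user:
        return False
    hours = max(cur.ts - prev.ts, 1) / 3600.0
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours > MAX_TRAVEL_KMH


def off_hours(ts: int) -> bool:
    """Time-of-day signal: outside the assumed 06:00-22:00 UTC working window."""
    hour = datetime.fromtimestamp(ts, tz=timezone.utc).hour
    return hour < 6 or hour >= 22


def score_signin(cur: SignIn, prev: Optional[SignIn] = None):
    """Additive rule-based scorer. Returns (score, fired_signals)."""
    fired = []
    if not cur.known_device:
        fired.append("unknown_device")
    if cur.ip_reputation == "proxy":
        fired.append("proxy_ip")
    elif cur.ip_reputation == "malicious":
        fired.append("malicious_ip")
    if cur.breached_credential:
        fired.append("breached_credential")
    if impossible_travel(cur, prev):
        fired.append("impossible_travel")
    if off_hours(cur.ts):
        fired.append("off_hours")
    return min(100, sum(WEIGHTS[s] for s in fired)), fired


def decide(cur: SignIn, prev: Optional[SignIn] = None) -> Decision:
    """Policy: one hard rule first (known-malicious source IP is denied whatever
    the score), then the score bands."""
    score, fired = score_signin(cur, prev)
    if "malicious_ip" in fired:
        return Decision("deny", score, fired)
    for upper, action in BANDS:
        if score < upper:
            return Decision(action, score, fired)
    return Decision("deny", score, fired)


# Constructed sample sign-ins (not real data).
T0 = 1_700_039_600  # 2023-11-15 09:13:20 UTC
LONDON, SYDNEY, NYC = (51.5074, -0.1278), (-33.8688, 151.2093), (40.7128, -74.0060)
ALICE_1 = SignIn("alice", T0, *LONDON, known_device=True)
ALICE_2 = SignIn("alice", T0 + 1800, *SYDNEY, known_device=False)   # 30 min later
BOB = SignIn("bob", T0, *NYC, known_device=False, ip_reputation="proxy")
CAROL = SignIn("carol", T0, *NYC, known_device=True, ip_reputation="malicious")

if __name__ == "__main__":
    for cur, prev in [(ALICE_1, None), (ALICE_2, ALICE_1), (BOB, None), (CAROL, None)]:
        d = decide(cur, prev)
        print(f"{cur.user:6} score={d.score:3} action={d.action:20} reasons={d.reasons}")
```

Running it shows the four outcomes the paragraph describes: alice on her known device is allowed silently, her Sydney sign-in thirty minutes after London trips impossible travel plus unknown device and is pushed to a passkey, bob on a proxy from a new device gets a push challenge, and carol is denied by the hard rule even though her additive score alone would only have reached the passkey band. Replacing `score_signin` with a model score while keeping `decide` as the policy layer is the "rules, ML, or both" shape the text mentions.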

When buyers care

  • Reducing MFA fatigue without lowering security
  • Defending CIAM apps against credential stuffing and account takeover
  • Meeting guidance that calls for risk-aware access (FFIEC authentication guidance; NIST SP 800-63B allows risk-based checks as a supplement to, not a substitute for, its authenticator assurance levels)
  • Replacing brittle allow-list / IP-restriction policies

Common misconceptions

  • RBA is not a replacement for MFA. It decides when MFA is required; a low-risk verdict only means the context looked normal, so the strong factor still has to exist for the cases where it is demanded.
  • More signals are not always better. Noisy signals create false challenges that drive users to support.
  • Vendor risk scores are not interchangeable. Tuning, signal coverage, and labeling vary widely between IdPs.

FAQ

Is risk-based auth the same as Zero Trust?

No. RBA is one control inside a Zero Trust strategy, and it mostly acts at the authentication step. Zero Trust also covers per-resource authorization, network segmentation, and continuous evaluation of sessions after the initial sign-in.

Can RBA replace passwords?

Not on its own. Combine RBA with passwordless (passkeys / WebAuthn) for the best balance of usability and security: the passkey resists phishing and credential stuffing, and RBA decides when a re-verification is warranted.

What signals matter most?

Device trust, IP reputation, and impossible travel are the highest-signal-to-noise inputs for most B2B and B2C deployments.