IBM® Security Verify Adaptive Access uses the following risk indications to manage continuous adaptive authentication.
The system detects whether the user's behavior deviates from the user's or the organization's usual behavioral patterns. An example is an anomaly in the user's login time, judged against the user's login history and the activity hours in the user's organization.
The system detects whether the device is new in the account. A number of device indicators are examined during assessment. A significant change in a device such as browser type, which includes browsers that are installed or embedded inside of native apps on mobile devices, might indicate a new device. Additionally, device characteristics such as screen type and dimensions might indicate a new device. If the device is not new and is frequently used in the account, it is considered normal behavior and the system does not issue an alert.
- A known fraudster device
- Spoofing device attributes
- Other similar conditions
The system detects whether the session connection is made through a hosting service, such as CyberGhost or Hola.
To attempt fraud, the perpetrator might use a hosting service to stay anonymous and avoid showing the perpetrator's real IP address and location. This attribute is based on a calculation of known suspicious IP addresses. The more sessions that are marked as fraudulent, the more valuable this logic becomes.
The system detects whether the user's location is new in the account. It also detects whether the location is not a frequent location in the account. If the location is new or not a frequent location in the account, the system sends an alert. If the location is not new and is frequently used in the account, it is considered normal behavior and the system does not issue an alert.
Device MFA status
- New (new)
  - The first observation of the device in the account.
- MFA pending (pending_authentication)
  - The system didn't identify a successful MFA result of the device in this account.
- MFA completed (authenticated)
  - The device previously passed an MFA challenge.
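The three device MFA status values above can be read as a per-account state derived from session history. The following added example (not IBM's code or API) replays constructed sessions through a hypothetical `DeviceMfaTracker`; the event model and the rule that a passed challenge stays recorded are assumptions.

```python
from collections import defaultdict

# Status values as listed in the documentation above.
NEW, PENDING, AUTHENTICATED = "new", "pending_authentication", "authenticated"


class DeviceMfaTracker:
    """Tracks per-account device MFA status from a stream of session events.

    Assumed event model (not IBM's): each session carries an account, a device
    identifier, and an MFA outcome of "passed", "failed" or None (no challenge).
    """

    def __init__(self):
        # account -> device_id -> True once the device passed MFA in that account
        self._seen = defaultdict(dict)

    def observe(self, account, device_id, mfa_outcome=None):
        """Return the device's status at the start of this session, then
        record the session's MFA outcome for later sessions."""
        devices = self._seen[account]
        if device_id not in devices:
            status = NEW            # first observation in this account
        elif devices[device_id]:
            status = AUTHENTICATED  # a previous session passed MFA
        else:
            status = PENDING        # seen before, no successful MFA yet
        # Assumption: a pass is sticky; a later failure does not erase it.
        devices[device_id] = devices.get(device_id, False) or mfa_outcome == "passed"
        return status


def replay(events):
    """Run (account, device_id, mfa_outcome) tuples through a fresh tracker."""
    tracker = DeviceMfaTracker()
    return [tracker.observe(*event) for event in events]


# Constructed sample sessions: (account, device_id, mfa_outcome)
SAMPLE_EVENTS = [
    ("alice", "dev-1", None),      # first sighting in alice's account
    ("alice", "dev-1", "failed"),  # seen, never passed MFA
    ("alice", "dev-1", "passed"),  # still pending when this session starts
    ("alice", "dev-1", None),      # earlier pass now counts
    ("bob", "dev-1", None),        # same device, different account
    ("alice", "dev-1", "failed"),  # failure after an earlier pass
]

if __name__ == "__main__":
    for event, status in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", status)
```

Status is scoped to the account, so a device that is `authenticated` in one account is still `new` the first time it appears in another.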
The system identified the presence of a remote access tool (RAT) in the current session.