Risk indications

IBM® Security Verify Adaptive Access uses the following risk indications to manage continuous adaptive authentication.

Behavioral anomaly

The system detects whether the user's behavior deviates from the user's or the organization’s usual behavioral patterns. An example is an anomaly in the user’s login time, based on the user's login history and on the activity hours in the user's organization.

New device

The system detects whether the device is new in the account. A number of device indicators are examined during assessment. A significant change in a device such as browser type, which includes browsers that are installed or embedded inside of native apps on mobile devices, might indicate a new device. Additionally, device characteristics such as screen type and dimensions might indicate a new device. If the device is not new and is frequently used in the account, it is considered normal behavior and the system does not issue an alert.

Risky device

The system detects whether the browser version that is used in the session is risky. A browser version can be risky because it is:
  • Old
  • A known fraudster device
  • Spoofing device attributes
  • Other similar conditions
To attempt fraud, a perpetrator might use an old browser version that is different from the browser of the legitimate user. These browsers, especially old Internet Explorer versions, are less secure and riskier than newer browser versions.

Risky connection

The system detects whether the session connection is made through a hosting service, such as CyberGhost or Hola.

To attempt fraud, the perpetrator might use a hosting service to stay anonymous and avoid showing the perpetrator's real IP address and location. This attribute is based on a calculation of known suspicious IP addresses. The more sessions are marked as fraudulent, the more valuable this logic becomes.

New location

The system detects whether the user’s location is new in the account. It also detects whether the location is not a frequent location in the account. If the location is new or is not a frequent location in the account, the system sends an alert. If the location is not new and is frequently used in the account, it is considered normal behavior and the system does not issue an alert.

Device MFA status

The system defines the current device’s authentication status within the scope of the account, based on information received in the current and previous logins. This field can contain one of the following values:
  • New (new): The first observation of the device in the account.
  • MFA pending (pending_authentication): The system didn’t identify a successful MFA result of the device in this account.
  • MFA completed (authenticated): The device previously passed an MFA challenge.
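
The three status values, replayed over a constructed login sequence. This is an added illustration, not IBM's implementation: the `Login` record, the `DeviceMfaTracker` class, and the rule that a login is scored before its own MFA result is recorded are assumptions made for the example.

```python
from dataclasses import dataclass

# Status strings as listed in the documentation above.
NEW = "new"
PENDING = "pending_authentication"
AUTHENTICATED = "authenticated"


@dataclass(frozen=True)
class Login:
    account: str
    device: str        # hypothetical stable device identifier
    mfa_passed: bool   # did an MFA challenge succeed during this login?


class DeviceMfaTracker:
    """Tracks, per (account, device) pair, whether MFA has ever succeeded."""

    def __init__(self):
        self._seen = {}  # (account, device) -> True once MFA has succeeded

    def observe(self, login):
        """Return the status at the time of this login, then record its outcome."""
        key = (login.account, login.device)
        if key not in self._seen:
            status = NEW                      # first observation in this account
        elif self._seen[key]:
            status = AUTHENTICATED            # an earlier login passed MFA
        else:
            status = PENDING                  # seen before, no MFA success yet
        # Assumption: a past MFA success is never revoked by a later login.
        self._seen[key] = self._seen.get(key, False) or login.mfa_passed
        return status


def replay(logins):
    tracker = DeviceMfaTracker()
    return [tracker.observe(login) for login in logins]


# Constructed sample data, in chronological order.
SAMPLE = [
    Login("alice", "dev-1", False),  # first sighting
    Login("alice", "dev-1", False),  # known device, MFA never completed
    Login("alice", "dev-1", True),   # completes MFA during this login
    Login("alice", "dev-1", False),  # device now has an MFA success on record
    Login("bob", "dev-1", False),    # same device, different account scope
]

if __name__ == "__main__":
    for login, status in zip(SAMPLE, replay(SAMPLE)):
        print(login.account, login.device, status)
```

The last sample row shows why the status is scoped to the account: a device that is `authenticated` for one account is still `new` the first time it appears in another.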

RAT indication

The system identified the presence of a remote access tool (RAT) in the current session.