The present invention relates to techniques for dynamically determining user authentication and/or authorization.
Authentication and authorization are widely used procedures that, respectively, enable a user to access an application or system by confirming the user's identity and verify the authority of the user to perform certain operations, actions or tasks (henceforth referred to as transactions). For example, the user may provide information, such as a username, a password, or a PIN, during these procedures to confirm the user's identity (authentication) and/or the user's right to transfer funds from a bank account (authorization). Note that authentication is a broader term than authorization, and authentication typically precedes or is coincident with authorization. In the discussion that follows, authentication has a broad definition and, in some embodiments, includes authorization.
As security threats continue to grow, many applications and systems are significantly increasing such protection requirements. This is especially true in networked environments, such as the Internet or World Wide Web (WWW). As a consequence, many applications and systems utilize multiple authentication factors to perform authentication (also referred to as multi-factor authentication). Such multi-factor authentication may include something the user knows (for example, a password), something the user has (for example, a physical token), and/or something the user is (for example, a biometric feature).
Unfortunately, authentication for a given transaction is typically a Boolean or binary function, i.e., the user's identity is confirmed or it is not and/or the user is authorized to perform the given transaction or is not. This is a challenge when multiple authentication factors are used because these factors are often treated as equivalent in determining when to convert from one state (the user's identity is not confirmed and/or the user is not authorized to perform the given transaction) to another state (the user's identity is confirmed and/or the user is authorized to perform the given transaction).
Moreover, while there may be different thresholds for authentication that are associated with different transactions (some high-risk transactions may have a higher threshold), once confirmed the user's authentication remains valid (i.e., in the other state) until a pre-determined time interval has expired (such as a timeout) or until the user terminates a session. However, this makes it difficult to respond dynamically to changes in user behavior and/or in the overall security risk.
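As an added illustration (not code from the patent), the following contrasts the Boolean, timeout-based model the background describes with a confidence score in which factors carry different weights, decay over time and are compared against per-transaction thresholds. The factor weights, thresholds, half-life and risk input are assumed values chosen for the example.

```python
from dataclasses import dataclass, field

# Assumed weights: factors are deliberately NOT treated as equivalent.
FACTOR_WEIGHT = {"password": 0.4, "token": 0.35, "biometric": 0.5}

# Assumed per-transaction thresholds: a transfer needs more confidence
# than merely viewing a balance.
THRESHOLD = {"view_balance": 0.4, "transfer_funds": 0.9}


@dataclass
class Session:
    confirmed: dict = field(default_factory=dict)  # factor -> time confirmed (s)
    half_life: float = 600.0                        # seconds until a factor's weight halves

    def confirm(self, factor: str, now: float) -> None:
        """Record that a factor was successfully presented at time `now`."""
        self.confirmed[factor] = now

    def confidence(self, now: float, risk: float = 0.0) -> float:
        """Weighted, time-decayed confidence in [0, 1], scaled down by an
        externally supplied risk estimate in [0, 1] (0 = no added risk)."""
        total = 0.0
        for factor, t in self.confirmed.items():
            age = max(0.0, now - t)
            total += FACTOR_WEIGHT[factor] * 0.5 ** (age / self.half_life)
        return max(0.0, min(1.0, total) * (1.0 - risk))

    def authorized(self, transaction: str, now: float, risk: float = 0.0) -> bool:
        """Dynamic decision: confidence must meet the transaction's threshold."""
        return self.confidence(now, risk) >= THRESHOLD[transaction]


def static_authorized(session: Session, now: float, timeout: float = 900.0) -> bool:
    """The Boolean model from the text: any one factor confirmed inside the
    timeout window authorizes every transaction equally, regardless of risk."""
    return any(now - t < timeout for t in session.confirmed.values())


if __name__ == "__main__":
    s = Session()
    s.confirm("password", 0.0)
    print("transfer with password only:", s.authorized("transfer_funds", 0.0))
    s.confirm("token", 0.0)
    s.confirm("biometric", 0.0)
    print("transfer with all factors:", s.authorized("transfer_funds", 0.0))
    print("transfer 10 min later:", s.authorized("transfer_funds", 600.0))
    print("static model 10 min later:", static_authorized(s, 600.0))
```

With all three factors the score reaches the transfer threshold, but ten minutes of decay or a raised risk input drops it below that threshold while balance viewing stays allowed; the static check keeps returning true until its timeout.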