An on-line service provider, for example a banking website, may need to properly identify on-line customers and clients to prevent fraudulent transactions. In some situations the use of a registered username and a password associated with the username may provide sufficient security for an on-line transaction to proceed. In other situations an on-line service provider may need additional identification information to safely permit an on-line transaction to continue. For example, a bank website may employ a risk engine of a risk-based authentication system to assign risk scores to banking transactions, where higher risk scores indicate higher risk. The bank may use an adaptive authentication engine to determine whether a step-up authentication process is needed in order to safely approve a particular transaction having a higher risk score.
A step-up authentication process may include requesting more identifying information from the on-line customer in addition to the registered username and the password associated with the username, or may include contacting the on-line customer via an out-of-band communication method. As an example, the on-line service provider may text the client using a registered cell phone number. An on-line service provider may choose to use a step-up authentication process if something about a transaction indicates that the transaction is not as expected. For example, the amount of the transaction may be larger than any previous transaction executed by that particular customer, or the time of the transaction may not be typical, or the transaction may originate from a different continent than a transaction by the same customer on the previous day. A step-up authentication may be done by software code installed on a server hosting the on-line service.
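The following sketch is an added example, not code from the original text, showing how a risk engine could score a transaction on the three signals named above and decide whether step-up authentication is needed. The weights, the threshold of 50, the two-hour window for "typical" time, and all names (`Txn`, `risk_score`, `needs_step_up`, `HISTORY`) are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed weights and threshold; the text gives signals, not numbers.
W_AMOUNT, W_TIME, W_CONTINENT = 40, 20, 50
STEP_UP_THRESHOLD = 50

@dataclass
class Txn:
    customer: str
    amount: float
    when: datetime
    continent: str

def risk_score(txn, history):
    """Return (score, reasons); a higher score indicates higher risk."""
    past = [h for h in history
            if h.customer == txn.customer and h.when < txn.when]
    if not past:
        # Edge case: no baseline to compare against, so force step-up.
        return STEP_UP_THRESHOLD, ["no prior transactions for customer"]
    score, reasons = 0, []
    if txn.amount > max(h.amount for h in past):
        score += W_AMOUNT
        reasons.append("amount larger than any previous transaction")
    # Atypical time: more than 2 hours (circular) from every past hour.
    def gap(a, b):
        return min(abs(a - b), 24 - abs(a - b))
    if all(gap(txn.when.hour, h.when.hour) > 2 for h in past):
        score += W_TIME
        reasons.append("atypical time of day")
    # Different continent than a transaction on the previous day or later.
    since = txn.when.date() - timedelta(days=1)
    if any(h.when.date() >= since and h.continent != txn.continent
           for h in past):
        score += W_CONTINENT
        reasons.append("continent differs from recent transaction")
    return score, reasons

def needs_step_up(txn, history):
    """True when the score reaches the assumed step-up threshold."""
    return risk_score(txn, history)[0] >= STEP_UP_THRESHOLD

# Constructed sample history (not real data).
HISTORY = [
    Txn("alice", 120.0, datetime(2024, 3, 4, 10, 15), "EU"),
    Txn("alice", 80.0, datetime(2024, 3, 5, 11, 30), "EU"),
    Txn("alice", 200.0, datetime(2024, 3, 6, 9, 45), "EU"),
]
```

With these assumed weights, a single weak signal such as a slightly larger amount stays below the threshold, while a continent change alone is enough to trigger step-up.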