Service providers receive login attempts from users wishing to gain access to applications, sensitive information and other resources. Some users attempt to gain access to such information and resources with credentials obtained fraudulently from a legitimate account holder. Multi-factor authentication requires that the user of a resource provide more than one form of verification in order to establish their identity and obtain access to the resource.
Multi-factor authentication requires the presentation of two or more of the three authentication factors: something a user knows (such as a password), something the user has (such as a security token) and/or something the user is (such as a biometric of the user). Password verification is often the first level of verification and adaptive authentication techniques are often employed as the second level of authentication. For example, if a user successfully provides a password, adaptive authentication techniques then often compare information associated with the login attempt, such as the time and originating location of the login, with a historical record of expected login behavior.
When invalid first level credentials are submitted, however, the first level authentication server rejects the user. Thus, the second level authentication server is not contacted and no second level authentication occurs. As a result, the second level authentication server is not aware of failed login attempts, which can affect risk detection capabilities for adaptive authentication.
A need therefore exists for improved security techniques that reduce the susceptibility of a legitimate user and protected resources to such attacks. A further need exists for improved multi-factor security techniques that collect device data for each login attempt for risk assessment.