Risk-based authN

Philip Brusten philip.brusten at kuleuven.be
Tue May 9 10:39:57 EDT 2017


We are thinking about making a service which collects information from 
trusted sources with information like: timestamp, application, userid, 
user-agent, browser-fingerprint, IP (+geo-ip), etc. We could then ask 
that service during a login to calculate the risk involved for that 
login (e.g. geo-distance, same browser, etc). If the IdP decides the 
risk is too high it could enforce multi-factor authentication.

If we could get enough assurance that the IdP session comes from the 
same user/browser, we could perhaps disable the consistentAddress-check, 
and elevate the authentication level when necessary.

Is anyone doing the same thing?
Are there any existing services out there which we could use?

Kind regards,
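
A minimal sketch of the risk calculation the message describes (geo-distance plus same-browser checks feeding an MFA decision), added here as an example and not part of the original post or of any IdP code. The `LoginEvent` fields, the weights, `MAX_KMH` and `MFA_THRESHOLD` are assumptions chosen for illustration; the coordinates stand in for a geo-IP lookup.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class LoginEvent:
    userid: str
    timestamp: float   # epoch seconds
    fingerprint: str   # browser fingerprint hash
    user_agent: str
    lat: float         # latitude from geo-IP lookup
    lon: float         # longitude from geo-IP lookup

MAX_KMH = 900.0        # assumed ceiling for plausible travel speed
MFA_THRESHOLD = 50     # assumed score at which the IdP demands a second factor

def km_between(a, b):
    """Great-circle (haversine) distance between two events, in km."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    h = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(b.lon - a.lon) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def risk_score(history, attempt):
    """Score 0-100 for a login attempt against that user's earlier events."""
    prior = [e for e in history
             if e.userid == attempt.userid and e.timestamp <= attempt.timestamp]
    if not prior:
        return 60  # no baseline for this user: cannot vouch for the browser
    last = max(prior, key=lambda e: e.timestamp)
    score = 0
    if attempt.fingerprint not in {e.fingerprint for e in prior}:
        score += 30  # browser never seen for this user
    if attempt.user_agent != last.user_agent:
        score += 10  # weak signal: user agents change on every update
    hours = max((attempt.timestamp - last.timestamp) / 3600.0, 1 / 60)
    dist = km_between(last, attempt)
    if dist > 50 and dist / hours > MAX_KMH:  # 50 km floor absorbs geo-IP error
        score += 60  # impossible travel since the last login
    return min(score, 100)

def requires_mfa(history, attempt):
    return risk_score(history, attempt) >= MFA_THRESHOLD

# Constructed sample data: one known login, then a login two hours later
# from a different browser on another continent.
HISTORY = [LoginEvent("u1", 0, "fp-a", "UA-1", 50.88, 4.70)]
ROAMING = LoginEvent("u1", 7200, "fp-b", "UA-2", 1.35, 103.82)
```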

