
Risk-based authentication and biometrics: are your controls keeping up?


@nhi-mgmt-group (Member Moderator, topic starter)

TL;DR: Risk-based authentication still depends on step-up methods like OTPs and push approvals that can be phished, intercepted, or socially engineered, while attackers increasingly use AI-enabled impersonation and session abuse to bypass them, according to iProov. The real gap is assurance, not challenge frequency: organizations need identity verification that confirms who is behind the login, not just which factor was presented.

NHIMG editorial — based on content published by iProov: "Biometric verification closes the RBA assurance gap in high-risk login"

Questions worth separating out

Q: How should security teams reduce MFA bypass risk in high-risk login flows?

A: Use MFA as one layer in a broader assurance model, not as the final proof of identity.

Q: When does step-up authentication stop being enough?

A: It stops being enough when the attacker can phish, intercept, coerce, or replay the step-up factor faster than the programme can detect abuse.

Q: What do teams get wrong about risk-based authentication?

A: They often assume that a successful challenge means the right user is present.

Practitioner guidance

  • Prioritise high-risk interactions for stronger verification: use biometric liveness or equivalent identity proofing for account recovery, privileged access, and new device authorisation.
  • Reclassify OTP and push as weak assurance: update risk models so one-time passcodes and push approvals are treated as challenge mechanisms, not final proof of identity, especially where fraud, help desk abuse, or impersonation is plausible.
  • Hard-check support workflows that can override authentication: review help desk and telecom procedures that can reset access, transfer numbers, or approve new devices.
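The assurance model this guidance describes, as an added example that is not iProov's or NHIMG's code: a challenge-counting policy placed beside an assurance-based one, so the difference between "how many factors were passed" and "what was actually proven" is visible in the decision. The factor names, their assurance ranking, and the high-risk action list are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Assurance(IntEnum):
    NONE = 0
    CHALLENGE = 1           # proves control of a channel or device; phishable, interceptable, replayable
    PHISHING_RESISTANT = 2  # origin-bound credential; proves the registered authenticator, not the person
    IDENTITY_PROOF = 3      # liveness-checked biometric; proves who is behind the login

# Constructed catalogue: the assurance each factor contributes (illustrative, not iProov's model).
FACTOR_ASSURANCE = {
    "password": Assurance.NONE,
    "sms_otp": Assurance.CHALLENGE,
    "totp": Assurance.CHALLENGE,
    "push_approval": Assurance.CHALLENGE,
    "passkey": Assurance.PHISHING_RESISTANT,
    "liveness_biometric": Assurance.IDENTITY_PROOF,
}

# Interactions the guidance above singles out for identity verification rather than a challenge.
HIGH_RISK_ACTIONS = {"account_recovery", "privileged_access", "new_device_authorisation"}

@dataclass(frozen=True)
class LoginContext:
    action: str
    factors: tuple = ()
    helpdesk_initiated: bool = False  # support override paths get the same bar as recovery

def legacy_decision(ctx: LoginContext) -> str:
    """Challenge-counting RBA: two passed factors of any kind is treated as proof."""
    return "allow" if len(ctx.factors) >= 2 else "step_up"

def required_assurance(ctx: LoginContext) -> Assurance:
    if ctx.action in HIGH_RISK_ACTIONS or ctx.helpdesk_initiated:
        return Assurance.IDENTITY_PROOF
    return Assurance.CHALLENGE

def achieved_assurance(factors) -> Assurance:
    # Assurance is the strongest single proof, not a sum: two phishable factors are still phishable.
    return max((FACTOR_ASSURANCE.get(f, Assurance.NONE) for f in factors), default=Assurance.NONE)

def assurance_decision(ctx: LoginContext) -> str:
    """Allow only when the presented factors prove what the interaction requires."""
    need, have = required_assurance(ctx), achieved_assurance(ctx.factors)
    if have >= need:
        return "allow"
    # Step up to the weakest factor that actually closes the gap, so the prompt is targeted.
    candidates = [f for f, a in FACTOR_ASSURANCE.items() if a >= need]
    return "step_up:" + min(candidates, key=FACTOR_ASSURANCE.get)
```

For a password plus SMS OTP on an account-recovery flow, `legacy_decision` returns "allow" while `assurance_decision` returns "step_up:liveness_biometric"; the same pair on a low-risk action is allowed by both.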

What's in the full article

iProov's full article covers the operational detail this post intentionally leaves for the source:

  • The specific biometric assurance model used to distinguish liveness from simple image matching.
  • Practical guidance on where to place stronger verification in account recovery and privileged access flows.
  • The article's step-by-step explanation of how passive verification can reduce friction without weakening assurance.
  • Implementation considerations for integrating biometric controls into existing identity stacks.

Read iProov's analysis of how biometric verification closes the RBA assurance gap.

