On Japanese ecommerce sites, “risk-based authentication” is an increasingly important fraud prevention measure. According to a Japan Credit Association report, the estimated losses from credit card fraud in 2025 were approximately ¥51 billion. Although this represents a decrease from the previous year, continued prevention measures are still needed. It’s important to note that most cases of credit card fraud involve the theft of card numbers, with incidents occurring primarily in remote transactions, such as those on ecommerce sites.

In this context, risk-based authentication is gaining attention as a measure that ensures security without compromising the user experience.

This article will provide a clear explanation of the mechanisms and types of risk-based authentication, how it differs from multifactor authentication (MFA), and the benefits and key considerations when implementing it, all within the context of Japan’s ecommerce environment.

Key takeaways

• Risk-based authentication evaluates risk based on user behavior and access environment; it requests additional verification only when necessary.
  
• While multifactor authentication (MFA) requires additional verification for every login or transaction, risk-based authentication dynamically adjusts the presence and strength of authentication based on risk level.
  
• Active authentication requires user interaction, whereas passive authentication analyzes user behavior in the background without requiring any action from the user.
  
• Risk-based authentication can help balance security and user experience, but its effectiveness depends on proper design and implementation.
  
• In Japan’s ecommerce market, fraud prevention has become increasingly important, and risk-based authentication is being adopted as one of the key approaches to address it.
  

What is risk-based authentication?

Risk-based authentication is a system that analyzes user behavior and access environments to assess risk. Based on this analysis, it determines whether additional authentication is required.

For example, additional authentication is required only when unusual behavior patterns are detected, such as access from a different IP address, device, or browser, or from a time zone that differs from a user’s usual one. This mechanism makes it possible to prevent unauthorized access before it actually happens.

Differences between risk-based authentication and multifactor authentication (MFA)

Multifactor authentication (MFA) is a system for verifying a user’s identity by combining two or more authentication factors drawn from three categories: knowledge (e.g., a password or PIN), possession (e.g., a security token), and inherence (e.g., biometrics such as fingerprints).

Whereas risk-based authentication dynamically adjusts the requirement for—or the strength of—authentication based on the specific context, multifactor authentication generally requires additional verification every time a user logs in. While multifactor authentication can enhance security, it tends to increase the burden on users.

Types of risk-based authentication and how they work

There are two types of risk-based authentication—“active authentication,” which requires the user to perform an explicit action, and “passive authentication,” which processes the authentication in the background without requiring user action.

Active authentication

Active authentication requires users to perform an explicit authentication action.

For example, if the user is logging in to online banking from an unusual location or making a large purchase on an ecommerce site, they might be asked to enter a one-time password or provide additional authentication via 3D Secure 2.

A key feature of this system is that it performs additional verification only in situations deemed high-risk. This can prevent fraud without compromising the convenience of everyday transactions.

Passive authentication

Passive authentication is a method of assessing risk based on information about a user’s behavior and access environments, without requiring the user to perform any specific actions.

For example, on an ecommerce site, the user’s IP address, device information, browser, access times, purchase history, and user behavior patterns are analyzed in the background, and the system continuously monitors for any unusual activity. This mechanism makes it possible to detect signs of fraud without requiring users to be aware of security measures.

In addition, the system detects behavior such as a sudden surge of orders within a short period of time or unnaturally rapid operational speeds, thereby helping to mitigate the risk of fraudulent orders and prank orders placed by bots.

While passive authentication allows for enhanced security without compromising user convenience, in cases where it’s difficult to make a determination, it’s generally used in combination with active authentication.

Benefits of risk-based authentication

Risk-based authentication allows for an optimized balance between security and user experience. On ecommerce sites, this plays a key role in maintaining and boosting sales.

Mitigates unauthorized access and fraud

With risk-based authentication, additional verification is triggered only when suspicious activity is detected based on the login environment or transaction patterns. This effectively mitigates risks such as unauthorized logins and fraudulent orders.

This is particularly valuable for ecommerce sites, helping to reduce incidents such as fraudulent orders using stolen card information, account hijacking, and prank orders.

Does not compromise user convenience

Instead of requiring two-factor authentication for all users, the system allows for authentication to be skipped in cases deemed low-risk, enabling smooth logins and payments.

This makes it possible to ensure security while also minimizing friction for legitimate users.

Reduces cart abandonment and helps maintain conversion rates

On ecommerce sites, a cumbersome authentication process can lead to cart abandonment. With risk-based authentication, additional verification is required only for high-risk transactions. This helps prevent customer churn caused by unnecessary verification.

The effective use of risk-based authentication makes it possible to maintain conversion rates while ensuring a high level of security.

Points of caution for risk-based authentication

While risk-based authentication strikes a balance between security and convenience, a single misstep can negatively impact both the user experience and revenue.

Potential for enhanced authentication to backfire

With risk-based authentication, additional verification is required when a high-risk situation is detected. If this occurs frequently, it can be quite burdensome for the user.

In particular, if customers are asked to provide authentication multiple times during the checkout process, they might lose the desire to make a purchase. When running an ecommerce site, it’s necessary to prioritize security, but being so aggressive about it that it compromises the user experience could defeat the purpose.

Impact of false positives on legitimate users

Depending on the accuracy of the risk assessment, legitimate users’ behavior might be flagged as suspicious, resulting in false positives.

For example, if a legitimate user is accessing the service while on a business trip or vacation, or if they’ve changed devices, their activity might be flagged as occurring in an atypical environment. Since such false positives can easily lead to user frustration, caution is required.

The effectiveness of risk-based authentication depends heavily on its design and implementation. It’s important to use it in a way that carefully balances user experience.

Key considerations when implementing risk-based authentication

The key points for effectively implementing risk-based authentication are as follows:

Design based on your business’s risk profile

The optimal design of risk-based authentication varies depending on the characteristics of the service and user behavior.

For example, for ecommerce sites, it’s important to design the system with an eye toward high-value orders and times when fraudulent activity is most likely to occur. On the other hand, for membership services, the focus should be on preventing unauthorized access during the login process.

Make ongoing improvements

Implementing risk-based authentication isn’t a one-time task. The criteria used for risk assessment must be reviewed periodically and updated to reflect the specific characteristics of the service and prevailing trends in fraudulent activity. Both fraudulent tactics and user behaviors evolve over time.

Even after implementation, it’s important to continuously adjust risk assessments and improve operations by monitoring metrics such as authentication rate, churn rate, and fraud detection accuracy.

How Stripe Radar can help

Stripe Radar uses AI models to detect and prevent fraud, trained on data from Stripe’s global network. It continuously updates these models based on the latest fraud trends, protecting your business as fraud evolves.

Stripe also offers Radar for Fraud Teams, which allows users to add custom rules addressing fraud scenarios specific to their businesses and access advanced fraud insights.

Radar can help your business:

• Prevent fraud losses: Stripe processes over $1 trillion in payments annually. This scale uniquely enables Radar to accurately detect and prevent fraud, saving you money.

• Increase revenue: Radar’s AI models are trained on actual dispute data, customer information, browsing data, and more. This enables Radar to identify risky transactions and reduce false positives, boosting your revenue.

• Save time: Radar is built into Stripe and requires zero lines of code to set up. You can also monitor your fraud performance, write rules, and more in a single platform, increasing efficiency.

Learn more about Stripe Radar, or get started today.