Larry Ellison’s yacht didn’t fare so well in the recently completed America’s Cup series in Spain, but he has continued to beef up the identity practice at Oracle with a new, shiny addition just last week.

Oracle acquired Bharosa, which the new owner described as “a leading provider of software that helps combat online identity theft and fraud.” Well, lots of companies can claim that. What excites me about Bharosa is how it goes about combating identity fraud.

The company’s lead product, Bharosa Tracker, performs “in-session risk analysis/scoring to verify users by their device, location and behavior.” In other words, it is one of the first context-aware authentication services.

Now authentication context has long been something I’ve advocated to minimize risk to high-value resources. Here’s an example:

Suppose your CFO has rights to transfer money from your corporate account to any other account up to $1 million. This would be useful when quick turnaround was necessary on a desirable purchase. But even if you had the CFO authenticate with password, security token and biometric – fraud could still occur. If your authentication system could tell, however, that the CFO was attempting to authenticate remotely from his laptop in Rio de Janeiro, at 2 a.m. on Sunday morning, you might want to be able to require some additional steps: a lowering of the dollar limit, a second “signature” on the transfer, a time delay on the transaction – or you might want to block it entirely.

Right now, Bharosa Tracker isn’t concerned with employee fraud as in the above scenario but it could easily be adapted to do that. What it does do, though, is verify the user's IP/geolocation, computer/device attributes, historical site usage, among a host of other factors, and compare these with an existing or predefined risk profile. Tracker can also generate a dynamic alert or even a programmed response to suspected fraud.

Oracle intends to keep Tracker available as a stand-alone product that can integrate with other vendors’ identity products, or be combined with Oracle’s established Web single sign-on and Web based-authorization offerings. The result would be a highly secure, low impact security offering that protects users from common, often costly, threats. Oracle continues to add to its lead at the top of the heap of complete identity services providers. Pay attention!

Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.