It used to be that adaptive authentication (also called risk-based authentication or RBA) forced a trade-off between usability and security, but that is no longer the case. A few years ago, security managers placed security above usability, forcing users to be like Chicago voters: authenticate early and often. Today’s RBA tools can improve overall customer experience and help compliance regulations as well as simplify a patchwork of numerous legacy banking technologies.
Based on my experience with some of these products, RBA has matured and become more compelling, particularly when compared to static and more traditional multi-factor authentication (MFA) methods, especially as the typical enterprise attack surface has expanded and evolved. The expansion takes on several different dimensions:
- Endpoints are getting more diverse. Thanks to more capable mobile devices and more susceptible embedded internet of things (IoT) products, attackers have more leverage and entry points. Botnets of thousands of these devices are quite common, and entire malware campaigns (such as Mirai in 2016) are a major threat vector.
- More mobiles on enterprise networks means that users are mixing more personal and business activities on their phones and tablets. This erodes the boundaries between these two domains and makes it easier for attackers to leverage entry into the business network.
- Social networks make it easier for hackers to use social engineering tactics to figure out users’ logins. As a result, authentication challenges are getting more sophisticated, with attackers compromising one-time passwords and weak MFA methods with better tools and the acquired social engineering knowledge.
- Cloud computing has helped to leverage malware-as-a-service, and a number of malware construction kits and services are available for purchase that don’t require much in the way of skill beyond clicking on a few buttons.
- Malware is getting more sophisticated at hiding in plain sight, being able to disable protective methods and establish themselves deep within a typical enterprise network.
- Attackers are also getting better at conducting blended attacks that can cut across a website, a mobile phone app, voice phone calls, and legacy on-premises applications, making them very hard to track if viewed as separate and independent events.
- Shadow IT operations continue to proliferate, making it harder for IT to police and protect endpoints. Adding to this difficulty is that the average enterprise network is getting more complex and harder to defend. One study shows that the average bank had 30 domain configuration issues, 42 SSL configuration issues, 87 IP reputation issues, and 81 threat indicators across their digital footprints. That is a lot of different touch points to monitor and maintain.
- Finally, ransomware is a growth business, with increasing number of attacks and pinpoint targeting on specific businesses and transactions.
Passwords are no longer secure
As the number of logins and password-protected services increases, it makes passwords more difficult to remember. That encourages more reuse or picking weaker ones that are easier to compromise. Users are experiencing more password fatigue, and they need better tools that can avoid passwords whenever possible without compromising security. All static passwords are now vulnerable, and RBA has become the best mechanism to introduce security and avoid further password reuse and fatigue.
These trends are forcing IT managers to more seriously use RBA methods and move from traditional binary login/logout practices to more nuanced user access. Authentication has to adjust to different circumstances. When a user is doing something particularly risky, such as a funds transfer or adding a new payee to their online banking account, they need more stringent authentication.
An enterprise needs to have more granular authentication tools, not just a simple yes or no process. Security blogger Brian Krebs says in a recent post, “Nobody has any business using these static identifiers for authentication because they are for sale on most Americans quite cheaply in the cybercrime underground. Most U.S. adults have had their static personal details on sale for years now.” RBA is needed to make sure that subtler yes/no decisions can be made for various authentication activities, and to be able to distinguish between the genuine user and a hacker try to force their way in.
The new generation of RBA solutions
RBA isn’t new. Various authentication vendors have been selling risk-based solutions that scored particular transactions on simple linear scales for years. What is new is a series of innovations that can make RBA more attractive and more secure. Here are a few of the RBA vendors:
- Easy Solutions DetectID
- Gemalto Assurance Hub
- HID Global Risk Management
- RSA Adaptive Authentication
- Transmit Security
- Vasco Identikey Risk Manager
The innovations found in these products include the following features, and IT buyers of RBA solutions should carefully examine how each of these are implemented before choosing one that fits their needs:
- Continuous authentications and account monitoring that provides automated risk profiles and assessments. RBA needs to understand a user’s typical behavior, life and account patterns. For example, some software knows that you always use a particular neighborhood ATM for cash withdrawals, so that when you go visit an ATM across the country, you are presented with authentication challenges or get conditional access until you prove your identity. Unlike the older linear risk scales, these continuous methods are adjusting risk dynamically, and cover a wider collection of circumstances.
- Real-time analysis. Helping this continuous assessment is being able to do so in near real-time. When someone is trying to use my credit card illegally (which actually happened to me last week), I should receive a notification from my bank within moments of the attempted transaction.
- Orchestration across various diverse applications and environments. The best orchestration technologies can examine a wide variety of inputs and combine everything together to make a decision about whether a user is acting appropriately or if fraud or account takeover is happening.
- Ability to work with various self-service portals. This allows users to reset passwords or deal with lost devices without having to call the enterprise help desk for support
- Behavioral biometrics. RBA should also keep track of how the user behaves with the authentication application itself, so that a user’s collection of devices becomes part of its sensor network to perform the actual risk assessment. The ways in which we walk, stand, sit, and interact with our applications and devices (choosing menus, typing and touch cadence) turns out to be quite predicable and all can be used as authentication mechanisms.
- Better integration of MFA methods. MFA is just one piece of the RBA puzzle. While it is an important one, it isn’t the only game in town. RBA tools need to determine when not to use MFA logins as much as when to use them. It used to be that we considered biometric methods as an additional MFA factor, akin to a better one-time password generator. However, biometrics and MFA are just additional inputs to the overall RBA decision process, and both need to be better integrated into an enterprise’s functional processes to handle the newer continuous risk-scoring methods.