Getting Started with Risk-Based Authentication
Getting Started with Risk-Based Authentication
October 30, 2020
- Over 80% of breaches involve brute force or the use of lost or stolen credentials.
- Multi-factor authentication is an essential component of any identity access solution, but MFA alone isn’t sufficient.
- By layering MFA with contextual risk-checks, organizations can mitigate IAM threats and better focus on digital initiatives and business outcomes.
In June of this year Gartner noted that by 2023, 60% of large and global enterprises and 80% of mid-sized enterprises (an increase from 10% and 25% respectively over today) will deploy multi-factor authentication (MFA) capabilities consolidated with access management or similar tools. Diverse requirements, as well as varying user preferences from employees, partners, contractors and customers, are driving organizations to reevaluate their current identity and access management (IAM) solutions to ensure the strongest available security and best user experience (UX) – especially for customer-facing revenue generating applications.
Managing risk is also important to an IAM solution, a critical function for every organization and an absolute business requirement. Most of us would agree that not all risk is the same and therefore should be properly evaluated and assessed.
Evaluating Risk for IAM
Every login request submitted by a user to access valuable company assets inherently has some level of risk. Just because you recognize the username and password doesn’t necessarily mean the individual behind the credentials is the actual user.
Over 80% of breaches, according to the 2020 Verizon DBIR study, involve brute force or the use of lost or stolen credentials. While protecting the business is essential, maintaining business continuity and a good user experience is just as important for the overall health of the organization.
The challenge for IT Security and Risk professionals is building a model to efficiently assess the risk each access request presents – and implementing it in a way that doesn’t cause friction for valued customers, partners or associates.
Risk Scoring provides a pragmatic approach to assessing each access request's risk without introducing unnecessary friction to the user UX as the users are trying to single sign-on (SSO) into the portal or mobile app. The user risk score then serves as a critical signal in access decisions made by the IAM system. In practice, IAM professionals can implement unique login workflows to support different types of users and take the correct actions based on the resulting risk scoring to grant the appropriate access.
Considerations for Multi-Factor Authentication in IAM
Verizon’s 2019 DBIR report advised us to “2FA everything. Use strong authentication on your customer facing applications, any remote access, and any cloud-based email.” The underlying message was clear: a basic username/password combo isn’t sufficient to secure valuable resources.
Simply put, multi-factor authentication is a security system that verifies a user’s identity by requiring multiple credentials (or factors) in order to access to resources. MFA should be considered an absolute must for any SaaS app, website or SSO portal.
Here’s what you, as an IAM professional, should consider in common authentication scenarios:
- Customer IAM: In addition to a username and password, require that user/customer provide a second factor in the form of a PIN number to be sent via email or SMS to verify identity.
- Workforce IAM: In addition to a username and password, put in place a one-time password (OTP) mobile app mandate with push-to-accept or symbol-to-accept for users to verify their identity without unnecessary friction.
Two-Factor Authentication Shortcomings – What to Know
It’s important to understand that no single second factor authentication method is perfect – each comes with its own weaknesses. Let’s look at several popular 2FA methods:
- One-time SMS passcodes, probably the most popular method used today, are no longer recommended by the National Institute of Standards and Technology (NIST) because of known vulnerabilities. However, due to the relatively easy implementation and minimal technical requirements for users, SMS code will remain popular for CIAM use cases.
- Hard tokens, historically the most popular method in the corporate world, also have proven vulnerabities and sophisticated attackers have devised ways to get around them.
- Security questions, sometimes referred to as knowledge-based answers, are susceptible to social engineering and should not be considered a strong 2nd factor option. However, in certain situations, such as K-8 education, they will remain the go-to option simply because of the convenience for young students.
- Push-to-accept, an increasingly popular method in mobile OTP apps, is often erroneously acknowledged as users simply push “accept” to get the notification off their phone screens.
None of these methods on their own provide adequate protection against a determined bad actor intent on breaching your environment. If someone wants to gain access to your data, systems and resources, chances are they’re going to ... unless you have a comprehensive security strategy, with the appropriate authentication and risk checks in place, greatly reducing the vulnerability of these methods.
Layered Security: Adaptive Authentication
Adaptive authentication, or risk-based authentication, provides the highest level of security and user verification when deployed in conjunction with MFA.
A modern IAM system deployed in 2020 and beyond should meet the following criteria:
- Perform contextual risk checks before access is granted. The checks should include behavior/pattern analysis, device recognition and IP address assessment.
- Provide reporting on contextual risk checks for further analysis by your IAM security and risk team.
The contextual risk checks help build a profile of user behavior over an extended period. When the user is first created the risk scoring system has no information on “usual behavior.” However, as the risk engine ingests information about when, what the user does (and how), the profile becomes more accurate and the engine is able to spot anomalies. In human language, the risk engine looks at characteristics like this:
- Why is Suzy trying to login at 3 AM?
- The laptop Larry is using to request access is not a recognized device associated with him...
- The IP address associated with Mary’s access request is not the expected address...
- Miguel never requests access on a Saturday morning...
- Why is Alissa tying to login 6x her normal attempts in the past hour?
Based on results from contextual risk-checks, the IAM system can take appropriate actions based on the workflow policies enabled – deny access outright, prompt user for MFA or let user sign in without MFA. Enabling risk scoring as part of the authentication process exponentially increases an organization’s security profile.
Benefits of Adaptive Authentication
Malicious actors will continue to break corporate cybersecurity defenses, leveraging methods like brute force, password spraying and credential stuffing attacks. By layering multi-factor authentication capabilities and functionality with contextual risk-checks, organizations can mitigate these threats and better focus on digital initiatives and business outcomes.