How to limit cyber risk with adaptive authentication
- By Robert Griffin
- Sep 02, 2015
Risk-based, or adaptive, authentication grew out of the recognition that single- and multi-factor authentication methods rested on an erroneous assumption: that identity could be confirmed absolutely and, once confirmed, used as the basis of trust for every subsequent access decision for that identity. Even the most robust multifactor authentication mechanisms do not give that level of assurance, though one-time password methods come closest.
To address this inherent limitation, adaptive approaches were developed that treat authentication as establishing a certain level of trust, which is then factored into subsequent access decisions together with the context of the request (such as deviations from the typical access patterns of that user, or of all users) and the value of the resource being requested. These factors can produce a response tailored to the situation, such as requiring additional (step-up) authentication or limiting the extent to which the resource is provided (for example, permitting only partial access to particular information, even if full access was requested).
Adaptive authentication technologies are well established in government, in response to both regulatory and application requirements. For example, the passage of the United States Telework Enhancement Act of 2010 resulted in the proliferation of products that provided risk-based authentication as a way to meet the new regulatory requirements for multifactor authentication for end-user remote access. Some of these products had already been available and were provided by agencies to their users. But the passage of the Telework Enhancement Act accelerated the availability and adoption of adaptive authentication.
Adaptive authentication typically includes support for multiple authentication factors and for step-up authentication based on evaluation of risk, both in terms of the level of confidence in the authentication achieved and in relation to a particular resource or transaction request.
For example, suppose that an end-user has logged into an online government service with a valid username and password. Before allowing the user to perform any activity, the application can evaluate context related to the user, such as whether the device, IP address and user location are the same as in previous logins. If any of those factors do not match (indicating that this might be a fraudulent login using a compromised username and password), the application can require step-up authentication such as answering challenge questions, using an authentication token or entering a code provided via email, SMS or telephone.
This kind of authentication is very widely used for end-user access to online government services, and has been successful in reducing the incidence of fraud. The range of information used as context for the risk decision continues to increase, expanding from a limited set of signals (geolocation, IP address and device identifier) to behavior profiles (what has this user done in the past, or what do all users generally do), device profiling (device configuration, low-level hardware characteristics), biometrics (not only fingerprints, but also gesture, facial recognition and voice recognition) and various forms of shared intelligence (vulnerability information, threat intelligence, phishing attack patterns).
The term “infinite factor” is sometimes used to reflect this ongoing expansion of the context used in making the risk decision. The use of this broad range of factors, especially compared to just using challenge questions or codes provided in SMS or email, has significantly improved the effectiveness of authentication.
An important development in adaptive authentication is the recognition that authentication is part of a continuous process of managing access to resources. That is, instead of applying risk evaluation and response techniques only during the authentication process, they are applied as part of the process of determining whether to allow any request for a resource, transaction or interaction. The importance of this kind of continuous process of managing access is one of the lessons from the massive Office of Personnel Management data breach.
Consider, for example, an agency user who has been authenticated for access to an online government system, perhaps one managing personal information for applicants to an agency service. But before the first screen showing the list of applicants is displayed, the risk of a compromised credential is evaluated in order to determine whether that data should be shared. If the user then selects one of those applicants, risk may be once again evaluated (factoring in the greater impact of exposure of the details for an individual compared to the display of a list of applicants) before displaying the individual applicant information. In such a case, additional authentication may be required, such as requiring the user to answer challenge questions.
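The step-up decision described for the login case above and the per-request re-evaluation in the applicant example, as one added illustration in Python (this is not code from the original article or from RSA's products). The context signals, risk weights, resource names, sensitivity multipliers and thresholds are assumptions chosen for the example, and the prior-login history is constructed.

```python
"""Risk-based step-up and continuous per-request access evaluation (illustration).

Assumed model: each request is scored by how far the current context departs
from the user's login history, multiplied by the sensitivity of the resource.
Weights, thresholds and resource names are illustrative, not a standard.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass(frozen=True)
class Context:
    device_id: str
    ip: str
    country: str


def network_of(ip: str) -> str:
    # Compare on the /24 so a DHCP-reassigned address on the same office LAN is not "new"
    return str(ip_network(f"{ip}/24", strict=False))


@dataclass
class UserProfile:
    """Signals observed in this user's previous successful logins (constructed history)."""
    devices: set = field(default_factory=set)
    networks: set = field(default_factory=set)
    countries: set = field(default_factory=set)

    def learn(self, ctx: Context) -> None:
        self.devices.add(ctx.device_id)
        self.networks.add(network_of(ctx.ip))
        self.countries.add(ctx.country)


def context_risk(profile: UserProfile, ctx: Context) -> int:
    """Risk points for the mismatches the article names: device, IP address, location."""
    risk = 0
    if ctx.device_id not in profile.devices:
        risk += 30
    if network_of(ctx.ip) not in profile.networks:
        risk += 20
    if ctx.country not in profile.countries:
        risk += 40
    return risk


# Impact of exposure grows from a list of applicants to one applicant's full record.
SENSITIVITY = {"applicant_list": 1, "applicant_record": 2, "bulk_export": 3}
STEP_UP_AT = 60   # score at or above this requires a second factor
DENY_AT = 150     # score at or above this is refused even after step-up
PASSWORD_ONLY, STEPPED_UP = 1, 2


def decide(profile: UserProfile, ctx: Context, resource: str, assurance: int) -> str:
    """Return "allow", "step_up" or "deny" for one request in an authenticated session."""
    score = context_risk(profile, ctx) * SENSITIVITY[resource]
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT and assurance < STEPPED_UP:
        return "step_up"
    return "allow"


class Session:
    """Re-evaluates risk on every request, not only at the moment of login."""

    def __init__(self, profile: UserProfile, ctx: Context):
        self.profile, self.ctx, self.assurance = profile, ctx, PASSWORD_ONLY

    def request(self, resource: str) -> str:
        return decide(self.profile, self.ctx, resource, self.assurance)

    def complete_step_up(self, verified: bool) -> None:
        # A verified token or OTP raises assurance; the unfamiliar context is NOT yet
        # added to the profile, so a high-impact request can still be refused.
        if verified:
            self.assurance = STEPPED_UP


def demo() -> dict:
    profile = UserProfile()
    profile.learn(Context("dev-A", "198.51.100.23", "US"))   # constructed prior login
    out = {}
    # Same laptop, same office network, same country: no friction at all
    s = Session(profile, Context("dev-A", "198.51.100.71", "US"))
    out["known"] = (s.request("applicant_list"), s.request("applicant_record"))
    # New device only: the list is fine, one applicant's record needs step-up first
    s = Session(profile, Context("dev-B", "198.51.100.71", "US"))
    out["new_device"] = [s.request("applicant_list"), s.request("applicant_record")]
    s.complete_step_up(verified=True)
    out["new_device"].append(s.request("applicant_record"))
    # Valid password but unfamiliar device, network and country: likely compromised credential
    s = Session(profile, Context("dev-Z", "203.0.113.9", "RO"))
    out["stolen"] = [s.request("applicant_list"), s.request("applicant_record")]
    s.complete_step_up(verified=True)
    out["stolen"] += [s.request("applicant_list"), s.request("applicant_record")]
    return out


if __name__ == "__main__":
    for name, outcomes in demo().items():
        print(name, outcomes)
```

The point the session object makes is that step-up raises assurance but does not erase the anomaly: the fully unfamiliar context is still refused the individual record even after a successful second factor, while the new-device case is unlocked by it. Whether to add a stepped-up context to the user's history is a separate policy choice, kept out of this example deliberately.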
This model of continuous adaptive authentication and access control is extremely valuable across agency resources, where the risk for a given interaction can vary significantly, depending on the value of the information, the impact of fraudulent access to that information and the difficulty of remediation.
Adaptive authentication has clearly emerged not only as an effective technology, but as a paradigm that reflects the risk-based world in which we live. As the joint research published in April 2015 by ISACA and RSA on the current state of cybersecurity shows, phishing and other kinds of social engineering attacks were the most common attacks within enterprises in 2014. Nearly 70 percent of respondents cited phishing as having resulted in exploits in the enterprise, while 50 percent cited other social engineering attacks, including watering hole attacks, SMS phishing (SmiShing) and voice phishing (vishing). In a world in which end-users are being so aggressively targeted by fraudsters, adaptive authentication with its risk-based approach is an essential technology for authentication and access control.
Robert Griffin is the chief security architect at RSA.