How to limit cyber risk with adaptive authentication


After establishing a baseline level of trust, subsequent decisions regarding access should factor in the context of that decision and the value of the resource being requested.

Risk-based, or adaptive, authentication grew out of the recognition that single- and multiple-factor authentication methods were based on an erroneous assumption: that identity could be absolutely confirmed and, once confirmed, used as a basis of trust for all subsequent access decisions for the authenticated identity. It is clear that even the most robust multifactor authentication mechanisms do not give this level of assurance, though certainly one-time password methods are still the most effective in approaching that goal.

In order to address this inherent limitation, adaptive approaches were developed that viewed authentication as establishing a certain level of trust, which could then be factored into subsequent decisions regarding access: decisions that also factored in the context of that decision (such as differences from typical patterns of access for that user or for all users) and the value of the resource being requested. These factors could result in a response tailored to the authentication, such as requiring additional (step-up) authentication or limiting the extent to which the resource was provided (for example, permitting only partial access to particular information, even if full access had been requested).

Adaptive authentication technologies are well established in government, in response to both regulatory and application requirements. For example, the passage of the United States Telework Enhancement Act of 2010 resulted in the proliferation of products that provided risk-based authentication as a way to meet the new regulatory requirements for multifactor authentication for end-user remote access. Some of these products had already been available and were provided by agencies to their users. But the passage of the Telework Enhancement Act accelerated the availability and adoption of adaptive authentication.

Adaptive authentication typically includes support for multiple authentication factors and for step-up authentication based on evaluation of risk, both in terms of the level of confidence in the authentication achieved and in relation to a particular resource or transaction request.

For example, suppose that an end user has logged into an online government service with a valid username and password. Before allowing the user to perform any activity, the application can evaluate context related to the user, such as whether the device, IP address and user location are the same as in previous logins. If any of those factors do not match (indicating that this might be a fraudulent login using a compromised username and password), the application can require step-up authentication such as answering challenge questions, using an authentication token or entering a code provided via email, SMS or telephone.

This kind of authentication is very widely used for end-user access to online government services, and has been successful in reducing the incidence of fraud. The range of information used as context for the risk decision continues to increase, expanding from the limited geolocation, IP address and device identifier to behavior profiles (what has this user done in the past, or what do all users generally do), device profiling (device configuration, low-level hardware characteristics), biometrics (not only fingerprints, but also gesture, facial recognition, voice recognition) and various forms of shared intelligence (vulnerability information, threat intelligence, phishing attack patterns).

The term “infinite factor” is sometimes used to reflect this ongoing expansion of the context used in making the risk decision. The use of this broad range of factors, especially compared to just using challenge questions or codes provided in SMS or email, has significantly improved the effectiveness of authentication.

An important development in adaptive authentication is the recognition that authentication is part of a continuous process of managing access to resources. That is, instead of applying risk evaluation and response techniques only during the authentication process, they are applied as part of the process of determining whether to allow any request for a resource, transaction or interaction. The importance of this kind of continuous process of managing access is one of the lessons from the massive Office of Personnel Management data breach.

Consider, for example, an agency user who has been authenticated for access to an online government system, perhaps one managing personal information for applicants to an agency service. But before the first screen showing the list of applicants is displayed, the risk of a compromised credential is evaluated in order to determine whether that data should be shared. If the user then selects one of those applicants, risk may be once again evaluated (factoring in the greater impact of exposure of the details for an individual compared to the display of a list of applicants) before displaying the individual applicant information. In such a case, additional authentication may be required, such as requiring the user to answer challenge questions.
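The two scenarios described in this article (step-up at login when the device, IP address or location differs from previous logins, and re-evaluation before each resource is shown with the resource's sensitivity weighted in) can be expressed as a small policy engine. The following Python is an added example, not code from the article or from any product it mentions; the signal weights, thresholds, assurance scale, resource names and the sample user history and addresses are all constructed for illustration.

```python
"""Minimal risk-based access engine (added example; constructed weights and data).

A login context is scored against the user's previous logins, and that score is
re-evaluated for every resource request with the resource's sensitivity added in.
The engine returns "allow", "step_up" (ask for a one-time code or challenge
questions) or "deny".
"""
from dataclasses import dataclass, field

# Assurance reached by the authentication performed so far (constructed scale).
ASSURANCE_PASSWORD = 1       # username and password only
ASSURANCE_STEPPED_UP = 2     # password plus one-time code / challenge questions

# Sensitivity of each resource: a list of applicants exposes less than one
# applicant's full record (constructed values).
RESOURCE_SENSITIVITY = {
    "applicant_list": 1,
    "applicant_detail": 3,
}

# Total risk each assurance level may cover before step-up is required.
ALLOW_THRESHOLD = {ASSURANCE_PASSWORD: 2, ASSURANCE_STEPPED_UP: 8}
DENY_THRESHOLD = 8           # above this, even stepped-up authentication is refused


@dataclass(frozen=True)
class LoginContext:
    device_id: str
    ip: str
    country: str


@dataclass
class UserHistory:
    """Signals observed in the user's earlier, successful logins."""
    devices: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    countries: set = field(default_factory=set)


def context_risk(ctx: LoginContext, history: UserHistory) -> int:
    """Score how far this login deviates from the user's previous logins."""
    score = 0
    if ctx.device_id not in history.devices:
        score += 2                      # unfamiliar device
    if ctx.ip not in history.ips:
        score += 1                      # unfamiliar address (weak on its own)
    if ctx.country not in history.countries:
        score += 3                      # unfamiliar location
    return score


def decide(ctx: LoginContext, history: UserHistory,
           resource: str, assurance: int) -> str:
    """Combine login context with resource sensitivity and pick an action."""
    total = context_risk(ctx, history) + RESOURCE_SENSITIVITY[resource]
    if total > DENY_THRESHOLD:
        return "deny"
    if total <= ALLOW_THRESHOLD[assurance]:
        return "allow"
    # Only reachable at password-level assurance: ask for a second factor.
    return "step_up"


@dataclass
class Session:
    """Tracks assurance across a session so every request is re-evaluated."""
    ctx: LoginContext
    history: UserHistory
    assurance: int = ASSURANCE_PASSWORD
    log: list = field(default_factory=list)

    def request(self, resource: str) -> str:
        action = decide(self.ctx, self.history, resource, self.assurance)
        self.log.append((resource, action))
        return action

    def complete_step_up(self) -> None:
        """Called once the user has passed the challenge (e.g. one-time code)."""
        self.assurance = ASSURANCE_STEPPED_UP


def run_scenario() -> list:
    """Known device, new IP, same country: list is allowed, detail needs step-up."""
    history = UserHistory({"laptop-42"}, {"10.0.0.5"}, {"US"})     # constructed
    ctx = LoginContext("laptop-42", "203.0.113.9", "US")           # constructed
    session = Session(ctx, history)
    session.request("applicant_list")       # allow
    if session.request("applicant_detail") == "step_up":
        session.complete_step_up()          # user passes the challenge
        session.request("applicant_detail") # allow
    return session.log


if __name__ == "__main__":
    for resource, action in run_scenario():
        print(f"{resource}: {action}")
```

The point the code makes is that the same login produces different decisions for different resources: with only a password, the applicant list is shown but the individual record triggers a step-up, and a login from an unknown device, address and country is refused for the individual record outright. In a real deployment the weights and thresholds would come from a risk engine fed by the broader context the article goes on to describe, not from constants.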

This model of continuous adaptive authentication and access control is extremely valuable across agency resources, where the risk for a given interaction can vary significantly depending on the value of the information, the impact of fraudulent access to that information and the level of difficulty of remediation.

Adaptive authentication has clearly emerged not only as an effective technology, but as a paradigm that reflects the risk-based world in which we live. As the joint research published in April 2015 by ISACA and RSA on the current state of cybersecurity shows, phishing and other kinds of social engineering attacks were the most common attacks within enterprises in 2014. Nearly 70 percent of respondents cited phishing as having resulted in exploits in the enterprise, while 50 percent cited other social engineering attacks, including watering hole attacks, SMS phishing (SmiShing) and voice phishing (vishing). In a world in which end users are being so aggressively targeted by fraudsters, adaptive authentication with its risk-based approach is an essential technology for authentication and access control.
