How much does it cost organizations to protect themselves from cyber crime? Having Multi-Factor Authentication (MFA) in an application is one way to verify that the users of that application are who they claim to be. Even though security is increased, this reduces the usability of the application. The user has to go through a lot of hassle for a single login, every time he or she tries to access the web application. Haven't you felt annoyed doing this every time, as if the application does not trust you at all? This is where Adaptive Authentication comes into play. It builds a trust level with the user and identifies a trusted user the next time he or she tries to log in. If the trust level is high, the authentication layers can be simplified, whereas if the trust level is low (a risky login), the security layers can be tightened. This is what most applications we see today want to have, yet adaptive authentication is still a buzzword in the industry. It is still an open research area, and many IDPs already provide this feature, each with a different implementation.
This article addresses some of the key aspects of Adaptive Authentication by going through the important topics. It also covers the implementations used by various services to calculate the risk score of an authenticating user. At the end of this article, I list some of the IDPs that already provide this feature in their service offering.
1) Introduction
Adaptive Authentication is all about adapting the level of security based on the situation. In certain cases this is also known as Risk Based Authentication (RBA): a non-static authentication system that takes into account the profile of the agent requesting access to the system in order to determine the risk profile associated with that transaction. The risk profile is then used to determine the complexity of the challenge. Many applications now possess different layers of security, also known as Multi-Factor Authentication (MFA). Whenever a user tries to log in to the application, MFA comes into play, and the user has to go through the same security checks every time.
To get a general idea of what adaptive authentication looks like, have a look at the image below. Adaptive authentication allows a trusted user to seamlessly access the online application without having to go through the different layers of security. If the user is a regular user, the security is minimized, whereas if the user is untrusted, the security tightens itself automatically.
MFA systems are based on three different kinds of factors to authenticate a user:
Something you know (eg: password)
Something you have (eg: mobile/ token)
Something you are (eg: biometrics)
Let's look at a small analogy to understand what this really means. Imagine you are a shopkeeper and you see a few people walking in. If you know the customers well, you will let them enter and shop without hesitation. But if they are complete strangers, you will be vigilant about how they act inside the shop. This is a natural instinct that all humans possess.
What happens if we look at our regular users in a doubtful manner? They will feel very uncomfortable and betrayed at being treated as complete strangers. This is where the power of identifying a customer beforehand comes into play. Adaptive authentication can assess the credibility of a user at login time and adapt automatically to give the user better usability.
2) How Does it Happen?
Adaptive authentication happens in the background, without the user's consent. It calculates the user's risk level and decides the level of security required. According to Identity Automation, there are three ways of deploying adaptive authentication.
One can set static policies defining risk levels for different factors, such as user role, resource importance, location, time of day or day of week.
The system can learn the typical activities of users based on their tendencies over time. This learned form of adaptive authentication is similar to behavioral correlation.
A combination of both static and dynamic policies.
But if we look at reality, there is no definitive way to identify a user's risk level from factors like network, day, time and device alone. Someone could easily break into the user's house and use the laptop during normal hours, so the risk level would look perfectly normal when the attacker logs in with a known password. Hence adaptive authentication is itself a risk: it is a trade-off between usability and security. Adding behavioral characteristics to the risk calculation can make the process much more reliable, where factors like typing speed, time taken, etc. influence the risk level assigned to the transaction. Nevertheless, IDPs let the application owner pick this option depending on the needs of the application.
According to SecureAuth, adaptive authentication runs through different kinds of security layers to calculate a risk score for the user. IDPs let you define which layers are omitted and which are added. Given below are some of the important security layers seen in many IDPs today.
1) Device Recognition
This recognizes whether the user is using a known device or a new one. It can be defined at different granularities, where the user's browser can also be taken into consideration.
2) IP Recognition
Here IP addresses are compared against a known list of IPs, so that blacklisted IPs can be detected and a higher level of security applied. In certain cases, the IP address can also be compared with other IP addresses to detect bad actors who are trying to log in.
3) User Profile
The IDP can double-check the user's profile against a known user directory. If the profile is known and not suspicious, security can be loosened to provide better usability. This flags users who attempt to create fake profiles to access a given application.
4) Geo-location
Every user has a typical location that they use to log in to certain applications. It could be a workplace, home or even a certain geographic location. If the location seems suspicious, the IDP can enhance security as required.
5) Geo Velocity
Assume a user logged in from home. A few minutes later, the same user logs in from a distant office. This is highly unlikely because the user cannot physically travel to the office in such a short time. Hence the risk factors can be adjusted accordingly.
6) Geo Fencing
If your application is only meant to be accessed by people within a certain geographic area, you can draw a fence around the trusted area and restrict access to outsiders. If a user tries to log in from outside the fence, the IDP can decide what level of security is required to handle the situation.
7) Fraud Prevention
The user's credibility can be identified by behavioral patterns as well: the user trying to enter a password multiple times, the network connection differing from before, etc. Factors like these can detect unusual activities of the user within the given application. Suspected impersonation can call for higher levels of security.
8) Behavioral Biometrics
A regular user uses a device or application in a unique way: typing speed, cursor speed, etc. The user may seem suspicious if they show unusual behaviour when trying to log in to the application. This identification requires a study of the user, which may even extend to training models that identify the user's biometric factors.
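To make the static-policy deployment model and the security layers above concrete, here is an added example of a minimal risk engine. It is illustrative code written for this article, not the implementation of any of the IDPs mentioned. It scores a login attempt against the user's login history using device recognition, IP recognition, geo-location with a geo-fence, geo-velocity and repeated password failures, then maps the score to the factors the user must complete. Every weight, threshold, IP address, coordinate and the geo-fence itself is a constructed assumption; behavioral biometrics are left out because they need a trained model rather than a fixed rule.

```python
"""Added example: a toy adaptive-authentication risk engine.
All weights, thresholds and sample data are constructed assumptions."""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set, Tuple


@dataclass
class LoginAttempt:
    user: str
    device_id: str      # assumed device/browser fingerprint hash
    ip: str
    lat: float
    lon: float
    ts: float           # unix time in seconds
    success: bool = True


@dataclass
class UserHistory:
    """What the IDP has learned about one user (the dynamic part)."""
    known_devices: Set[str] = field(default_factory=set)
    known_ips: Set[str] = field(default_factory=set)
    last_login: Optional[LoginAttempt] = None
    recent_failures: int = 0


# Static policy values (constructed): a blacklisted address from the
# TEST-NET-3 documentation range, a geo-fence of 250 km around a centre
# point, and the fastest travel speed we consider plausible.
IP_BLACKLIST = {"203.0.113.7"}
GEO_FENCE = (51.0, 0.0, 250.0)            # centre lat, centre lon, radius km
MAX_PLAUSIBLE_SPEED_KMH = 900.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_score(attempt: LoginAttempt, history: UserHistory) -> Tuple[int, List[str]]:
    """Apply each static policy layer and return (score 0..100, reasons)."""
    score = 0
    reasons = []
    # Device recognition: a fingerprint never seen for this user
    if attempt.device_id not in history.known_devices:
        score += 25
        reasons.append("unknown device")
    # IP recognition: blacklisted is far worse than merely new
    if attempt.ip in IP_BLACKLIST:
        score += 60
        reasons.append("blacklisted ip")
    elif attempt.ip not in history.known_ips:
        score += 15
        reasons.append("new ip")
    # Geo-location / geo-fencing: is the login inside the trusted area?
    clat, clon, radius = GEO_FENCE
    if haversine_km(attempt.lat, attempt.lon, clat, clon) > radius:
        score += 30
        reasons.append("outside geo-fence")
    # Geo-velocity: implied travel speed since the previous successful login
    prev = history.last_login
    if prev is not None and attempt.ts > prev.ts:
        dist = haversine_km(prev.lat, prev.lon, attempt.lat, attempt.lon)
        hours = (attempt.ts - prev.ts) / 3600.0
        if dist / hours > MAX_PLAUSIBLE_SPEED_KMH:
            score += 40
            reasons.append("impossible travel")
    # Fraud prevention: repeated wrong passwords before this attempt
    if history.recent_failures >= 3:
        score += 20
        reasons.append("repeated failures")
    return min(score, 100), reasons


def required_factors(score: int) -> List[str]:
    """Map the risk score to the authentication layers to present."""
    if score < 20:
        return ["password"]                      # trusted: minimal friction
    if score < 50:
        return ["password", "otp"]               # step up with a second factor
    if score < 80:
        return ["password", "otp", "biometric"]  # risky: every layer
    return ["deny"]                              # block and alert instead


def record_login(history: UserHistory, attempt: LoginAttempt) -> None:
    """Dynamic part: learn from the outcome of each attempt."""
    if attempt.success:
        history.known_devices.add(attempt.device_id)
        history.known_ips.add(attempt.ip)
        history.last_login = attempt
        history.recent_failures = 0
    else:
        history.recent_failures += 1


if __name__ == "__main__":
    hist = UserHistory()
    home = LoginAttempt("alice", "dev-A", "198.51.100.4", 51.5, -0.12, 1_700_000_000.0)
    record_login(hist, home)
    # Ten minutes later, from a different continent on an unknown device
    far = LoginAttempt("alice", "dev-B", "198.51.100.77", 40.7, -74.0, home.ts + 600)
    score, why = risk_score(far, hist)
    print(score, why, required_factors(score))
```

The scoring is deliberately additive so that a single weak signal (a new IP on the usual device from the usual place) only costs the user a one-time code, while several signals together push the login past the threshold where the IDP should refuse rather than keep adding challenges. A real deployment would tune the weights from observed data and feed a learned behavioral score into the same pipeline.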
3) IDPs that support Adaptive Authentication
Given below are a few of the Identity Providers (IDPs) that provide adaptive authentication as a key feature.
1) SecureAuth
2) Janrain
3) Centrify
4) RSA
5) OneLogin
6) CyberArk
7) Okta
8) WSO2 Identity Server