[David Strom's Web Informant] December 16, 2014: Stepping up to better authentication

David Strom david at strom.com
Tue Dec 16 10:41:22 EST 2014


Web Informant, December 16, 2014: Stepping up to better authentication

The days of multifactor security tokens may be numbered, just as they are
moving beyond hardware form factors. While they are clever solutions, users
don’t always like to use them in whatever guise. Tokens do get in the way
of the actual transaction itself. IT staffs tolerate tokens but they do
require a fair amount of programming effort to integrate into their
existing systems. Tokens also have their limitations and typically only
address a single access threat vector. For example, some authentication
methods are great at protecting e-commerce connections but don’t handle
remote connections to in-house systems or pre-paid debit card exploits.

What is catching on is to use what is called risk-based authentication,
context-aware or adaptive access control. The idea is to base any access
decision on a dynamic series of circumstances. These count as the
additional authentication factor, rather than relying on a particular set of
tokens or pieces of smartphone software. Access to a particular business
application goes through a series of trust hurdles, with riskier
applications requiring more security, and users don’t necessarily even
know that their logins are being vetted more carefully. Moreover, this all
happens in real time, just like the typical multifactor methods.

What are the typical ways that this works? Logins to your account are
scored based on a series of metrics, including the role you have (such as a
network admin), whether you are connecting from a particular country (just as
the credit card companies examine their transactions) and whether your
transaction or spending patterns have changed. If a user is doing something
that doesn’t match his or her history, that becomes a riskier transaction,
so the authentication request or login can be challenged with an additional
authentication measure. Challenging unusual login or transaction patterns
creates a barrier that a hacker or fraudster cannot easily circumvent, while
not doing the customer the disservice of demanding such authentication in a
blanket manner.

Or you could have a system that detects geo-locations in a series of logins
(such as one from a Chinese-based IP address and another from Canada a few
minutes later).
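To make the scoring idea and the geo-location check concrete, here is an added example of a small adaptive-authentication scorer. It is illustration written for this issue, not code from the newsletter or from any of the vendors named below. The weights, thresholds, the sample user profile and the two login events (a Toronto login followed twelve minutes later by one from Beijing) are all constructed; the "impossible travel" rule simply asks whether the two logins are farther apart than an airliner could cover in the elapsed time.

```python
"""Risk-based (adaptive) authentication scorer.

Added illustration: all weights, thresholds and sample data are constructed
for this example and are not taken from any product.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set, Tuple

EARTH_RADIUS_KM = 6371.0


@dataclass
class LoginEvent:
    timestamp: datetime
    country: str
    lat: float
    lon: float
    amount: float = 0.0  # transaction amount tied to this login, if any


@dataclass
class UserProfile:
    user_id: str
    role: str                 # "admin" is treated as a higher-value target
    usual_countries: Set[str]
    typical_spend: float      # median historical transaction amount
    last_login: Optional[LoginEvent] = None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(prev: Optional[LoginEvent], cur: LoginEvent,
                      max_speed_kmh: float = 900.0) -> bool:
    """True when the implied speed between two logins exceeds airliner speed."""
    if prev is None:
        return False
    hours = (cur.timestamp - prev.timestamp).total_seconds() / 3600.0
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:                 # same instant (or clock skew): any distance is suspect
        return dist > 0
    return dist / hours > max_speed_kmh


def risk_score(profile: UserProfile, event: LoginEvent) -> Tuple[int, List[str]]:
    """Score one login; higher means riskier. Returns (score, reasons)."""
    score, reasons = 0, []
    if profile.role == "admin":
        score += 20
        reasons.append("privileged role")
    if event.country not in profile.usual_countries:
        score += 30
        reasons.append("unusual country " + event.country)
    if profile.typical_spend > 0 and event.amount > 3 * profile.typical_spend:
        score += 25
        reasons.append("spend well above history")
    if impossible_travel(profile.last_login, event):
        score += 50
        reasons.append("impossible travel since last login")
    return score, reasons


def access_decision(profile: UserProfile, event: LoginEvent,
                    step_up_at: int = 30, deny_at: int = 90) -> Tuple[str, int, List[str]]:
    """Map a score onto the trust hurdles: allow, step-up challenge, or deny."""
    score, reasons = risk_score(profile, event)
    if score >= deny_at:
        decision = "deny"
    elif score >= step_up_at:
        decision = "step-up"
    else:
        decision = "allow"
    return decision, score, reasons


def demo() -> List[str]:
    """Run the two constructed logins through the scorer and return the decisions."""
    alice = UserProfile("alice", "user", {"US", "CA"}, typical_spend=40.0)
    t0 = datetime(2014, 12, 16, 10, 0, tzinfo=timezone.utc)
    events = [
        LoginEvent(t0, "CA", 43.65, -79.38, amount=35.0),                       # Toronto
        LoginEvent(t0 + timedelta(minutes=12), "CN", 39.90, 116.40, amount=35.0),  # Beijing
    ]
    decisions = []
    for ev in events:
        decision, score, reasons = access_decision(alice, ev)
        print(f"{ev.timestamp.isoformat()} {ev.country}: {decision} (score {score}) {reasons}")
        decisions.append(decision)
        alice.last_login = ev      # the accepted or challenged login becomes the new baseline
    return decisions


if __name__ == "__main__":
    demo()
```

The first login matches Alice's history and passes silently; the second trips both the unusual-country and impossible-travel rules, so she is challenged rather than simply refused, which is the point of step-up: the extra factor is demanded only when the context warrants it.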

Firewalls and intrusion prevention products have had similar step-up
risk-based rules for years to analyze and block particular network
behavior. But now a number of vendors are including risk-based
authentication into their security tools, including Symantec's VIP service,
Vasco, RSA, SecureAuth and CA. Expect to see more of them in the near
future, as the notion gains traction. I have begun to review these tools on
SearchSecurity.com for a series on multifactor authentication.

Finally, I wrote a white paper on this topic for Vasco
<http://blog.strom.com/wp/wp-content/uploads/2014/12/vasco-white-paper-v13.pdf>
that you can read here. If you are interested in having me write or speak
on this topic, let me know.

Comments always welcome here:  http://blog.strom.com/wp/?p=4650