Information Security Buzz

Dynamic Authentication: Loved By Users, Trusted By IT

By Michael Thelander, August 15, 2017 (updated December 30, 2021)

With a never-ending stream of data breaches, and financial institutions reporting dramatic increases in account takeover fraud, it's time for authentication to become more than a one-time event.

OneLogin, an online service that lets users manage logins to sites and apps from a single platform, recently joined a very long list of companies that have found themselves in the news for all the wrong reasons. In June, the company reported a breach of its US data center. While the number of records exposed and the extent of the breach remain undisclosed, OneLogin did reveal that the attacker gained access to database tables containing information about users, apps, and various types of keys.

With billions of records breached each year, there’s no shortage of data for cybercriminals to use to their advantage. Financial institutions appear to be feeling the effects. In a recent survey of 83 executives at US financial institutions, the Aite Group reported significant increases in account takeover fraud involving demand deposit and credit card accounts.

Companies such as OneLogin exist to remove "friction" from the login process, and that is the right instinct: strong user authentication does not have to come at the expense of a good customer experience. Yet too often, attempts to resolve the tension between security and a seamless customer experience have produced authentication methods that keep neither customers nor cybersecurity teams happy.

A More Refined Approach to Authentication

Delivering a smooth user authentication experience requires a different approach. Dynamic Authentication is a layered approach that combines two or more authentication and authorization technologies into one seamless flow, applying just the right level of vetting for the assessed risk. Typically it pairs a lightweight, transparent method, such as device-based authentication, with a more robust and interactive one, such as mobile multi-factor authentication.

Employing a layered approach to authentication is not a new concept. Many businesses have automated their payment process to require sign-off from multiple executives when transferring large sums. In the military, launching a warhead involves a "two-man rule" that requires multiple officers to act together.

Dynamic Authentication embodies an approach similar to the approval of large transfers or the launch of a missile. For most sessions, the user's request and their actions call for the easiest-to-use authentication method. Yet, as needed, more complex and robust methods are available to provide a higher level of assurance before sensitive activities are authorized.


It’s All About Context…

At its core, Dynamic Authentication uses context to approve or reject a login, or to terminate a user session. It examines a broad set of risk signals rather than just the obvious ones, such as a mismatch between an IP address and a stated geographic region. For example, it determines whether the user's device has been jailbrogen or rooted. It can also examine screen resolution and orientation on this supposedly "mobile" device. Does the IP address observed at the network layer match the one reported by the browser? What are the CPU speed and the kernel version? It can analyze all of these factors in context, together with the risk of the transaction the user wishes to complete.

Another important element of context is “reputation.” If a user’s device is in all respects the same as it was the last time the user requested access, that’s an indicator that there should be a standard low-friction authentication experience. But if, in the intervening time, some other organization or company has attached evidence of account takeover or some form of online fraud against that device, a Dynamic Authentication solution can increase the level of authentication to a more rigorous one.

So context determines the level of authentication. Similarly, the level of authentication required can vary by transaction type. Cash transfers would require a higher level of authentication versus the level needed to view an account balance, for example.

Continuous, Rather Than a One-Time Event

If companies want to prevent unauthorized access, they must change their view of authentication from a one-time event to an ongoing, continuous process. Treating authentication as a process rather than an event requires the ability to raise the level of assurance at any point during the user's journey. By demanding the right level of authentication for the current level of risk, companies change how they mitigate risk and gain additional benefits in usability and the overall user experience.

This change is more than an interesting theory; it responds to a real threat: a rise in man-in-the-middle (MITM) attacks against mobile platforms. During a MITM attack, a Dynamic Authentication solution can respond to the presence of a malicious VPN or an unexpected proxy and ratchet up the level of assurance required. Policies can request additional, transparent authentication steps, such as a check of how closely the user's device matches its previously recorded fingerprint, at different waypoints along the user's journey. By evaluating these signals throughout the session, Dynamic Authentication becomes continuous, responding to changing conditions even in the middle of a session, without introducing additional friction.

Dynamic Authentication Complements Existing Technology

For Dynamic Authentication to work, it must bring different technologies together so that they operate seamlessly. It can be applied alongside or on top of existing authentication methods, which then allows the method best suited to the risk at hand to be selected and applied. To manage risk effectively, Dynamic Authentication requires some form of policy manager or decisioning engine that scores the request and its risk, and provides the all-important context needed to invoke the appropriate authentication method. This can be a static, rule-based policy, an automated decision based on machine learning, or a combination of both. It evaluates risk while also comparing returning devices to known device profiles and deciding how much change is acceptable according to the company's risk tolerance.
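The following is an added example, not code from the article or from any vendor's product. It sketches the kind of policy engine the last few sections describe: contextual signals (rooted device, fingerprint drift, geo/IP mismatch, proxy or VPN, third-party device reputation) are scored, the transaction type sets a baseline assurance level, and a session object re-evaluates the context at each waypoint so that assurance granted under one set of conditions is invalidated when new risk signals appear mid-session. All signal names, weights, thresholds and the sample journey are constructed assumptions for illustration.

```python
"""
Risk-based (dynamic) authentication decision engine.

Added example, not the article's or any vendor's code. Signal names, weights,
thresholds and the sample journey below are constructed assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Ordered authentication strengths, weakest to strongest."""
    PASSIVE = 1   # transparent device recognition, invisible to the user
    STEP_UP = 2   # interactive second factor (e.g. mobile push or OTP)
    DENY = 3      # refuse the request and terminate the session


@dataclass
class DeviceProfile:
    """Fingerprint captured on a previous successful login (assumed fields)."""
    device_id: str
    platform: str
    screen: str
    kernel: str
    rooted: bool = False


@dataclass
class Request:
    """Context gathered for the current request (assumed fields)."""
    device: DeviceProfile
    transaction: str               # e.g. "view_balance", "transfer_funds"
    geo_claimed: str               # region the client claims
    geo_from_ip: str               # region resolved from the observed IP
    ip_is_proxy_or_vpn: bool
    device_reputation_fraud: bool  # third-party fraud evidence on this device


# Assumption: baseline assurance required per transaction type.
TRANSACTION_BASELINE = {
    "view_balance": Assurance.PASSIVE,
    "update_profile": Assurance.STEP_UP,
    "transfer_funds": Assurance.STEP_UP,
}

# Assumption: contribution of each risk signal to the score.
WEIGHTS = {"rooted": 40, "device_drift": 30, "geo_mismatch": 25,
           "proxy_or_vpn": 35, "bad_reputation": 60}
STEP_UP_THRESHOLD = 30   # passive recognition is no longer enough
DENY_THRESHOLD = 80      # refuse outright


def device_drift(known: DeviceProfile, seen: DeviceProfile) -> int:
    """Number of fingerprint attributes that changed since the last login."""
    return sum(getattr(known, f) != getattr(seen, f)
               for f in ("platform", "screen", "kernel"))


def score_request(req: Request, known: dict) -> tuple:
    """Return (risk_score, reasons) for the signals present on this request."""
    score, reasons = 0, []
    prior = known.get(req.device.device_id)
    checks = [
        ("rooted", req.device.rooted),
        ("device_drift", prior is None or device_drift(prior, req.device) > 1),
        ("geo_mismatch", req.geo_claimed != req.geo_from_ip),
        ("proxy_or_vpn", req.ip_is_proxy_or_vpn),
        ("bad_reputation", req.device_reputation_fraud),
    ]
    for name, hit in checks:
        if hit:
            score += WEIGHTS[name]
            reasons.append(name)
    return score, reasons


def decide(req: Request, known: dict) -> tuple:
    """Combine the transaction's baseline with the contextual risk score."""
    score, reasons = score_request(req, known)
    required = TRANSACTION_BASELINE.get(req.transaction, Assurance.STEP_UP)
    if score >= DENY_THRESHOLD:
        return Assurance.DENY, reasons
    if score >= STEP_UP_THRESHOLD:
        required = max(required, Assurance.STEP_UP)
    return required, reasons


class Session:
    """Re-evaluates context at every waypoint; assurance is bound to context."""

    def __init__(self, known: dict):
        self.known = known
        self.achieved = 0               # no assurance proven yet
        self.context = frozenset()      # risk reasons present when assurance was granted
        self.terminated = False

    def waypoint(self, req: Request) -> str:
        """Return 'allow', 'challenge' (step-up needed) or 'terminated'."""
        if self.terminated:
            return "terminated"
        required, reasons = decide(req, self.known)
        if required is Assurance.DENY:
            self.terminated = True
            return "terminated"
        if set(reasons) - self.context:
            # New risk signals since assurance was granted: it no longer counts.
            self.achieved = 0
            self.context = frozenset(reasons)
        if required is Assurance.PASSIVE:
            self.achieved = max(self.achieved, Assurance.PASSIVE)  # transparent
            return "allow"
        return "challenge" if required > self.achieved else "allow"

    def challenge_passed(self, level: Assurance = Assurance.STEP_UP) -> None:
        """Record that the user completed an interactive factor."""
        self.achieved = max(self.achieved, level)


def run_demo() -> list:
    """Walk one constructed user journey through the engine."""
    known = {"dev-1": DeviceProfile("dev-1", "iOS", "1170x2532", "21.4")}
    same = DeviceProfile("dev-1", "iOS", "1170x2532", "21.4")
    base = dict(device=same, geo_claimed="US", geo_from_ip="US",
                ip_is_proxy_or_vpn=False, device_reputation_fraud=False)
    s, actions = Session(known), []
    actions.append(s.waypoint(Request(transaction="view_balance", **base)))    # passive
    actions.append(s.waypoint(Request(transaction="transfer_funds", **base)))  # step-up
    s.challenge_passed()
    actions.append(s.waypoint(Request(transaction="transfer_funds", **base)))  # proven
    # Mid-session the traffic now arrives via a proxy/VPN from another region.
    mitm = dict(base, geo_from_ip="RO", ip_is_proxy_or_vpn=True)
    actions.append(s.waypoint(Request(transaction="view_balance", **mitm)))    # re-prove
    # Later, third-party fraud evidence is attached to the device.
    burned = dict(mitm, device_reputation_fraud=True)
    actions.append(s.waypoint(Request(transaction="view_balance", **burned)))  # deny
    return actions


if __name__ == "__main__":
    print(run_demo())
```

The journey in `run_demo()` shows the three behaviours the text describes: viewing a balance on a recognized device passes on passive recognition alone, a funds transfer forces a step-up, and once a proxy and a geo mismatch appear mid-session the previously completed step-up is discarded and must be repeated even for a low-risk transaction; once fraud reputation is attached to the device the session is terminated. In a real deployment the weights and thresholds would come from the organization's risk tolerance, and the reputation and proxy signals from external feeds.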

As a system, Dynamic Authentication provides context, with a keen awareness of the risk signals surrounding an authentication request. It supports a continuous approach to authentication, eschewing simplistic, one-time, front-door-only authentication and access schemes. It is also complementary: it stitches together multiple authentication solutions, from fully passive to highly interactive, to provide the best possible user experience in the situation at hand.

While OneLogin recovers from its breach, and financial institutions continue to experience dramatic increases in account takeover fraud, Dynamic Authentication presents a compelling alternative to the convoluted and often ineffective approaches to authentication that inconvenience customers and still allow fraud to take place.


Michael Thelander

Director of Machine Identity Strategy

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
