How can user behavior analytics kill the password?
Andy Zindel
Last time, I wrote about adaptive authentication and briefly touched on behavior analytics being an integral part of adaptive authentication. For true behavior analytics, you need some smart AI-powered Multi-Factor Authentication (MFA). Now, if you think about it and put the pieces of the puzzle together, you might be able to kill passwords altogether.
Wouldn’t that be nice? You no longer need to remember any passwords and all you need is access to one of your MFA tools when authenticating. With the increased use of smartphones and other devices for MFA, businesses now more than ever have the ability to move away from password-based authentication towards a less invasive, but more secure access control model and get rid of passwords in that process.
Let me elaborate a bit on why you should care, how it works, how it affects your users, and most importantly, how it affects your data.
Why you should care
Most users complain they must remember so many different passwords with uppercase, lowercase, symbols, and numbers. As cyberattacks became more common and increased in sophistication, one good defense is to make the password more complicated. However, increased password complexity causes usability to take a big hit. I shouldn’t have to remember a 10 character password comprised of upper / lower case with numbers and symbols that do not contain any “dictionary” word.
Quite frankly, I can’t. So, I write my password down somewhere, which is a big security risk in itself. And with brute-force password hacking tools like THC Hydra, Ncrack, SAM, and so on, a password alone doesn’t really protect anything anymore. It all depends on the determination of the cyber criminal and how valuable is the data you have to them. It has become a daily news line that someone has been hacked.
Additionally, users do not want to authenticate all the time. Authentication should be a process that runs autonomously in the background without being constantly in my face. If I have to authenticate every five minutes because I am accessing a new piece of information, I will not get any work done. Ideally, authentication runs alongside without interfering with user experience.
How does it work?
Identity platforms (should) combine known biometrics, like fingerprint or iris scans from smartphones, with information derived from the monitoring of all user systems and behavior. Starting with device location in correlation to the “usual” user behavior. For example, I always log on from the office between eight and nine in the morning and there is GPS data available from my phone and/or laptop. The user behavior analytics (UBA) system now can collate my logon attempt with the physical location of my devices to make an assumption, or better said a risk evaluation, how likely it is to me or how likely it is to be someone else.
If a login attempt is made from, say from Europe, but my phone and laptop GPS is showing that I am in the U.S., one can make a fair assumption that this deserves a higher risk level assignment and authentication should be elevated to include many factors for verification. Or, the system has seen me log in from San Francisco at eight in the morning, but an hour later there is an authentication attempt made from Italy. The system can deduce that I cannot travel from San Francisco to Italy in one hour.
But at the same time, if I access data that requires authentication, from the same location one hour after I have authenticated, the system should evaluate my user behavior; for example, the way I type and my mouse movements, the type of data that I access, posture of my phone and laptop and other details of the operational computing environment that I am using on a daily basis, which are distinctive user characteristics that are unique to me and authenticate me silently in the background without my interaction.
Over time the system learns where my office, my home and other common locations I work from are, what time of day I usually log on, what systems I am using, and how I behave. So, instead of being a one-off challenge-response process in the beginning, authentication becomes a continuous process of MFA, which uses a range of factors to establish and reconfirm identity, sometimes without the direct involvement of the user.
How does it affect your users? First, it makes their lives easier. They do not need to remember complex passwords that they need to change every 90 days or so. Now when they authenticate, they simply click an "approve" button in a push notification on their smartphone, place their finger on a fingerprint scanner, provide a voice sample or answer an automated call on a verified phone number. But more importantly, it protects them from becoming a victim of accidental data compromise because they made a mistake (after all, if they are accessing something that they normally don’t, they should be stopped by the UBA system).
How does it affect data?
As I pointed out earlier, hacking has become commonplace and we are almost numb to the news headline that some big cooperation was hacked and gigabytes of data has been stolen or that some hospital is being blackmailed to pay a ransom in form of bitcoin. With a sophisticated UBA system, hacking will become exponentially more difficult -- if not close to impossible.
So in conclusion UBA based adaptive authentication should look at the following…
- Device Profile: What system is the request coming from? Is this a system I have seen before, is this a corporate-issued device?
- Location Awareness: Where is this request coming from, is this a “risky” IP address range, is this coming from a “risky” country? How did the user go from San Francisco to some other country in one hour? This isn’t the usual location from which this user is logging on.
- User Behavior: Why is the user accessing those servers/applications/data? He has never done that before.
Adaptive authentication is the recognition that authentication elevation is part of a continuous process of managing access to applications and resources. In other words, instead of applying risk evaluation and elevation only during the authentication process once, they are continuously evaluated as part of the process while accessing information to determine whether to allow any request for a resource, transaction, interaction or to elevate the authentication and challenge for additional authentication factors at any point in time if suspicious behavior is detected. If suspicious behavior is detected, it should prompt the user then and there to provide an additional factor of authentication.
Identity automation with user analytics behavior adaptive authentication is part of a broader intelligent multi-factor / multi-data-point-analysis authentication approach for all applications and resources. This strategy is the most secure way of managing identities and accessing corporate applications, networks, and resources because with adaptive authentication, you make low-risk activities easy and high-risk activities protected without the use of passwords. Resulting in a “happier” user force all the while protecting your enterprise.
Outsmart Cybercriminals