Continuous Adaptive Trust
Risk-based Authentication: User-friendly, but insecure?
We already spend an average of 11 hours a year entering and resetting passwords 1). Increasingly, a further authentication factor such as a one-time password (OTP) is added. This improves security and helps prevent account hijacking, but the extra step also adds complexity and friction for the user. Risk-based authentication (RBA) tries to remedy this by reducing the frequency and strength of the login as far as possible. This can lead to dangerous compromises, however, because the risk is evaluated only once, at login, so that user behaviour after authentication is not taken into account at all.
Man-in-the-middle attacks are increasingly being used to circumvent two-factor authentication (2FA) 2). Via 2FA phishing, the attackers insert themselves unnoticed into the communication between user and provider and undermine 2FA by impersonating the respective counterpart to both sides. By the time the user notices the mistake, the damage is usually already done. Modern login procedures such as FIDO2 prevent these attacks, but they are not yet widely supported.
Authentication is not a carte blanche
To ensure that security does not suffer for the sake of convenience, risk analysis must be continuous. User behaviour is analysed even before the identity has been verified, and after authentication all available risk sensors continue to be evaluated. Is a bot perhaps involved? Then an additional security factor or the completion of a captcha can be requested. In a suspicious case, the user is logged out or the account is even blocked. After all, a successful login must not be a carte blanche!
Low entry barrier thanks to different security levels
Not all data and applications have the same security needs. Even within an application, there can be areas and functions with different levels of risk. By dividing the application into several security levels, exactly as much security as required is guaranteed at all times. Access to sensitive areas is rare, and it does not usually happen right at the start of a session. This means that strong authentication can be delayed or omitted altogether, which keeps the entry barrier low and means users waste less time on security interventions.
Security and Ease of Use with Continuous Adaptive Trust
Continuous Adaptive Trust means more security and fewer tedious interactions at the same time. Thanks to continuous risk analysis, security can remain more in the background.
Risk sensors and trust providers
Continuous risk assessment requires a stream of risk and trust signals from different sources:
- User identity: Is the user still anonymous? Has he already been weakly or strongly authenticated? Has his identity been verified, e.g. by badge check?
- Access context: Is the access from a known device? At the usual time? Where is the user located? Is the device up-to-date with the latest software? Or is it even infected with malware? To ensure that compromised systems do not cause any damage on the server side, their access should be prevented at an early stage.
- Reputation analysis: Unwanted clients from suspicious IP addresses, botnets or Tor exit addresses are quickly detected and blocked. For this purpose, Airlock relies on the BrightCloud® Threat Intelligence Service from Webroot®.
- Anomaly detection: Suspicious user behaviour is detected using machine learning. Airlock Anomaly Shield can block automated attack tools, vulnerability scanners or bots, for example.
Thanks to the high level of usability with the new central security infrastructure, we have created a unique Raiffeisen identity for our customers. Customer focus and trustworthiness have top priority in our e-banking solution. With the Airlock Suite, we were able to meet these high requirements.
Stevan Dronjak, Team Lead Web Application Security Raiffeisen Schweiz
Cooperation between IAM and WAAP
Continuous risk analysis is only possible by constantly inspecting all data traffic. A WAAP solution such as Airlock Gateway is therefore the ideal component to orchestrate the various risk sensors. Depending on the risk signal, the trust level is lowered accordingly. The IAM, on the other hand, is an ideal trust provider. It ensures that the minimum security level is respected, which depends on the risk appetite of the respective application or function. If the current trust level is below this threshold, the IAM requests a proof of trust from the user: This can be, for example, a login or the entry of an additional authentication factor.
Minimum risk with maximum convenience
To combine security and user convenience, IAM and WAAP work together. This is the success formula of Airlock Secure Access Hub: Airlock IAM and Airlock Gateway jointly ensure that the trust level is always above the required security threshold. Communication between Gateway and IAM takes place via the Airlock Control API.
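The trust-level model described in the two sections above (a trust provider supplies an authentication level, risk sensors lower it, and a per-function threshold decides between allow, captcha, step-up and block on every request) as an added, simplified example. This is illustrative code written for this page, not Airlock's own implementation; the level names, the `REQUIRED` thresholds, the `bot_score` cut-offs and the one-level penalty for an unknown device are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class Trust(IntEnum):
    """Trust levels as provided by the identity sensor (assumed ordering)."""
    ANONYMOUS = 0
    WEAK = 1       # e.g. password only
    STRONG = 2     # e.g. password plus second factor
    VERIFIED = 3   # identity verified out of band, e.g. badge check


# Minimum trust per application function (assumed values for this example).
REQUIRED = {"public": Trust.ANONYMOUS, "balance": Trust.WEAK, "transfer": Trust.STRONG}


@dataclass
class Signals:
    """Risk and trust signals available for one request, not only at login."""
    auth_level: Trust        # from the IAM (trust provider)
    known_device: bool       # access context
    reputation_bad: bool     # e.g. botnet or Tor exit address
    bot_score: float         # 0.0 .. 1.0 from anomaly detection
    malware_suspected: bool = False


def effective_trust(sig: Signals) -> Trust:
    """Lower the IAM-provided level according to context signals (gateway role)."""
    level = int(sig.auth_level)
    if not sig.known_device:
        level -= 1           # unfamiliar device: one level less (assumption)
    return Trust(max(level, int(Trust.ANONYMOUS)))


def decide(sig: Signals, function: str) -> str:
    """Re-evaluated on every request: allow, captcha, step_up or block."""
    if sig.reputation_bad or sig.malware_suspected:
        return "block"       # stop compromised clients early, login state is irrelevant
    if sig.bot_score >= 0.9:
        return "block"       # confirmed automation: end the session
    if sig.bot_score >= 0.5:
        return "captcha"     # suspected bot: human check before anything else
    if effective_trust(sig) >= REQUIRED[function]:
        return "allow"
    return "step_up"         # IAM requests a proof of trust (login or extra factor)


if __name__ == "__main__":
    # Constructed session: password login, then the anomaly score rises mid-session.
    print(decide(Signals(Trust.WEAK, True, False, 0.0), "balance"))   # allow
    print(decide(Signals(Trust.WEAK, True, False, 0.0), "transfer"))  # step_up
    print(decide(Signals(Trust.WEAK, True, False, 0.95), "balance"))  # block
```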
Gartner calls this principle Continuous Adaptive Trust (CAT) 3).
MFA can reduce identity-related risks, but a naïve focus on counting authentication factors can diminish efficacy and add user friction. IAM-focused security and risk management leaders should move analytics to the fore to enable continuous adaptive trust and thus optimize risk mitigation and UX.
With CAT, the security mechanisms can stay in the background, which means that user experience is not compromised. This creates trust, because users and customers are not annoyed by tedious security interactions and feel more secure at the same time.