2017-11-06

Recently I read a security report about a researcher who was offered a targeted phishing service for only $7 per user. The service included a choice of specifying the target to be attacked or simply providing the type of victim. This is the commercialization of Identity Theft-as-a-Service, and it should scare you as much as it scares me.

I’m concerned because most companies are still using outdated and obsolete security practices. As recently as last week, Bill Burr, who pioneered password policy standards, stated, “Much of what I did I now regret.” He now concludes that by advocating for stricter password policies, he actually may have made the situation worse. Passwords simply do not work in the modern workplace. The more complex you make the requirements, the more users find ways around them.

So how do we solve the password problem? We change the dynamic of authentication to include authorization. This is more than simply adding two-factor authentication, which only provides a challenge at the front door and does not continually monitor user actions.

Until now, the conventional wisdom has been that two-factor authentication to protect the VPN, critical infrastructure, and servers is good enough. But today’s users expect more than “good enough.” Users are demanding a better user experience and the board is telling you to provide it (and not looking at the risk this introduces).

Consider the latest NIST guidelines, which speak to the idea of identity assurance. That’s different from identity management: it’s not about “Can a user meet a challenge?” so much as about “Can a user prove they are who they say they are?”

If we combine user and session attributes and relate that information to the application and related user permissions, we can determine risk. That risk should determine the type of authentication needed for access. Authentication is no longer “one size fits all,” but a challenge appropriate to the level of risk. The challenge needs to include options like push authentication, biometrics (fingerprint, eyeprint), FIDO and TOTP tokens, SMS, and phone calls. Users need to be able to choose the authentication method they want to use as long as it’s appropriate to the level of risk.

Systems also need to perform continuous authentication. While a username and password may be good enough for a low-risk application, when users pivot to another application, risk assessment needs to happen automatically and transparently, interrupting the session in real time if necessary. The system must perform dynamic risk assessment through machine learning, in the context of normal and anomalous user behavior. This may stop rogue users in their tracks while letting appropriate users do their jobs.
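To make the two preceding ideas concrete, here is a small risk-adaptive policy engine, added as an illustration and not taken from the post or any product it alludes to. It scores an access attempt from session and user attributes plus the application's sensitivity, maps the score to a tier, and lets the user pick any challenge type at or above the tier's minimum; calling it again on a pivot to a new application is the "continuous" part. The attribute weights, tier thresholds, method ordering and application table are all my assumptions.

```python
from dataclasses import dataclass, field

# Challenge types ordered weakest to strongest (ordering is my assumption;
# it follows the post's list, with SMS and phone calls rated below TOTP).
METHODS = ["password", "sms", "phone_call", "totp", "push", "fido", "biometric"]
# Each risk tier names the weakest method it accepts; anything stronger is
# also fine, so the user keeps a choice (the post's point) within the tier.
TIER_MIN_METHOD = {"low": "password", "medium": "sms", "high": "totp", "critical": "fido"}
# Constructed application sensitivity weights, standing in for app/permission data.
APP_SENSITIVITY = {"wiki": 0, "email": 1, "payroll": 3, "prod-admin": 5}

@dataclass
class Session:
    user: str
    device_known: bool        # device seen before for this user
    geo: str                  # country of the current request
    usual_geo: str            # country this user normally works from
    hour: int                 # local hour of the current action
    usual_hours: range        # hours the user is normally active
    privileged: bool          # user holds elevated permissions
    completed: list = field(default_factory=list)  # challenges already passed

def risk_score(s: Session, app: str) -> int:
    """Combine application sensitivity with session and user attributes."""
    score = APP_SENSITIVITY.get(app, 3)   # unknown app: treat as fairly sensitive
    if not s.device_known:
        score += 2
    if s.geo != s.usual_geo:
        score += 2
    if s.hour not in s.usual_hours:
        score += 1
    if s.privileged:
        score += 1
    return score

def tier(score: int) -> str:
    return "low" if score <= 1 else "medium" if score <= 3 else "high" if score <= 6 else "critical"

def acceptable_methods(t: str) -> list:
    return METHODS[METHODS.index(TIER_MIN_METHOD[t]):]

def evaluate(s: Session, app: str) -> dict:
    """Decision for a login or for a pivot into another application: if none of
    the challenges already passed is acceptable at this tier, step up."""
    t = tier(risk_score(s, app))
    offer = acceptable_methods(t)
    step_up = not any(m in offer for m in s.completed)
    return {"tier": t, "step_up": step_up, "offer": offer}
```

A real deployment would replace the hand-written weights with a model trained on the user population's normal behavior, but the decision shape (score, tier, acceptable challenge set, re-evaluate on every pivot) stays the same.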

I mentioned earlier the prospect of users getting phished for a low cost. But even when a phishing scam reveals a user’s password, it won’t matter, provided we have made the username and password useless on their own through behavior analytics, continuous authentication, and risk-based authentication. The system will recognize imposters and stop them in their tracks. Ultimately, we can work towards removing passwords completely.

