Multi-factor authentication needs a little Goldilocks

Companies cannot apply multi-factor authentication to everything a user does.

black bears

I recently read a story in CSO that explained how hackers can crack just about any password. The story didn’t surprise me. Security experts have known this for a while. Yet, passwords continue to serve as the go-to method for accessing just about everything online.

Most experts recommend adding multi-factor authentication, but with the wide range of cloud services available and the mobility of our workforce, how much is too much?  How little is too little to be effective?

Companies need to strike a balance between users reaffirming who they are without inhibiting their work. The best-case scenario entails an employee, who’s doing what she normally does, is left alone. If she suddenly does something out of the ordinary, she would need to verify it’s really her. Verify users are who they say they are when they are already inside doing something unusual, not only when they are at the door.

Credit card companies have become very good at this process. They understand cardholders’ regular purchases, and thus don’t bother them every time they use their card. However, if a purchase seems unusual, the card company will send a text asking the card holder to verify it’s her. If she cannot verify the purchase, they freeze her account. Sounds simple, right?

We need this kind of simplicity in cyber security. Companies cannot apply multi-factor authentication to everything a user does. It’s too much. There’s a Goldilocks zone for multi-factor. It can’t be too hot. It can’t be too cold. It must be just right. And companies can pull off just right by using behavior analytics.

Behavior analytics working in tandem with multi-factor authentication would enable companies to verify users are who they say they are when they are detected doing something unusual. For example, we often see a use case that we call “The Prospector.” Like a gold miner digging for gold, insiders will mine for valuable data assets, accessing applications and systems, looking for the crowned jewels. Behavior analytics would detect an employee digging around, accessing a system that he typically doesn’t access and/or isn’t authorized to access. Multi-factor authentication would then come into play asking the employee to verify it’s really him. If he does not verify within a certain timeframe, then his account is shut down before he accesses the jewels. On the flip side, if that employee is accessing a system that he typically accesses to do his job, he wouldn’t be bothered at all.

Call it “Smart Multi Factor Authentication.” A bad actor would fail the second layer of authentication while the trusted employee can do his job uninterrupted. Malicious insiders would also be hindered because they know they are being watched.

For example, “Joe” is planning to leave the company and take intellectual property with him to start a competing company. He tries to send an email with sensitive information attached to his future business partner on the outside. Behavior analytics detects the unusual behavior. Data loss prevention technology is about to block the document from leaving, but before it does, Joe gets a text message asking if it’s really him. There is a chance, albeit small, that Joe texts back, “yes,” and the email is sent. However, based on what we have seen in user behavior, once users know they are being watched, the vast majority stop what they are about to do. After all, texting back “yes,” affirms Joe’s intent, in writing, to compromise corporate intellectual property.

Smart multi-factor authentication is a deterrent for malicious insiders, a reminder for non-malicious users who innocently do something risky, and a blocker for bad guys. Most importantly, it enables trusted employees to do their jobs without being overly burdened by having to re-authenticate for business-as-usual activities.

Copyright © 2017 IDG Communications, Inc.

How to choose a SIEM solution: 11 key features and considerations