How risk-based authentication has become an essential security tool

A new generation of risk-based authentication (RBA) products can improve both customer experience and security. Here's what to look for in them.

It used to be that adaptive authentication (also called risk-based authentication or RBA) forced a trade-off between usability and security, but that is no longer the case. A few years ago, security managers placed security above usability, forcing users to be like Chicago voters: authenticate early and often. Today’s RBA tools can improve overall customer experience and help compliance regulations as well as simplify a patchwork of numerous legacy banking technologies.

Based on my experience with some of these products, RBA has matured and become more compelling, particularly when compared to static and more traditional multi-factor authentication (MFA) methods, especially as the typical enterprise attack surface has expanded and evolved. The expansion takes on several different dimensions:

  • Endpoints are getting more diverse. Thanks to more capable mobile devices and more susceptible embedded internet of things (IoT) products, attackers have more leverage and entry points. Botnets of thousands of these devices are quite common, and entire malware campaigns (such as Mirai in 2016) are a major threat vector.
  • More mobiles on enterprise networks means that users are mixing more personal and business activities on their phones and tablets. This erodes the boundaries between these two domains and makes it easier for attackers to leverage entry into the business network.
  • Social networks make it easier for hackers to use social engineering tactics to figure out users’ logins. As a result, authentication challenges are getting more sophisticated, with attackers compromising one-time passwords and weak MFA methods with better tools and the acquired social engineering knowledge.
  • Cloud computing has helped to leverage malware-as-a-service, and a number of malware construction kits and services are available for purchase that don’t require much in the way of skill beyond clicking on a few buttons.
  • Malware is getting more sophisticated at hiding in plain sight, being able to disable protective methods and establish themselves deep within a typical enterprise network.
  • Attackers are also getting better at conducting blended attacks that can cut across a website, a mobile phone app, voice phone calls, and legacy on-premises applications, making them very hard to track if viewed as separate and independent events.
  • Shadow IT operations continue to proliferate, making it harder for IT to police and protect endpoints. Adding to this difficulty is that the average enterprise network is getting more complex and harder to defend. One study shows that the average bank had 30 domain configuration issues, 42 SSL configuration issues, 87 IP reputation issues, and 81 threat indicators across their digital footprints. That is a lot of different touch points to monitor and maintain.
  • Finally, ransomware is a growth business, with increasing number of attacks and pinpoint targeting on specific businesses and transactions.

Passwords are no longer secure

As the number of logins and password-protected services increases, it makes passwords more difficult to remember. That encourages more reuse or picking weaker ones that are easier to compromise. Users are experiencing more password fatigue, and they need better tools that can avoid passwords whenever possible without compromising security. All static passwords are now vulnerable, and RBA has become the best mechanism to introduce security and avoid further password reuse and fatigue.

To continue reading this article register now

Microsoft's very bad year for security: A timeline