Anomaly detection is about recognizing risky situations involving access requests that are not legitimate, allowing you to take appropriate action. Your multi-factor authentication solution should have baseline capabilities to help you do just that.

User behavior can tell you when an access request is out of the ordinary, so you can get more information to confirm that it’s legitimate. It can also tell you when an access request is likely just business as usual, so you don’t have to bother the user for further information. By watching behavior to see what is normal and what is not, you can unleash broad capabilities to improve both security and the user experience. That’s why anomaly detection is so important to crafting a successful identity assurance strategy.

Identifying Abnormal Access Requests

How do you know an abnormal access request when you see one? All you have to do is answer this simple question: “Is this access request unlikely to be legitimate?” Arriving at the answer can require information from multiple sources. However, your multi-factor authentication (MFA) solution should be able to perform basic anomaly detection at the very least. Some examples of MFA capabilities for anomaly detection include:

1. Isolate bad IP addresses. When you see a known bad IP address being used in access attempts, you can actively block attempts from that address.

2. Recognize velocity anomalies. If you know a user’s location, you can make a correlation between the access request and other recent requests. For example, if a user logs in from Colorado and then ten minutes later from Moscow, you should get more proof that the user is who he or she claims to be – or simply deny the request.

3. Flag untrusted locations. If a geolocation for an access request comes from a place where it’s uncommon for someone to need access, you can ask for additional authentication.
Or you can just deny the request, especially if it’s from a location from which no one has business getting access.

An identity system with capabilities like these built into it allows security policies to leverage the information to automatically deny access or require additional authentication.

Spotting the Norm

Recognizing abnormal behavior is important for achieving identity assurance, but so is recognizing normal behavior. It starts with employing the capabilities above, but without pre-determining what to trust through static rules. Instead, you examine each user and their attributes (device, location, network, time of day and access patterns). You’re looking for a common pattern of successful authentication attempts where these attributes are consistent. For example, is the user signing on from the same place using the same devices at the same time as they normally do? When you can recognize enough consistency, you can gain some assurance of this user’s identity without further authentication.

Putting It All Together

Anomaly detection involves recognizing situations that could heighten the risk that an access request is not legitimate, allowing you to take appropriate action. It involves looking at normal as well as abnormal user behavior in the effort to achieve identity assurance. Learn more about identity assurance in this white paper.
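
The three checks listed above (bad IP, velocity anomaly, untrusted location) and the "spotting the norm" baseline can be combined into one access decision, sketched here as an added example that is not part of the original article or any vendor's product. The blocklisted network, country code, speed ceiling, distance floor and match count are all assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Every value here is constructed for illustration, not taken from the article.
BAD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # stand-in for a threat feed
UNTRUSTED_COUNTRIES = {"ZZ"}   # placeholder code for "no one has business here"
MAX_KMH = 900.0                # assumed ceiling, roughly airliner speed
MIN_KM = 50.0                  # assumed floor so geolocation jitter is ignored
MIN_MATCHES = 3                # assumed number of consistent logins to trust

@dataclass
class Login:
    ip: str
    country: str
    lat: float
    lon: float
    device: str
    when: datetime  # UTC

def km_between(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def hours_apart(a: int, b: int) -> int:
    """Distance between two hours of day on a 24-hour clock (23 vs 1 is 2)."""
    return min((a - b) % 24, (b - a) % 24)

def decide(req: Login, history: list[Login]) -> str:
    """Return 'deny', 'step_up' or 'allow' from the user's past successful logins."""
    addr = ipaddress.ip_address(req.ip)
    if any(addr in net for net in BAD_NETWORKS):
        return "deny"                                   # 1. known bad IP
    if history:
        last = max(history, key=lambda l: l.when)
        dist = km_between(last, req)
        hours = (req.when - last.when).total_seconds() / 3600
        if dist > MIN_KM and (hours <= 0 or dist / hours > MAX_KMH):
            return "step_up"                            # 2. velocity anomaly
    if req.country in UNTRUSTED_COUNTRIES:
        return "step_up"                                # 3. untrusted location
    # Baseline: same device, same country, similar time of day, seen often enough.
    matches = sum(1 for l in history
                  if l.device == req.device and l.country == req.country
                  and hours_apart(l.when.hour, req.when.hour) <= 2)
    return "allow" if matches >= MIN_MATCHES else "step_up"
```

A user with no matching history gets `step_up` rather than `allow`, so the absence of a baseline never lowers the authentication bar.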