December 2, 2019

Continuous Behavioral Authentication Is Best MFA

Multi-factor authentication has been touted as the only way to ensure your identity access management strategy will meet current protection level, but it has also come under scrutiny as fail in very specific situations (ahem…Microsoft). The real question you have to ask is whether or not it was MFA that is actually the issue or is it the nature of binary versus continuous authentication?

Binary Authentication Is A Thing Of The Past

With the advent of computers and especially the proliferation of the hundreds of devices and millions of applications that followed, the need to authenticate a user in order to access that system (i.e. login) has been a requirement. The original and still most prevalent method of doing this is binary authentication which is based on a simple username and password combination that then allows an individual complete access to the resource until they log out.  

The downside of binary authentication is best described by Roger Grimes in his CSO article titled “What is continuous user authentication? The best defense against fraud”:

“Binary authentication allows you to do nothing (not authenticated) or everything previously allowed (after a successful authentication). The biggest negative of this type of authentication is that if bad guys gets your credentials, they can do anything including deleting your account. If they create a new fake account on a legitimate system, they can use it as a base for all sorts of badness.”

Even the introduction of Multi-factor Authentication (MFA) didn’t change the binary nature of most authentication technologies. Typically, it involves two “pieces of evidence” which is a subset of MFA called Two-factor Authentication which could be:

  • Something that you know:g. password, PIN, pattern
  • Something only you have:g. smart card, mobile phone
  • Something inherent to you:g. biometric data such as fingerprint, face or voice
  • Some unique, contextual data associated with you: g. location, known device token

Unfortunately, these solutions impose significant friction through a variety of temporal (e.g., OTP, captchas, reset links) and binary (e.g., fingerprint) controls that have all still proven ineffective safeguards against credential stuffing and identity spoofing.  And, unfortunately, even if they succeed pre and during authorization, they leave the open session vulnerable post authorization.

Pre, During And Post Authorization

The only way to achieve a level of CARTA per Gartner’s definition of Continuous Adaptive Risk Assessment is to have some form of understanding that the entire process is made up of:

  • Pre-authorization: Before authentication even starts, you will need to prevent bots and password guessing
  • During authentication: In order to truly authenticate you as you, you need a form of immutable identity to ensure no imposters succeed
  • Post authorization: Once the session is active, you will need to ensure that someone else didn’t take over an open session.

It is the post authorization where most security liabilities show up if a continuous solution is not deployed. Roger Grimes continued in his article that:

“But with continuous user authentication, benign behavioral attributes are consistently evaluated and compared to an established pattern. Deviation from the established pattern may trigger a step-up authentication for higher risk application functions. It’s a fantastic idea that makes evaluating user behavior only at the logon sounds so horse-and-buggy. How did we ever survive with that archaic security model?”

Put more succinctly, cyber credentials are continuously being reauthenticated during a session to ensure you are still you and not a bad actor impersonating you. So, now is the time to revisit how we evaluate identity authentication solutions in order to impose a higher standard for selection that always include the requirement for continuous protection.

Continuous Behavioral Authentication

Acceptto recognizes that to be truly secure, your authentication solution has to continuously authenticate your users to prevent the eventuality of a bad actor hijacking credentials already authenticated. More importantly, reducing the drag associated with maintaining your identity access management policies aren’t compromised.

Our solution, eGuardian is built on the premise that your credentials today, and those that you’ve yet to create, have already been compromised. Your identity cannot simply be based on a password or a one-time token or only your biometrics. Your immutable identity is a combination of your physical behaviors, attributes and Digital DNA. We call it Continuous Behavioral Authentication. You can eliminate preventable harm with our Biobehavioral AIML technology that enables frictionless authentication, prevents credentials stuffing instantaneously, ensures your true immutable identity continuously, and dramatically reduces risk, likelihood of fraud and cost of helpdesk operations without the guesswork or latency.

By putting you in charge, we prevent hackers from stealing your identity and accessing your accounts and data even if they have your passwords or credit card information. See for yourself what Acceptto’s eGuardian can do to ensure your employees, partners and customers can authenticate without passwords and still ensure security and privacy. Register for a free demo today.

 

 

MFA two factor authentication continuous behavioral authentication