October 21, 2019

FBI Advises Using Behavioral Authentication

It is highly likely that you have already implemented some form of Multi-Factor Authentication (MFA) in your identity access management strategy, but did you take the correct path? In fact, a ZDNet article titled “FBI warns about attacks that bypass multi-factor authentication (MFA)” reported a number of specific past incidents of MFA bypasses that you should evaluate to take heed for your own identity access management strategy refresh. So, perhaps it’s time to reevaluate your strategy in order to shore up potential weak spots.

MFA Defeated

Despite the strong recommendations that MFA is required for better security, it turns out that even that can be defeated. According to a Forbes articled titled “FBI Issues Surprise New Cyber Attack Warning: Multi-Factor Authentication Is Being Defeated

“Even though companies worldwide are struggling to protect systems and data from incessant waves of business email compromise attacks—with losses doubling year-on-year to $26 billion, the latest warning from the FBI still comes as a surprise. One of the primary defences against such cyber attacks is multi-factor authentication (MFA), the use of a secondary token or one-time code to assure the identity of staff. But the FBI has now warned that it “has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks.”

And it’s this accelerating sophistication of employee manipulation, so-called social engineering, that’s prompted the warning.”

Given that we have already accepted that username and password combinations is clearly not enough, it makes sense that some form of multifactor authentication is still viable. So, what is needed is something that can’t be circumvented with social engineering.

Biometric Or Behavioral Is Better

The good news is that there are new forms of MFA that aren’t dependent on data that can be gleaned from social engineering techniques. As pointed out later in the Forbes article cited above, the following recommendation is made:

“But according to the FBI, this use of secondary tokens or one-time codes to back-up usernames and passwords still isn’t enough. Unless companies employ “biometrics or behavioral information—such as time of day, geolocation, or IP address,” there is a risk that an attack can either trick a user into disclosing a multi-factor authentication code or use technical interception to create one for themselves.”

While biometrics may not be as safe either, it turns out that behavioral-based authentication can deliver the immutable identity you desire.

Continuous Behavioral Authentication Is Best

Acceptto was the first to understand, develop and deliver continuous authentication. Our company was built on the foundation that the only way to ensure digital credentials are being used only by the person who those credentials represent and not some imposter or someone hijacking a device correctly authenticated by that person. More importantly we recognized that the only immutable credential would have to be based on the unique behaviors of each individual.

Acceptto’s eGuardian engine continuously creates, and monitors user behavior profiles based on the user interaction with the It’sMe authenticator. Every time an activity occurs, actionable intelligence is gathered and used to optimize the user profile. eGuardian is capable of autonomously and continually learning new policies and adapting existing ones. While policies can still be manually defined and contribute to the computation, our Biobehavioral AIML approach automatically finds the optimal policy for each transaction. eGuardian leverages a mixture of AI & ML, expert systems and SMEs to classify, detect, and model behavior, and assign real-time risk scores to continuously validate your identity prior to, during and post-authentication.

Download the Enterprise Management Associates’ Ten Priorities For Identity Management in 2019  today and then check out what Acceptto can do to ensure your employees, partners and customers can authenticate without passwords and still ensure security and privacy registering for a free demo today.

Download EMA Top 3 Identity Management Report

MFA identity Access Management behavioral authentication