Adaptive authentication uses several risk factors to evaluate the authenticity and security risk of a login attempt. Identifying the origin of a login attempt is critical to any adaptive algorithm. We have already discussed how adaptive authentication analyzes the risks for a login attempt in our blog. Let’s look at the most common adaptive authentication factors used to identify the end-user and to generate the user’s risk profile and risk score.
Most used adaptive authentication factors for risk management
Adaptive authentication proposes the concept of ‘infinite factors’, which says that the authentication algorithm can use any number of factors to verify the authenticity of a login attempt. That said, each added factor increases friction in the algorithm and uses more resources. The lag in the system will increase with an increase in the number of factors that have to be evaluated for a login attempt. Hence, security providers only focus on the critical and efficient adaptive authentication factors. We will cover some of the most commonly evaluated factors.
The activity time varies from user to user. Users typically access the Web or web services in a specific time frame. This window of activity is mostly unique to each user and can be learned to predict when a user is most likely to be active. For example, in corporate sectors, employees will definitely access the services during their working hours. Adaptive authentication algorithms detect unconventional and suspicious behavior in the timing of user activity.
Most attackers try to hack other users through their login credentials. In rare cases, an attacker may gain access to the user’s multi-factor authentication system and break into their accounts. Even then, it is tough to mimic a user’s behavior, mostly because of the complexity of the user’s patterns and routines. Adaptive algorithms learn from these patterns to detect anomalous or bot-like behavior and to distinguish the login requests of a genuine user from those of an attacker.
Each user has access to a limited set of devices, of which they own a few specific devices. Each device has its own unique ID, OS, applications, etc. Users mostly access their services and accounts from these specific devices, and this information is used to build the user’s unique device profile. Hence, any request originating from an unknown device calls for action. The authentication server may step up the security if it is unable to identify the device.
The authentication server locates the end-user and matches that location against the user’s location history. Any login attempt from a new location is most likely to be subjected to further verification. This factor is helpful for restricting access to a limited set of locations. For example, organizations may limit access to their servers to select locations only. In addition, requests from remote or dubious locations may be scrutinized further.
Login attempts that could only result from a highly improbable travel event cause suspicion, and such requests are subjected to further authentication or are redirected to safe zones. Let’s say Mark logs into his company’s portal from his home in Houston at 11:00 PM. Three hours later the authentication server receives a request from Mark, and this time he’s logging in from Seattle. Something is definitely suspicious about this request. Depending on other factors, the security may either be stepped up, or the request may be denied entirely.
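The Houston-to-Seattle scenario above can be checked by computing the speed the user would have needed between the two logins. The following is an added example, not code from the original article or from any vendor; the 900 km/h and 50 km thresholds, the city coordinates, the event field names and the use of the device profile as the tie-breaking factor are assumptions chosen for illustration.

```python
import math
from datetime import datetime

# Assumed policy values, not taken from the article.
MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner cruise speed
MIN_DISTANCE_KM = 50.0     # ignore geolocation jitter within one metro area

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0  # mean Earth radius
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def implied_speed_kmh(prev, cur):
    """Speed needed to travel from the previous login to the current one."""
    dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    if dist < MIN_DISTANCE_KM:
        return 0.0
    hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
    if hours <= 0:
        return math.inf  # far apart at the same instant, or out-of-order events
    return dist / hours

def decide(prev, cur, known_device):
    """Return 'allow', 'step_up' or 'deny' for the current login."""
    if implied_speed_kmh(prev, cur) <= MAX_PLAUSIBLE_KMH:
        return "allow" if known_device else "step_up"
    # Improbable travel: a second factor (device profile) picks the response.
    return "step_up" if known_device else "deny"

# Constructed sample events, three hours apart; timestamps are treated as UTC.
HOUSTON = {"lat": 29.7604, "lon": -95.3698, "time": datetime(2024, 3, 4, 23, 0)}
SEATTLE = {"lat": 47.6062, "lon": -122.3321, "time": datetime(2024, 3, 5, 2, 0)}

if __name__ == "__main__":
    speed = implied_speed_kmh(HOUSTON, SEATTLE)
    print(f"{speed:.0f} km/h ->", decide(HOUSTON, SEATTLE, known_device=False))
```

Timestamps must be compared in a single time zone such as UTC; comparing local wall-clock times across zones would distort the elapsed time and the implied speed.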
IP threat detection tools identify the IP address of the authentication request. If a request originates from a blacklisted or malicious IP, it may be denied altogether. This tool may come in handy for organizations that want to limit access to resources to only their own servers or specific IP addresses. A request from any other source for such servers will not even go through.
Shared intelligence is a practice where security providers share information about threats and attacks with each other to successfully identify attacks from similar sources and thwart them easily. Blacklisted devices, IPs, malicious servers, etc. can easily be identified and blocked from gaining access.
The best thing about adaptive authentication is that it is highly customizable. 2FA providers, like REVE Secure, tailor adaptive authentication factors to fit the needs of the organization and adapt to the end-user’s behavior. It can be easily modified for different workflows and groups depending on the type of vulnerabilities. As you know, adaptive authentication works in the background, without the user’s knowledge, so it reduces interruptions and annoyance to the user. It can continually monitor user activity and behavior, learning and protecting from any incoming threats.