Security teams have a tough time finding ways to increase security that doesn’t create a lot of whining and complaining from their end users. You can put users through training, you can explain how clever, well-funded and persistent the bad guys are, but they quickly forget and fall back into old bad habits.
Most employees don’t think about security as their priority, especially when it’s the end of the month and there are orders to process, calls to make, or services to deliver.
Traditional security strategy encourages multiple layers of security – since adding additional security checks forces attackers to defeat multiple systems in order to break in and do their mischief. Defeating multiple systems is not impossible, just harder – so the odds are in your favour when you have multiple layers.
This line of 'more is better' thinking however can get quickly out of hand, if those additional security precautions rely on your users to participate in the active defence. For example, using 'strong' passwords that include letters, numbers and special characters is good, but making those passwords ten characters long is probably more than a typical user can remember.
Then ask them to change their password monthly, and you will start to see creative memory aids appear – typically in the form of yellow sticky notes.
Now add an additional layer of security: give them a hardware token for their keychain that generates a one-time use pin code. This is a very effective second factor technique, assuming the user has it with them, and doesn’t lose it.
Your overall access security has improved, but so has the burden on your end user. What if you could add a second factor, that didn’t require the end user to do anything?
There are a number of methods businesses can employ to do this. For example, by registering the endpoint device users are logging in from, the device can be recognised on subsequent logins.
Additionally, information about the physical location of a previous login can be used to compare to future login attempts. If the login location changes, this data can be analysed to look at the geo-velocity, to determine if an improbable travel event has occurred (for example, a user logs in from London at 9:00 am and logs in the same day from China at 11:00am).
The IP address that the user is logging in from can also be checked to decline anyone coming from a known bad IP (for example bott net, Tor network, blacklisted IP.)
Many businesses are also adopting behavioural biometrics which collects information about how the user interacts with a device type, including keystroke and curser movement to create a unique behavioural biometric user template. These behaviours are unique to specific individuals, and can be used to verify the identity of a user.
All of these techniques represent security layers that collect context about the individual. This allows your organisation to make real-time decisions to either allow the login, step-up a suspicious login by requiring a one-time pin code, or to decline the request all together.
The term for this is adaptive access control – as the login requirements are based on the amount of risk that is detected, users doing routine work activities are not asked to verify their identity, whereas high-risk behaviours are challenged to provide a second factor.
Ultimately, there is no silver bullet when it comes to access control but by layering multiple methods of authentication, security teams can rest assured that the security of their business isn’t completely reliant on good user behaviour and users won’t be affected in their day-to-day work.
Sourced from Craig Lund, CEO, SecureAuth