Risk-based authentication: A pillar of a zero trust strategy
Joseph Carson
I’m betting your organization looks very different from what it did even a year ago.
Like most companies, you’ve got new business initiatives, tools, workflows, and people—a third of the workforce changes jobs every year! You’ve also got new security worries as cyber criminals hone their strategies to steal credentials and leverage AI to impersonate legitimate users.
When your risk profile is constantly changing, security controls can’t be static. You can’t wait for an infrequent manual review to change a security policy that’s no longer sufficient to protect you.
Adopting a risk-based approach to cybersecurity helps you navigate an unpredictable future in which change comes quickly. Risk-based authentication is a prime example of this flexible, dynamic approach to managing identity risk.
In this blog, we'll cover:
- How risk-based authentication reduces your risk of identity-based attacks
- How to implement risk-based authentication without causing friction for your users
- Examples of risk-based authentication in action
What is risk-based authentication?
Risk-based authentication is the process of verifying user identities using tactics that match the level of risk. It entails detecting potential identity-related risks, intelligently matching those risks to authentication requirements, and responding appropriately to minimize the risk of identity-based attacks.
Risk-based authentication is intelligent and adaptive. It automatically creates a behavior profile for each identity over time and compares activity with that baseline to determine a risk score. As the risk score increases, authentication requirements become more stringent, essentially raising the fence higher and higher. Users must meet those authentication requirements before accessing resources or conducting other privileged activities.
Think of risk-based authentication as a “continuous polygraph test for access.”
Benefits of risk-based authentication
By combining risk-based authentication with least privilege access policies, you can more effectively safeguard sensitive data and reduce the risk associated with compromised privileged credentials.
In addition, risk-based authentication's flexibility allows you to provide a better user experience. In most situations, authentication can be simple and seamless, so users don’t get frustrated or annoyed with multiple verification requests. Users will only be asked to perform more authentication steps when high-risk scores warrant additional requirements.
Examples of risk-based authentication in action
When and where should you apply risk-based authentication?
You can and should apply risk-based authentication at every access control point in the attack chain. This includes initial login to systems, privileged command or application execution, and privilege elevation.
Privileged identities may access every type of IT resource in your environment—your password vault, workstations, databases, servers, applications, etc.—both on premise and in the cloud. Therefore, your risk scores should account for behavior within each of those systems as well as when users move from one system to another. That way, if an attacker gains privileged credentials and escapes initial detection, you can interrupt lateral movement before they continue to do damage.
Not all privileged users or privileged behaviors are created equal. Risk-based authentication considers the context of an access request, based on numerous factors.
For example:
- The type of data the user is attempting to access. Is it confidential business information or sensitive PII subject to privacy rules?
- User status. Is the user an internal employee or an external vendor or contractor?
- Potential business impact: What would happen if the system or data being accessed were altered or damaged?
- The nature of behavior. Is the behavior unusual for this identity, or for identities with similar profiles? For example, are they on a new device, or logging in at an unexpected time of day, after a long time, or from an expected place?
If any of these answers are “yes,” risk-based authentication would override standard authentication rules, policies, or entitlements and prompt the user to meet additional requirements to verify their identity.
For example, a user logging in from the corporate network on a managed device might be granted access with a single factor, a password. However, a user logging in from an unknown network on an unmanaged device might be asked for a second or even a third factor.
In addition to the above examples, risk-based authentication solutions are developing abilities to learn from past behavior and recognize risky patterns that humans can’t anticipate.
Types of risk-based authentication
There are a wide range of methods you can include in your risk-based authentication strategy, including:
- Hardware Tokens: These are small hardware devices that a user carries to authorize access. They come in different forms, including smart cards, key fobs, and USB devices. The hardware device generates a one-time password (OTP) that the user enters when prompted.
- Single-Factor Cryptographic Devices: FIDO U2F and its passwordless successor, FIDO2, are authentication standards driven by the FIDO Alliance. They are designed to be open, secure, private, and easy to use.
Hailed as the next-generation Two-Factor Authentication, FIDO U2F, and FIDO2 include heightened security, as public key cryptography protects against phishing, session hijacking, and malware attacks, as well as ease of use and high privacy. - Soft Tokens: These are software-based tokens or applications that generate a one-time password (OTP). They are typically mobile apps installed on a smartphone and can use push notifications for improved user convenience. The widespread adoption of mobile devices has made soft tokens a popular option.
Soft tokens have two main advantages over hardware tokens. First, users are less likely to lose or forget their phones than a single-purpose hardware token. Second, soft tokens are easier and less expensive to distribute to users. - SMS/Text message: An OTP can be sent to a phone via SMS. Once received, the user enters it into the login screen.
- Phone call: A user receives a phone call to a registered phone number (landline or mobile number). The user then provides the correct response to the voice prompt to complete authentication.
- Email: A user receives an email with a link to verify the authentication request. Clicking on the link completes the authentication process.
- Security questions: Instead of tokens, users provide answers to security questions. These questions can be pre-defined, or the user can define their own questions.
- Biometric: These methods include fingerprints, retina scans, facial recognition, and more. Many of the latest smartphones support biometrics such as Touch ID on iPhones and Fingerprint for Samsung Galaxy devices. The latest FIDO2 standard includes the ability to use on-device biometrics such as Microsoft Hello or Apple FaceID.
Some authentication methods require two-way interaction with human users (they must respond to a question or click a button).
Others can happen behind the scenes to verify machine identities. Incorporating a wide range of authentication methods gives you flexibility and choice, which is especially important as workplaces evolve toward a passwordless future.
Risk-based authentication and zero trust
Zero trust is a cybersecurity strategy that operates on the principle of "never trust, always verify." This strategy ensures that no one is trusted by default, inside or outside the network, and verification is required from everyone trying to access network resources.
This approach is crucial for risk authentication as it minimizes the attack surface, improves compliance visibility, and reduces the risk of data breaches by requiring strict user and device verification, context-aware access controls, and least privilege access enforcement.
MFA at Depth
One way companies are implementing risk-based authentication is by requiring Multi-factor authentication (MFA) at every access gate, to verify users’ identity regardless of which system they are accessing.
With the Delinea Platform, you can implement consistent MFA challenges and requirements for identity assurance at multiple levels: when users access the vault or request a shared credential, at asset login, and at privilege elevation. IT and security teams maintain full visibility across all MFA enforcement requirements, challenges and activity leveraged across all solutions in the Delinea Platform in a single view.