
WHITE PAPER

Context-Based Authentication
Enterprises With Sensitive Data or Critical Applications
Should Upgrade Their Authentication Procedures

If you're a senior officer or manager at your organization, or have anything to do with IT or information
security, you probably aren't sleeping too well lately. The news features story after story of companies
being breached. Customer records, including credit card data and other personal information, are
constantly stolen. Intellectual property is being siphoned, and mission-critical systems are at risk for
expensive or even devastating disruptions.

Traditional Authentication Systems Don't Work Against Today's Attacks

Why are so many companies being breached? The leading cause of the problem is that user
authentication systems are failing to do their job.
Recent studies have shown that the most damaging and expensive cybercrimes all have one thing
in common: their perpetrators defeat the organization's user authentication system [i]. Criminals use
cracked or stolen user credentials to log in and gain direct access, through authorized and normal
methods, to privileged accounts, financial records, sensitive personal data, and intellectual property.

Passwords Alone Are Not Effective


Authentication systems, especially those based on user login credentials and static passwords,
have never been markedly strong or secure. But today, when so much is online and subject to
constant attack from a growing number of sophisticated cybercriminals around the globe, the inherent
weaknesses of static passwords should no longer be tolerated by any enterprise that stores sensitive
data or hosts critical applications.
Expert fraud rings and hackers use numerous strategies to crack, discover, and steal login
credentials like passwords. Countless victims fall prey to social engineering, spear phishing, and
pharming attacks, and cunning cyberthieves are proficient at secretly deploying malicious software
capable of capturing IDs and passwords. It's known that 30 to 50 percent of all laptops and PCs are
infected with some sort of malware [ii], and the amount of malicious code found on mobile devices is
growing at astonishing rates [iii]. While we don't know what percentage of malware infecting devices
today is capable of capturing login credentials, we do know that it's substantial and increasing [iv].
Indicators show that capturing credentials is now the main thrust of malicious code development.
But phishing and malware arent the only ways login credentials are obtained. Workers frequently share
their passwords with unauthorized individuals, and weak passwords, easily cracked or guessed, are
still commonly used. In spite of experts' emphasis on strong passwords, it's estimated that over 30
percent of all passwords are weak and easily compromised. But not even strong passwords are
necessarily secure. Numerous reports have shown that most strong passwords can also be cracked
by skilled cybercriminals [v]. Research from Deloitte [vi] demonstrated that, with the right tools, 90% of
user-generated passwords can be discovered or cracked in a matter of seconds, including passwords
once thought to be strong. Now, even passwords with at least 8 characters including both upper and
lower case, plus at least one symbol and number, are at risk.
Even worse, users tend to have the same password among many different accounts. Studies show
that upwards of 50% of users choose the same password for all or most of their login accounts,
including work, online retail, banking applications, and social networking sites [vii]. This situation is
dangerous for a number of reasons. Crime rings exploit social networking or other sites with relatively
weak security in order to crack passwords. Sites without velocity checks to detect automated scripts
or botnets are repeatedly attacked until valid credentials are discovered. Once passwords are
ascertained on these weaker sites, the credentials can be used to gain access to numerous other sites.
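The velocity checks mentioned above are the control that notices scripted, repeated guessing before a valid credential turns up. The following is an added example of such a detector, not code from the paper or from ThreatMetrix: it keeps a 60-second sliding window of failed logins per source address and per account, and raises an alert when one source fails too often, one source cycles through too many accounts (credential stuffing), one account is hammered from anywhere (password guessing), or a source that already tripped a rule suddenly succeeds. The log format, the thresholds and the sample log lines are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed thresholds for a 60-second sliding window (illustrative, not values from the paper).
WINDOW = timedelta(seconds=60)
MAX_FAILURES_PER_SOURCE = 5   # many failures from one source: scripted guessing
MAX_ACCOUNTS_PER_SOURCE = 3   # one source cycling through accounts: credential stuffing
MAX_FAILURES_PER_ACCOUNT = 4  # one account hammered from anywhere: password guessing

# Constructed sample log, one attempt per line: timestamp source_ip account result
SAMPLE_LOG = """\
2014-03-19T10:00:01Z 198.51.100.7 alice FAIL
2014-03-19T10:00:02Z 198.51.100.7 bob FAIL
2014-03-19T10:00:03Z 198.51.100.7 carol FAIL
2014-03-19T10:00:04Z 198.51.100.7 dave FAIL
2014-03-19T10:00:05Z 198.51.100.7 eve FAIL
2014-03-19T10:00:06Z 198.51.100.7 erin OK
2014-03-19T10:00:10Z 203.0.113.9 alice FAIL
2014-03-19T10:00:20Z 203.0.113.9 alice FAIL
2014-03-19T10:00:30Z 203.0.113.9 alice FAIL
2014-03-19T10:00:40Z 203.0.113.9 alice FAIL
2014-03-19T10:02:00Z 192.0.2.5 frank FAIL
2014-03-19T10:02:01Z 192.0.2.5 frank OK
"""


def parse_line(line):
    """Split one log line into (time, source, account, succeeded)."""
    stamp, src, account, result = line.split()
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, account, result == "OK"


def _trim(queue, now, window, key=lambda item: item):
    """Drop entries that fell out of the sliding window."""
    while queue and now - key(queue[0]) > window:
        queue.popleft()


def velocity_alerts(log_text, window=WINDOW):
    """Return {(rule, subject): time the rule first fired} over the given log text."""
    by_source = defaultdict(deque)   # source ip -> (time, account) of recent failures
    by_account = defaultdict(deque)  # account   -> times of recent failures
    alerts = {}

    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, src, account, ok = parse_line(line)
        if ok:
            # A success from a source that already tripped a rule is the
            # "kept guessing until a valid credential turned up" case.
            flagged = {subj for rule, subj in alerts if rule in ("many-failures", "many-accounts")}
            if src in flagged:
                alerts.setdefault(("success-from-flagged-source", src), when)
            continue

        failures = by_source[src]
        failures.append((when, account))
        _trim(failures, when, window, key=lambda item: item[0])
        per_account = by_account[account]
        per_account.append(when)
        _trim(per_account, when, window)

        if len(failures) >= MAX_FAILURES_PER_SOURCE:
            alerts.setdefault(("many-failures", src), when)
        if len({acct for _, acct in failures}) >= MAX_ACCOUNTS_PER_SOURCE:
            alerts.setdefault(("many-accounts", src), when)
        if len(per_account) >= MAX_FAILURES_PER_ACCOUNT:
            alerts.setdefault(("account-guessing", account), when)
    return alerts


if __name__ == "__main__":
    for (rule, subject), when in sorted(velocity_alerts(SAMPLE_LOG).items(), key=lambda kv: kv[1]):
        print(f"{when:%H:%M:%S} {rule:<28} {subject}")
```

On the sample log the source 198.51.100.7 trips the distinct-accounts rule on its third account and the failure-count rule on its fifth, its later success is flagged because of that history, and the account alice is flagged once four failures against it land inside one window, even though they come from two different sources. Frank's single typo followed by a success raises nothing, which is the behaviour a velocity control needs so that it does not become a source of user friction itself.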
In spite of these security weaknesses, passwords are still valuable identifiers and serve as the
foundation for user authentication, and will likely do so for some time. It's clear, however, that
passwords or other login credentials are not sufficient. Businesses need an effective way to detect
imposters that have stolen but valid credentials.

Biometrics, One-Time Passwords, and Challenge Questions


In addition to static passwords, other types of login credentials can be used to strengthen security.
Biometric fingerprints and voice recognition, one-time passwords (OTP), and question-based
challenges can all help. But these methods can be expensive and difficult to deploy, create user
friction, and increase support calls. The decision to use them must be carefully weighed.
Biometric authentication has gradually improved over the years, and is slowly making its way toward
protecting access to select personal devices and laptops. But until fingerprint or other biometric
readers become ubiquitous and standard among most workforce devices, biometric authentication
is not practical for the majority of enterprise applications and systems, and will remain a niche
solution. Even then, its registration hassles and added costs will throttle its use, as will issues with false
negatives and false positives. Another major challenge facing biometric solutions is that, in the end, a
fingerprint template or other biometric measurement is still a static value subject to capture and replay.
One-time passwords sent to phones, or generated by handheld tokens, USB devices, or in software,
can also help strengthen login credentials. However, organizations need to carefully evaluate whether
their benefits justify the added expense and friction they add to the authentication process. For many if
not most enterprises, the costs and problems of OTP solutions outweigh the benefits.
OTP solutions do help solve problems associated with weak passwords. Since they are not
human-generated, one-time passwords are more difficult to guess or crack; and because they
constantly change, they have to be constantly broken. OTP solutions also mitigate some of the
problems of password capture. Considering that these passwords are only valid for a single use,
cybercriminals must intercept and use them immediately. But man-in-the-middle (MITM) or
man-in-the-browser (MITB) attacks can still defeat OTP systems.

Although OTP can be beneficial, there are downsides too. Hardware tokens are expensive to acquire
and deploy, and some need to be replaced every year. Both hardware- and software-based OTP
solutions require a complex infrastructure. Even SaaS solutions need a significant amount of
management to deploy, maintain, and support end users. Tokens can be lost or forgotten, creating
support issues as administrators disable lost tokens, register and deploy new ones, and provide
workarounds until replacement tokens can be delivered. Perhaps most important, many end users
don't like using OTP solutions, especially if they entail carrying hardware tokens. And all OTP solutions
take extra steps to log in, which users find annoying.
One-time passwords sent via text message (SMS) to mobile phones offer the benefits of reduced cost
and infrastructure, and eliminate the need for users to carry tokens. SMS messages, however, are not
always sent in a timely fashion. A common complaint among SMS-based authentication users is that
messages are occasionally delayed for long periods, sometimes hours. That's a showstopper for many.
Coverage issues can also be a concern. Mobile phone signals are not always available,
especially in buildings with thick outer walls, in basements, and in computer rooms that give off a
lot of RF noise. Another problem is battery drain, particularly on heavily used smart phones. Although
sending one-time passwords to mobile phones via SMS can aid the authentication process, there are
so many potential issues that organizations need to carefully consider whether to deploy SMS-based
authentication for anything other than occasional use, or as a backup authentication method.
In short, OTP solutions, however generated or delivered, were critical back when passwords traversed
non-encrypted networks (where they were subject to capture), and authentication systems had no
velocity checks to prevent repeated guess attempts. But today, where communication channels
between users and target applications are generally encrypted and protected by velocity controls,
it can be difficult to justify the added costs and user friction associated with OTP solutions. This is
especially true with the advent of context-based authentication, which provides similar benefits
without the downsides. We'll cover context-based authentication later in this paper.
Challenge questions, sometimes referred to as dynamic knowledge-based authentication
(DKBA), can also help strengthen the authentication process, although they are generally used as
secondary or backup authentication. If primary authentication is unavailable or not sufficient to
establish the necessary trust, users can be asked to answer questions that theoretically only they
should know. Common examples include "What is your mother's maiden name?" or "What is the last
name of your first teacher?" Social networking has made a lot of formerly private information publicly
available, so challenge questions need to be carefully selected. But, when used prudently, DKBA can
be a useful and effective backup authentication method.

Out of Band Authentication


Authentication can usually be strengthened if multiple communication channels are used
simultaneously to establish identity. For example, imagine that Alice uses her tablet and connects over
the Internet to an enterprise application, where she provides her ID and static password. Her tablet's
network session is one communication channel. If the authentication procedure wants further
assurance that it's really Alice, it might send a one-time password via SMS to her mobile phone.
This cellular communication is the second channel, and because it uses a different communication
medium from her computer network session, it's known as out-of-band authentication (OOB).
It's also important to note that OOB is not limited to SMS solutions. Static passwords, challenge
questions, OTP, or even biometric authentication can all be delivered OOB.
Although OOB can still be defeated by MITM attacks (Alice receives the OTP on her phone but
submits it via her tablet, where it is intercepted by a website sitting between Alice and the enterprise),
OOB generally aids the authentication process. OOB can be significantly strengthened if both halves of
the conversation are conducted over the alternate channel: for example, Alice responds to the challenge
question on her phone, using cellular technology, instead of through her Internet-connected tablet.
In this scenario, a MITM attack would not succeed.

Why Do So Many Companies Continue To Be Breached?


Never before have so many information system break-ins and serious data breaches occurred, and the
pace is accelerating. The vast majority of these serious attacks occur because authentication systems
fail. But why do they fail in the first place? The answer seems to be that most authentication systems
focus exclusively on evaluating login credentials, while entirely failing to detect or even look for
impostors with valid but stolen credentials.
Traditional authentication systems, even those with OTP or DKBA capabilities, have a very limited view.
They see only conventional login credentials like static or one-time passwords. They are not capable
of seeing or detecting anything else that would reveal the true identity of the person or process
attempting to log in.
It's clear that a new authentication approach is needed, one that can see the entire context or picture,
not just the login credentials that are so often compromised.

ThreatMetrix Context-Based Authentication


Context-based authentication (CBA) from ThreatMetrix examines the entire scenario surrounding each
attempt to log in. CBA evaluates much more than just the user's login credentials. Just as legitimate
users have specific characteristics and behaviors that can be detected and profiled, so do
cybercriminals. CBA collects all of these elements, allowing the entire situation to be seen and
analyzed, and an appropriate risk score to be generated.
CBA works by profiling devices that connect to the target application, analyzing the session and
connection paths, and leveraging behavioral and historical data captured from authentication
processes on your site, and from the world's largest shared global trust intelligence network. This
allows the system to 1) develop a comprehensive view of everything pertaining to the attempted
connection; 2) intelligently establish the level of risk and trust; and 3) make an informed decision as
to whether access should be granted.

CBA Provides Powerful Features Not Found in Traditional Authentication Systems

Utilizing advanced analytics, along with custom policies and rules for each application, CBA provides
the following major features and capabilities:
- Specific Device ID: Using advanced technology, each PC, laptop, tablet, phone, or other device
  attempting to connect is profiled and uniquely identified, and devices are associated with specific
  individuals. Used in conjunction with other CBA features, Specific Device ID is a powerful way to
  determine accurate levels of risk and trust.
- Frictionless Two-Factor Authentication: Utilizing both device ID and user login credentials, CBA
  provides transparent, behind-the-scenes two-factor authentication. There's no need to install
  anything on the device, or to implement and manage the complex infrastructure required by most
  two-factor authentication systems.
- Malware Detection: CBA's SaaS approach accurately profiles devices attempting to connect to
  protected web applications, identifying malware and other threats that can compromise security.
- Device History (Trust and Crime Associations): ThreatMetrix gathers shared intelligence from
  organizations all around the globe. Devices that have been compromised by malware and involved
  in crime or fraud attempts are identified, as are devices intentionally attempting to penetrate
  unauthorized systems. Conversely, devices with high levels of trust are also identified.
- Detection of Suspicious Connection Paths: Devices using Tor, VPNs, or other networks that
  attempt to hide or anonymize their location are identified.
- Legitimate User Behavior: CBA establishes normal and legitimate user behaviors, including vital
  elements like the IP addresses and geolocations normally used, language(s) utilized, devices used
  and their configurations, login times, frequency and speed of login attempts, and more.
- Instant Recognition of Valid Users: Following initial or step-up authentication, Trust Tags allow
  organizations to immediately label users and their devices (or existing users' new devices) as
  trusted for future encounters. Valid users don't experience needless repeat step-up authentication,
  and can be granted access with minimal input or friction.

The ThreatMetrix Global Trust Intelligence Network


An essential element of CBA is the ThreatMetrix Global Trust Intelligence Network. By leveraging the
combined experience and intelligence of thousands of organizations around the world, all battling to
detect and defeat cybercrime, ThreatMetrix can detect impostors and attacks that would otherwise be
unidentifiable.
ThreatMetrix profiles tens of millions of users and their devices daily, and regularly processes hundreds
of millions of logins and related transactions. The Global Trust Intelligence Network is the repository for
this wealth of data. Devices infected with malicious malware, or associated with botnets or crime rings,
are identified. In fact, any device involved in cyberattacks or suspicious activities is noted. When any
of those devices later connect to your site, ThreatMetrix informs you of its history and risk, intelligently
analyzes your custom policies and rules for the specific application, and helps you determine the
correct course of action.
The Global Trust Intelligence Network detects, not only high-risk situations, but elements of trust
as well. Imagine that one of your users is visiting her sister's home, and connects to your enterprise
application with her sister's device. The Network will likely reveal that the device may be new to your
user, but has been known by the ThreatMetrix community for many months with no suspicious history
or threats. In fact, the new device might be trusted by numerous organizations where it's been
associated with step-up authentication or valid transactions. With this information and associated
trust scores from ThreatMetrix, you may elect to grant access without requiring step-up authentication,
allowing your user frictionless access without compromising security.
The world's largest and most comprehensive trust intelligence network, created by ThreatMetrix,
makes all this possible.

CBA Answers Critical Questions Traditional Systems Can't


Powerful features available only within CBA can answer critical questions, questions traditional
authentication systems can't even begin to respond to. Because CBA understands the entire
authentication scenario, it can answer questions like these:
- What is the risk tolerance of the target application? Low? Medium? High?
- Is the device known to have been used by the legitimate user? Or is it an unseen and potentially
  untrusted device?
- Has this user passed secondary or OOB authentication while using this device? How long ago?
- Has this remote device been associated with attempts to log into other user accounts on my site?
  Is that normal?
- When a user attempts to log in with a new device, has the new device been seen before, either by
  your organization or by others in the shared Global Trust Intelligence Network? Has it already been
  tagged as trusted? Has it been tagged as non-trusted?
- Does malware exist on the user's device? Has the device been compromised? Has the user's
  browser been infected and compromised?
- Is this session protected by a secure browser, one hardened against malware that may exist
  elsewhere on the user's device?
- Has the page, data, or information submitted by the user been altered?
- Is the same device being used throughout the session? Could this session have been hijacked?
  Is there a man-in-the-middle attack occurring?
- Is the device associated with suspicious users, botnets or other crime rings?
- Where is the user or device located? What is the IP address or geolocation? Is this normal for this
  user? For similar users?
- Is the user attempting to hide anything? Using an anonymizing network? Manipulating cookies?
  Using strange or abnormal device configurations?

All of the above questions ought to be answered before access to sensitive data or critical applications
is granted. But since most traditional authentication systems only evaluate user login credentials, they
can't answer any of them.

TrustDefender Cybercrime Protection Platform


ThreatMetrix provides CBA via its SaaS-based TrustDefender Cybercrime Protection Platform. This
scalable and cost-effective solution allows enterprises large and small to implement effective
authentication, without impairing the user experience.

The solution is unique in that it contains all of the advanced analytics and processes necessary
for CBA in one platform, including the following:
- Profile Devices: ThreatMetrix provides the most advanced device identification and profiling
  available. Every device that accesses your website is positively and uniquely identified, and
  screened for anomalies that indicate a high-risk login or transaction. This profiling methodology
  leverages the Global Trust Intelligence Network of real-time device, user, and behavior data, as well
  as sophisticated technologies to detect cookie wiping, hidden VPN/proxy usage, and much more.
- Identify Malware and Other Threats: When a user accesses your website, cloud-based technologies
  detect the presence of malware that can facilitate fraud or jeopardize the security of your
  applications and data. Man-in-the-Browser attacks, Trojan horses, and other malware threats are
  identified in real time for your protection. Client-based solutions can also be deployed for
  applications that require a secure browsing solution.
- Examine Users' Identity and Behavior: ThreatMetrix analysis incorporates comprehensive details
  about online user identities and behaviors, such as usernames and passwords, email addresses,
  and more, into a dynamic Persona ID, the foundation for precise risk assessment.

What Does It All Mean? What Guidance is Recommended?


Every organization is different, and has its own security needs. But in light of the continuous assaults
and attempted data breaches we are seeing today, and considering that traditional authentication
systems are no longer adequate, the following general guidelines and recommendations might be
helpful in determining your own course of action.
1. No enterprise with sensitive data or critical applications should base its authentication
   procedures on static fixed passwords alone. The world has become too dangerous for that.

2. Following static fixed passwords, CBA with frictionless two-factor identification should be the
   next line of defense for most organizations. It's secure, cost-effective, and frictionless for both
   users and the IT department.

3. When a user is connecting with a new device, Trust Tags and other data from the shared Global
   Trust Intelligence Network can help determine if step-up authentication is needed.

4. When new and completely unknown devices are being used to connect in moderate- and high-risk
   environments, they should be validated via step-up authentication before access is granted. For
   many and maybe most organizations, DKBA is adequate for step-up authentication when used
   prudently. In high-risk environments, step-up authentication should be performed OOB. In very
   high-risk environments, the entire step-up authentication conversation, both to and from the user,
   should be OOB, to prevent MITM attacks from succeeding.

5. In high-risk environments, one-time passwords should be added to context-based authentication
   if user devices are connecting to the authentication process over unencrypted channels.
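The description of how CBA works, the list of questions it answers, and guidelines 3 to 5 all describe one decision: combine device, connection-path, behavioral and shared-intelligence signals into a risk score, compare that score with the target application's risk tolerance, and choose between frictionless access, step-up authentication (DKBA, OOB, or fully OOB) and denial. The following is an added example of that decision logic, written for this page; it is not ThreatMetrix's code or scoring model. The point values, thresholds, field names (`LoginContext`, `History`, `shared_age_days`, and so on) and the sample history are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP_DKBA = "step-up: challenge questions"
    STEP_UP_OOB = "step-up: challenge delivered out of band"
    STEP_UP_FULL_OOB = "step-up: challenge and answer both out of band"
    DENY = "deny"


@dataclass
class LoginContext:
    """What the authentication service observes about one attempt (hypothetical fields)."""
    user: str
    device_id: str
    country: str
    anonymizer: bool = False         # Tor/VPN/proxy hiding the true location
    malware_detected: bool = False   # device profiling found malware or a man-in-the-browser
    cookies_manipulated: bool = False
    channel_encrypted: bool = True


@dataclass
class History:
    """Local history plus shared-network intelligence (a constructed, hypothetical store)."""
    user_devices: dict = field(default_factory=dict)     # user -> devices seen with that user
    user_countries: dict = field(default_factory=dict)   # user -> countries normally used
    trusted_devices: dict = field(default_factory=dict)  # user -> devices carrying a trust tag
    crime_devices: set = field(default_factory=set)      # devices tied to fraud, botnets, malware
    shared_age_days: dict = field(default_factory=dict)  # device -> days known to the shared network


@dataclass
class Outcome:
    decision: Decision
    score: int
    require_otp: bool
    reasons: list


# Assumed policy: the score at which each risk tolerance demands step-up, which form of
# step-up it uses (guideline 4), and the score above which access is refused outright.
STEP_UP_THRESHOLD = {"low": 60, "medium": 30, "high": 15, "very_high": 10}
STEP_UP_KIND = {"low": Decision.STEP_UP_DKBA, "medium": Decision.STEP_UP_DKBA,
                "high": Decision.STEP_UP_OOB, "very_high": Decision.STEP_UP_FULL_OOB}
DENY_THRESHOLD = 90


def risk_score(ctx, hist):
    """Add up assumed point values for each risk or trust signal; return (score, reasons)."""
    score, reasons = 0, []

    def add(points, why):
        nonlocal score
        score += points
        reasons.append(f"{points:+d} {why}")

    if ctx.device_id not in hist.user_devices.get(ctx.user, set()):
        add(30, "device never seen with this user")
        age = hist.shared_age_days.get(ctx.device_id, 0)
        if age == 0:
            add(20, "device unknown to the shared network as well")
        elif age >= 90 and ctx.device_id not in hist.crime_devices:
            add(-10, f"device known to the shared network for {age} days without incidents")
    if ctx.device_id in hist.trusted_devices.get(ctx.user, set()):
        add(-30, "device carries a trust tag for this user")
    if ctx.device_id in hist.crime_devices:
        add(60, "device associated with fraud, botnets or malware in shared intelligence")
    if ctx.malware_detected:
        add(50, "malware detected on the device")
    if ctx.anonymizer:
        add(25, "anonymizing network or proxy in the connection path")
    if ctx.cookies_manipulated:
        add(20, "cookie wiping or manipulation detected")
    usual = hist.user_countries.get(ctx.user, set())
    if usual and ctx.country not in usual:
        add(20, f"geolocation {ctx.country} is not normal for this user")
    return max(score, 0), reasons


def decide(ctx, hist, app_risk):
    """Turn the score into allow / step-up / deny for an application of the given risk tolerance."""
    score, reasons = risk_score(ctx, hist)
    if score >= DENY_THRESHOLD:
        decision = Decision.DENY
    elif score < STEP_UP_THRESHOLD[app_risk]:
        decision = Decision.ALLOW
    else:
        decision = STEP_UP_KIND[app_risk]
    # Guideline 5: in high-risk environments an OTP is added when the channel is not encrypted.
    require_otp = (app_risk in ("high", "very_high") and not ctx.channel_encrypted
                   and decision is not Decision.DENY)
    return Outcome(decision, score, require_otp, reasons)


def sample_history():
    """Constructed history: Alice's own laptop, her sister's tablet, and a known bad device."""
    return History(
        user_devices={"alice": {"dev-alice-laptop"}},
        user_countries={"alice": {"US"}},
        trusted_devices={"alice": {"dev-alice-laptop"}},
        crime_devices={"dev-bot-4411"},
        shared_age_days={"dev-alice-laptop": 400, "dev-sister-tablet": 200, "dev-bot-4411": 30},
    )


if __name__ == "__main__":
    hist = sample_history()
    for ctx, app in [(LoginContext("alice", "dev-alice-laptop", "US"), "medium"),
                     (LoginContext("alice", "dev-sister-tablet", "US"), "medium"),
                     (LoginContext("alice", "dev-never-seen", "US"), "high"),
                     (LoginContext("alice", "dev-bot-4411", "US", anonymizer=True,
                                   malware_detected=True), "medium")]:
        out = decide(ctx, hist, app)
        print(f"{ctx.device_id}/{app}: score={out.score} -> {out.decision.value}; {out.reasons}")
```

The sample history reproduces the scenarios in the text: Alice's trust-tagged laptop passes with no friction; her sister's tablet is new to Alice but has been known to the shared network for months, so for a medium-risk application it still gets in without step-up; a device nobody has ever seen triggers OOB step-up on a high-risk application and fully OOB step-up on a very high-risk one; and a device carrying a crime association plus detected malware is refused regardless of the application. The reasons list is what an analyst would want attached to the decision so that a deny or a step-up can be explained and tuned later.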

Concluding Thoughts

While numerous security measures are needed to protect an organization, effective authentication is
perhaps the most important, because it is the key to everything else. Encryption is meaningless if an
impostor gains access to accounts that are capable of bypassing, disabling or decrypting the data.
Audit trails don't help if they can be modified or erased by cybercriminals who have hacked into
privileged accounts. Requiring administrative rights to access sensitive applications or additional
security systems is a useless endeavor if fraudsters can become administrators. In short, if the
authentication mechanism can be breached, everything else is at risk.
Organizations must strengthen their authentication systems for protection from today's cybercriminals
and data breaches. Traditional systems that focus entirely on login credentials like passwords are
limited, and no longer suffice for any enterprise with sensitive data or critical applications.
Context-based authentication significantly strengthens overall security and is effective at detecting
impostors, even if they have stolen but valid credentials. Furthermore, context-based authentication,
with its built-in two-factor identification capabilities, is cost-effective and does not degrade the user
experience with added steps.

For more information about context-based authentication solutions, please visit

www.threatmetrix.com

References

[i] Trustwave, 2012 Global Security Report.
[ii] Consumer Reports, Annual State of the Net Report, May 02, 2013; Panda Labs Quarterly Report, April–June 2012.
[iii] Juniper Networks, Third Annual Mobile Threats Report, Jun 26, 2013; McAfee, Mobile Malware Growth Continuing in 2013.
[iv] Panda Labs Quarterly Report, April–June 2013.
[v] ZDNet, Cheap GPUs are rendering strong passwords useless, Jun 1, 2011; Ars Technica, Why passwords have never been weaker and crackers have never been stronger, Aug 20, 2012.
[vi] Deloitte, 2013 Predictions: PC Domination, Password Vulnerability and LTE Kickoff, Jan 22, 2013.
[vii] CSID, Consumer Survey Regarding Password Habits, Sept 2012.
© 2014 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Client, TrustDefender Cloud, TrustDefender Mobile, ThreatMetrix SmartID, ThreatMetrix
ExactID, the ThreatMetrix Cybercrime Defender Platform, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other
countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

V3.19.2014
