Context-Based Authentication
Enterprises With Sensitive Data or Critical Applications
Should Upgrade Their Authentication Procedures
WHITE PAPER
If you're a senior officer or manager at your organization, or have anything to do with IT or information
security, you probably aren't sleeping too well lately. The news features story after story of companies
being breached. Customer records, including credit card data and other personal information, are
constantly stolen. Intellectual property is being siphoned, and mission-critical systems are at risk for
expensive or even devastating disruptions.
once thought to be strong. Now, even passwords with at least 8 characters including both upper and
lower case, plus at least one symbol and number, are at risk.
Even worse, users tend to have the same password among many different accounts. Studies show
that upwards of 50% of users choose the same password for all or most of their login accounts,
including work, online retail, banking applications, and social networking sites. This situation is
dangerous for a number of reasons. Crime rings exploit social networking or other sites with relatively
weak security in order to crack passwords. Sites without velocity checks to detect automated scripts
or botnets are repeatedly attacked until valid credentials are discovered. Once passwords are
ascertained on these weaker sites, the credentials can be used to gain access to numerous other sites.
In spite of these security weaknesses, passwords are still valuable identifiers and serve as the
foundation for user authentication, and will likely do so for some time. It's clear, however, that
passwords or other login credentials are not sufficient. Businesses need an effective way to detect
imposters that have stolen but valid credentials.
Although OTP can be beneficial, there are downsides too. Hardware tokens are expensive to acquire
and deploy, and some need to be replaced every year. Both hardware- and software-based OTP
solutions require a complex infrastructure. Even SaaS solutions need a significant amount of
management to deploy, maintain, and support end users. Tokens can be lost or forgotten, creating
support issues as administrators disable lost tokens, register and deploy new ones, and provide
workarounds until replacement tokens can be delivered. Perhaps most important, many end users
don't like using OTP solutions, especially if they entail carrying hardware tokens. And all OTP solutions
take extra steps to log in, which users find annoying.
One-time passwords sent via text message (SMS) to mobile phones offer the benefits of reduced cost
and infrastructure, and eliminate the need for users to carry tokens. SMS messages, however, are not
always sent in a timely fashion. A common complaint among SMS-based authentication users is that
messages are occasionally delayed for long periods, sometimes hours. That's a showstopper for many.
Coverage issues can also be a concern. Mobile phone signals are not always available,
especially in buildings with wide outer walls, in basements, and in computer rooms that give off a
lot of RF noise. Another problem is battery drain, particularly on heavily-used smart phones. Although
sending one-time passwords to mobile phones via SMS can aid the authentication process, there are
so many potential issues that organizations need to carefully consider whether to deploy SMS-based
authentication for anything other than occasional use, or as a backup authentication method.
In short, OTP solutions, however generated or delivered, were critical back when passwords traversed
non-encrypted networks (where they were subject to capture), and authentication systems had no
velocity checks to prevent repeated guess attempts. But today, where communication channels
between users and target applications are generally encrypted and protected by velocity controls,
it can be difficult to justify the added costs and user friction associated with OTP solutions. This is
especially true with the advent of context-based authentication, which provides similar benefits
without the downsides. We'll cover context-based authentication later in this paper.
Challenge questions, sometimes referred to as dynamic knowledge-based authentication
(DKBA), can also help strengthen the authentication process, although they are generally used as
secondary or backup authentication. If primary authentication is unavailable or not sufficient to
establish the necessary trust, users can be asked to answer questions that theoretically only they
should know. Common examples include "What is your mother's maiden name?" or "What is the last
name of your first teacher?" Social networking has made a lot of formerly private information publicly
available, so challenge questions need to be carefully selected. But, when used prudently, DKBA can
be a useful and effective backup authentication method.
are associated with specific individuals. Used in conjunction with other CBA features,
Specific Device ID is a powerful way to determine accurate levels of risk and trust.
Frictionless Two-Factor Authentication: Utilizing both device ID and user login
There's no need to install anything on the device, or implement and manage a complex
infrastructure required by most two-factor authentication systems.
connect to protected web applications, identifying malware and other threats that can
compromise security.
Legitimate User Behavior: CBA establishes normal and legitimate user behaviors,
including vital elements like IP addresses and geolocations normally used, language(s)
utilized, devices used and their configurations, login times, frequency and speed of
login attempts, and more.
user's new devices) as trusted for future encounters. Valid users don't experience
needless repeat step-up authentication, and can be granted access with minimal input
or friction.
Is the device known to have been used by the legitimate user? Or is it an unseen and
potentially un-trusted device?
Has this user passed secondary or OOB authentication while using this device?
How long ago?
Has this remote device been associated with attempts to log into other user accounts
on my site? Is that normal?
When a user attempts to log in with a new device, has the new device been seen before,
either by your organization or by others in the shared Global Trust Intelligence Network?
Has it already been tagged as trusted? Has it been tagged as non-trusted?
Does malware exist on the user's device? Has the device been compromised?
Has the user's browser been infected and compromised?
Is this session protected by a secure browser, one hardened against malware that may
exist elsewhere on the user's device?
Has the page, data, or information submitted by the user been altered?
Is the same device being used throughout the session? Could this session have been
hijacked? Is there a man-in-the-middle attack occurring?
Is the device associated with suspicious users, botnets or other crime rings?
Where is the user or device located? What is the IP address or geolocation?
Is this normal for this user? For similar users?
Is the user attempting to hide anything? Using an anonymizing network?
Manipulating cookies? Using strange or abnormal device configurations?
All of the above questions ought to be answered before access to sensitive data or critical applications
is granted. But since most traditional authentication systems only evaluate user login credentials, they
can't answer any of them.
The solution is unique in that it contains all of the advanced analytics and processes necessary
for CBA in one platform, including the following:
Profile Devices: ThreatMetrix provides the most advanced device identification and
profiling available. Every device that accesses your website is positively and uniquely
identified, and screened for anomalies that indicate a high-risk login or transaction.
This profiling methodology leverages the Global Trust Intelligence Network of real-time
device, user, and behavior data, as well as sophisticated technologies to detect cookie
wiping, hidden VPN/proxy usage, and much more.
Identify Malware and Other Threats: When a user accesses your website,
cloud-based technologies detect the presence of malware that can facilitate fraud.
Client-based solutions can also be deployed, for applications that require a secure
browsing solution.
comprehensive details about online user identities and behaviors, such as usernames
and passwords, email addresses, and more, into a dynamic Persona ID, the foundation
for precise risk assessment.
procedures on static fixed passwords alone. The world has become too dangerous for
that.
2. Following static fixed passwords, CBA with frictionless two-factor identification should
be the next line of defense for most organizations. It's secure, cost-effective, and
frictionless for both users and the IT department.
3. When a user is connecting with a new device, Trust Tags, and other data from the
shared Global Trust Intelligence Network can help determine if step-up authentication
is needed.
4. When new and completely unknown devices are being used to connect in moderate
and high-risk environments, they should be validated via step-up authentication
before access is granted. For many and maybe most organizations, DKBA is adequate
for step-up authentication when used prudently. In high-risk environments, step-up
authentication should be performed OOB. In very high-risk environments, the entire
step-up authentication conversation, both to and from the user, should be OOB, to
prevent MITM attacks from succeeding.
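The context questions listed earlier and recommendations 1 through 4 describe a decision policy: verify the password, then use device identity, the user's behavioral baseline and shared trust tags to allow, step up, or deny. The following is an added illustration of that policy, not ThreatMetrix code; the signal names, the risk-environment levels (including "low"), the "trusted"/"non-trusted"/"unknown" tag values, and the sample profile are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    ALLOW = "allow"
    STEP_UP_DKBA = "step-up with challenge questions (DKBA)"
    STEP_UP_OOB = "step-up out-of-band (OOB)"
    STEP_UP_FULL_OOB = "entire step-up conversation out-of-band"
    DENY = "deny"

# Step-up method per risk environment (recommendation 4); the "low" level is an assumption.
STEP_UP_BY_RISK = {"low": Action.STEP_UP_DKBA, "moderate": Action.STEP_UP_DKBA,
                   "high": Action.STEP_UP_OOB, "very-high": Action.STEP_UP_FULL_OOB}

@dataclass
class LoginContext:                  # what the CBA layer observes for one login attempt
    device_id: str
    ip_country: str
    hour_utc: int
    anonymizer: bool = False         # VPN/proxy/anonymizing network detected
    malware_detected: bool = False   # malware or a compromised browser on the device
    shared_trust_tag: str = "unknown"  # assumed values: "trusted" / "non-trusted" / "unknown"

@dataclass
class UserProfile:                   # baseline of this user's legitimate behaviour
    known_devices: set
    usual_countries: set
    usual_hours: range

def assess(ctx: LoginContext, profile: UserProfile, risk_env: str):
    """Decide what to do with a login whose password has already been verified."""
    if ctx.malware_detected or ctx.shared_trust_tag == "non-trusted":
        return Action.DENY, ["compromised or non-trusted device"]
    checks = [(ctx.device_id not in profile.known_devices, "new device"),
              (ctx.ip_country not in profile.usual_countries, "unusual geolocation"),
              (ctx.hour_utc not in profile.usual_hours, "unusual login time"),
              (ctx.anonymizer, "anonymizing network")]
    signals = [name for hit, name in checks if hit]
    if not signals:                  # known device + valid login: frictionless second factor
        return Action.ALLOW, signals
    # A new device already tagged trusted by the shared network needs no step-up
    # outside high-risk environments (recommendation 3).
    if signals == ["new device"] and ctx.shared_trust_tag == "trusted" \
            and risk_env in ("low", "moderate"):
        return Action.ALLOW, signals
    return STEP_UP_BY_RISK[risk_env], signals

def record_step_up_success(ctx: LoginContext, profile: UserProfile) -> None:
    profile.known_devices.add(ctx.device_id)  # avoids needless repeat step-up later
```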
Concluding Thoughts
While numerous security measures are needed to protect an organization, effective authentication is
perhaps the most important, because it is the key to everything else. Encryption is meaningless if an
impostor gains access to accounts that are capable of bypassing, disabling or decrypting the data.
Audit trails don't help if they can be modified or erased by cybercriminals who have hacked into
privileged accounts. Requiring administrative rights to access sensitive applications or additional
security systems is a useless endeavor if fraudsters can become administrators. In short, if the
authentication mechanism can be breached, everything else is at risk.
Organizations must strengthen their authentication systems for protection from today's cybercriminals
and data breaches. Traditional systems that focus entirely on login credentials like passwords are
limited, and no longer suffice for any enterprise with sensitive data or critical applications.
Context-based authentication significantly strengthens overall security and is effective at detecting
impostors, even if they have stolen but valid credentials. Furthermore, context-based authentication,
with its built-in two-factor identification capabilities, is cost-effective and does not degrade the user
experience with added steps.
www.threatmetrix.com
2014 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Client, TrustDefender Cloud, TrustDefender Mobile, ThreatMetrix SmartID, ThreatMetrix
ExactID, the ThreatMetrix Cybercrime Defender Platform, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other
countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.
V3.19.2014