Identity is what defines a person/object in the digital space. It is a term devoid of any human affinity. But, to a human being, his/her identity is the gateway to everything today. From social networks logins to money withdrawal, from logging in on their work profile to accessing critical business data, your identity enables you to do it all. Yet, according to a study, there is a new victim of identity theft every 2 seconds. Yes, you read that, right!
It is intimidating to think that identity theft happens ever so often. In the 10 seconds that you took to read until here, five identities have been stolen.
Thus, it is exceedingly vital to protect identities at all costs.
How are identities protected?
Through authentication and authorization. These are your identity’s best friends. They know your identity well. They ensure no one can impersonate it and take advantage of the privileges that lay within your identity’s capabilities.
Authentication is the process of verifying the legitimacy of your identity using the parameters of something you know, something you have, and something you are.
What are they? They can be passwords, PINs, mobile, OTP, voice, fingerprint and so much more. These attributes are mapped to you, and only you ought to know/have them.
This authentication proof is supposed to be stored in a safe place within your servers.
Authorization is the one step after your authentication to ensure your identity is entitled to the access you have requested. The access control token after the authentication provides information about the identity’s validation.
What is MFA?
These attributes that belong to you are verified whenever you need access to a Service. Between the Identity Provider and the Service Provider, the authentication and authorization processes happen to ensure you are who you claim to be. You can learn more about how they happen here.
This verification used to happen in one layer, just your username, and password. That is one-factor authentication. But as the threats advanced, it became seemingly easier to access passwords from an array of stolen passwords available on the dark web.
Then came Multi-Factor Authentication (MFA) to provide multiple layers to your security.
MFA considers several parameters. Two-Factor authentication, for example, could be something you have (your phone) along with something you are (your fingerprint). It could be something you know (your password) along with something you have (the generated one-time password).
In-band and out-band MFA
In-band authentication is where the first and second factors of authentication are within the same device. For example, if you want to access your mobile application, the first factor being your fingerprint, and the second layer may be an OTP requirement. If the OTP is sent to your phone, then both these factors are within the same device.
However, with out-band authentication, the two factors are verified on different platforms. After entering the password on your laptop to login to an internet service, another PIN generated on your phone is required then this constitutes two different devices and a higher chance at security.
Yet, hackers overcome MFA
The cybercrime industry is growing at an unprecedented rate today. And despite the best efforts of MFA, which still provides security in the majority of the use cases, it has failed.
There are several methods out there, using which hackers have overcome the power of MFA:
- Social engineering is a con of sorts where a person claims to reach out to you from a trusted authority and extract critical information. They might know your bank details, yet would need an OTP to utilize your bank account. They can pose to be the bank requesting the OTP and get it from you. They rely on people’s naivety.
- Security questions which are used for MFA, are sometimes openly available. You would’ve selected your pet’s name as a security question. What happens when the hacker comes across your social media profile where you have affectionately put up a picture of little Marley? You have openly given out essential details to your hacker.
- Session hijacking is when the hacker allows you to authenticate yourself and takes the show away from you. They steal the access control tokens and will now be authorized to use your entitled resources.
Several such instances have shown how MFA is compromised despite it being largely secure as compared to one-factor authentication.
This is where the Adaptive MFA comes into the picture.
What is Adaptive MFA?
Adaptive MFA adds context to multifactor authentication. Once a user is authenticated, the risk level of the user is calculated using cognitive technologies, and a risk score is generated. The multiple levels and factors of authentication are applied. Once the assurance level of the user is more than the risk level, the identity is authenticated and authorized.
This also applies levels of safety to the resources. The authenticating factor can be more or less depending on the resource, which is to be provided. If it is login to the internet service, then that can be considered to have lesser importance as compared to customer data in an organization.
Context is everything!
Adaptive MFA adds context to all your authentications.
- Location: It considers important factors like location to define your assurance. If you generally request access from one location and suddenly a request is made from your identity from a different location, then provides enough reason to prompt additional authentication requirements. Although this might seem counterproductive to the ones who are always traveling, the technology learns the behavior of individuals and adapts accordingly.
- IP address: If you have logged in from a new IP, this prompts additional layers of security.
- Behavioral changes: The time of login, is an essential aspect of employee behavior. When there is a deviation from this pattern, the risk score increases.
Essentially, adaptive MFA is a technology that is made to decrease the possible faults that can occur in MFA.
Best practices to ensure adaptive MFA is free from fallacies:
- Whenever a user is enabled with MFA, he/she must be informed of the possible frequent attacks like phishing and social engineering.
- User training in line with this is crucial.
- External signals must be utilized to ensure your risk scores are calculated from many parameters beyond your data point.
- Include geo-velocity, which shows the probability of someone logging in from one place and then from another. If someone logs in from a country in Asia and then from a country in Europe within 2 hours, this is clearly an impossible situation. Thus, such details must be taken into consideration.
- Methods like the FIDO alliance must be included for authentication.
Despite the incidents of recent times, Microsoft states that MFA still blocks out 99.9% of the attacks. The power to remain secure, in the majority of the cases, is with the user.
With the combination of the right knowledge and technology, hackers can always be kept at bay. Ilantus’ Xpress Password is one such technology that can keep you empowered with security.