Forget two-factor authentication, here comes context-aware authentication

The stakes are high and cloud vendors know it. Is context-aware authentication the next safety net?


Remember the good old days, when logging into your favorite web service (Geocities, anyone?) was as simple as entering a username and password? Back then, things were simpler and safer.

Today, the ante has well and truly been upped, and service providers, not to mention users, are in a perpetual battle to keep data safe. Of course, the easiest way to attack data is to use someone's login credentials -- kind of analogous to a thief walking into a house where the occupants helpfully left the door unlocked for them. Recent findings showed that fully 63% of confirmed data breaches involved leveraging weak/default/stolen passwords.

Analyst firm Forrester estimates that 80% of security breaches involve privileged credentials. It's understandable why this is the case -- after an intruder gains access to an employee's device, they try to snoop the network and install a keylogger to capture higher-privilege credentials. Privileged credentials provide greater scope for stealing data en masse than individual accounts do: with privileged credentials, attackers can dump the entire database, bypass network traffic limitations, delete logs to hide their activity, and exfiltrate data more easily.

In the past year, we have heard much about two-factor authentication (2FA), a system whereby users need to enter two individual items to log in to a service -- their password and (generally) a randomly generated code supplied by a mobile application or via text message.

While 2FA is certainly secure, it is a rather blunt instrument and tends to introduce more drag into the log-on process than is ideal. That's why there is increasing talk around context-sensitive authentication. While it may seem like a complicated term, context-sensitive access is a simple concept.

The idea is to use the context in which the user accesses resources to determine a level of confidence that it is really the user, rather than a malicious actor who has compromised their account credentials. When confidence is low or risk is high, a contextual authentication system automatically steps up to other more secure (but also more disruptive) authentication methods, such as requiring a multi-factor token. Contextual authentication is beneficial because it raises the bar by continually monitoring and assessing risk for every page viewed or resource accessed, without interrupting the user unless suspicious activity is detected.

Contextual access is, at its essence, an evolution of adaptive authentication that replaces the use of static rules and blacklists with machine learning to assess risk based on user behavior and context. Indeed, many providers already do super simplistic "context," such as blacklisted locations. These approaches, however, are far too coarse to be effective at balancing security with usability.
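To make the mechanism in the two paragraphs above concrete, here is an added example (not code from the article or from any vendor it names) of a per-request risk decision. Each request's context is compared with a baseline the service has learned about the user, scored, and mapped to one of three outcomes: allow silently, step up to a second factor, or deny. The signal names, weights and thresholds are illustrative constants chosen for this example; a production system of the kind the article describes would learn them from behavior rather than hard-code them. The profile and request data are constructed.

```python
"""Added example: a minimal context-aware authentication decision.

Every request, not only the initial login, is scored against the user's
baseline. Low risk passes silently; medium risk triggers a step-up to a
stronger factor; high risk is refused outright.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class UserProfile:
    """Baseline context the service has observed for one user (constructed)."""
    known_devices: Set[str]
    usual_countries: Set[str]
    usual_hours: range            # local hours in which the user normally works
    recent_failures: int = 0      # failed logins in the current window


@dataclass
class RequestContext:
    """Signals available for a single request (constructed)."""
    device_id: str
    country: str
    hour: int                        # 0-23, local time of the request
    ip_on_denylist: bool = False     # address flagged by a reputation feed
    impossible_travel: bool = False  # location change too fast since last request


# Illustrative weights and thresholds (assumption: chosen for this example).
WEIGHTS = {
    "unknown_device": 30,
    "unusual_country": 25,
    "unusual_hour": 10,
    "denylisted_ip": 40,
    "impossible_travel": 40,
}
PER_FAILURE_WEIGHT = 5
MAX_FAILURES_COUNTED = 5
STEP_UP_THRESHOLD = 30   # at or above: require a second factor
DENY_THRESHOLD = 70      # at or above: refuse the request


def risk_signals(profile: UserProfile, ctx: RequestContext) -> List[str]:
    """Return the names of every signal that deviates from the baseline."""
    signals = []
    if ctx.device_id not in profile.known_devices:
        signals.append("unknown_device")
    if ctx.country not in profile.usual_countries:
        signals.append("unusual_country")
    if ctx.hour not in profile.usual_hours:
        signals.append("unusual_hour")
    if ctx.ip_on_denylist:
        signals.append("denylisted_ip")
    if ctx.impossible_travel:
        signals.append("impossible_travel")
    return signals


def risk_score(profile: UserProfile, ctx: RequestContext) -> int:
    """Sum the weights of the triggered signals plus a capped failure penalty."""
    score = sum(WEIGHTS[s] for s in risk_signals(profile, ctx))
    score += min(profile.recent_failures, MAX_FAILURES_COUNTED) * PER_FAILURE_WEIGHT
    return score


def decide(score: int) -> str:
    """Map a score to allow / step_up / deny."""
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def authorize(profile: UserProfile, ctx: RequestContext) -> Tuple[str, int]:
    """Evaluate one request; returns (decision, score) so callers can log both."""
    score = risk_score(profile, ctx)
    return decide(score), score


def complete_step_up(profile: UserProfile, ctx: RequestContext) -> None:
    """After a successful second factor, enroll the device so later requests stay silent."""
    profile.known_devices.add(ctx.device_id)
    profile.recent_failures = 0


if __name__ == "__main__":
    alice = UserProfile({"laptop-01"}, {"US"}, range(7, 20))
    print(authorize(alice, RequestContext("laptop-01", "US", 9)))        # ('allow', 0)
    new_phone = RequestContext("phone-02", "US", 9)
    print(authorize(alice, new_phone))                                    # ('step_up', 30)
    complete_step_up(alice, new_phone)
    print(authorize(alice, new_phone))                                    # ('allow', 0)
    print(authorize(alice, RequestContext("tablet-99", "RU", 3,
                                          impossible_travel=True)))      # ('deny', 105)
```

The point of returning both the decision and the score is that the score is what gets logged: a run of step-ups for one account is a detection signal in its own right, even when every second factor succeeds.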

At the same time, 2FA adoption is hard -- users have to install an app or use insecure SMS. In fact, the U.S. government announced that it is set to phase out text-based 2FA. But contextual authentication can sit in the background and simply do its thing pretty much invisibly (unless higher risk is determined).

We're seeing contextual authentication in other settings. Google's Trust API, which is in private beta, will see users able to leverage proximity-based authentication relating to their phones. But the drivers for Google's approach equally exist for web applications -- we have a lot of contextual user information already, why can't we just leverage it to make our service, and our customers' use of our service, easier AND more secure?

Contextual authentication: Who should be doing it?

There are two obvious groups of organizations that would be ideal candidates to layer contextual authentication over their existing platforms. First are the two-factor authentication providers, since contextual authentication makes for smarter 2FA and covers a wider audience than standard 2FA. The second are vendors in the "identity-as-a-service" (IDaaS) space: since they are a single point of failure and access, they should be doing more to assess the risk of account compromise.

Contextual authentication is an idea whose time has come, and it will be fascinating to watch vendor movements in the space.

This article is published as part of the IDG Contributor Network.