4 Reasons to Upgrade Your MFA to Adaptive Authentication

  • By Chamath Samarawickrama
  • 8 Oct, 2018

What is Multi-Factor Authentication (MFA)?

About two decades ago, when people began to use online services and first needed to authenticate to them, a user ID and a password were more than enough. Since then the number of online businesses, and the number of people using them, has grown dramatically, and this simple method no longer suffices. CPU speeds have increased to the point where brute-force attacks are practical and dictionary attacks are a common threat; GPGPU password cracking and rainbow tables (effective wherever password hashes are stored unsalted) have given attackers similar advantages.

Multi-factor authentication (MFA) emerged as an answer to this problem. It creates a layered defense that makes it more difficult for an unauthorized person to reach a target such as a physical location, a computing device, a web service, a network or a database. The concept rests on the assumption that if one factor is compromised or broken, the attacker still has at least one more barrier to get past before reaching the target, so the combination is more secure than any single factor. That assumption holds only while the factors are genuinely independent of each other, a point the sections below return to.

Authentication in MFA relies on two or more independent credentials drawn from three categories:

  • Knowledge factors - something only the user knows, such as a password
  • Possession factors - something only the user has, such as an ATM card
  • Inherence factors - something the user is, such as a fingerprint

Combining two or more factors from these three categories authenticates the user. The classic example is withdrawing cash with an ATM card: the card is the possession factor and the PIN is the knowledge factor.

Challenges with Legacy MFA

Although multi-factor authentication gave enterprises additional and better security, it was never perfect. Some practical problems have accompanied implementations of the concept from the beginning, and they have become severe as the number of consumers and services has grown.

People Just Don’t Use MFA

Over the last few years, well-known social identity providers such as Facebook and Google have worked on the setup experience for two-factor authentication (2FA) on their services and, as a result, have streamlined it far beyond what most other services offer. Users coming from those environments expect a similarly streamlined experience from every other service.

Any form of MFA means the user has to leave the application and go to a separate channel or service in order to get authenticated. Even with a fairly simple SMS OTP, the user has to step out of the flow of the actual system and check the phone for the message. Other methods are no better: checking an email, using a fingerprint reader or a physical security key all interrupt the flow in the same way. This hurts the user experience, and as a result some users are driven away.

It has been more than seven years since Google introduced 2FA for Google accounts, yet hardly anyone uses it. Google software engineer Grzegorz Milka revealed at the Usenix Enigma 2018 security conference in California that more than 90 percent of active Gmail accounts do not use two-factor authentication. [1] Those accounts are protected by a password alone and are therefore exposed to phishing, credential stuffing and password reuse; for all of Google's investment in security, the large majority of its users remain susceptible to such attacks.

Inherent Security Vulnerabilities in MFA Mechanisms

Although the concept of multi-factor authentication was introduced with a more secure digital world in mind, the common implementations contain inherent security weaknesses of their own. Consider SMS-based MFA, the most widely deployed form today. Attacks on political activists in Iran, Russia and even the US have shown that determined attackers can hijack the SMS messages meant to keep you safe, whether at the carrier network or by social-engineering the carrier into moving the number. "SMS is just not the best way to do this," says security researcher and forensics expert Jonathan Zdziarski. "It's depending on your mobile phone as a means of authentication [in a way] that can be socially engineered out of your control." [2] In practice, SMS OTPs have become the weakest link in what is supposed to be a secure authentication process.

Because legacy multi-factor authentication solutions are static, they cannot continuously process the dynamic context of an authentication attempt. They prompt the same pre-configured authentication steps every time, regardless of the contextual risk indicators and threat vectors present in the flow. That predictability invites attackers to devise attacks tailored to a known, fixed sequence of steps and to breach it.

OTP-based multi-factor authentication is vulnerable to man-in-the-middle attacks as well. An attacker can defeat this kind of out-of-band second factor simply by tricking the user into visiting a counterfeit website. Because it looks exactly like the site the user intended to visit, the user enters their login credentials into the fraudulent page believing it to be the real thing. The attacker forwards those credentials to the legitimate site in real time, which then sends the user an OTP. The user, still unaware that anything is wrong, types the OTP into the fake site; the attacker forwards that too, and then redirects the user to the legitimate site, having gained a fully authenticated session in the process. The attack works because nothing binds the OTP to the site the user is actually looking at: any code the user can read and retype, whether it arrives by SMS or comes from an authenticator app, can be relayed this way within its validity window. Only an origin-bound credential (a FIDO2/WebAuthn authenticator, for instance) resists this relay, because the browser signs the origin it is really on.

Authentication Can’t Be One-Size-Fits-All Anymore

The most alarming thing about multi-factor authentication as it is usually deployed is its static nature. You can set up MFA in your organization so that every user must enter an SMS OTP at login, or use a fingerprint reader, or any other available mechanism, but the configuration more or less stops there. If you set up SMS OTP, everybody has to enter an SMS OTP every time. Even for a fairly small task such as viewing their own profile, users have to wait for their phones and enter the code.

We need authentication mechanisms tailored to each use case, and the use case depends on the user: their location, their behaviour, the type of task they intend to perform, and so on. Take the example just mentioned of a user viewing the basic details of their own account. Password authentication alone is adequate there. If the user then wants to view more sensitive information or change something in the account, a second factor can be prompted at that point (step-up authentication).

The world is complex: a user may have several smartphones, a laptop, a tablet and a desktop computer for accessing their digital life. What if your system enforces strong multi-factor authentication and the user has to enter a second-factor OTP when logging in from each of those devices? That is four devices and four separate OTPs. What does that do to the experience of working with and consuming your services?

Extensive Authentication Mechanisms Affect Productivity

When MFA was first introduced, a system had only a handful of logins to manage. That number has since multiplied many times over, and a medium-sized business may now handle on the order of 100 logins per second. Server processing power and memory have grown too, but they will not keep pace with the demand we will face in the near future, and the problem gets worse when every login also needs a multi-factor step.

Then there is the time each user spends just logging in to your service. An SMS typically takes 30 seconds to a minute to arrive. At the volumes we are dealing with, those 30 seconds of waiting are multiplied by hundreds or thousands of logins. Imagine how many valuable business hours are lost in the name of security.

What if we could accept a simple username and password from users in secured environments and require MFA only from everyone else? Employees logging in from the internal network would use just their credentials, while those on an external network would have to provide a second factor. (Network location is a useful signal but a weak one on its own: a compromised internal host or a VPN endpoint looks "internal" too, so it is best combined with other context such as the device and the user's usual behaviour.) If only there were a flexible mechanism to balance productivity and usability against security.

Well, it turns out there is!

MFA and Adaptive Authentication: What's the Difference?

Ensuring maximum security while providing reasonable usability is a continuous trade-off. Whether you are doing Customer Identity and Access Management (CIAM) or Employee Identity and Access Management (EIAM), it is important to give users a frictionless way to log on to applications and devices. But given the volatile nature of user devices, networks, locations and usage contexts, you may have to apply various measures, such as multi-factor authentication, to authenticate users appropriately.

This is where adaptive authentication comes in. With adaptive authentication, the authentication steps are configured and deployed so that the system decides which steps to prompt during a given login, based on the user's risk profile and behaviour. This lets an organization apply precisely the right level of gateway security to each individual login request, instead of issuing one static procedure for everyone to follow under all circumstances.

How Adaptive Authentication Overcomes the Limits of MFA

Reduce the Imbalance Between Security and User Experience

OTPs can be delivered over an SMS channel or generated on the user's own device with an app such as Google Authenticator, which computes them from a shared secret with a standard time-based algorithm (TOTP). In either case the application being secured needs extra UI, and the user is forced to switch to another service to obtain the OTP, copy it, switch back to the original application and enter it. Verifying the OTP takes time as well. Repeating this process over and over results in a degraded, sub-optimal user experience.

UX must be a key focus for every digital business. "A well-designed user interface could raise your website's conversion rate by up to 200%, and a better UX design could yield conversion rates up to 400%." [3] However, maintaining good UX without compromising security and functionality has been a challenge.

Adaptive authentication acts as an extra layer of security that intervenes only when the risk evaluation for a specific scenario comes out high. In simpler terms, the user has to supply a second factor only when the risk evaluation decides so. This lessens friction in low-risk activities and provides a relatively better UX.

Improved Security

Adaptive authentication provides enhanced security by taking contextual data into account during authentication. It continuously processes risk vectors and manages access to applications and resources accordingly: instead of evaluating risk once, at login, it re-evaluates it as the session proceeds, so that each request for a resource can be allowed, stepped up or denied on its own merits.

In high-risk scenarios, adaptive authentication can elevate the level of authentication by prompting for an additional factor such as an OTP. Examples of risk vectors that would trigger this include authentication from certain geo-locations, from a network showing suspicious activity, or for high-value online transactions.

A risk score can be calculated continuously according to an algorithm (a predefined set of rules). The calculation takes each user's own behaviour into account, and the resulting score decides which level of authentication to prompt.

The risk evaluation may consider the location and time of the request for a resource as well as the keystroke dynamics of the user. With this information factored in, the evaluation algorithm should be able to detect suspicious behaviour. Each signal also produces false positives (a travelling employee, a newly issued laptop), so the weights and thresholds need tuning against real login data, and the rules should record which signals fired so that analysts can see why a user was challenged.

Flexibility To Meet Corporate And User Needs

The major drawback of traditional MFA that adaptive authentication solves is the lack of flexibility. Adaptive authentication can apply different authentication methods to different use cases. Weighing security strength, IT benefits, user benefits and cost, we can set up the authentication process to pick the best method for a particular user performing a particular task from a particular geolocation at a particular time.

Consider some example use cases. Remember the scenario above of a user logging in from the internal network versus one logging in from an external network? With adaptive authentication you can implement exactly that. Based on a number of attributes of the authentication attempt, the system decides whether to let the user in with just a username and password or to demand more.

Another example is a user making a fund transfer from the bank's mobile application on their smartphone. With plain SMS OTP MFA, the system sends the OTP to that same phone. Is it sensible to deliver the second factor to the device that is making the request? If the phone was stolen, the thief holds both factors at once. The system has to be smart enough not to send the second factor to the same device, or to demand a different kind of factor altogether.

Improved Productivity

As discussed earlier, demanding multiple factors on every login consumes a lot of time and hurts everyone's productivity. What if we could reduce that overhead while keeping security in place? Adaptive authentication does just that: it responds to the context of the user and the device, and improves productivity by stepping down authentication requirements in low-risk situations.

Because the mechanism considers external factors about the authentication attempt, such as the user's behaviour pattern, location and time of day, adaptive authentication can accept a login without the second factor when those signals agree with what it expects for that user.

Summary

As discussed above, adaptive authentication provides a more frictionless experience than its legacy counterpart, thanks to its dynamic, contextual threat analysis and its use of precisely the level of security each request warrants. It also alleviates the drawbacks of legacy MFA described above and acts as an extra layer of security for the system. Going forward, given the rising sophistication of cyber attacks, adopting adaptive authentication will be an obligation rather than an option, and any organization that takes its security posture seriously will need solutions more intelligent than the static MFA it has in place today. Adaptive authentication decides when and which factors to demand; it still relies on the strength of those factors, so pairing it with phishing-resistant second factors rather than SMS codes gets the most out of it. Because it mitigates the defects of legacy MFA and provides a strong base for scalable, efficient security, it is high time organizations upgraded from legacy MFA to adaptive authentication.

References

  1. Thomson, I. (2018, January 21). Who's using 2FA? Sweet FA. Less than 10% of Gmail users enable two-factor authentication. The Register. Retrieved from https://www.theregister.co.uk/2018/01/17/no_one_uses_two_factor_authenti...
  2. Greenberg, A. (2017, June 03). So Hey You Should Stop Using Texts for Two-Factor Authentication. Wired. Retrieved from https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentica...
  3. Paunovic, G. (2017, November 28). The Bottom Line: Why Good UX Design Means Better Business. Forbes. Retrieved from https://www.forbes.com/sites/forbesagencycouncil/2017/03/23/the-bottom-l...

About Author

  • Chamath Samarawickrama
  • Software Engineer
  • WSO2