Growing roaming user populations and remote access to organizations’ confidential data are an increasing security concern, leaving organizations with choices to make about how to secure these resources. A conflict of interest between business groups and IT security can turn into a struggle to maintain usability while increasing security. Instituting better password policies is a preliminary option, but organizations often over-steer toward rigid two-factor authentication solutions.
Two-factor authentication (2FA) supplies a strong authentication method but is not always adopted easily by end users, because it cannot adapt to the user’s access scenario on the fly. What if there were a solution that not only matched an organization’s policies and compliance standards but also applied context to the authentication process, providing a seamless, easy-to-use authentication experience for all users? So there is a decision to make: institute better password policies, implement two-factor authentication across the whole company, or take a third option and implement contextual authentication.
What is Contextual Authentication?
Contextual authentication is a form of adaptive authentication that takes into account the context of the end user’s access request and uses it to decide how much authentication to require, up to and including a second factor. This is achieved by identifying parameters of the request such as the user’s location, device, network, application, and time of day. These parameters are used to grant access to an authorized user with minimal friction while creating major obstacles for unauthorized users. Security policies can be configured for the context in which users are logging in, down to the group, OU, or even individual, and can then require more or fewer authentication steps. For example, stronger authentication can be required for individuals accessing company data from outside the office.
This method of authentication not only adds a level of security but also improves usability for authorized users, such as those working inside the company building. Contextual authentication lets a company be compliant and secure while providing a user-friendly option for its employees. Deploying this authentication method allows you to “hassle the hackers, not the end users”.
Factors for Contextual Authentication
Configurations and specifics typically differ for each organization’s risk policy, but here are some of the standard parameters that are considered context about the user’s access scenario:
- IP Address/Network – For a normal TCP connection the client’s source IP address is not easily spoofed, since an attacker would have to complete the handshake from that address. Rather than use a “black list” approach where certain blocks of addresses are deemed “bad,” a white list is much more manageable: it assigns a positive credibility score only to address ranges the organization controls. The controlled confines of a LAN are a very different environment from an Internet café. Two caveats apply. Proxy servers and VPNs can mask the IP of the end user’s actual device, and a compromised or stolen device that is already inside the corporate network inherits the network’s credibility, so this factor should be combined with others rather than trusted alone. Some vendors use client-side apps to determine what “type” of network connection the device is using; such an app can detect the encryption used on a Wi-Fi connection and treat outdated or weak encryption as a higher risk.
- Geolocation – There are a few ways to get a user’s location. IP-based geolocation is fairly easy to implement but does not have a high degree of accuracy; it may only be reliable enough to determine which country the user is in. HTML5 has built-in support for geolocation and it is supported by all major browsers. When used by “honest” users this is generally more accurate, since it can use a mobile phone’s internal GPS or the wireless access points visible from a workstation. Due to privacy concerns, this information is only provided if the user allows it. The specification explicitly states that the data may not reflect the actual location, and some browsers’ developer tools let the user supply an arbitrary latitude and longitude to requesting servers, so authentication decisions for sensitive applications should not rely on this data; treat it as a weak signal that never raises credibility on its own.
- Device Information – Certain information is available from each HTTP request a browser makes. The browser vendor and version (the “User-Agent” header) are typically present, as are capabilities such as supported file types or fonts. Some device “fingerprinting” can be done using this information, but all of it is supplied by the client and can be completely spoofed, so it should carry little weight on its own. Some client-side apps integrate directly with the device or browser, allowing them to gather authoritative information and deliver it securely to the web server.
- Cookies – This can be considered a subset of “device information,” but one that is more controllable. If the user chooses to “remember” their device, the server can generate an opaque, random identifier, store it against the user, and set it as a persistent cookie in the user’s browser. The lifetime of this cookie is typically configurable. The presence or absence of this cookie establishes whether the device has previously been used, which boosts credibility. Sending it only over HTTPS, with the Secure and HttpOnly attributes set, protects it from interception on the wire, but it remains a bearer token: malware or anyone with access to the browser profile can copy and replay it, so it should raise credibility rather than replace a credential.
- Time of day – The server’s own clock cannot be spoofed by the client, although an attacker can of course choose when to attack, so this is a weak factor. A defined time window, for example business hours Monday through Friday, can represent a slight increase in credibility, and any access outside that window is deemed riskier. Historical usage patterns can also be established for the user to weight this factor more appropriately.
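As an added example (written for this page, not PortalGuard’s code or any product’s), here is a small Python policy evaluator that combines the factors above into a credibility score and maps the score to five responses: single sign-on, password, knowledge-based, two-factor, or block. The networks, weights, thresholds, business hours, user name and scenarios are all assumptions chosen for illustration. Client-controlled signals (browser geolocation, User-Agent) never raise the score; the device cookie is an opaque server-registered token compared in constant time and delivered with Secure, HttpOnly and SameSite set.

```python
"""Contextual authentication policy evaluator (illustrative; not PortalGuard code).

Each signal adds to or subtracts from a credibility score; the score selects one
of five responses. All weights, thresholds, networks and hours are assumptions.
"""
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumed policy values.
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS = (8, 18)      # 08:00 to 18:00 local time
BUSINESS_DAYS = range(0, 5)   # Monday (0) to Friday (4)
HOME_COUNTRY = "US"
LOCKOUT_FAILURES = 10

# Responses, least friction first.
SSO, PASSWORD, KBA, TWO_FACTOR, BLOCK = "sso", "password", "kba", "2fa", "block"

# Server-side registry of "remember this device" tokens, keyed by user.
# In memory for the example; a deployment would persist it.
_remembered_devices: dict = {}


def issue_device_token(user: str) -> tuple:
    """Mint an opaque random device identifier and the Set-Cookie header for it.

    Secure: HTTPS only. HttpOnly: invisible to page script. SameSite=Strict: not
    attached to cross-site requests. It is still a bearer value, so below it only
    raises credibility; it is never accepted as a credential by itself.
    """
    token = secrets.token_urlsafe(32)
    _remembered_devices.setdefault(user, set()).add(token)
    header = ("device_id=%s; Max-Age=%d; Secure; HttpOnly; SameSite=Strict; Path=/"
              % (token, 30 * 24 * 3600))
    return token, header


def device_is_remembered(user: str, token: Optional[str]) -> bool:
    """Constant-time check of the presented cookie against the user's issued tokens."""
    if not token:
        return False
    return any(hmac.compare_digest(token.encode(), issued.encode())
               for issued in _remembered_devices.get(user, set()))


@dataclass
class AccessContext:
    user: str
    client_ip: str
    when: datetime                         # server clock, in local policy time
    device_cookie: Optional[str] = None
    ip_country: Optional[str] = None       # coarse, from IP geolocation
    browser_country: Optional[str] = None  # from HTML5 geolocation; user-controllable
    user_agent: str = ""                   # client-supplied, trivially spoofable
    failed_logins_last_hour: int = 0


def score_context(ctx: AccessContext) -> tuple:
    """Return (score, reasons). Higher score means higher credibility."""
    score, reasons = 0, []
    if any(ipaddress.ip_address(ctx.client_ip) in net for net in CORPORATE_NETWORKS):
        score += 40
        reasons.append("corporate network")
    if device_is_remembered(ctx.user, ctx.device_cookie):
        score += 40
        reasons.append("remembered device")
    in_hours = BUSINESS_HOURS[0] <= ctx.when.hour < BUSINESS_HOURS[1]
    if ctx.when.weekday() in BUSINESS_DAYS and in_hours:
        score += 10
        reasons.append("business hours")
    if ctx.ip_country == HOME_COUNTRY:
        score += 10
        reasons.append("expected country by IP")
    # Browser geolocation and User-Agent are client-controlled and never add
    # credibility; a browser location contradicting the IP country is a small penalty.
    if ctx.browser_country and ctx.ip_country and ctx.browser_country != ctx.ip_country:
        score -= 10
        reasons.append("browser location disagrees with IP country")
    if ctx.failed_logins_last_hour >= LOCKOUT_FAILURES:
        score -= 100
        reasons.append("failure threshold exceeded")
    return score, reasons


def required_level(ctx: AccessContext) -> str:
    """Map the credibility score to one of the five responses."""
    score, _ = score_context(ctx)
    if score < -20:
        return BLOCK
    if score >= 80:
        return SSO
    if score >= 50:
        return PASSWORD
    if score >= 20:
        return KBA
    return TWO_FACTOR


def demo() -> dict:
    """Constructed scenarios for one user; returns scenario -> required level."""
    token, _header = issue_device_token("alice")
    office_hours = datetime(2024, 3, 12, 10, 30)   # Tuesday 10:30
    night = datetime(2024, 3, 12, 3, 0)            # Tuesday 03:00
    return {
        "office, remembered device": required_level(AccessContext(
            "alice", "10.1.2.3", office_hours, token, ip_country="US")),
        "office, new device": required_level(AccessContext(
            "alice", "10.1.2.3", office_hours, None, ip_country="US")),
        "office, new device, 3 am": required_level(AccessContext(
            "alice", "10.1.2.3", night, None)),
        "home, new device, 3 am": required_level(AccessContext(
            "alice", "198.51.100.7", night, None, ip_country="US")),
        "abroad, new device, spoofed browser location": required_level(AccessContext(
            "alice", "192.0.2.9", night, None, ip_country="DE", browser_country="US")),
        "password spraying in progress": required_level(AccessContext(
            "alice", "192.0.2.9", night, None, ip_country="DE", failed_logins_last_hour=12)),
    }


if __name__ == "__main__":
    for scenario, level in demo().items():
        print(f"{scenario:45s} -> {level}")
```

Note how the weights encode the caveats from the list: no single factor reaches the single sign-on threshold, so a compromised host on the corporate LAN with no remembered-device cookie still lands at knowledge-based or password authentication rather than walking straight in, and the spoofable browser location can only subtract.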
Contextual Authentication vs Static Authentication
As an alternative to static authentication solutions, PortalGuard takes a middle path and handles the challenges of remote user access scenarios. With a cost-effective, flexible approach to authentication, PortalGuard offers five levels of response (Single Sign-On, Password-Based, Knowledge-Based, Two-Factor Authentication, and blocking the request).
Using PortalGuard’s Contextual Authentication, organizations gain insight into user access scenarios, allowing them to make security and usability adjustments transparently to the user and to adjust the authentication method dynamically to what is appropriate for the user’s situation. Obtaining the user’s contextual data is optional with PortalGuard, and all options can be configured down to the individual user, group, or application level.
Does Contextual Authentication Prevent User Fraud?
Contextual authentication makes account takeover, and the fraud that follows it, considerably harder. Since it accounts for more than a static username and password, stealing confidential information is more difficult for threat actors. Imagine threat actors trying to break into your account in the middle of the night. While you may not notice, the barrier to entry is significantly higher. The system knows you are typically online during your usual work hours, not at 3 am, so threat actors attempting to compromise your account at that time are challenged for a secondary form of authentication they will not have, such as a hardware token or biometric.
Benefits of Contextual Authentication
- Increase security without impacting the end-user experience
- Increase usability for authorized users while creating barriers for unauthorized users
- Configurable – to the user, group or application level
- Lower total cost of ownership than token-based two-factor authentication alternatives
- Proactive approach to reducing threats – block suspicious requests in real time, before the password is even evaluated