April 21, 2016

Continuous Adaptive Authentication with ThisData

Adaptive authentication is a relatively new buzzword which basically means "get the user to prove it's them in a way appropriate to the risk of what they're doing", and continuous means "do it all the time"! It's becoming more and more common, but it's still a bit hard to understand.

What is Continuous Adaptive Authentication?

Let's apply it to the real world, and pretend we're running a banking website. Here are the different authentication approaches we might use:

Login with a username and password

Logging in with a username and password is the most basic way to let someone in. Once they give the right username and password, they can see balances, transfer money, order new credit cards, anything!

Login with a Username, Password, and 2FA

After getting the username and password right, we want to further secure accounts by prompting for a Two Factor Authentication code. We might use a two-factor service like Authy to achieve this. Users have to get the code right to get in. But once in, they can still do anything they like.

Login with a Username, Password, and adaptive 2FA

Adaptive 2FA will adapt to the risk of the person logging in. Do they look suspicious? Are they coming from a new location? Or have we seen them just the other day? If they're risky, prompt them for a 2FA code when they log in. But if they look normal, let them go straight in. (Some banks might use security questions instead. We won't, because those are too easy for attackers to guess!)

Continuous Authentication

Building on that, perhaps logging in to the bank and seeing an account balance is low risk, but transferring money is higher risk. So when users try to do that, they have to enter their password again. Or every 5 minutes they need to re-enter their password. We continuously make sure they're still authorized.

But since it's not adaptive, it adds a lot of friction. You're continuously annoying legitimate users, which leads to them choosing less secure passwords, or finding other ways around the security prompts.

Continuous, Adaptive Authentication

Combining the two, the bank will look at every action the user is making. And when something begins to look unusual, or the action is higher-risk, it chooses the best way to ensure the user really is who they say they are. Legitimate users go about their business without any friction. If you begin to look a little suspicious, you might need to re-enter your password when you head towards the money transfer page. If you seem quite suspicious, you have to enter a 2FA code. If you're super duper oh-my-gosh suspicious, you are immediately logged out, and your account is locked until you ring the bank.

Adaptive = taking action appropriate to the perceived risk of the actor, and the perceived risk of the action.
Continuous = do it all the time, not just on the login screen.

Achieve Continuous & Adaptive Authentication with ThisData

You can use ThisData to achieve adaptive continuous authentication right now. Here's how:

  • Sign up for a free ThisData account
  • Start sending events to ThisData with our API, or by using one of our pre-built libraries
  • Make your app listen for our webhooks
  • When we send a webhook about suspicious activity, don't wait for the user to respond
  • On their next request, ask them for a 2FA code.
  • If a user says "It Was Not Me" we'll send you another webhook, immediately log them out, and lock down their account!

If you do this, you've kept out of the way of your legitimate users, but you are continuously monitoring the risk and adaptively making it harder for attackers to compromise user accounts in proportion to that risk.
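Here is a sketch of the per-request decision for the banking example above. It is an added example, not ThisData's code or API: the webhook payload shape, the 0-100 risk scale, the thresholds and the action weights are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Step(IntEnum):
    NONE = 0        # no extra friction
    PASSWORD = 1    # re-enter the password
    TWO_FACTOR = 2  # enter a 2FA code
    LOCK = 3        # log out and lock the account

# Constructed action weights on a 0-100 scale (assumption, not ThisData values).
ACTION_RISK = {"view_balance": 0, "transfer_money": 30}

@dataclass
class Session:
    actor_risk: int = 0                         # 0 = normal, 100 = very suspicious
    locked: bool = False
    proven: dict = field(default_factory=dict)  # Step -> time it was proven

    def on_webhook(self, event: dict) -> None:
        """Apply a risk webhook. The payload shape here is hypothetical."""
        if event.get("type") == "not_me":       # user said "It Was Not Me"
            self.locked = True
        elif event.get("type") == "suspicious":
            self.actor_risk = max(self.actor_risk, int(event.get("risk", 70)))
            self.proven.clear()                 # proofs from before the alert no longer count

    def mark_proven(self, step: Step, now: float) -> None:
        self.proven[step] = now

    def required_step(self, action: str, now: float, ttl: float = 300.0) -> Step:
        """Called on every request: what must the user prove right now?"""
        if self.locked or self.actor_risk >= 90:
            return Step.LOCK
        # Unknown actions get the high-risk weight (fail closed).
        score = self.actor_risk + ACTION_RISK.get(action, 30)
        if score >= 70:
            need = Step.TWO_FACTOR
        elif score >= 50:
            need = Step.PASSWORD
        else:
            need = Step.NONE
        # A recent proof of an equal or stronger step satisfies the requirement.
        fresh = any(s >= need and now - t <= ttl for s, t in self.proven.items())
        return Step.NONE if fresh else need

if __name__ == "__main__":
    s = Session(actor_risk=30)                  # "a little suspicious"
    print(s.required_step("view_balance", 0).name, s.required_step("transfer_money", 0).name)
```

Clearing earlier proofs when a suspicious-activity webhook arrives is what makes the next request prompt for 2FA, even if the user entered their password a minute ago.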

What's next?

ThisData has a realtime API in private beta, which will mean: A) you have much more control over the "continuous" side of the process: you ask us what the current risk is and we tell you right away, without waiting for webhooks, and B) you have more room to decide how to adapt, because we return a real score which you can treat according to your needs.

We think this is going to be a game changer, and if you think so too, reach out to us and ask to get in on the beta!
