Protecting the information system (IS) has become all the more difficult now that it no longer stops at the company's doors. In response, security is shifting its approach towards the user and towards stronger authentication methods (multi-factor authentication, or MFA). But requiring MFA systematically risks degrading user comfort. So how do you ensure security while maintaining a good user experience? Risk-based adaptive MFA (AMFA) is the key to addressing this issue.
Until recently, companies mainly protected their information system with perimeter-based security: a barrier is erected around the infrastructure to keep attackers out of the IS. But once inside, anything goes.
This model no longer holds up today, because the notion of a perimeter is becoming diffuse:
- More and more Cloud applications are used, whether provided by publishers of SaaS tools or developed internally by the company;
- More and more third-party partners connect to the organization's applications, which are often deployed in the Cloud;
- Company employees connect to the IS from outside more and more regularly, for example when teleworking.
To adapt to this paradigm shift, security is focusing on a new perimeter: the user. The user is recognized through an authentication process that was traditionally based on entering an identifier and a password. This process is not secure, however: a wide range of attacks has been developed to break it. Companies may run awareness sessions or tighten password rules, but it is not enough: 80% of security breaches are due to compromised credentials.
MFA, for secure authentication
MFA. Behind these three letters is one of the most reliable authentication methods available today: Multi-Factor Authentication. It combines information from different aspects of a user's identity:
- What he knows: password, secret phrase, PIN code, answer to a question, etc.
- What he has: badge, card, security token, mobile phone, etc.
- What he is: fingerprint, retina, face, voice, etc.
For the system to be effective, it is necessary to request several authentication factors coming from different categories.
The benefits of this approach are now recognized, and regulations are pushing for the widespread use of multi-factor authentication. It has thus become mandatory under the PCI DSS standard, the DSP2 and NIS directives, and the LPM military programming law.
It should be noted that biometric factors are not yet widespread, because the underlying technology is complex to deploy.
In addition, care must be taken to select the authentication factors according to the sensitivity of the resource the user is trying to reach.
Indeed, authentication factors are not equal in terms of security. For example, a one-time code received by SMS is less secure than a physical token, since the SMS travels over the mobile network and is vulnerable to several types of attack (SIM cloning, number porting, etc.). Likewise, when the workstation used for the connection is not under the company's control (BYOD, for example), stricter security requirements should apply.
Here are some classic examples of using multi-factor authentication:
- Access to a SaaS service such as Office 365, where the password is supplemented by a software token (such as Google Authenticator) or a hardware token (for example an RSA SecurID key).
- An alternative or complement to a VPN when connecting remotely to the company's IS, again with a password and a hardware token.
- A password change, where the system asks for the old password (factor 1) and a one-time code sent by SMS (factor 2).
Adaptive MFA: less restrictive, but still just as secure
Multi-factor authentication can become too intrusive and degrade the user experience. The solution is to adapt it to the context.
A well-known example is that of banking sites. The user only needs to enter his username and password to log in and view the status of his accounts.
However, when he wants to carry out a banking operation such as a transfer, the system asks him for a second authentication factor: for example, a one-time code received by SMS, or a code generated by a physical device.
The double factor is therefore not systematically required at connection.
The risk is assessed according to the context and determines whether one, two or three authentication factors are requested. Returning to our previous example, if the connection is made from a device unknown to the bank, from a foreign country or at an unusual time, the second factor is requested from the outset.
It is possible to go a step further by monitoring the user's session in real time. This makes it possible to learn his habits: how he uses the keyboard and mouse, how he navigates the menus. This is behavioral biometrics. If the user deviates from his usual way of doing things, the system immediately asks him for a new factor.
And if the level of risk becomes too high, and the fraud pattern too obvious, it will be possible to simply end the session.
With adaptive multi-factor authentication, the system adjusts authentication requirements based on requested action and user behavior.
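As an added illustration (not code from the original article), the following Python sketch implements the two decisions described above: a contextual risk score at login that maps to one, two or three factors, and an in-session behavioral check that steps up or terminates. The signal weights, thresholds and the 0..1 deviation score are assumptions, and the profile and login contexts are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class UserProfile:
    known_devices: frozenset   # device identifiers the bank has seen before
    home_country: str
    usual_hours: range         # local hours at which the user normally connects

@dataclass(frozen=True)
class LoginContext:
    device_id: str
    country: str
    hour: int                  # local hour of the day, 0-23
    action: str                # "view_accounts" or "transfer"

# Hypothetical weights: a real deployment tunes these from its own fraud data.
WEIGHTS = {"unknown_device": 40, "foreign_country": 30,
           "unusual_hour": 20, "sensitive_action": 30}

def risk_signals(ctx: LoginContext, profile: UserProfile) -> list:
    """Return the names of the contextual signals that raise the risk of this request."""
    signals = []
    if ctx.device_id not in profile.known_devices:
        signals.append("unknown_device")
    if ctx.country != profile.home_country:
        signals.append("foreign_country")
    if ctx.hour not in profile.usual_hours:
        signals.append("unusual_hour")
    if ctx.action == "transfer":
        signals.append("sensitive_action")
    return signals

def required_factors(ctx: LoginContext, profile: UserProfile) -> int:
    """Map the summed risk score to the number of factors to request (1, 2 or 3)."""
    score = sum(WEIGHTS[s] for s in risk_signals(ctx, profile))
    if score >= 80:
        return 3
    if score >= 30:
        return 2
    return 1

def session_decision(deviation: float) -> str:
    """Behavioral-biometrics hook. 'deviation' is an assumed 0..1 score of how far the
    keyboard, mouse and navigation patterns stray from the user's learned baseline."""
    if deviation >= 0.8:
        return "terminate"     # fraud pattern too obvious: end the session
    if deviation >= 0.4:
        return "step_up"       # ask the user for a new factor immediately
    return "continue"
```

A routine login from a known device at a usual hour yields a single factor, a transfer from the same device yields two, and an unknown device abroad at night yields three.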
A technology that is becoming widespread … and getting stronger
Multi-factor authentication is spreading very quickly because it has become much simpler to deploy, in particular with the arrival of suitable SaaS solutions that remove the need to set up a complex infrastructure, and all at an affordable cost.
The use of behavioral analysis is also becoming widespread. Machine learning and artificial intelligence strengthen fraud detection systems and help identify deviant usage, technologies that are likewise spreading rapidly through the Cloud.