Wednesday, March 16, 2011

Stronger Authentication Isn't The Answer

It seems practically every day I hear the same question. “My company needs a strong form of authentication for users of our web applications but we don’t like the downsides of hardware tokens/smart cards/etc, what type of strong authentication is better?” The problem with this question is it’s generally based on the false assumption that adequate protection for web applications can be achieved by deployment of “strong” credential based authentication alone. Of course, I am not disparaging anyone asking this question since the underlying assumption has been engrained in us all and it’s been enforced by various regulations and corporate policies to boot. So what is the best answer to this question?

Let’s start by breaking this down a bit. To clarify, I am using the term “credential based” authentication to refer to all authentication forms that verify a user’s identity by asking them to provide a credential. It really doesn’t matter if the “credential” is a password, one time password, biometric (typing rhythm/fingerprint/hand veins/iris/etc), or something else, they are all really just different types of authentication credentials in the end. So if a company chooses to simply substitute one form of credential for another they are not really increasing their security by much when considering all the types of threats. Some types of credentials and flows are stronger than others but there are threats that can’t be prevented even by the strongest of these. As well, there are soft and hard costs with such a change so a business better be substantially increasing their security not just swapping apples for nicer apples.

Just a few of the threats that credential based authentication of any strength cannot address are insider fraud and session hijacking. How can a credential prevent an employee/contractor/user from misusing the access they have been granted? Likewise how can a credential prevent someone/something from taking control of a valid user’s session and misusing it? The reality is that credential based authentication and authorization alone simply can’t. To address such threats, contextual risk analysis must be part of the solution to be effective.

A solution must actively “watch” the entire context of an access request to see what a user does and see how far their current behavior varies from their past “normal” behavior and/or the past behavior of all users. A solution must “learn” from past incidents what fraud/misuse looks like and identify how closely a situation matches to these past incidents. Also, a solution should be able to proactively interdict if the risk of a situation becomes too high. This risk-based interdiction may employee forms of credential based authentication that are both easy to use and an appropriate strength for the resource and level of risk at that moment. As well, interdiction could take the form of dynamic authorization policy adjustments based on the level of risk. To summarize, a company that wants strong access security for their web applications must take a more holistic approach which includes contextual risk analysis, risk-based strong authentication and risk-based authorization controls.

No comments: