Best Practices for Adaptive Authentication

April 10, 2019

This is part four in a series of four posts on adaptive authentication and the KuppingerCole Leadership Compass Report. You can read the other posts as they are available here, here, and here.

Today is our last blog post in our series on the KuppingerCole Leadership Compass for Adaptive Authentication 2018 report. So far we’ve talked about the benefits of adaptive authentication, evaluating solutions for your organization, and how adaptive authentication functions during an attack. We’ve also recently talked about why SecureAuth was named a market leader for SecureAuth IdP, which the report called a “compelling product with their broad support of authenticators, granular risk engine, and threat intelligence utilization.”

Hopefully by now you realize how much adaptive authentication can be an asset to your organization’s security. Today we want to share some best practices to ensure you get the most from your solution.

The point of adaptive authentication is to provide seamless access to legitimate users while blocking malicious users, using context-based workflows that include risk analysis. Adopting the right risk checks is vital, but keep in mind that these checks should also be quite imperceptible, providing for a frictionless user experience.

With that in mind, consider these best practices:

  • Balance verification with user convenience. Context is king. Your employees might not be prompted for credentials when using their laptop in the company facility, but need to complete multi-factor authentication (MFA) the first time they work from home. Adaptive authentication can recognize their home network and allow them to skip MFA after that.
  • Use adaptive authentication across the enterprise and eliminate multiple security solutions. Adopting a patchwork approach to adaptive authentication will only increase both cost and complexity. Instead, consider dispensing with multiple disparate solutions. You’ll simplify the user experience and reduce password fatigue, while cutting costs.
  • Use a solution that can detect authentication attempts from command and control (C2) servers and botnets. According to the 2015 Verizon Data Breach Report, 84.13% of crimeware or malware uses C2 infrastructure. In fact, 15.87% of ALL attacks involved C2. By identifying authentication attempts from these servers, you can escalate workflow requirements and block a large percentage of malicious users.
  • Use your threat service to detect and mitigate anonymity networks. A SecureAuth study found that 94.59% of all attacks involve anonymity networks such as Tor and come from repeat offenders. Using a threat service to detect and mitigate attacks from anonymity networks inhibits attackers.
  • Optimize risk evaluation order for your environment. This requires some knowledge of your network topology and the threats you may be facing. A consumer-facing portal may receive a lot of anonymous and bot traffic, so running threat service checks first removes that traffic before any other risk evaluation considers it. This can reduce overhead on other resources, such as your data store.
  • Use entitlement risk for vigilance around highly privileged credentials. Another way to calculate user risk is considering their level of access, a concept known as entitlement risk. A financial services manager might have a high entitlement risk score based on their access to customer funds, while a marketing assistant could have a low entitlement risk score. If the assistant’s account was given access to customer funds, the software would escalate to a higher entitlement risk score, which you could use to step up authentication requirements or deny access.
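As an added illustration of the evaluation-order, home-network and entitlement-risk practices above (example code written for this post, not SecureAuth IdP's implementation): a minimal adaptive-authentication pipeline in Python. The threat feed, users, networks and entitlement names are all constructed, and the check functions and `evaluate` are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass

# Constructed threat feed (documentation ranges, not real indicators):
# anonymity-network exits and C2 addresses.
ANONYMITY_EXITS = [ipaddress.ip_network("203.0.113.0/24")]
C2_ADDRESSES = {ipaddress.ip_address("198.51.100.7")}
# Constructed directory data: recognised networks and entitlements per user.
KNOWN_NETWORKS = {"alice": [ipaddress.ip_network("192.0.2.0/24")]}
ENTITLEMENTS = {"alice": {"crm-read"}, "bob": {"crm-read", "customer-funds"}}
HIGH_RISK_ENTITLEMENTS = {"customer-funds"}  # the post's "access to customer funds"

@dataclass
class Request:
    user: str
    source_ip: str
    mfa_completed: bool = False

def threat_service(req):
    """Check 1, cheapest and first: drop C2/anonymity traffic before any lookup."""
    ip = ipaddress.ip_address(req.source_ip)
    return "deny" if ip in C2_ADDRESSES or any(ip in n for n in ANONYMITY_EXITS) else "pass"

def network_context(req):
    """Check 2: a recognised network needs no step-up; an unknown one does."""
    ip = ipaddress.ip_address(req.source_ip)
    return "pass" if any(ip in n for n in KNOWN_NETWORKS.get(req.user, [])) else "step_up"

def entitlement_risk(req):
    """Check 3: highly privileged entitlements always require MFA."""
    return "step_up" if ENTITLEMENTS.get(req.user, set()) & HIGH_RISK_ENTITLEMENTS else "pass"

CHECKS = [threat_service, network_context, entitlement_risk]  # evaluation order

def evaluate(req):
    """Return (decision, checks_run): deny short-circuits, step-up waits for all checks."""
    ran, needs_mfa = [], False
    for check in CHECKS:
        ran.append(check.__name__)
        verdict = check(req)
        if verdict == "deny":
            return "deny", ran  # later, costlier checks never run
        needs_mfa = needs_mfa or verdict == "step_up"
    if needs_mfa and not req.mfa_completed:
        return "step_up", ran
    return "allow", ran

def remember_network(req, prefix=24):
    """After a successful MFA, learn the network so the user skips MFA there next time."""
    net = ipaddress.ip_network(f"{req.source_ip}/{prefix}", strict=False)
    KNOWN_NETWORKS.setdefault(req.user, []).append(net)
```

Reordering `CHECKS` changes which lookups a denied request triggers, which is the overhead the evaluation-order practice is about.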

If you’re curious about our best practice recommendations for SecureAuth in particular, we’ve created a guide that explains how specific adaptive authentication risk checks are implemented in SecureAuth IdP. We also provide our recommendations for configuring them in “Adaptive Authentication Risk Checks” starting on page 4.

Watch KuppingerCole’s March 21 Webinar

If you want more details on how adaptive authentication can strengthen your security, consider watching a replay of the March 21 webinar with John Tolbert of KuppingerCole titled “Mitigate Identity-Related Breaches in the Era of Digital Transformation.” Watch now!
