Implementing a Zero Trust policy… seamlessly, without passwords

Zero Trust Policy
Dallas Ray Smetter
Professional Services Consultant
April 06, 2023


Terms:
Level of Assurance (LOA)
Internet Protocol (IP)
Active Directory (AD)
Classless Inter-Domain Routing (CIDR)

Nearly all of us live in a digital landscape. Businesses, schools, home users, and those who use cellular phones and smart appliances depend on networks and the Internet to “do their business”. As that usage continues to grow, securing interactions and transactions across the wire has become paramount.

As it pertains to securing computer resources, explanations of “Zero Trust” are everywhere, so for this piece I’ll bank on the principle of “never trust, always verify.” But how does an organization implement a Zero Trust policy while maintaining a positive user experience and releasing users from password fatigue? Layering MFA push prompts on top of every process, application, and login no longer delivers elevated security. This, among many other outdated techniques, actually opens attack vectors (a user trained to approve every prompt will eventually approve an attacker’s) and creates a poor user experience.

Enter the Arculix Risk Engine.

The Arculix Risk Engine by SecureAuth, driven by biobehavioral AI/ML, can consider several pieces of user information, including but not limited to a visitor’s pre-shared phone number and email address, IP address, VPN status, recent speed of travel, and even the way they tend to slide their mouse across the pad. A combination of such required and optional signals is translated into a Level of Assurance (LOA) score. If a user’s LOA drops below a preset score because that fingerprint changes, step-up authentication can kick in and require more information from the user before their digital journey continues.

Arculix’s invisible multi-factor authentication (MFA) is a next-gen authentication method that removes the friction of traditional MFA factors such as SMS, email, and one-time codes for the user. Multiple factors are still used, but the checks occur behind the scenes without any interaction from the user. User behavior, proximity, previous authentication successes and failures, and phone, desktop, and browser hygiene and matching are all excellent data to point AI and machine learning toward; they significantly improve the security posture of the authentication layer while remaining completely invisible to the valid user and quite the opposite for nefarious actors. This not only strengthens security but provides a much better user experience and increases productivity. Invisible MFA is accomplished with an architecture that establishes device trust on the user’s device, making it the root of trust, combined with a behavior-based risk engine that continuously authenticates the user based on their level of assurance (LOA) score. The key here is that passwordless authentication should not be a one-time event but a continuous one that provides pre-authorization, at-authorization, and post-authorization capabilities.

Here, we look at three such use case scenarios:

  1. Arculix allows access to an application outright based upon group restrictions.
    • Automatically approves application access based on AD group membership.
  2. Arculix requires a high LOA score for highly sensitive access.
    • Denies access to an application when the LOA drops below a preset policy setting.
  3. Arculix notices cross-town movement and asks for step-up authentication.
    • Step-up (or, as configured below, deny) when the IP is no longer whitelisted (the user’s IP changed during the session to one that isn’t specifically whitelisted).

Users:
Abe Lincoln (alincoln@dallasdev.info) is in the group named ‘O365AllowGrp’
Grover Cleveland (gcleveland@dallasdev.info) is NOT in the group named ‘O365AllowGrp’

Scenario 1:

Acme Ltd. uses Google to host their email, but a small subset of employees need access to a simple, non-sensitive spreadsheet hosted at Microsoft 365.

Abe logs into Arculix and is presented with app icons which are bound to each respective target application.

[Screenshot: Arculix Interface]

When he clicks on the “Microsoft 365” tile, he’s immediately presented with a list of his documents and is ready to roll. No further authentication is necessary since his account is in the group flagged as “easy access”.

[Screenshot: Microsoft 365]

Grover
Grover logs into Arculix and is presented with app icons which are bound to each respective target application. Since he is not in the ‘O365AllowGrp’, he is not presented with the ‘Microsoft 365’ tile.

[Screenshot: Arculix Interface]

This app restriction applies even if Grover goes directly to Microsoft 365. In fact, if he does go direct and enters ‘gcleveland@dallasdev.info’ on the Microsoft side, he is redirected to Arculix and sees the following message:

[Screenshot: Arculix Sign in]

Scenario 2:

Senior management personnel at Acme Ltd. are charged with reviewing and updating sensitive business information in a custom app, ‘C-Level (Sensitive)’. Because of the delicate content within this app, Acme Ltd.’s Arculix administrators have set a policy that requires an LOA score of at least 3.7 (out of 4) to access it.

Grover (gcleveland@dallasdev.info) should be able to access this application, but his current LOA is 3.6. When he clicks the app tile, he is denied access since his score doesn’t meet the preset access level.

Grover’s Current LOA:

[Screenshot: Audit Log Details]

Grover’s audit logs show the denial, recorded as an LOA below the required threshold:

[Screenshot: Arculix Audit Logs]

The administrators realize that, although the content within the app is classified, the LOA threshold is higher than necessary, and decide to relax it to a minimum score of 3.5.

After applying that policy, Grover attempts to log in to the app again and is granted access.

[Screenshot: Arculix Risk Score]

Scenario 3:

To further the security posture of Acme Ltd., a policy has been added that should only allow access to the ‘C-Level’ application from company headquarters in Dallas, TX. The Internet connection at this office has a static public IP address of 212.102.40.150.

[Screenshot: Geo Location]

Now, each appropriate user who has an adequate LOA and is coming from the static IP of the Dallas office still gains access to the ‘C-Level’ application.

Now notice what happens when Grover, whose LOA is still good, tries to access the application while vacationing at South Padre Island, TX. The hotel Wi-Fi gives Grover a public IP address of 70.115.163.133.

[Screenshot: Geo Location]

When he attempts to access the application, the authentication is denied, since Grover is no longer at the office and is not coming from the approved IP address.

[Screenshot: Arculix Mobile]

Grover returns from vacation, goes to work in the Dallas, TX office, and attempts to access the “C-Level” application. Since he now comes from the preset IP address, access is granted.

[Screenshot: Arculix Mobile]
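The three scenarios above boil down to a policy evaluated against a context of user, LOA score and source address, and re-evaluated whenever that context changes. The following Python is an added worked example, not Arculix’s code or API: the LOA score is taken as an input (its computation is the vendor’s own risk model), the group directory is a constructed dictionary standing in for AD, and the Dallas office address is expressed as a /32 in CIDR notation so the same check generalizes to whole office ranges. It also shows the step-up variant from the use-case list (an IP change mid-session triggering a second decision) alongside the outright denial shown in the screenshots.

```python
"""Added example: a policy evaluator reproducing the three Arculix scenarios.
Illustrative only; LOA is an input, GROUPS is a constructed stand-in for AD."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
import ipaddress

# Group membership exactly as stated in the post (constructed directory data).
GROUPS: Dict[str, Set[str]] = {
    "alincoln@dallasdev.info": {"O365AllowGrp"},
    "gcleveland@dallasdev.info": set(),
}


@dataclass(frozen=True)
class AppPolicy:
    name: str
    required_group: Optional[str] = None   # Scenario 1: outright allow by AD group
    min_loa: float = 0.0                   # Scenario 2: minimum LOA on a 0..4 scale
    allowed_cidrs: Tuple[str, ...] = ()    # Scenario 3: source networks in CIDR form
    off_network_action: str = "deny"       # "deny" (as in the screenshots) or "step_up"


@dataclass(frozen=True)
class Context:
    user: str
    loa: float
    source_ip: str


def visible_apps(user: str, policies: List[AppPolicy]) -> List[str]:
    """Tiles the portal shows: apps with no group gate, or whose gate the user passes."""
    groups = GROUPS.get(user, set())
    return [p.name for p in policies
            if p.required_group is None or p.required_group in groups]


def evaluate(policy: AppPolicy, ctx: Context) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'deny' or 'step_up'.
    The reason string is what an audit log entry would carry."""
    if policy.required_group and policy.required_group not in GROUPS.get(ctx.user, set()):
        return "deny", f"{ctx.user} is not a member of {policy.required_group}"
    if ctx.loa < policy.min_loa:
        return "deny", f"LOA {ctx.loa:.1f} is below the required {policy.min_loa:.1f}"
    if policy.allowed_cidrs:
        ip = ipaddress.ip_address(ctx.source_ip)
        on_network = any(ip in ipaddress.ip_network(c, strict=False)
                         for c in policy.allowed_cidrs)
        if not on_network:
            return policy.off_network_action, f"{ctx.source_ip} is outside the allowed networks"
    return "allow", "all policy conditions satisfied"


def reevaluate_session(policy: AppPolicy, ctx: Context, observed_ips: List[str]) -> List[str]:
    """Continuous authentication: re-run the policy on each source-IP change in a session."""
    return [evaluate(policy, Context(ctx.user, ctx.loa, ip))[0] for ip in observed_ips]


def run_scenarios() -> Dict[str, object]:
    m365 = AppPolicy("Microsoft 365", required_group="O365AllowGrp")
    c_level_strict = AppPolicy("C-Level (Sensitive)", min_loa=3.7)
    c_level_relaxed = AppPolicy("C-Level (Sensitive)", min_loa=3.5)
    c_level_office = AppPolicy("C-Level (Sensitive)", min_loa=3.5,
                               allowed_cidrs=("212.102.40.150/32",))
    c_level_stepup = AppPolicy("C-Level (Sensitive)", min_loa=3.5,
                               allowed_cidrs=("212.102.40.150/32",),
                               off_network_action="step_up")
    abe = Context("alincoln@dallasdev.info", loa=4.0, source_ip="212.102.40.150")
    grover_office = Context("gcleveland@dallasdev.info", loa=3.6, source_ip="212.102.40.150")
    grover_hotel = Context("gcleveland@dallasdev.info", loa=3.6, source_ip="70.115.163.133")
    return {
        "abe_tiles": visible_apps(abe.user, [m365, c_level_strict]),
        "grover_tiles": visible_apps(grover_office.user, [m365, c_level_strict]),
        "grover_direct_to_m365": evaluate(m365, grover_office)[0],
        "grover_loa_3.7": evaluate(c_level_strict, grover_office)[0],
        "grover_loa_3.5": evaluate(c_level_relaxed, grover_office)[0],
        "grover_hotel": evaluate(c_level_office, grover_hotel)[0],
        "grover_back_at_office": evaluate(c_level_office, grover_office)[0],
        # Mid-session move from the office to the hotel under the step-up variant.
        "session_ip_change": reevaluate_session(
            c_level_stepup, grover_office, ["212.102.40.150", "70.115.163.133"]),
    }


if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(f"{label}: {result}")
```

Two details worth keeping when building a policy like this for real: check the group gate before anything else so a non-member never learns whether their LOA or network would have passed, and feed the reason string into the audit log, because a denial that only says “denied” (rather than “LOA 3.6 below 3.7”) is exactly what made the threshold review in Scenario 2 possible.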

These examples are just the tip of the iceberg. A well-thought-out passwordless Arculix implementation, leveraging its risk engine and continuous authentication in combination with administrator-defined policies, can allow organizations to achieve a best-in-class security posture while giving end users the least amount of friction. As shown above, Arculix is built on the Zero Trust premise that your credentials today, and those you have yet to create, have already been compromised. Your identity should not simply be based on a password, a one-time token, or only your biometrics, but on a combination of your digital DNA and behavior.

About Dallas Ray Smetter

Dallas Ray Smetter is a Professional Services Consultant at SecureAuth. He is responsible for architecting and implementing next-gen authentication and access management for enterprises and large organizations worldwide. He has more than 20 years of expertise in strategy and implementation for enterprise project management. Previously, he held positions as IT Director of San Benito CISD, Solutions Engineer at Identity Automation and IT Specialist / Computer Science Teacher at South Texas ISD. He is a U.S. Army infantry veteran and earned his M.Ed. in Educational Technology from the University of Texas, Brownsville, and a BS in Communication Disorders from the University of Nebraska at Lincoln. Dallas holds several technical certifications such as Microsoft Systems Engineer and Systems Administrator.
