Security teams have a tough time finding ways to increase security that don’t create a lot of whining and complaining from their end users. You can put users through training, and you can explain how clever, well-funded and persistent the bad guys are, but they quickly forget and fall back into old bad habits. Most employees don’t think of security as their priority, especially at the end of the month when there are orders to process, calls to make, or services to deliver.
Traditional security strategy encourages multiple layers of security – since adding additional security checks forces attackers to defeat multiple systems in order to break in and do their mischief. Defeating multiple systems is not impossible, just harder – so the odds are in your favor when you have multiple layers.
This “more is better” thinking can quickly get out of hand, however, if the additional security precautions rely on your users to participate in the active defense. For example, “strong” passwords that mix letters, numbers and special characters are good, but making those passwords 10 characters long is probably more than a typical user can remember. Then ask them to change their password monthly, and you will start to see creative memory aids appear, typically in the form of yellow sticky notes.
Now add another layer of security: give them a hardware token for their keychain that generates a one-time PIN code. This is a very effective second factor, assuming the user has the token with them and doesn’t lose it. Your overall access security has improved, but so has the burden on your end user. What if you could add a second factor that didn’t require the end user to do anything?
At SecureAuth, we think about this problem a lot, so we offer a variety of second factors that don’t require your end user to do any extra work. For example, we can register the endpoint device they are logging in from, so that we recognize the device on subsequent logins. We can also store the physical location of a previous login and compare it to subsequent attempts. Do your users move around? Sure they do. So if the login location changes, we do a quick check of the time elapsed and the distance between the two logins, and can determine whether that change in location is an improbable travel event. We can check the IP address the user is logging in from, and decline anyone coming from a known bad IP (botnet, Tor exit node, blacklisted address, etc.). We can record and store a behavioral profile based on the user’s typing speed and mouse movements, behaviors which are unique to specific individuals, and use it to verify the identity of the user. No single one of these signals proves who the user is; each is a piece of context that feeds the risk decision described next.
All of these techniques are security layers that collect context about the individual. That context lets your organization make a real-time decision to allow the login, to step up the login by requiring a one-time PIN code, or to decline the request altogether. We call this Adaptive Access Control, because we adapt the login requirements to the amount of risk detected. Users doing routine work are not asked to verify their identity, whereas high-risk behavior is challenged with a second factor.
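As an added illustration (example code written for this page, not SecureAuth’s own implementation), here is a small Python policy that combines three of the signals above: a registered-device check, an improbable-travel check using the elapsed time and great-circle distance between logins, and an IP deny list. The typing-speed and mouse-movement profile is left out because it needs a trained model. The user and device names, IP ranges, coordinates, the 900 km/h threshold and the point weights are all constructed assumptions.

```python
# Added example (not SecureAuth code): a minimal adaptive access control
# decision built from the context signals described above. All thresholds,
# addresses, names and coordinates below are constructed for illustration.
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed deny list standing in for a botnet/Tor/blacklist feed
# (RFC 5737 documentation range, never routed on the Internet).
BLOCKED_NETWORKS = [ip_network("198.51.100.0/24")]

# Fastest plausible legitimate movement between two logins (roughly an
# airliner). Anything faster is treated as an improbable travel event.
MAX_PLAUSIBLE_KMH = 900.0


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    device_id: str   # identifier of the registered endpoint device
    lat: float       # geolocation of the login (e.g. from IP geolocation)
    lon: float
    ip: str
    at: datetime     # timezone-aware timestamp


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two lat/lon points."""
    r = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def is_improbable_travel(prev: LoginAttempt, cur: LoginAttempt,
                         max_kmh: float = MAX_PLAUSIBLE_KMH) -> bool:
    """True if the user would have had to move faster than max_kmh to get
    from the previous login location to this one."""
    distance_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.at - prev.at).total_seconds() / 3600.0
    # Clamp to one minute so two same-timestamp logins from different
    # continents are flagged instead of dividing by zero.
    hours = max(hours, 1.0 / 60.0)
    return distance_km / hours > max_kmh


def is_blocked_ip(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in BLOCKED_NETWORKS)


def assess_login(attempt: LoginAttempt, known_devices: dict[str, set[str]],
                 last_login: LoginAttempt | None) -> tuple[str, list[str]]:
    """Return ("allow" | "step_up" | "deny", reasons).

    Constructed policy: a blocked source IP is denied outright; an
    unrecognized device adds 1 risk point and improbable travel adds 2;
    0 points allows, 1-2 points requires a one-time PIN, 3 points denies.
    """
    if is_blocked_ip(attempt.ip):
        return "deny", ["source IP on deny list"]
    score, reasons = 0, []
    if attempt.device_id not in known_devices.get(attempt.user, set()):
        score += 1
        reasons.append("unrecognized device")
    if last_login is not None and is_improbable_travel(last_login, attempt):
        score += 2
        reasons.append("improbable travel since last login")
    if score == 0:
        return "allow", reasons
    if score >= 3:
        return "deny", reasons
    return "step_up", reasons


# Constructed sample data: a user whose laptop is registered and who last
# logged in from New York at 09:00 UTC.
UTC = timezone.utc
KNOWN_DEVICES = {"alice": {"laptop-7f3a"}}
LAST_LOGIN = LoginAttempt("alice", "laptop-7f3a", 40.7128, -74.0060,
                          "203.0.113.10", datetime(2024, 1, 1, 9, 0, tzinfo=UTC))


def demo() -> dict[str, str]:
    """Run the policy over a few constructed attempts one hour later."""
    t = datetime(2024, 1, 1, 10, 0, tzinfo=UTC)
    cases = {
        "same_device_same_city": LoginAttempt("alice", "laptop-7f3a", 40.7306, -73.9352, "203.0.113.11", t),
        "new_device_same_city": LoginAttempt("alice", "phone-c21d", 40.7306, -73.9352, "203.0.113.12", t),
        "same_device_london": LoginAttempt("alice", "laptop-7f3a", 51.5074, -0.1278, "203.0.113.13", t),
        "new_device_london": LoginAttempt("alice", "phone-c21d", 51.5074, -0.1278, "203.0.113.14", t),
        "same_device_blocked_ip": LoginAttempt("alice", "laptop-7f3a", 40.7306, -73.9352, "198.51.100.7", t),
    }
    return {name: assess_login(a, KNOWN_DEVICES, LAST_LOGIN)[0] for name, a in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} -> {decision}")
```

Running the file prints one decision per constructed case: the routine login is allowed, a new device or a New York to London hop in one hour triggers a step-up, both together are denied, and a deny-listed source address is refused before any scoring. The device identifier and geolocation are themselves inputs an attacker may influence (a copied device cookie, a VPN exit near the victim), which is why the policy treats them as risk points to be weighed rather than as proof of identity.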
Will your users love you? We think so.
Do end users want to do the right thing? Yes, but if you make it easier, you won’t have to rely on their good behavior to protect the security of your business.
Learn more about SecureAuth™ IdP – Adaptive Authentication