Question: If you’re going to federate my identity around the world, how are you going to know when it’s really me logging in?
IT Answer: That’s not my problem. The problem I solve is how to get the identity around to all these worldwide sites. Assuring it’s actually the authorized user is someone else’s problem.
“Our system knows who is logging in before they’re in,” said Craig Lund, CEO of SecureAuth. “Access Control should include bringing in seeds from potential threats. If a login attempt is coming from a city in Russia or a known bad URL, we divert them and don’t allow them to even attempt authentication.”
Authentication can only be three things…
- Something you know – password or key
- Something you have – token or card
- Something you are – fingerprint or other biometric
Most organizations use one factor, such as login and password, which are compared to a directory. Some use two factors. Even banks are happy with two-factor authentication – PIN and card.
SecureAuth began life as Multi-Factor Authentication Inc., with an objective to develop a browser-based alternative to user name/directory and token.
“When we asked customers what they wanted help with, their problem was giving access to various pieces of information and resources, not all of which are sitting behind the firewall,” Lund said. “Our customers told us they wanted us to integrate into a single solution to MS Exchange Server behind Juniper, and SharePoint, and redirect out to Salesforce.com or Google apps.”
The problem to solve was a combination of two factor authentication and single sign-on (SSO).
The next challenge is mobile – giving access to those same things from a phone.
Cloud single sign-on has been led by a frictionless user experience at the expense of security, using protocols like SAML and OpenID.
“We felt it got away from security and access control,” said Lund. “We’re a security company, and then the Target breach changed everyone’s mindset back to ‘preventing misuse of valid credentials to access your resources’. Security and real access control became sexy and important.”
With the cloud SSO user experience and single login, lack of user friction is obviously key. The goal is to develop more, better, stronger access authentication solutions.
Many attacks start with misuse of a valid credential that’s somehow been compromised via social engineering. Yet organizations are still very slow to put real access control around significant resources.
“We believe that access is about context,” Lund said. “Whatever the situation is, the individual is a dynamic individual – even retina scan or thumbprint can be compromised.”
To evaluate a login attempt and authorize the user, SecureAuth examines…
- Login name
- Biometric identification
- How User X typically behaves
- What his typical geolocations and login velocities are
For example, if User X normally logs in from the GTA and suddenly now he’s logged in from China, it may not be a legitimate login. So let’s ask him to re-authenticate.
Or maybe he got a new phone not yet recognized. Authentication can involve taking the overall context. Even Facebook identities can be used as a piece of a dynamic authentication puzzle, especially if it comes from the same iPhone User X always uses. If that’s the case, User X is allowed in.
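The article describes three checks that feed one decision: a threat-seed gate that turns a request away before a password is ever examined, an impossible-travel test on User X's geolocation and velocity, and a flag for a phone not yet recognized. The following is an added example of that decision flow, written for this page; it is not SecureAuth's code. The blocked cities and referrers, the 1000 km/h travel ceiling, the coordinates and the device identifiers are all constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set, Tuple

# Constructed threat seed (placeholders, not real indicators): sources the gate
# turns away before a password is ever checked, as the article describes.
BLOCKED_CITIES = {"placeholder-blocked-city"}
BLOCKED_REFERRERS = {"bad.example"}

# Assumption: anything faster than a commercial flight counts as impossible travel.
MAX_PLAUSIBLE_KMH = 1000.0


@dataclass
class LoginAttempt:
    username: str
    city: str
    lat: float
    lon: float
    when: datetime
    device_id: str
    referrer: Optional[str] = None


@dataclass
class UserBaseline:
    """What the service remembers about User X from previous successful logins."""
    last_city: str
    last_lat: float
    last_lon: float
    last_when: datetime
    known_devices: Set[str] = field(default_factory=set)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two points on a 6371 km sphere."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def velocity_kmh(baseline: UserBaseline, attempt: LoginAttempt) -> float:
    """Speed the user would have needed to get from the last login to this one."""
    dist = haversine_km(baseline.last_lat, baseline.last_lon, attempt.lat, attempt.lon)
    hours = (attempt.when - baseline.last_when).total_seconds() / 3600.0
    if hours <= 0:
        # Same instant (or clock skew): any real displacement is implausible.
        return float("inf") if dist > 1.0 else 0.0
    return dist / hours


def pre_auth_gate(attempt: LoginAttempt) -> bool:
    """Threat-seed check that runs before any credential is examined."""
    if attempt.city in BLOCKED_CITIES:
        return False
    if attempt.referrer is not None and attempt.referrer in BLOCKED_REFERRERS:
        return False
    return True


def evaluate(attempt: LoginAttempt, baseline: UserBaseline) -> Tuple[str, List[str]]:
    """Return ("deny" | "step_up" | "allow", reasons) for one login attempt."""
    if not pre_auth_gate(attempt):
        return "deny", ["blocked_source"]
    reasons: List[str] = []
    if velocity_kmh(baseline, attempt) > MAX_PLAUSIBLE_KMH:
        reasons.append("impossible_travel")
    if attempt.device_id not in baseline.known_devices:
        reasons.append("new_device")
    return ("step_up" if reasons else "allow"), reasons


def demo():
    """Constructed scenarios mirroring the article's User X; returns the decisions."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    # Baseline: User X last logged in from Toronto (GTA) on his usual phone.
    toronto = UserBaseline("Toronto", 43.65, -79.38, t0, {"phone-usual"})
    cases = {
        # Same phone, Ottawa five hours later: a drive, nothing unusual.
        "commute": LoginAttempt("userx", "Ottawa", 45.42, -75.70, t0 + timedelta(hours=5), "phone-usual"),
        # Same phone, Beijing two hours later: nobody travels that fast.
        "teleport": LoginAttempt("userx", "Beijing", 39.90, 116.40, t0 + timedelta(hours=2), "phone-usual"),
        # Ottawa, but on a handset never seen before: ask him to re-authenticate.
        "new_phone": LoginAttempt("userx", "Ottawa", 45.42, -75.70, t0 + timedelta(hours=5), "phone-new"),
        # Referred from a known-bad host: turned away before authentication.
        "bad_source": LoginAttempt("userx", "Toronto", 43.65, -79.38, t0 + timedelta(hours=1), "phone-usual", "bad.example"),
    }
    return {name: evaluate(a, toronto) for name, a in cases.items()}


if __name__ == "__main__":
    for name, (decision, why) in demo().items():
        print(f"{name:10s} -> {decision:7s} {why}")
```

The gate runs first because a request from a blocked source never deserves a password comparison; the velocity and device checks only raise the bar to a step-up rather than denying outright, since a new phone or a genuine trip is a normal event that a second factor can resolve.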
Dynamic authentication is more concerned with context than with typical user name and password. Lund managed to convince Gartner that authentication is the same as web access, and the categories belong together.
Next up is adding how a user uses his or her phone, so that each user is as individual as a snowflake. SecureAuth is putting together some portals which, when fully deployed, will have over 1 million users accessing them. Currently no enterprise can control all clients and endpoints.
“The phones give so much accurate data now – how you hold the phone, how you walk, and your typing patterns,” said Lund. “Behavioral aspects – gait, motion, typing, even how you hold your phone become a recognizable pattern unique to you. By doing it that way there’s nothing we put on the phone. It’s just too hard to manage when you’re installing endpoint agents on huge scales. We also don’t collect any user identifiable data, because we don’t want to hold it and become a target ourselves.”
Better than a MAC address are the different applications and settings a person puts on their phone. All of that is 100% unique. It can be more accurate than a MAC address, because bad guys have figured out how to spoof those and reuse them.
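Two constraints from the passage above shape how such a fingerprint would be stored: the set of apps and settings has to identify a handset even as it drifts over time, and the service is not supposed to hold user-identifiable data. The following is an added example, not SecureAuth's implementation, that hashes each attribute under a per-deployment salt and compares the enrolled and observed token sets with a Jaccard similarity. The salt, the 0.8 threshold and the app and setting names are constructed assumptions.

```python
import hashlib
from typing import Dict, Iterable, Set

# Assumption: a per-deployment secret salt, so tokens cannot be precomputed or
# correlated across services. Constructed value, not from the page.
TENANT_SALT = b"constructed-tenant-salt"

# Assumption: how far the observed fingerprint may drift from the enrolled one
# (apps get installed and removed) while still counting as the same handset.
MATCH_THRESHOLD = 0.8


def _token(kind: str, value: str) -> str:
    """Keyed hash of one attribute; the server keeps tokens, never raw names."""
    digest = hashlib.sha256(TENANT_SALT + kind.encode() + b"\x00" + value.encode())
    return digest.hexdigest()[:16]


def fingerprint(apps: Iterable[str], settings: Dict[str, str]) -> Set[str]:
    """Set of hashed tokens describing installed apps and user-chosen settings."""
    tokens = {_token("app", a) for a in apps}
    tokens |= {_token("setting", f"{k}={v}") for k, v in settings.items()}
    return tokens


def similarity(a: Set[str], b: Set[str]) -> float:
    """Jaccard similarity: shared tokens over all tokens seen on either side."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def device_matches(enrolled: Set[str], observed: Set[str]) -> bool:
    """True when the observed handset is close enough to the enrolled one."""
    return similarity(enrolled, observed) >= MATCH_THRESHOLD


def demo():
    """Constructed enrollment and two later observations; returns similarities."""
    usual_apps = ["mail", "maps", "banking", "music", "camera",
                  "notes", "weather", "calendar", "photos", "browser"]
    usual_settings = {"locale": "en-CA", "tz": "America/Toronto", "font_scale": "1.0"}
    enrolled = fingerprint(usual_apps, usual_settings)
    # Same phone a month later: one app added, settings unchanged.
    same_phone = fingerprint(usual_apps + ["podcasts"], usual_settings)
    # A different handset that happens to share three common apps.
    other_phone = fingerprint(["mail", "maps", "browser", "games"],
                              {"locale": "en-US", "tz": "America/New_York", "font_scale": "1.2"})
    return {
        "same_phone": similarity(enrolled, same_phone),
        "other_phone": similarity(enrolled, other_phone),
        "enrolled_tokens": enrolled,
    }


if __name__ == "__main__":
    result = demo()
    print(f"same phone  : {result['same_phone']:.3f} match={result['same_phone'] >= MATCH_THRESHOLD}")
    print(f"other phone : {result['other_phone']:.3f} match={result['other_phone'] >= MATCH_THRESHOLD}")
```

Because the comparison is set-based rather than an exact hash of the whole profile, installing one more app moves the score only slightly, while a different handset that shares a few popular apps scores low; the stored tokens reveal neither the app names nor the settings if the database is exposed.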
“Using all of these characteristics makes an identity un-spoofable,” Lund said. “You can’t get them and replay them, nor can you reuse them. We’ve been testing internally other factors too, that help us determine the user, so some guy in Russia can’t pretend to be you.”