Making Passwordless Possible
How SecureAuth is eliminating passwords while improving security and user experience
What do the breaches at Target, LinkedIn, and Home Depot have in common? Compromised passwords. In fact, compromised passwords and credentials were used in 81% of reported data breaches. What’s more, the password is painful for users and drives up helpdesk costs. Trying to shore up passwords by adding a second factor, such as knowledge-based answers (KBAs), one-time passcodes (OTPs) via text/SMS, or hardware tokens, can significantly increase the burden on users and your budget, yet still cannot deliver the security needed against modern cyber threats.
The time has come to say farewell to the password. Fortunately, there is a better way. This technical brief explores how to finally implement secure passwordless authentication — while also streamlining the user experience and controlling costs.
Read this paper to understand
- How attackers compromise organizations
- How you can more quickly detect attackers
- How you can increase security without disrupting users (Go beyond 2FA).
The password may not be the root of all evil, but it is undeniably the root of many serious problems for organizations today. The top two drawbacks alone are sufficient reason to kill the password: the serious risk of breaches and the high costs. According to Verizon’s 2017 Data Breach Investigations Report (DBIR), 81% of confirmed data breaches involved the use of weak, default, or stolen credentials. Organizations often try to mitigate this risk by implementing stronger password complexity and requiring more frequent password changes. Unfortunately, that approach does far more to increase helpdesk costs and user frustration than it does to actually improve security.
Some organizations try to salvage the password by buttressing it with additional authentication factors, such as a hardware token or a one-time password (OTP) delivered by email or text/SMS. But these factors are less than ideal from a user experience perspective, and token-based authentication in particular is notorious for high costs. More important, however, is the fact that vanilla two-factor authentication simply cannot deliver the security organizations need today. For example, KBAs can easily be social engineered, and OTPs delivered to a mobile phone are vulnerable to man-in-the-middle attacks when phone fraud prevention techniques are not used. We have seen many well-documented cases of breaches in which OTPs were stolen from mobile devices or directly from the carrier network.
With No Password, There Are No Password Resets
Take a typical 5,000-user organization and assume one helpdesk call per user per month, or 12 calls a year. That means 60,000 helpdesk calls a year. Let’s assume 30% of those are for password resets, which gives 18,000 password reset calls a year. Let’s also assume each call costs the organization $35 (we’ve seen anywhere from $20 to $70). That puts the annual cost of password resets at $630,000.
Moving beyond the password
The problem, as Gartner analyst Ant Allan noted at the 2015 Gartner Security & Risk Management Summit in London, is that counting factors is not a reliable indicator of trust. In particular, if you base authentication on a password (something you know), adding a second or third knowledge-based method (such as a PIN or your mother’s maiden name) adds very little security. Adding methods based on something you have (such as a hardware token) is better, but it is still not enough.
The solution, he argues, is to add biometric data. By combining hardware and biometric data, organizations can achieve a level of trust far beyond a knowledge-based factor like a password alone, or even a password plus a hardware token. In fact, Allan said, “If we had enough contextual data, we could allow log in without a password.”
This is exactly the passwordless future that SecureAuth delivers today.
“In the midterm to long term, the combination of passive biometric authentication and contextual authentication will provide sufficient trust, without the need for a “gateway” authentication event using passwords or tokens (given some mechanism to reliably identify jailbroken or other untrustworthy endpoint devices) and perhaps without an explicit claim of identity (that is, no need to enter a user ID).”
Ant Allan & Tom Scholtz, Take a People-Centric Approach to Simplify IAM, Foundational, Nov 2015
How SecureAuth’s passwordless authentication works: a high level view
The anatomy of an attack
To understand why contextual information is so critical to improving security, we need to step back and get the bigger picture. How can a single compromised password lead to massive data breaches like those experienced by Target, Anthem, and Home Depot? Simply put, it gives attackers the foothold they need. By gaining access to the corporate network, often through its weakest link, attackers can begin to move laterally and elevate their level of access, often by compromising more and more powerful legitimate credentials or creating new ones from scratch. Then the attackers can move freely and complete their mission to steal intellectual property, destroy data or encrypt it for ransom, or do other damage. And, according to the Verizon DBIR, the vast majority of the time (92.9%), they do all this in less than an hour.
Denying attackers that initial foothold is what the SecureAuth Identity Platform’s advanced risk analysis (adaptive authentication) is designed for. Adaptive authentication blends a variety of risk checks into an aggregated risk score for the user, and that score determines how a particular authentication request is handled. Here are the risk checks the Identity Platform can take into account:
- Device recognition: SecureAuth can determine whether the device is recognized and associated with a known user.
- Group membership and user attributes: credentials created by attackers often lack the appropriate group membership and other attributes.
- Known location: SecureAuth can determine whether a request is coming from a known good location, where the organization has employees, partners, or customers.
- Improbable travel: using a user’s geo-location and login history together, the solution can detect improbable travel events, such as an attempt to log in from a distant location only minutes after logging in locally (a good indicator that credentials have been stolen).
- SecureAuth Threat Service: the SecureAuth Threat Service combines multiple threat intelligence feeds and blacklisted IP addresses to protect against today’s threats, including APTs, cybercrime and hacktivism, as well as anonymous proxies and anonymity networks such as Tor.
- Phone Number Fraud Prevention: SecureAuth can mitigate the security flaws of one-time passcodes sent via SMS/text by blocking specific carrier networks, number classes (e.g. virtual, landline, mobile), and mobile phone numbers that are involved in phone porting fraud. It also offers spam and denial-of-service prevention to reduce the number of OTPs sent.
- Customer-defined perimeter: users are not burdened with MFA prompts after they have successfully authenticated and have not traveled outside a customer-defined perimeter (e.g. 50 miles) within a specified time period.
- Behavior Analysis via Machine Learning: identify anomalous user behavior, such as logins at odd times, an unusual number of failed attempts, or an increase in sensitive system access.
Individually, any one of these techniques may not provide sufficient protection against attackers, but layered together they offer the industry’s best level of protection and are very effective at preventing attackers from gaining a foothold and moving laterally within the organization. Stolen credentials are rendered useless to attackers because several of these risk checks will raise concerns, and organizations can automatically require a multi-factor authentication step to prove validity or deny the access request outright.
Not all users are created equal. SecureAuth lets you determine the authentication workflow and thresholds for individual users, groups, or applications.
Flexible authentication workflows
Of course, if adaptive authentication were to block every authentication attempt that received a non-zero risk rating, it would be unusable. But the SecureAuth Identity Platform adaptive authentication is flexible, enabling you to tailor the authentication workflow for different groups of users. For example, you can set a higher acceptable risk value for users who have few rights to sensitive data, and a lower acceptable risk value for users with privileged levels of access, such as IT administrators, financial employees, or pharmacists who can dispense controlled substances.
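To make the aggregated-risk idea concrete, here is an added example (not SecureAuth’s code or scoring) of how several of the checks listed above, including improbable travel, can be combined into one score and mapped to allow, step-up MFA, or deny using the per-group thresholds this section describes. The weights, thresholds, 600 mph speed limit, and the sample user and login events are all constructed assumptions.

```python
import math
from datetime import datetime

# Constructed, hypothetical weights for each risk check (not SecureAuth's scoring).
WEIGHTS = {"unknown_device": 30, "missing_group": 25, "unknown_location": 20, "improbable_travel": 50}
# Per-policy thresholds (step-up MFA above the first value, deny above the second);
# privileged users get a lower acceptable risk, as the brief describes.
THRESHOLDS = {"admins": (10, 40), "staff": (35, 65)}

def haversine_miles(a, b):
    """Great-circle distance in miles between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 3958.8 * 2 * math.asin(math.sqrt(h))

def improbable_travel(prev, cur, max_mph=600.0):
    """True if reaching this login from the previous one would need > max_mph."""
    hours = (cur["time"] - prev["time"]).total_seconds() / 3600
    dist = haversine_miles(prev["geo"], cur["geo"])
    if hours <= 0:         # simultaneous or out-of-order events:
        return dist > 1.0  # only improbable if they are in different places
    return dist / hours > max_mph

def risk_score(user, attempt, prev=None):
    """Aggregate the individual checks into one score plus the reasons that fired."""
    reasons = []
    if attempt["device_id"] not in user["known_devices"]:
        reasons.append("unknown_device")
    if user["required_group"] not in user["groups"]:
        reasons.append("missing_group")
    if attempt["country"] not in user["known_countries"]:
        reasons.append("unknown_location")
    if prev is not None and improbable_travel(prev, attempt):
        reasons.append("improbable_travel")
    return sum(WEIGHTS[r] for r in reasons), reasons

def decide(user, attempt, prev=None):
    score, reasons = risk_score(user, attempt, prev)
    step_up, deny = THRESHOLDS[user["policy"]]  # policy chosen per user group
    outcome = "deny" if score > deny else "mfa" if score > step_up else "allow"
    return outcome, score, reasons

# Constructed sample user and login events (New York, then London 10 minutes later).
USER = {"known_devices": {"laptop-01"}, "groups": {"finance", "vpn-users"},
        "required_group": "vpn-users", "known_countries": {"US"}, "policy": "staff"}
LOGIN_NY = {"device_id": "laptop-01", "country": "US", "geo": (40.7128, -74.0060),
            "time": datetime(2017, 6, 1, 9, 0)}
LOGIN_LONDON = {"device_id": "laptop-01", "country": "GB", "geo": (51.5074, -0.1278),
                "time": datetime(2017, 6, 1, 9, 10)}
```

The same unknown device yields "allow" under the staff policy but "mfa" under the admins policy, which is the per-group tailoring the text describes; the New York to London pair trips both the unknown-location and improbable-travel checks and is denied outright.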
Broad coverage is critical
Most organizations have multiple points of authentication; for example, users might have to log on to particular machines, at the VPN, to individual applications, and to data stores. Attackers look for the weakest part of the network as their foothold. For example, in the 2014 JPMorgan breach — the largest breach in financial services history — attackers gained access to the network by using the stolen login credentials for a JPMorgan employee to gain access to a particular server where two-factor authentication had not been deployed.
Accordingly, the best practice is to deploy the SecureAuth Identity Platform widely across the enterprise and not just in a few pockets or selected departments. The more applications and systems that are covered by a passwordless authentication approach, the greater the chance of preventing an attacker from gaining a foothold or moving laterally inside your network.
How SecureAuth’s passwordless authentication works: the details
Why The SecureAuth Identity Platform?
The SecureAuth Identity Platform is uniquely positioned to enable organizations to embrace passwordless authentication. We have already explored several of the key features:
- Adaptive authentication
- Flexible authentication workflows
- Biometrics (fingerprint on a mobile device)
But the Identity Platform also offers flexible deployment options:
- You can move toward passwordless authentication at your own pace. For example, you can continue using passwords alongside adaptive and multi-factor authentication, and phase out passwords once you’re confident you’re protected.
- You don’t have to rip and replace. The SecureAuth Identity Platform plays nicely as part of the security ecosystem. The Identity Platform installs right into your environment, tying to your enterprise directories, applications, and VPNs, and using the same user accounts, profile information and policies you use today. The Identity Platform can even work with your hardware tokens.
And the SecureAuth Identity Platform beats the competition:
- No other vendor provides as many authentication methods as SecureAuth Identity Platform (25+)
- SecureAuth Identity Platform offers more risk-based adaptive authentication checks than any other vendor
- Very few other vendors offer flexible workflows for varying authentication requests
- Very few other vendors support as much technology as SecureAuth Identity Platform, meaning it’s easy to deploy and TCO is low.
- SecureAuth Identity Platform costs the same or less than most solutions on the market.
As Ant Allan noted at the Gartner conference referenced above, designing user authentication systems for applications is often seen as a trade-off between security and the user experience. SecureAuth also rejects this idea. With SecureAuth Identity Platform, you can secure your network and data while streamlining the user experience — and you’ll also eliminate the high costs of helpdesk calls for password resets, hardware tokens, and lost productivity. It’s a win-win-win.
Welcome to the passwordless era.
For information on support for this module, contact your SecureAuth support or sales representative: