MULTI-FACTOR AUTHENTICATION VS CONTINUOUS BEHAVIORAL AUTHENTICATION

The process of onboarding a suitable candidate to an organization perhaps offers the best analogy for understanding the meaning of Authentication Factors. To ensure the ‘right’ person is hired for the position, organizations carry out a variety of tests to ascertain the background, bona fides, technical knowledge and acumen, cognitive ability, personality, and health of the candidate. Multi-Factor Authentication (MFA) and Continuous Behavioral Authentication (CBA), currently at the top of the chain of authentication systems, also do that – systematically and comprehensively verifying that the ‘right’ user is accessing the network. However, unlike recruitment processes, they go above and beyond, performing ‘identity checks’ and authenticating the user across all sessions.

Let us now look at the evolution of Authentication Systems.

Binary Authentication

Binary Authentication is the precursor of all identity authentication systems. Also known as Single Factor Authentication (SFA), Binary Authentication (BA) deployed an Authentication Factor based on knowledge. Users were required to submit evidence at the start of the session to identify themselves – by ‘logging in’ with a username, followed by a password known to them (knowledge) – before being granted complete access to the system until they ended the session by ‘logging out’.

Single Factor Authentication refers to using a password or another authenticator that only requires a single authentication factor for authentication.

Though still widely used, stolen credentials, shared passwords, and weak password management show why BA is considered the weakest form of authentication.

Two Factor Authentication

As the obvious limitations of single-factor BA or SFA were felt, Two Factor Authentication (TFA) saw the light of day. TFA goes one step further than its predecessor, introducing a second authentication factor based on possession. It requires the user to ‘further’ authenticate their identity with a second piece of evidence in their possession – a One Time Password (OTP).

Two-factor authentication refers to the use of authentication methods from two different factors. Today’s banking and e-commerce portals frequently employ TFA.

TFA, however, suffers from the same limitations as its predecessor. For one, it only identifies the user at the start of the session, and secondly, it can be undone by both stolen credentials (passwords) and stolen devices (which provide the OTP necessary to continue the session).

Multi-Factor Authentication

Intended to shore up TFA, Multi-Factor Authentication (MFA) (1) is a form of authentication requiring a user to prove their identity using two or more identity factors at once. By adding a third or fourth authentication factor, it endeavors to address known attack methods such as brute force attacks, credential stuffing, phishing, keylogging and man-in-the-middle attacks.

Typically, MFA factors would include:

  • Knowledge factors – something the user knows, such as a password or an answer to a security question (this factor is inherent in SFA)
  • Possession factors – something the user has such as the OTP sent to the user’s mobile device (this factor is inherent in TFA)
  • Inherence factors – something biologically unique to the user such as a fingerprint or facial characteristics using Biometrics
  • Location factors – the user’s geographic position

The banking industry offers a ‘best practices’ example of MFA at work. MFA systems provide banks with a risk profile for the session, allowing financial institutions to take real-time action when anomalies are detected. Working in the background, MFA allows for a smooth and seamless user experience while simultaneously diminishing the threat of an attack.

Clearly an improvement on its predecessors BA and TFA in terms of authentication, MFA nevertheless once again provides threat protection only at the start of the user session.

Continuous Behavioral Authentication

Continuous Behavioral Authentication (CBA) (2) is an authentication technology that uses other compatible authentication strategies to verify users’ identities on an ongoing, real-time basis as they carry out everyday computing tasks. CBA addresses the fact that cybercriminals are at work throughout the user session. It attempts to provide a comprehensive solution to Identity and Access Management (IAM) by addressing the vulnerable areas associated with earlier authentication systems. Taking off from where MFA ends (at the start of the user session), CBA carries out authentication of the user during the entire session, until they log out.

How CBA works

An improvement on MFA in that it provides threat protection across the whole user session, CBA uses machine learning technology such as Behavioral Biometrics to further analyze user behavior throughout the session. Users are continuously monitored for factors such as body movements, gait, keyboard strokes, typing speed, screen swiping patterns, access from unidentified devices, etc.

CBA responds instantly when it encounters unrecognized user behavior or devices, generating ‘step-up’ authentication prompts and triggering alerts, and requiring user action before further access is granted.
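The two signals the article names, typing rhythm drifting away from the user's enrolled profile and access from an unidentified device, are enough to show how a continuous session monitor can decide between allowing the session and issuing a step-up prompt. The following is an added illustration written for this article, not code from any CBA product or vendor cited here; the baseline latencies, device identifiers, window size and z-score threshold are constructed assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed enrollment profile (hypothetical): inter-key latencies in ms seen in
# the user's past sessions, and the device fingerprints they have enrolled.
BASELINE_LATENCIES_MS = [95, 102, 88, 110, 97, 105, 92, 99, 101, 94]
KNOWN_DEVICES = {"dev-laptop-a1b2", "dev-phone-c3d4"}


@dataclass
class SessionState:
    user: str
    device_id: str
    recent_latencies_ms: list = field(default_factory=list)
    alerts: list = field(default_factory=list)


def zscore(sample_mean, baseline):
    """Distance of the observed window mean from the enrolled profile, in std devs."""
    mu, sigma = mean(baseline), pstdev(baseline) or 1.0
    return abs(sample_mean - mu) / sigma


def evaluate(state, window=5, threshold=3.0):
    """Return 'allow' or 'step_up' for the session's most recent keystroke window.

    An unknown device is treated as unrecognized immediately; typing rhythm is
    judged only once a full window of keystrokes has been observed, so a single
    slow or fast key press does not by itself trigger a prompt."""
    if state.device_id not in KNOWN_DEVICES:
        state.alerts.append(f"{state.user}: unknown device {state.device_id}")
        return "step_up"
    window_data = state.recent_latencies_ms[-window:]
    if len(window_data) < window:
        return "allow"  # not enough evidence yet to judge rhythm
    z = zscore(mean(window_data), BASELINE_LATENCIES_MS)
    if z > threshold:
        state.alerts.append(f"{state.user}: typing rhythm drift z={z:.1f}")
        return "step_up"
    return "allow"


def observe_keystroke(state, latency_ms):
    """Record one inter-key latency and re-evaluate the session."""
    state.recent_latencies_ms.append(latency_ms)
    return evaluate(state)
```

In a real deployment the "step_up" decision would route to the MFA prompt described above and the alert list would feed the SOC, while the threshold and window would be tuned per user to limit false prompts.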

The Future of User Authentication

Forbes makes the case for the advantages of Behavioral Biometrics by calling it The Future Of User Authentication(3) and states, “Behavioral biometrics offers a distinct advantage over other methods of personal security because it’s a passive means of identification that does not require any time or technical know-how from users.”

Conclusion

Unlike human resource processes, which largely end with the onboarding of the ‘right’ candidate – save for occasional behavioral issues that may arise during the candidate’s career – CBA runs for the entire duration of the user session. It ensures the ‘right’ access for the ‘right’ user and is in line with Zero Trust Architecture (ZTA) policies and strategies.

Continuous user authentication using behavioral biometrics is undoubtedly a step in the right direction.

Sources:

  1. Plurilock: https://plurilock.com/answers/multi-factor-authentication-what-does-multi-factor-authentication-mean/
  2. Plurilock: https://plurilock.com/answers/continuous-authentication-what-does-continuous-authentication-mean/
  3. Forbes: https://www.forbes.com/sites/forbestechcouncil/2019/05/13/behavioral-biometrics-is-the-future-of-user-authentication/?sh=4a1657c440d7
  4. Plurilock: https://plurilock.com/answers/is-continuous-authentication-a-type-of-multi-factor-authentication-mfa-or-is-it-something-else-entirely/

Dave Brayshay, MA, CISM, MSyl

Deputy Security Advisor | Protecting £7 Trillion in Assets at HM Land Registry | 15+ Years in Government Security Leadership

2 years

Interesting, but could CBA slow responses? If, say, an incident forces personnel to conduct disaster recovery actions, these may be out of usual behaviours. I can see the advantages of it. But could it also slow pivots which may be interpreted as out of usual behaviour? I can also see this being quite difficult for small business to implement.
