The process of onboarding a suitable candidate to an organization perhaps offers the best analogy for understanding the meaning of Authentication Factors. To ensure the ‘right’ person fills the position, organizations carry out a variety of tests to ascertain the candidate’s background, bona fides, technical knowledge and acumen, cognitive ability, personality, and health. Multi Factor Authentication (MFA) and Continuous Behavioral Authentication (CBA), currently at the top of the chain of authentication systems, do the same: they systematically and comprehensively verify that the ‘right’ user is accessing the network. Unlike recruitment processes, however, they go above and beyond, performing ‘identity checks’ and authenticating the user across all sessions.
Let us now look at the evolution of Authentication Systems.
Binary Authentication
Binary Authentication is the precursor of all identity authentication systems. Also known as Single Factor Authentication (SFA), Binary Authentication (BA) deployed an Authentication Factor based on knowledge. Users were required to submit evidence at the start of the session to identify themselves, by ‘logging in’ with a username followed by a password known to them (knowledge), before being granted complete access to the system until they ended the session by ‘logging out’.
Single Factor Authentication refers to using a password or another authenticator that only requires a single authentication factor for authentication.
Though BA is still widely used, stolen credentials, shared passwords and weak password management show why it is considered the weakest form of authentication.
Two Factor Authentication
As the obvious limitations of single-factor BA or SFA were felt, Two Factor Authentication (TFA) saw the light of day. TFA goes one step further than its predecessor, introducing a second authentication factor based on possession. It requires the user to ‘further’ authenticate their identity with a second piece of evidence in their possession: a One Time Password (OTP).
Two-factor authentication refers to the use of authentication methods from two different factors. Today’s banking and e-commerce portals frequently employ TFA.
TFA, however, suffers from the same limitations as its predecessor. For one, it only identifies the user at the start of the session; secondly, it can be undone by both stolen credentials (passwords) and stolen devices (which provide the OTP necessary to continue the session).
Multi Factor Authentication
Intended to shore up TFA, Multi-factor Authentication (MFA)(1) is a form of authentication requiring a user to prove their identity using two or more identity factors at once. It endeavors to address known attack methods such as brute force attacks, credential stuffing, phishing, keylogging and man-in-the-middle attacks, by adding a third or fourth authentication factor.
Typically, MFA factors would include:
- Knowledge factors – something the user knows, such as a password or an answer to a security question (this factor is inherent in SFA)
- Possession factors – something the user has, such as the OTP sent to the user’s mobile device (this factor is inherent in TFA)
- Inherence factors – something biologically unique to the user, such as a fingerprint or facial characteristics captured using biometrics
- Location factors – the user’s geographic position
The banking industry offers a best-practice example of MFA at work. MFA systems provide banks with a continuous risk profile for the session, allowing financial institutions to take real-time action when anomalies are detected. Working in the background, MFA allows for a smooth and seamless user experience while simultaneously diminishing the threat of an attack.
Clearly an improvement on its predecessors BA and TFA in terms of authentication, MFA nevertheless once again provides threat protection only at the start of the user session.
Continuous Behavioral Authentication
Continuous Behavioral Authentication (CBA)(2) is an authentication technology that uses other compatible authentication strategies (such as Plurilock’s behavioral-biometric authentication) to verify users’ identities on an ongoing, real-time basis as they carry out everyday computing tasks. CBA addresses the fact that cyber criminals are at work throughout the user session. It attempts to provide a comprehensive solution to Identity and Access Management (IAM) by addressing the vulnerable areas associated with earlier authentication systems. Taking off from where MFA ends (at the start of the user session), CBA carries out authentication of the user during the entire session, until they log out.
How CBA works
An improvement on MFA in that it provides threat protection across the user session, CBA uses machine learning technology such as Behavioral Biometrics to analyze user behavior throughout the session. Users are continuously monitored for factors such as body movements, gait, keystrokes, typing speed, screen-swiping patterns, and access from unidentified devices.
CBA responds instantly when it encounters unrecognized user behavior or devices, generating ‘step-up’ authentication prompts and triggering alerts, and requiring user action before access can continue.
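The session loop described above, as an added illustration that is not Plurilock’s or Aurora’s code and makes no claim about how DEFEND scores behavior: a per-user profile is enrolled from a known-good typing sample, every window of activity during the session is scored against it, a smoothed trust score decides between continued access and a step-up prompt, and an unidentified device forces step-up immediately. The behavioral signal (key flight time in milliseconds), the z-score anomaly measure, the thresholds and the sample data are all assumptions constructed for the example.

```python
"""Toy continuous behavioral authentication (CBA) session loop.

Added illustration for this article; it is not Plurilock's or Aurora's
code. Assumptions: the behavioral signal is key "flight time" (ms between
consecutive key presses), anomaly is the z-score of a window's mean against
the enrolled profile, and every threshold below is arbitrary.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import List, Set


@dataclass
class Profile:
    """Enrolled behavioral profile for one user (assumed schema)."""
    user: str
    flight_mean: float
    flight_std: float
    devices: Set[str] = field(default_factory=set)


def enroll(user: str, flight_times_ms: List[float], device_id: str) -> Profile:
    """Build a profile from a known-good typing sample captured at enrollment."""
    if len(flight_times_ms) < 20:
        raise ValueError("need at least 20 samples to enroll")
    # Floor the spread so a very regular typist does not make every window anomalous.
    spread = max(pstdev(flight_times_ms), 1.0)
    return Profile(user, mean(flight_times_ms), spread, {device_id})


def window_score(profile: Profile, window: List[float]) -> float:
    """Anomaly score of one activity window: |z| of the window mean vs. the profile.
    0 means 'typed exactly like the enrolled user'; larger means further away."""
    return abs(mean(window) - profile.flight_mean) / profile.flight_std


class Session:
    """Scores every window during the session and decides ALLOW or STEP_UP."""
    ALPHA = 0.4        # weight of the newest window in the smoothed trust score
    Z_LIMIT = 3.0      # a window at this z-score or beyond contributes zero trust
    STEP_UP_AT = 0.5   # trust below this forces step-up authentication

    def __init__(self, profile: Profile, device_id: str):
        self.profile = profile
        self.device_id = device_id
        self.trust = 1.0
        self.decisions: List[str] = []

    def observe(self, window: List[float]) -> str:
        """Called for each window of captured activity; returns the access decision."""
        if self.device_id not in self.profile.devices:
            # An unidentified device is an immediate step-up, regardless of typing.
            decision = "STEP_UP"
        else:
            z = window_score(self.profile, window)
            match = max(0.0, 1.0 - z / self.Z_LIMIT)   # 1 = fits profile, 0 = far off
            # Exponential smoothing: one odd window lowers trust, a run of them drains it.
            self.trust = (1 - self.ALPHA) * self.trust + self.ALPHA * match
            decision = "STEP_UP" if self.trust < self.STEP_UP_AT else "ALLOW"
        self.decisions.append(decision)
        return decision

    def step_up_passed(self) -> None:
        """The user satisfied the step-up prompt: trust the session and device again."""
        self.trust = 1.0
        self.profile.devices.add(self.device_id)


# --- constructed sample data (not real measurements) ------------------------
ENROLL_SAMPLE = [110, 125, 118, 130, 115, 122, 119, 128, 112, 121,
                 117, 124, 126, 113, 120, 116, 129, 114, 123, 127,
                 118, 121, 115, 124, 119, 122, 111, 126, 120, 117]
GENUINE_WINDOWS = [[119, 123, 117, 121, 118, 124, 120, 116],
                   [122, 118, 125, 113, 121, 119, 127, 116]]
IMPOSTOR_WINDOWS = [[245, 260, 238, 255, 249, 262, 241, 250],
                    [258, 243, 251, 266, 239, 247, 254, 260]]


def run_demo() -> List[str]:
    """Genuine typing, then someone else at the same keyboard: returns the decisions."""
    profile = enroll("alice", ENROLL_SAMPLE, "laptop-01")
    session = Session(profile, "laptop-01")
    for w in GENUINE_WINDOWS + IMPOSTOR_WINDOWS:
        session.observe(w)
    return session.decisions


def run_unknown_device() -> List[str]:
    """Same user, same typing, but from a device not seen at enrollment."""
    profile = enroll("alice", ENROLL_SAMPLE, "laptop-01")
    session = Session(profile, "kiosk-77")
    first = session.observe(GENUINE_WINDOWS[0])   # step-up forced by the device
    session.step_up_passed()                       # user passes, device is registered
    second = session.observe(GENUINE_WINDOWS[1])  # now judged on behavior alone
    return [first, second]


if __name__ == "__main__":
    print(run_demo())            # ['ALLOW', 'ALLOW', 'ALLOW', 'STEP_UP']
    print(run_unknown_device())  # ['STEP_UP', 'ALLOW']
```

The smoothing is the design point worth noticing: the first anomalous window after a genuine run is still allowed (trust drops to about 0.6), so a single pause or a one-handed burst does not lock the user out, while a second consecutive anomalous window drains trust below the threshold and raises the step-up prompt. A real deployment would score many more signals than one timing feature and would tune the thresholds against measured false-accept and false-reject rates.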
The Future of User Authentication
Forbes makes the case for the advantages of Behavioral Biometrics by calling it The Future Of User Authentication(3) and states, “Behavioral biometrics offers a distinct advantage over other methods of personal security because it’s a passive means of identification that does not require any time or technical know-how from users.”
The Evolution of Authentication Factors
Conclusion
Unlike human resource processes, which largely end with the onboarding of the ‘right’ candidate (save for occasional behavioral issues that may arise during the candidate’s career), CBA runs for the entire duration of the user session. It ensures the ‘right’ access for the ‘right’ user and is in line with Zero Trust Architecture (ZTA) policies and strategies.
Continuous user authentication using behavioral biometrics is undoubtedly a step in the right direction.
Choose Plurilock for CBA
Plurilock, Aurora’s parent company, in this article(4) states, “(We) consider all our products to be MFA solutions as they enable the use of several identity factors to confirm identity—some combination of things users know, things users have, and things users embody or “are,” in other words. Plurilock’s continuous authentication solutions in particular enable multi-factor authentication.”
Plurilock’s DEFEND helps organizations identify, thwart and negotiate identity threats, with across-session protection and support for Security Operations Centers (SOC).
Aurora can provide organizations with innovative technology to meet their goals by offering a wide range of cybersecurity solutions and services, including Plurilock DEFEND.
Reach us at sales@aurorait.com or call +1 888 282 0696
Sources:
- (1) Plurilock: https://plurilock.com/answers/multi-factor-authentication-what-does-multi-factor-authentication-mean/
- (2) Plurilock: https://plurilock.com/answers/continuous-authentication-what-does-continuous-authentication-mean/
- (3) Forbes: https://www.forbes.com/sites/forbestechcouncil/2019/05/13/behavioral-biometrics-is-the-future-of-user-authentication/?sh=4a1657c440d7
- (4) Plurilock: https://plurilock.com/answers/is-continuous-authentication-a-type-of-multi-factor-authentication-mfa-or-is-it-something-else-entirely/