Continuous authentication heats up the market
In an effort to have their cake and eat it too, some forward-thinking CISOs have started looking past passwords to move towards continuous authentication based on behaviors and attributes. A key benefit of behavior- and attribute-based authentication is that it works seamlessly in the background without conscious action on the part of the user. In effect, it takes the onus of security off the user and puts it back in the hands of the security team. The initial login—username + password combination—may remain (though it doesn’t have to), but that first login is just one layer of security, not the final or authoritative word on access control.
In an attribute-/behavior-based world of authentication, additional factors are weighed more heavily in the decision to authorize system access: operating system, UUID of the BIOS, patch levels, trends for when a user/system resource accesses (other) system resources (normal/expected vs. abnormal/unexpected), patterns of how a user/system resource accesses (other) system resources (e.g., a database requests access to a host it has never accessed before; a sudden, unexplained change in bandwidth consumption), and much more. Introducing additional factors into authentication decisions means that stealing pieces of “what you know” (i.e., username + password) no longer gives an attacker a path to system compromise. Decisions based on an aggregation of attributes that are extremely hard to replicate (e.g., cryptographic identity, behaviors, patterns) pave the way to stronger security without adding friction, i.e., without requiring action on the part of the user.
Another bonus of behavior-/attribute-based authentication is that it is persistent. Attributes and behaviors are inextricably linked to system resources (including people). In other words, they can’t be abstracted away from what/who is trying to communicate. Not only does this result in enhanced credentials, but it also means that systems can be configured to verify access continuously, again, without requiring a human being to input information. Credentials are a combination of what an entity is (identity) and how it behaves, and permitted access relies on the network in which the entity is trying to communicate (environment) and what the entity is trying to do (transaction).
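The decision model described above (identity attributes plus behavior, weighed together with environment and transaction) can be sketched as a small risk-scoring function. This is an added example, not code from the article or any vendor; the baseline values, weights, thresholds and sample events are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed enrollment baseline for one service account (hypothetical values).
# In a real deployment this is learned from observed history, not hand-written.
BASELINE = {
    "bios_uuid": "CONSTRUCTED-BIOS-UUID-0001",
    "os": "Ubuntu 22.04",
    "min_patch_level": 12,           # anything older counts as out of date
    "usual_hours": range(7, 20),     # local hours in which access is normal
    "known_hosts": {"db-primary", "db-replica"},
    "typical_kbps": 800.0,           # expected bandwidth for this identity
}

@dataclass
class AccessEvent:
    # One observed request: who/what (identity), where (environment), what (transaction)
    bios_uuid: str
    os: str
    patch_level: int
    hour: int
    target_host: str
    kbps: float
    transaction: str                 # e.g. "read", "write", "bulk-export"

def risk_score(ev: AccessEvent, baseline=BASELINE):
    """Weigh each attribute/behavior signal; return (total score, triggered reasons)."""
    checks = [
        (ev.bios_uuid != baseline["bios_uuid"], 40, "device identity mismatch"),
        (ev.os != baseline["os"], 15, "unexpected operating system"),
        (ev.patch_level < baseline["min_patch_level"], 10, "patch level below baseline"),
        (ev.hour not in baseline["usual_hours"], 15, "access outside usual hours"),
        (ev.target_host not in baseline["known_hosts"], 25, "never-before-seen target host"),
        (ev.kbps > 3 * baseline["typical_kbps"], 25, "bandwidth spike"),
        (ev.transaction == "bulk-export", 15, "high-impact transaction"),
    ]
    hits = [(weight, why) for cond, weight, why in checks if cond]
    return sum(w for w, _ in hits), [why for _, why in hits]

def decide(ev: AccessEvent, baseline=BASELINE) -> str:
    """Continuous decision per request: allow, step-up (demand another factor), or deny."""
    score, _ = risk_score(ev, baseline)
    if score >= 60:
        return "deny"
    if score >= 30:
        return "step-up"
    return "allow"

# Constructed sample events: a routine read, and an off-hours bulk export to a new host.
NORMAL = AccessEvent("CONSTRUCTED-BIOS-UUID-0001", "Ubuntu 22.04", 14, 10, "db-primary", 600.0, "read")
SUSPECT = AccessEvent("CONSTRUCTED-BIOS-UUID-0001", "Ubuntu 22.04", 14, 3, "file-srv-09", 4000.0, "bulk-export")
```

Note that SUSPECT carries a valid device identity and the right password would already have been accepted at login; it is the behavioral signals alone that push it to "deny".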
Reducing friction, improving access control
The good news is that all of this is automated and uses some form of machine learning to continually improve the accuracy with which resources are authenticated. Unlike typing a username/password combination and then perhaps entering a secondary code, token, or biometric, attribute- and behavior-based authentication is invisible to the user and therefore has less chance of being vetoed by the executive team as too intrusive.
As a consequence, security teams can strengthen authentication without having to convince someone to change policy and a whole lot of someones to adopt new actions. People can even keep their passwords, if that makes them feel better. But now, when the security team or IT Help Desk sees 207 accounts with “January2019” as the new password on January 1, 2019, they can simply shrug it off, knowing that passwords aren’t the only—exploitable—thing protecting their systems.