
Frictionless Authentication: Cybersecurity Dream or Future Reality?

“Password1.” “123456.” “qwerty.” As a cybersecurity practitioner reading this, these three (and similar) character combinations probably make you want to scream. Specifically, they may make you want to scream, “That’s a terrible password! Stop! Especially stop using it across all your accounts!”

Guess what? People are going to continue to use these types of passwords because they’re easy to remember and easy to type. In other words, “123456789” and the like are low friction. Much to the security community’s chagrin, the average person does not care about passwords or even security in general. They want quick access to their accounts, to be able to order items online without too much rigamarole, and the ability to see how much money is in their accounts in one click. For the unlucky set who have had their identities stolen, security and privacy are serious considerations. For the balance of the general public, though, the most highly publicized and widespread breaches have simply meant that they were issued a new credit card, told to change their now-public password(s), and offered free credit monitoring for a year or two. The actual impact of breaches has (to date) had little practical effect on the majority of victims. While security pros worry about unauthorized account and system access a lot, non-security people just don’t.

As a result, the effort of creating long passphrases, using a password manager, or turning on two-factor authentication (2FA) is not perceived as measurably beneficial and therefore not willingly done. Doing so creates friction in the sign-in process. That’s the point, of course; friction, in the case of authentication, is not one-sided. It extends to attackers trying to gain unauthorized access to user accounts, IT systems, and databases rich with confidential information. And when security teams have tried to introduce more friction into the access control process in the past, they’ve been met with resistance. Businesses want speed and agility, not frustrated users who can’t connect to the tools they need.

Passwords: just the tip of the security incident iceberg

Year after year some industry outlet predicts that “this is the year passwords will become obsolete.” It hasn’t happened yet, and it’s not likely to happen any time soon. A small subset of security teams, surrendering to reality, have successfully introduced mandatory 2FA/MFA and/or password managers for employees, yet adoption rates for these security enhancements remain low due to the aforementioned friction problems. As a result, these organizations are back to where they started, leaving giant vulnerabilities in user authentication and automated system access. The easier it is for employees/customers/authorized users to access accounts, the easier it is for cyber criminals to do the same using stolen credentials. Once inside, attackers can inflict all sorts of damage across business systems. Doing nothing, therefore, is not an option, but many security teams feel stuck between trying to insist on better security practices and bowing to the pressure of low-friction authentication.


Continuous authentication heats up the market

In an effort to have their cake and eat it too, some forward-thinking CISOs have started looking past passwords to move towards continuous authentication based on behaviors and attributes. A key benefit of behavior- and attribute-based authentication is that it works seamlessly in the background without conscious action on the part of the user. In effect, it takes the onus of security off the user and puts it back in the hands of the security team. The initial login—username + password combination—may remain (though it doesn’t have to), but that first login is just one layer of security, not the final or authoritative word on access control.

In an attribute-/behavior-based world of authentication, additional factors are weighed more heavily in the decision to authorize system access: operating system, UUID of the BIOS, patch levels, trends for when a user or system resource accesses (other) system resources (normal/expected vs. abnormal/unexpected), patterns of how a user or system resource accesses (other) system resources (e.g., a database requests access to a host it has never accessed before, or bandwidth consumption changes suddenly and without explanation), and much more. Introducing additional factors into authentication decisions means an attacker can no longer simply steal pieces of “what you know” (i.e., username + password) and turn that into system compromise. Decisions using an aggregation of attributes that are extremely hard to replicate (e.g., cryptographic identity, behaviors, patterns) pave the way to stronger security without adding friction, i.e., without requiring action on the part of the user.

Another bonus of behavior-/attribute-based authentication is that it is persistent. Attributes and behaviors are inextricably linked to system resources (including people). In other words, they can’t be abstracted away from what/who is trying to communicate. Not only does this result in enhanced credentials, but it also means that systems can be configured to verify access continuously, again, without requiring a human being to input information. Credentials are a combination of what an entity is (identity) and how it behaves, and permitted access relies on the network in which the entity is trying to communicate (environment) and what the entity is trying to do (transaction).
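An added example (not Edgewise's code or engine) of how the factors described above can be aggregated into a continuous, per-transaction decision: every event after login is scored against the entity's baseline of identity, environment and behavior. The baseline profile, the signal weights and the thresholds are constructed assumptions for illustration only.

```python
from dataclasses import dataclass

# Constructed baseline for one entity: the profile a continuous-auth engine
# would learn from history (hand-written here, not machine-learned).
@dataclass(frozen=True)
class Baseline:
    device_uuid: str        # hardware identity the account normally uses
    min_patch_level: int    # lowest patch level considered healthy
    known_hosts: frozenset  # hosts this entity has talked to before
    typical_kbps: float     # usual bandwidth for this entity
    active_hours: range     # hours of day when activity is expected

@dataclass(frozen=True)
class Event:                # one observed transaction after login
    device_uuid: str
    patch_level: int
    target_host: str
    kbps: float
    hour: int

def score(baseline: Baseline, ev: Event) -> tuple[int, list[str]]:
    """Aggregate identity, environment and behaviour signals; weights are assumed."""
    risk, reasons = 0, []
    if ev.device_uuid != baseline.device_uuid:
        risk += 50; reasons.append("unknown device identity")
    if ev.patch_level < baseline.min_patch_level:
        risk += 20; reasons.append("patch level below baseline")
    if ev.target_host not in baseline.known_hosts:
        risk += 30; reasons.append("first contact with host")
    if ev.kbps > 5 * baseline.typical_kbps:
        risk += 25; reasons.append("bandwidth spike")
    if ev.hour not in baseline.active_hours:
        risk += 15; reasons.append("outside active hours")
    return risk, reasons

def decide(risk: int) -> str:
    """Map a score to an action; thresholds are assumptions."""
    return "deny" if risk >= 60 else "step-up" if risk >= 30 else "allow"

def evaluate_session(baseline: Baseline, events: list[Event]) -> list[str]:
    """Re-check every transaction, so a good first login is never the last word."""
    return [decide(score(baseline, ev)[0]) for ev in events]

if __name__ == "__main__":
    base = Baseline("uuid-aaaa", 42, frozenset({"db01", "app01"}), 200.0, range(8, 19))
    session = [Event("uuid-aaaa", 42, "db01", 150.0, 10),       # normal -> allow
               Event("uuid-aaaa", 42, "backup07", 150.0, 10),   # new host -> step-up
               Event("uuid-zzzz", 40, "db01", 1500.0, 3)]       # foreign box -> deny
    for ev, action in zip(session, evaluate_session(base, session)):
        print(action, score(base, ev)[1])
```

The second event shows the point of the section: the same valid credentials on the same device still trigger a step-up the moment the behavior departs from the learned pattern.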

Reducing friction, improving access control

The good news is that all of this is automated and uses some form of machine learning to continually improve the accuracy with which resources are authenticated. Unlike typing a username/password combination and then perhaps entering a secondary code, token, or biometric, attribute- and behavior-based authentication is invisible to the user and therefore has less chance of being vetoed by the executive team as too intrusive.

As a consequence, security teams can strengthen authentication without having to convince someone to change policy and a whole lot of someones to adopt new actions. People can even keep their passwords, if that makes them feel better. But now, when the security team or IT Help Desk sees 207 accounts with “January2019” as the new password on January 1, 2019, they can simply shrug it off, knowing that passwords aren’t the only—exploitable—thing protecting their systems.


Written by Katherine Teitler, Director of Content

Katherine Teitler leads content strategy and development for Edgewise Networks. In her role as Director of Content she is a storyteller; a translator; and liaison between sales, marketing, and the customer. Prior to Edgewise, Katherine was the Director of Content for MISTI, a global training and events company, where she was in charge of digital content strategy and programming for the company's cybersecurity events, and the Director of Content at IANS, where she built, managed, and contributed to the company's research portal.