#BackToBasics: from identification to strong, multi-factor and adaptive authentication
From identification to strong authentication
Identification consists of establishing the identity of the user. It is about answering the question “Who are you?”. This individual action is purely declarative. If I answer the question with “Hello, my name is Marc-Eric”, nothing proves at this stage that I am telling you the truth.
This is where authentication comes into play, and especially strong authentication, which allows the user to prove their identity. Providing my first name is not enough to guarantee I am who I claim to be, even assuming that it is unique.
Authentication therefore naturally occurs after the identification phase and is the answer to the question: “Are you really that person?”
In practice, I start by identifying myself, “Hello, my name is Marc-Eric”, and then I give my interlocutor proof by authenticating myself, “and here is my identity card”.
At this stage, my interlocutor can only have a moderate degree of trust, which is why a system that relies on a single authentication factor is called “simple authentication”.
However, if I go back to my example, who says that my identity card is not fake? If I wish to provide my interlocutor with a higher level of trust, I must be able to provide several separate proofs of my identity. This is the very concept of strong authentication that applies in the digital world and consists of proving who I am by using at least 2 distinct factors among the following:
- A possession factor, i.e. an item that I own such as my identity card, smartphone, USB security key (Yubikey, Winkeo, etc.), smart card, etc.
- An inherence factor, i.e. something that constitutes me, such as my fingerprint, vein or retinal print, my voice, my face, etc.
- A knowledge factor, i.e. something I know, such as a PIN code, a password or my mother’s maiden name associated with my favourite colour.
Combining multiple authentication factors reduces the risk of identity theft. An attacker can obtain my password, a copy of my SIM card (SIM swapping) or a reproduction of my fingerprint through various means. However, each of these operations has a cost and involves a certain degree of complexity. Multiplying the authentication factors makes the attacker’s task much more complex.
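As an added illustration (not code from the original post or from Ilex), here is a minimal server-side check of two independent factors: a salted password hash for the knowledge factor, and a time-based one-time code (TOTP, RFC 6238) produced by an authenticator app the user possesses. The user record, password and secrets are constructed for the example; the seed `12345678901234567890` used in the usage call is the published RFC 4226/6238 test seed, for which the 6-digit code at Unix time 59 is 287082.

```python
import hashlib
import hmac
import os
import struct

TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6


def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor: PBKDF2-HMAC-SHA256; the salt is stored next to the hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter,
    then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Possession factor: accept the current step plus `window` steps either
    side, to tolerate clock drift between the server and the authenticator."""
    if len(code) != TOTP_DIGITS or not (code.isascii() and code.isdigit()):
        return False
    counter = unix_time // TOTP_STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, counter + k), code)
               for k in range(-window, window + 1))


def authenticate(user: dict, password: str, otp: str, unix_time: int) -> bool:
    """Strong authentication: BOTH factors must verify. Both are always
    evaluated, so the response time does not reveal which factor failed."""
    password_ok = hmac.compare_digest(
        hash_password(password, user["salt"]), user["password_hash"])
    otp_ok = verify_totp(user["totp_secret"], otp, unix_time)
    return password_ok and otp_ok


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record for the example (a real system stores the TOTP
    seed encrypted and shares it with the authenticator app at enrolment)."""
    salt = os.urandom(16)
    return {"salt": salt,
            "password_hash": hash_password(password, salt),
            "totp_secret": totp_secret}


if __name__ == "__main__":
    seed = b"12345678901234567890"          # RFC 4226 / RFC 6238 test seed
    alice = make_user("correct horse battery staple", seed)
    print(totp(seed, 59))                                                     # 287082
    print(authenticate(alice, "correct horse battery staple", "287082", 59))  # True
    print(authenticate(alice, "correct horse battery staple", "000000", 59))  # False
    print(authenticate(alice, "wrong password", "287082", 59))                # False
```

The point of `authenticate` is that stealing one factor is not enough: a leaked password fails without the current code, and a phished code fails without the password. In production the drift window should also be paired with a record of the last accepted counter, so a code that was already used cannot be replayed within the window.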
Strong authentication, multi-factor authentication, 2FA, what are the differences?
Today, the term multi-factor authentication (MFA) is generally used to refer to this strong, multi-factor form of authentication. But we are talking about the same thing!
Here are a few synonyms:
- MFA
- 2FA: Two-Factor Authentication or Dual-Factor Authentication. This is a strong authentication process that limits the number of factors to 2.
- FIDO – U2F: “Fast ID Online – Universal Second Factor”. It is a strong 2-factor authentication standard which most often involves the use of a USB or NFC device. The FIDO – U2F standard has been improved with the FIDO 2 standard in collaboration with Microsoft.
- WebAuthn: this is a standard developed by the World Wide Web Consortium (W3C) which stems from the FIDO 2 specifications of the FIDO alliance. It provides an interface for authenticating users of web applications using asymmetric keys, and is designed, among other things, to end the use of passwords.
There are certainly many terms but what is most important is that strong authentication is more than ever one of the fundamentals for organisations in terms of cybersecurity, especially at a time when mobility and teleworking are creating new risks for information systems.
In its IT hygiene guide, the National Cybersecurity Agency of France (ANSSI)* also strongly recommends that “Strong authentication should be used whenever possible” and specifies that “It is strongly recommended to implement strong authentication requiring the use of two different authentication factors”.
Strong authentication in banking (PSD2): the key to trust
Reinforcing user access to the IS is a key point of regulatory compliance in many business sectors where data is sensitive.
Take the banking sector and the PSD2 Directive on Payment Services as an example. One of the objectives of the Directive is to protect consumers in a context where fraud is becoming more and more frequent. Here are 3 examples of cases where strong authentication is imposed by PSD2:
- Accessing your online bank accounts or simply your customer profile. The strong authentication must be renewed at least every 90 days.
- Making an online payment of more than €30, or €50 for contactless payments, such as a credit card payment or bank transfer.
- Executing an online action that is likely to have an impact or a fraudulent origin such as changing your mobile number on your bank customer profile.
Strong authentication and all its variations prevent a simple password from being enough to gain access to sensitive systems.
At Ilex, we work with many banking clients faced with high security and compliance challenges. This is notably the case for Natixis, a French financial institution with an international dimension, with its “Global Adaptive Access Platform” (GAAP) program. The guiding principle of the program was to combine security, ergonomics and regulatory compliance. It’s a very interesting project that I recommend you read about.
Behavioural analytics within the authentication process: adaptive authentication or dynamic assessment of the need for authentication
What about behavioural analytics within the authentication process?
Behavioural analytics is an authentication factor in the sense that a person’s behaviour will influence our trust in him or her.
To be concrete, by associating habits with a user and then measuring the gap between the habits and current behaviour during an authentication process, the system will calculate a score that will allow the authentication sequence to be adapted.
Take for example a user who wants to access an application that “normally” requires only password authentication. If the user’s score is too low because of a change in behaviour, strong authentication can be required, or access to the resource can even be denied.
While user behavioural analytics may require a long and continuous learning phase, an organisation can also rely on simple, contextual criteria such as:
- The device’s fingerprint
- Usual connection time slots
- A bridge with the HR software to determine if the user is on leave
- Connection timeframe
- Connection from the company’s internal network or from outside the company
- An attempt to access sensitive applications
- Geoprofiling, i.e. verification of the user’s geographical location. This is very rarely exact, but it allows, for example, the location of a user to be compared from one connection to the next and the time it would take to travel between these two points to be calculated. If this travel time is implausible, a rule can be applied to request re-authentication or deny access.
This is called adaptive authentication: it adapts the level of authentication and security required to access each application of the information system according to the user’s context.
It is based on the assessment of a risk, represented for example by the detection of an access attempt from a new device, a new location or at an unusual time.
Therefore, in order to access the same application or use the same workstation, the user may be asked for different levels of authentication, depending on the dynamic evaluation of their current trust level.
Adaptive authentication is an essential security component because it works in real time to help prevent cyber fraud.
Here again, I will take the opportunity to give some synonyms for adaptive authentication: contextual authentication, risk-based authentication (RBA).
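To make the contextual criteria above concrete, here is an added example of a small risk-scoring engine (written for this page, not Ilex’s product code) that weighs the device fingerprint, the usual time slot, the HR leave status, the source network, the sensitivity of the application and a geoprofiling “impossible travel” check, then maps the score to allow / step-up / deny. The weights, thresholds, networks, application names and the Paris and New York coordinates are constructed assumptions for the demonstration; a real deployment tunes them to its own population.

```python
from __future__ import annotations

import ipaddress
import math
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed policy values for the example; a real deployment tunes them.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]
SENSITIVE_APPS = {"payroll", "treasury"}
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # faster than an airliner between two logins = impossible travel
STEP_UP_THRESHOLD = 30            # from here on, require strong authentication
DENY_THRESHOLD = 70               # from here on, refuse access outright


@dataclass
class AccessAttempt:
    user: str
    device_fingerprint: str
    timestamp: datetime
    source_ip: str
    app: str
    geo: tuple                    # (latitude, longitude) from IP geolocation; approximate


@dataclass
class UserProfile:
    known_devices: set
    usual_hours: range            # e.g. range(7, 20) for 07:00-19:59
    on_leave: bool                # fed by the HR system
    last_attempt: Optional[AccessAttempt]


def haversine_km(a: tuple, b: tuple) -> float:
    """Great-circle distance between two (lat, lon) points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def impossible_travel(prev: AccessAttempt, cur: AccessAttempt) -> bool:
    """True when the user would have had to move implausibly fast between
    the previous login location and this one."""
    hours = (cur.timestamp - prev.timestamp).total_seconds() / 3600.0
    distance = haversine_km(prev.geo, cur.geo)
    if hours <= 0:
        return distance > 0.0
    return distance / hours > MAX_PLAUSIBLE_SPEED_KMH


def risk_score(profile: UserProfile, attempt: AccessAttempt) -> tuple:
    """Add a weight for every contextual criterion that deviates from the
    user's habits; return the score and the reasons, for auditing."""
    score, reasons = 0, []
    if attempt.device_fingerprint not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    if attempt.timestamp.hour not in profile.usual_hours:
        score += 15
        reasons.append("outside usual time slot")
    if profile.on_leave:
        score += 25
        reasons.append("user on leave according to HR")
    if not any(ipaddress.ip_address(attempt.source_ip) in net for net in INTERNAL_NETWORKS):
        score += 10
        reasons.append("external network")
    if attempt.app in SENSITIVE_APPS:
        score += 20
        reasons.append("sensitive application")
    if profile.last_attempt is not None and impossible_travel(profile.last_attempt, attempt):
        score += 40
        reasons.append("impossible travel since last login")
    return score, reasons


def decide(score: int) -> str:
    """Map the risk score to the authentication level demanded."""
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step-up"          # ask for a second factor
    return "allow"                # the usual password is enough


if __name__ == "__main__":
    PARIS, NEW_YORK = (48.8566, 2.3522), (40.7128, -74.0060)   # constructed scenario
    morning = AccessAttempt("marc", "dev-A", datetime(2024, 3, 4, 9, 0), "10.1.2.3", "intranet", PARIS)
    profile = UserProfile({"dev-A"}, range(7, 20), False, morning)
    later = AccessAttempt("marc", "dev-B", datetime(2024, 3, 4, 10, 0), "203.0.113.7", "payroll", NEW_YORK)
    score, reasons = risk_score(profile, later)
    print(score, reasons, decide(score))   # 100 [...] deny
```

The same user and the same application can thus get three different answers depending on context, which is exactly what the paragraph above describes. Note that the geolocation of an IP address is coarse, so the impossible-travel rule is deliberately generous (900 km/h) to avoid locking out travellers behind a corporate proxy whose exit point changes.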
When to set up a strong authentication system?
Whether it’s a question of responding to regulatory constraints, reinforcing the security of access to the information system or improving the user experience by removing the need for passwords, strong, two-factor or multi-factor authentication is an excellent way to meet these three major challenges, which are at the heart of a global IAM strategy.
However, access to the IS is a complex subject which involves different user populations, numerous and varied connection contexts, a wide range of applications, etc. There is no universal authentication method and I strongly recommend Olivier Morel’s blog post if you wish to know more about securing employee use, without restricting them or changing their habits by imposing an unsuitable means of authentication.
The health crisis we are currently experiencing requires managing the identities of mobile users and their access to the information system. For many organisations, it remains a complex task to limit the cyber risks to which their remote workers are exposed, and all the more so with the expansion of Cloud services. In this respect, strong multi-factor authentication (MFA) provides very reliable and immediate security guarantees.
To conclude
I would say that authentication has been constantly evolving to adapt to the new cybersecurity challenges of organisations. It is a fundamental building block in the development of a Zero Trust strategy. By combining the technologies of multi-factor and contextual authentication, access control and authorisation management, it is possible to implement systematic, continuous and dynamic access verification, in line with a more agile security policy adapted to the context of today’s digital world.
Organisations that are slow to adopt more secure and effective authentication methods expose themselves to risks in terms of protecting their resources, employees and customers.
This is particularly true at a time when the ANSSI has confirmed a real explosion of cyber attacks in France.
I have in mind the example of the software specialist Cyble, which last year raised an alert about the availability of 500,000 Zoom login/password pairs on the dark web**. These credentials had in fact been collected during previous hacking operations and were then reused on Zoom (credential stuffing). The flaw came from users who very often reuse the same password, a similar password or a password built according to the same pattern. This is a very frequent “user” error.
This is only one example among many others of data theft which, unfortunately, ultimately allows an intrusion into the IS to be initiated.
Strong authentication involving 2 independent factors, or the use of adaptive authentication combined with behavioural analysis, strongly limits this type of attack.
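Strong authentication is the mitigation; detecting a credential-stuffing run while it is happening is the complementary operational control. The following added example (not from the original post or from Ilex) runs over a few constructed authentication log lines and flags a source IP that tries many different accounts within a short window, which is the signature of replayed leaked login/password pairs, as opposed to a brute force on a single account. The log format, IP addresses (documentation ranges) and account names are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines for the example (not real data):
# timestamp, result, account, source IP.
SAMPLE_LOG = """\
2024-03-04T10:00:01 auth FAIL user=alice ip=203.0.113.7
2024-03-04T10:00:03 auth FAIL user=bob ip=203.0.113.7
2024-03-04T10:00:04 auth FAIL user=carol ip=203.0.113.7
2024-03-04T10:00:06 auth OK user=dave ip=203.0.113.7
2024-03-04T10:00:07 auth FAIL user=erin ip=203.0.113.7
2024-03-04T10:00:09 auth FAIL user=frank ip=203.0.113.7
2024-03-04T10:00:10 auth FAIL user=grace ip=203.0.113.7
2024-03-04T10:01:00 auth FAIL user=alice ip=198.51.100.9
2024-03-04T10:01:05 auth FAIL user=alice ip=198.51.100.9
2024-03-04T10:01:09 auth FAIL user=alice ip=198.51.100.9
2024-03-04T10:02:00 auth OK user=heidi ip=10.0.0.5
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_credential_stuffing(log_text: str,
                               window: timedelta = timedelta(minutes=5),
                               min_distinct_accounts: int = 5) -> dict:
    """Flag source IPs whose FAILED logins touch at least `min_distinct_accounts`
    different accounts inside any `window`. For each flagged IP, also list the
    accounts it logged into successfully: those are the reused passwords the
    stuffing run actually found, and the accounts to re-authenticate first."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "FAIL"]
        peak, start = 0, 0
        for end in range(len(failures)):            # sliding time window
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            distinct = {e["user"] for e in failures[start:end + 1]}
            peak = max(peak, len(distinct))
        if peak >= min_distinct_accounts:
            flagged[ip] = {
                "distinct_accounts": peak,
                "successful_logins": sorted({e["user"] for e in evs if e["result"] == "OK"}),
            }
    return flagged


if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_LOG))
    # {'203.0.113.7': {'distinct_accounts': 6, 'successful_logins': ['dave']}}
```

The single-account failures from 198.51.100.9 are not flagged, because the rule keys on account diversity rather than raw failure count. Behind a shared egress (NAT, corporate proxy) many legitimate users share one IP, so in practice the threshold is raised for known egress points, or the rule is combined with the adaptive criteria discussed earlier (new device, unusual time).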
Don’t wait until you are attacked to react!