Offensive Security

3 Reasons Your Adaptive Authentication is Too Dumb to Protect You

Traditional authentication methods were set up for consistency. Whether your account is being accessed from your home computer or from a Russian café, if it was configured for passwords it would ask for the password. As risk-aware creatures, we understand the major risk difference here, so the idea of adaptive authentication was born to help machines make the same determinations.

The concept underpinning adaptive authentication is that the authentication mechanism should increase in strength — or “step-up” — during unfamiliar or high-risk situations. A sound approach, but most current implementations have a few major flaws.

1. Its Risk Awareness is Seriously Lacking

Most adaptive authentication does only rudimentary risk detection. If your bank doesn’t recognize your browser or IP address, it may challenge you for additional credentials. This captures a handful of attacks, but what about the multitude of other high-risk scenarios that this wouldn’t trigger?

The strength of adaptive authentication depends upon the intelligence to identify the maximum number of high-risk situations. With no baseline of “normal,” applications are limited to only a handful of factors to make any risk determination. It can’t adapt if it doesn’t know there is a reason to.

2. It’s Easily Predictable

Instead of adjusting authentication methods based on a range of risk indicators, current adaptive authentication defaults to a standard additional authentication method — typically security questions. This makes it easy to game.

It’s not difficult to figure out what conditions will prompt what authentication methods. With this knowledge, hackers can take pretty simple steps to either avoid adaptive authentication or in some cases deliberately trigger it if it provides an alternate route of attack.

3. It’s Not Stepping-Up; It’s Stepping-Down

One of the most common adaptive authentication tools is the security question. It is hardly a “step-up” in security: the answers to most of these questions are easily obtained by finding the target’s social media accounts. “Name of your first employer?” LinkedIn. “What high school did you attend?” Facebook. “Your favorite ice cream?” Twitter.

For security questions to be strong, they must be unique and rooted in aspects of your history that only you are likely to know or remember, but even that is getting difficult. Even questions such as “What was the last name of the first person you kissed?” won’t be difficult to surmise for younger generations that have documented their lives online (and are now the majority of consumers).

What does adaptive authentication look like?

With the integration of additional factors, such as environmental risks and user behavior, applications could gain awareness beyond IP address or basic system status and perform deviation detection that captures all kinds of risk that currently go undetected by so-called “adaptive” authentication.

Better analysis leads to a wider spectrum of responses that are appropriately correlated to the measured risk.

As more computing moves to mobile devices, adaptive authentication providers can leverage the significant amount of data that is readily available from existing mobile sensors to assess real-time risk and give adaptive authentication the intelligence to provide better protection.
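As an added illustration (not code from the original post or any product), the following Python sketch shows what the three fixes above look like together: a per-user baseline of “normal,” a score built from several independent signals rather than IP alone, and a graded response spectrum instead of a single predictable fallback. The signals, weights and thresholds are assumptions chosen for illustration; the impossible-travel flag is assumed to come from a separate geo-velocity check upstream.

```python
from dataclasses import dataclass

@dataclass
class Baseline:
    """Constructed per-user picture of 'normal', learned from past successful logins."""
    known_devices: set
    known_countries: set
    usual_hours: range        # local hours in which this user normally signs in
    typical_typing_ms: float  # historical mean inter-keystroke interval

@dataclass
class LoginAttempt:
    device_id: str
    country: str
    hour: int
    typing_ms: float
    impossible_travel: bool   # assumed to be set by an upstream geo-velocity check

# Assumed weights: each signal contributes independently, so a single unfamiliar
# factor is not enough to look like an account takeover, but several together are.
def risk_signals(attempt: LoginAttempt, baseline: Baseline) -> dict:
    signals = {}
    if attempt.device_id not in baseline.known_devices:
        signals["unknown_device"] = 30
    if attempt.country not in baseline.known_countries:
        signals["unknown_country"] = 25
    if attempt.hour not in baseline.usual_hours:
        signals["unusual_hour"] = 15
    # Behavioral deviation: typing cadence more than 50% away from the user's own norm.
    if abs(attempt.typing_ms - baseline.typical_typing_ms) > 0.5 * baseline.typical_typing_ms:
        signals["typing_deviation"] = 20
    if attempt.impossible_travel:
        signals["impossible_travel"] = 40
    return signals

def risk_score(attempt: LoginAttempt, baseline: Baseline) -> int:
    return min(sum(risk_signals(attempt, baseline).values()), 100)

def choose_response(score: int) -> str:
    """Graded spectrum of challenges correlated to measured risk (thresholds assumed)."""
    if score < 20:
        return "allow"
    if score < 45:
        return "push_approval"   # out-of-band approval on an already-enrolled device
    if score < 75:
        return "hardware_token"  # phishing-resistant possession factor
    return "deny_and_alert"      # block and hand to security operations for review
```

`risk_signals` returns the named factors that fired, so an alert to the SOC can explain *why* a login was blocked rather than only that it was.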

Jason Miller