After more than a decade of high-profile data breaches – in which the sensitive personal data of hundreds of millions of people were exposed to hackers – it’s clear that password-based authentication alone, albeit convenient, is not secure enough.
We all remember the biggest data breaches, the ones that made international headlines and did irreparable damage to some of the biggest brands in the world – names like Yahoo, Equifax, Target, Home Depot, and Uber.
How did these data breaches happen?
There are several reasons. In some cases, security systems require users to answer pre-determined security questions in addition to a username-password combo. If these have been leaked by a data breach or compromised in another way, it makes it easier for an attacker to gain access to an organization’s internal networks.
But even if there is consensus on the fact that passwords should be protected by hashing (a technique to delay password recovery after a data breach), in the post-breach aftermath, some organizations have admitted that some passwords were guarded only by weak hashing algorithms, or were stored in unprotected databases. The cherry on the cake for cybercriminals is the usual weak passwords of some users, which make them prone to being cracked in a brute force attack, and the proliferation of malware that specializes in credentials stealing.
One common remedy for the inherently unsecure username-password combo is second factor authentication (2FA). 2FA adds another layer of security on top of the password, and can take the form of one-time passcodes (OTPs) sent to a mobile phone via SMS text message or email, or a token generating app. This certainly raises the bar for attackers, since it is harder to attack two communication channels simultaneously. Unfortunately, 2FA also harms the user experience and usability, and in many cases causes user friction. Moreover, attackers are adapting to 2FA by hijacking a victim’s SIM card, as the now infamous SwimSwap attack demonstrates.
Can we do better? When users attempt to log into a service, there are many traces they leave behind that can help in thwarting the efforts of attackers. Information such as time and date, IP address, geolocation, device type, and browser version are useful for learning the normal patterns of legitimate users, in order to build up a user behavior profile over time. This user profile also helps to detect when certain user behavior deviates from the norm, and is classified as a risky anomaly.
For instance, if you live in New York City and typically connect from either home or work from a Mac device running Google Chrome, it would be suspicious to receive a login attempt that’s coming from a Windows device running Firefox, with an IP apparently belonging to a French internet provider at 2:00am ET. Granted, you might happen to be in Paris for work, but you probably won’t mind being challenged with a 2FA on those rare occasions.
This is an example of a Risk-Based Authentication mechanism (RBA), which typically uses machine learning to detect such anomalies, provides risk scores, and initiates another layer of security when necessary.
Another example of 2FA is behavioral biometrics, such as the way users move the mouse cursor, type on their keyboards, or tap away on their mobile devices, to aid in building a profile of legitimate user behavior.
Behavioral biometrics also has the advantage of minimizing user friction, for instance, when users are traveling and don’t want to jump through another security hoop just because they happen to be on the road.
Can we do without passwords, 2FA or RBA? Probably not. Passwords will be around as a convenient method, as they provide some measure of security. Two-factor authentication is necessary to protect against brute-force attacks and credential stealing. But by combining 2FA with an RBA feature, an organization gets the best of both worlds – effective antifraud protection while keeping the user experience friendly and user friction to a minimum.
Working in tandem, they make it difficult for end-user accounts to be penetrated by advanced attackers, like the kinds generating headlines around the world.
To learn more about how RBA complements second-factor authentication, click here.