Rethinking Adaptive Authentication
Adaptive Authentication is one of the fastest growing approaches in the field of multifactor authentication.
Adaptive systems take advantage of contextual and behavioral aspects to assess the risk of an access attempt and adapt the type of authentication accordingly.
For instance, let’s say an access request is emanating from an unusual location or at an unusual time, strong indicators of a digital identity compromise. An adaptive system can be programmed to view this as suspicious activity and demand additional authentication factors. In addition to location, adaptive systems can use a variety of behavior measuring techniques to detect potentially dangerous activity. These include everything from keystroke sequences to the pattern of services and tabs opened on a site. Other forms of adaptive systems, instead of employing preset protocols, assess user activity with computer algorithms, flagging actions that don’t jive with the user’s typical behavior or are otherwise suspicious. When any of these patterns are identified, the system can then interrupt a session until more authentication is provided.
At a first glance, this method seems like an ideal balance of the two most important factors of authentication – UX and risk. However, it isn’t all it’s cracked up to be. There are more elegant solutions to this UX-risk dichotomy available in the market today that offer high-assurance password-free authentication.
Let’s examine and compare the methods.
While adaptive systems give a network an added layer of protection, they do not replace other authentication methods that are necessary to log in. Users still need to deal with a password. This means remembering and frequently changing long and complicated sequences of numbers and digits.
alternatively, password less methods completely eliminate passwords, and with that, the need to maintain, replace, and manage them. Authentication is always seamless, requiring only the response to a push notification.
A basic idea lies at the heart of the security concept of Adaptive Authentication: user access to company resources should be easy.
How easy? As easy as the risk level for any given access permits. To this end, an adaptive system needs to assess the risk associated with any request and keep authorization requirements as low as possible.
Opposing this aspiration for smooth access is the need to maintain high-security assurance to protect company assets. In an adaptive system, these two considerations will always be in conflict. Lowering your walls may make it easier for your own people to get in, but also opens the doors for intruders.
But there are other alternatives. Secret Double Octopus authentication, for example, is based on Secret Sharing technology, alleviates the need to work within the UX-security schism. The most powerful and reliable authentication is achieved from the initial login. No additional authentication steps are required through the rest of session.
A major consideration in deploying any system of authentication is the total cost of owning and managing the tools, or TCO. The more factors required in a system, the more TCO goes up. Some factors like hardware tokens need to be procured and distributed to each individual user. Others like passwords, while not requiring an additional device, still divert considerable resources to maintain. Company IT needs still needs to handle password management and replacement. According to the biggest names in industry research such as Gartner, HDI, and Forrester, the cost of the average call to technical support for password reset can range from $17 to $25.
Adaptive Authentication, far from being an alternative, only add more weight to the workload of IT departments, who now have to manage the adaptive layer of the system in addition to the other factors.
Password less multifactor systems., however, saves cost while achieving the highest level of authentication security. The fact that an estimated 20 to 50 percent of helpdesk calls are password related, means eliminating password management translates into substantial savings even for small organizations. All other costs associated with passwords, including storing, and encrypting, are also eliminated.