Every day, employees use so many applications at the workplace to do their jobs. It is indeed difficult to remember so many different passwords that each user has for multiple accounts. Those few whose identities have been stolen in the past know the value of security and privacy.
As a result, the effort to construct lengthy passphrases, use a password manager, or turn on multi-factor authentication (MFA) is not considered to be measurably beneficial and instead done unwillingly. Doing so creates friction in the sign-in process. Of course, that’s the point; pressure isn’t one-sided in the case of authentication. It goes beyond attackers who try to gain unauthorized access to user accounts, IT apps, and databases rich in confidential information. And while security teams have sought to inject more leverage into the access control mechanism in the past, they have been met with resistance. Businesses want speed and responsiveness, not dissatisfied customers who are unable to access the required resources.
It all Starts With Passwords
A small subset of security teams have successfully implemented mandatory 2FA / MFA and employee password managers, recognizing the bleak reality of the data security threat environment, but adoption rates for these security enhancements remain poor due to the aforementioned friction concerns. As a consequence, these companies are back to where they began, leaving major gaps in user authentication and automatic access to devices. The simpler it is to access accounts for employees/customers/authorized users, the easier it is for cybercriminals to strike. When they are in, all sorts of harm can be done across business networks by attackers. It is also not an option to do nothing, but many security teams feel stuck between trying to insist on the highest safety practices and bowing to the low-friction authentication burden.
Attribute-Based Authentication
The key benefit of authentication based on behavior and attributes is that it works seamlessly on the user’s part in the background without intentional effort. In turn, it removes the security burden off the user and places it back in the hands of the security team. The initial username + password combination login can remain. Still, the first login is only one security layer, not the last or definitive word on access control.
In the decision to allow system access in an attribute-/behavior-based authentication setting, additional factors are weighed more heavily: operating system, BIOS UUID, patch levels, trends for when the user/system resource accesses other system resources (normal/expected vs. abnormal/unexpected), patterns of how a user/system resource accesses different system resources (e.g., a sudden change in bandwidth consumption). The use of additional variables in authentication decisions decreases the possibility of attackers being able to snatch and turn bits of “what you know” (i.e., username + password) into a system compromise. Decisions using an aggregate of attributes that are incredibly hard to reproduce (e.g., cryptographic recognition, behaviors, and patterns) pave the way for greater security without friction being added.
Persistence is another advantage of behavior-/attribute-based authentication. Attributes and behavior are inextricably connected with the tools of devices. That is to say, what / who is trying to communicate cannot be abstracted from them. This not only leads to better credentials, but it also means that systems can be configured to confirm access constantly, again, without a human being entering the information. Credentials are a mixture of what an entity is (identity) and how it behaves, and permissible access depends on the network in which the entity attempts to communicate (environment) and what the entity is attempting to do (transaction).
Improving Access Management
Such identity and access management, completely automated, uses some form of machine learning to continuously improve the accuracy of authenticating tools. Unlike typing a combination of username/password, then potentially entering a secondary code, token, or biometric, authentication based on attributes and behavior is invisible to the user and is less likely to be vetoed by the executive team as too intrusive. As a consequence, without having to convince someone to change policies, security teams will strengthen authentication. Thus, it is simple, seamless, and frictionless.
