A little over a month ago, we released Adaptive Authentication, our machine learning technology to identify high-risk logins that require multifactor authentication. Since then, we’ve been getting a lot of interest in it — and a lot of questions. So we thought we’d put out a guide to three common questions we get.
1. How does OneLogin Adaptive Authentication use machine learning to secure access to enterprise applications?
Because passwords are easily compromised, multi-factor authentication (MFA) is critical for strengthening security. But hackers are constantly thinking up new types of attacks. Traditional MFA tools use static rules that can’t keep up with today’s constantly evolving security risks. To help combat this, Adaptive Authentication uses machine learning to help you keep one step ahead of hackers by scoring the risk of each login attempt, then challenging users making high-risk logins to authenticate using MFA.
Machine learning is also used to find anomalies at the time of login. Anomalies can be related to the user’s network, geographic location, device fingerprint, velocity, or time of access. If a user always logs in from the same network and location, with the same device, at the same time, that’s typically a low risk login. But if something seems off — for instance, if they’re coming from a known botnet, or a new location or device — they will be challenged for MFA.
Adaptive Authentication is especially useful for preventing phishing attacks. Typically a phishing attack tries to install malware on a user’s computer. From there the malware, running on a trusted company network, may try repeatedly to log into company apps. Eventually the malware finds the right password, and when it does, it isn’t challenged for MFA, because it’s running on a trusted company network.
Compare this to Adaptive Auth: the malware would be flagged as a new device fingerprint, and would get challenged for MFA. This malware, running on a computer, obviously can’t respond to an MFA notification on a mobile phone. Thus, the hacker is prevented from accessing company apps.
2. Reducing friction in the authentication process seems to be a new trend. Is this the case? What’s prompted security solutions providers to focus on usability?
For IT, acquiring products to increase security is only half the battle. The other half is getting people to use those technologies. Users aren’t going to adapt security products that reduce their productivity.
OneLogin is built on the premise that security has to be frictionless. Our first product was Single Sign-on, which saves users the equivalent of three business days per year. Then we added Push MFA, which makes multi-factor authentication as easy as clicking an alert on your phone or watch. With Adaptive Authentication, we make it so that low-risk logins aren’t forced to use MFA. This way you get both increased security and productivity.
3. How do you see machine learning transforming the identity and access management sector in the next few years? What emerging trends will you be watching?
We believe that machine learning could eventually transform the identity and access management market by expanding the range of signals that we feed into our machine learning algorithms to find different kinds of risks. These new signals could include biometric data. This will make it increasingly difficult for hackers to defeat authentication systems.
For this reason, it will become increasingly important for IT teams to understand that they need not just MFA, but MFA underpinned by machine learning. IT buyers need to be aware that, just like some vendors have engaged in “cloud-washing”, some security vendors might start to make unsubstantiated claims about how machine learning, or its more sophisticated cousin, Artificial Intelligence, is embedded into their products. It’s critical to ask your vendors tough questions about how machine learning or AI actually improves their products.
We’d love to tell you more about how OneLogin Adaptive Authentication can protect your business. Please contact us today to talk to a cloud security specialist.
An earlier version of this article originally appeared in BizReport.