Stuart Sharp, OneLogin VP of Product, introduced us to the topic of Advanced Authentication in his blog Advanced Authentication – The way forward, but what does this actually mean in the enterprise and what best practices can we follow to ensure that we are both managing and deploying it effectively?
As a reminder, and to borrow some words from Stuart, “Advanced Authentication is a cybersecurity approach that requires the use of additional security methods, beyond the traditional ones, to authenticate a user’s identity. Advanced Authentication makes it more difficult for hackers to gain unauthorized access to an organization’s accounts and information.”
Users come in many forms and are not just our traditional internal workforce (B2E). External customers need to be considered within the Customer Identity and Access Management (CIAM) space for B2C and B2B use cases too. Simple and adaptable tools are needed to ensure ease of use and deployment to increase the likelihood of repeat visitors.
In this blog, I will explore some best practices that can be adhered to when deploying Advanced Authentication, ensuring that we can authenticate users in a reliable, robust and secure way.
Best practices to deploy Advanced Authentication
- Conduct a risk assessment.
Conducting a comprehensive risk assessment is an essential first step in implementation. By identifying potential threats and vulnerabilities, determining the level of protection required for different applications, assets and data, and establishing stronger authentication workflows for individuals with access to more sensitive information, organizations can enhance their security posture and mitigate risks effectively.
We first need to identify any potential threats and vulnerabilities. This involves assessing the organization’s existing authentication infrastructure, systems and processes to identify any weaknesses or loopholes that can be exploited by malicious actors. This could include outdated software, weak authentication methods, bad code, or unencrypted communication channels. By understanding these potential risks, organizations can develop appropriate countermeasures to address them.
It is essential to determine the level of protection needed for different assets and data. Not all applications and data require the same level of security. For example, sensitive customer information, intellectual property or financial applications may require stronger authentication protection compared to accessing a line of business employee application or browsing the latest targeted offers. By categorizing applications and data based on their sensitivity and assigning appropriate protection levels, organizations can allocate their resources effectively and prioritize security measures accordingly.
Establishing stronger authentication workflows for individuals with access to more sensitive information is another critical aspect of deploying Advanced Authentication and this of course also involves considering implementing role-based access controls (RBAC), governance and attestation programs to ensure that individuals only have access to the information and systems necessary to complete their tasks. By assigning specific roles and permissions to users, organizations can limit the potential damage caused by compromised credentials or insider threats.
- Implement Multi-Factor Authentication (MFA).
Incorporating MFA into every deployment is an implicit necessity in the realm of Access Management today, considering the insufficient security offered by relying solely on passwords.
Requiring at least two enrolled strong authentication factors ensures an extra layer of security beyond simply a password. Factors I would recommend include:
- Physical tokens or security devices, such as Yubikey or Google Titan tokens, generate digital signatures that provide an additional layer of identity security.
- Biometric factors like fingerprints or facial recognition, using readers and cameras that are now standard on most modern laptops and mobile devices.
- Trusted Devices through device enrollment, or the presence of an issued and verifiable certificate on the device. This gives us the next level of security, as we can ensure that only users we know, using devices we trust, can access organizational assets.
The first two factors above provide unique device fingerprints that can offer an elevated level of security, with the last one giving us the ability to provide a ‘belt and braces’ approach to further secure your environment.
When choosing authentication factors, it is important to consider the sensitivity of the data being protected. For highly sensitive information, using a combination of multiple factors, for example both physical token and Trusted Device, can provide the highest level of security. However, for less sensitive data, a combination of a strong password and a TOTP (Time-based One-Time Passwords) mobile authenticator app code or PUSH, may be sufficient.
Looking beyond using a password and towards the paradigm of Passwordless authentication, we can leverage a combination of some of the strong factors described above in place of the password to provide end-users and customers with a robust and simple authentication flow.
While security is paramount, it is also important to consider user experience, especially in the CIAM world. Organizations should strive to strike a balance between security and accessibility to encourage user adoption. Factors that are easy to use and readily accessible, such as mobile-based authentication or biometrics on commonly used devices, can improve the overall user experience while maintaining a high level of security. Furthermore, by adding Machine Learning (ML) technologies into the mix, we can have our cake and eat it too. This, of course, leads me onto my next point.
- Adopt Adaptive Authentication.
With hacking and account takeover techniques getting increasingly advanced, deploying adaptive authentication is becoming crucial in modern security practices, to not only provide a higher level of security but also to maintain a positive user experience. Adaptive authentication allows organizations to tailor their authentication levels based on dynamic risk calculations, enabling them to skip multi-factor authentication (MFA) when the risk is low, apply step-up authentication when needed or deny access altogether.
The importance of adaptive authentication lies in its ability to provide a more dynamic and flexible approach to security. By leveraging machine learning along with contextual information such as trusted devices and locations, known risky access methods and user behavior patterns, solutions can now provide the ability to make informed decisions about the appropriate level of authentication required. This not only streamlines the user experience but also minimizes unnecessary authentication steps, reducing friction and enhancing productivity.
Furthermore, adaptive authentication enables organizations to set appropriate rules and policies for authentication decisions on a per-user group basis. This involves leveraging a solution that allows the creation of automatic authentication workflows based on risk assessment. By defining specific rules and policies, organizations can determine when to trigger step-up authentication based on certain risk indicators. For example, if an unusual login attempt is detected from an unfamiliar location or device, the system can automatically prompt the user for additional authentication measures, such as MFA or biometrics.
- Regularly monitor and analyze authentication activities and patterns.
While IAM (Identity and Access Management) platforms usually contain their own logging data and dashboards, more detailed and centralized data correlation can be achieved through integration with a Security information and Event Management tool (SIEM), for example Splunk or Sumologic.
With real-time alerting of suspicious or abnormal behavior, organizations can quickly identify potential security threats and take appropriate actions. These alerts can notify administrators or security teams of unauthorized access attempts, unusual login patterns, or any other suspicious activities, enabling them to investigate and mitigate potential risks promptly.
Regular monitoring and analysis of authentication activities helps to ensure the ongoing effectiveness of security measures, providing valuable insights for enhancing and adapting the overall authentication process.
- Train and educate to minimize breaches.
Providing end users and customers with the knowledge and training they need is crucial when deploying advanced authentication. It helps minimize breaches, enhances overall security, and drives adoption of stronger authentication practices.
One key aspect of end-user training is to provide clear, user-friendly and comprehensive documentation on how to set up and use advanced authentication methods. This documentation should include step-by-step instructions, screenshots, and troubleshooting tips to ensure users can easily understand and enroll in these security measures.
In addition to documentation, raising awareness about the importance of security and the benefit of advanced authentication is crucial. This can be achieved through training sessions, online tutorials, or regular security awareness campaigns. Organizations should educate users on the risks associated with weak authentication practices, such as password reuse or sharing sensitive information. By emphasizing the benefits of advanced authentication, such as increased protection against unauthorized access and data breaches, users can better understand the value of these security measures and become more motivated to use them. When it comes to CIAM, many of these methods can be utilized, but targeted in different ways: for example email campaigns, interstitial screens or blog posts.
To gain traction and understanding, organizations should highlight real-world examples and case studies of security breaches and their consequences. By promoting a culture of security awareness and vigilance, organizations can foster a sense of responsibility among users and encourage proactive participation in protecting sensitive information.
Organizations should update training materials regularly and conduct ongoing refresher sessions to keep everyone informed about emerging threats and evolving best practices. While training and documentation of what to look for is important, you should also provide channels for users and customers to seek support or report any suspicious activities, ensuring that they have the resources to address any concerns or incidents effectively.
Overcoming deployment challenges
When deploying advanced authentication, organizations will need to overcome three primary challenges to ensure successful implementation.
- User experience: It is essential to strike a balance between security and accessibility to provide a positive user experience. Advanced authentication methods should be user-friendly, intuitive and easy to use. Organizations should prioritize solutions that offer a seamless authentication process, minimizing the number of steps and reducing user friction. Clear instructions, user-friendly interfaces, and options for self-service contribute to a smoother user experience. This is even more important when we look at CIAM deployments as we want customers to keep on coming back to purchase the goods and services we are providing.
- Integration with existing systems: We should always consider compatibility with systems already in place, especially when we look at legacy systems and applications. This ensures a cohesive authentication framework across our entire infrastructure, reducing complexity, and enhancing overall security. Adhering to industry standard authentication methods is key here, so recoding application frontends to adopt OIDC (OpenID Connect) or SAML (Security Assertion Markup Language) flows may well be needed. Of course, many vendors provide toolkits to make this process easier.
- Addressing potential vulnerabilities: Regular updates and patching of applications and code is essential to address potential vulnerabilities. Organizations should stay up to date with the latest security patches, firmware updates, and software releases from their authentication solution providers. Conducting penetration testing and vulnerability assessments periodically helps identify any weaknesses or vulnerabilities in the authentication infrastructure, enabling organizations to take timely corrective actions. Using IDaaS (Identity as a Service) tooling bypasses much of this work as vendors provide much of the authentication architecture as a service and, therefore, keep on top of testing and updating themselves.
So, what next then? Well, in conclusion, Advanced Authentication is of paramount importance in today’s cyber security landscape. By reviewing its significance, we can see that Advanced Authentication is an essential measure to protect sensitive applications, assets and data from potential threats and vulnerabilities. It offers several benefits, including enhanced security, improved user experience, and of course, ensuring compliance with regulatory requirements.
Adopting and deploying technologies to support Advanced Authentication is key to reinforce these advantages. As such, organizations should emphasize the importance of Advanced Authentication as a fundamental component of their overall security strategy. By adopting these methods, not only can organizations significantly enhance their security posture, reduce the risk of unauthorized access or data breaches, and protect valuable assets and data, but they can also deliver a better user experience, mitigate risks effectively and maintain trust with their users, customers and stakeholders in an increasingly digital world.