Hey, you! Yes, you! Is it really you?
That’s the question that you get indirectly asked each and every time you click on a log in, or sign in button. Logging in into accounts is something we all do many times a day, at many different places, on many different devices.
How do we log in into our various accounts on the internet? Enter the username, then the password, then click login. Simple as that.
But what if your username and password became compromised?
What if there was a data breach and your credentials were leaked? What’s the solution for that?
Often, people will think that the solution is to enable a two factor authentication method like SMS one time passwords.
But is it really safe? SMS is an age old protocol which sends data unencrypted. They can be intercepted even before they reach the user’s mobile. So to be really safe in today’s complex world just two factor authentication might not be sufficient.
To overcome this, the solution is to use multi factor authentication which adds more steps before a user is authenticated. But facing so many steps before the authentication might drastically reduce the user friendliness of the system. That’s where the Adaptive Authentication comes into play.
Here’s what we’ll discuss:
1. What is adaptive authentication and why use it
Adaptive Authentication is a way that multifactor authentication can be implemented to allow the selection of correct authentication factors, based on a risk profile and patterns for adapting according to the situation. For a low risk situation it might use a basic username password based authentication, while for a higher risk situation, it might prompt the user for another step of authentication.
Authentication steps usually belong to 3 categories:
- Something you know such as username and password.
- Something you have such as an OTP.
- Something you are such as face, or fingerprint.
Multi factor authentication is done by combining two or more of the above factors. However, using all the factors all the time can reduce the usability of the application or service. Adaptive authentication can decide which and how many steps need for a user to be authenticated depending on the situation.
Adaptive authentication policies can be deployed in 3 ways:
- They can be manually set up by a system administrator. The admin defines a risk level for different authentication factors based on user role, user location or the importance of the service which is being protected.
- Giving the system the capability to identify the user’s typical behaviour pattern over the time and use authentication factors based on that. For example, most users will log into to the system from a one country or a geographic location for a prolonged period of time. If a login request suddenly came from a different geographic area, the system would flag this as unusual, adapt to the situation and use more factors to authenticate the user.
- Use a combination of static and dynamic policies by using both above methods.
Adaptive authentication works based on a user profile. The profile consists of user’s geographical location, devices commonly used to log in, the user’s role and lots of other related information. Each time a user tries to log in, the system will calculate and assign a risk score for the request based on the user profile. Using this risk score, the system decides the minimum amount of authentication steps needed to validate the user.
The more accurately the system identifies a situation, the more it helps it determine an accurate risk score. That leads to an adaptive authentication system which is user friendly and more secure. This is where the intelligent adaptive authentication comes into the picture.
2. What is intelligent adaptive authentication (IAA)
An Intelligent Adaptive Authentication (IAA) system takes calculating the risk to another level. For example, if a user has a registered device, that device would be considered as a trusted by the system. If that device was then rooted or jailbroken, an intelligent adaptive authentication system would identify this and no longer trust it, even though it’s technically the same registered device. The system would then assign a higher risk score for the login request coming from that device, setting authentication steps accordingly.
An intelligent adaptive authentication will be always collecting users behavioural information. As an example, data such as from which geographic locations the user usually logs in, and at which times of the day a user logs in across all platforms and devices will be collected. Then all of this data will be used to create behavioral models and risk profiles. To make these accurate behavioral or risk models and calculate risk scores, some intelligent adaptive systems will even make use of machine learning techniques.
3. How Intelligent Adaptive Authentication Works
Intelligent Adaptive Authentication is a combination of authentication and machine learning technologies. This usually involves a robust risk analytical engine powered by machine learning to assess a user’s risk profile. This starts with collecting user or groups of users behavioral and other relevant comprehensive data from various digital sources and third party data sources like fraud/risk detection tools as well. Here, behavioral data is really important, as it helps better understand a user’s natural habits, allowing the detection of anydeviation or abnormalities from known patterns.
Generally, gathered data is integrated with a real time risk analytics engine powered by machine learning plus custom rules to run accurate risk assessments. Specially machine learning algorithms are used to identify new fraud schemes, anomalous patterns of activity, or suspicious activity for a single user or group of users. With the processing of data with machine learning, a risk profile score or a similar mechanism is used to determine the next steps of the authentication process. Subsequently depending on the determined risk profile score or other mechanism, authentication steps/actions will be dynamically applied to users authentication process and users are required to comply with those steps/actions to complete the authentication process.
4. How intelligent adaptive authentication enhance conventional adaptive authentication
Conventional adaptive authentication would be powerful enough to identify the associated risk and provide the user with appropriate levels of authentication in day to day scenarios. But the real question is, does it really address all the challenges and issues such as usability, security, efficiency, compliance etc. while providing optimal security? This where the intelligent adaptive authentication comes in handy.
Unlike conventional adaptive authentication mechanisms, intelligent adaptive authentication is somewhat based on many pre-processed factors and heavily trained machine learning models which can provide more accurate and most suitable results. This uses a broad range of inputs and additional data to calculate risk scores and determine the most appropriate security action for a given situation. It is quite proven that intelligent adaptive authentication offers not only the appropriate level of security but also the users with seamless user experience with today’s constantly evolving security risks.
5. Real-World Scenario using IAA
Let’s take a look at a real world scenario where intelligent adaptive authentication can be put into use.
Tom lives and works in central London. He resides in his own house with his family. There’s a supermarket and a few ATMs near his house. His normal routine is that he withdraws cash from those ATMs when he visits the supermarket, or sometimes on the way to his office. He spends his money using a combination of credit and debit cards at various locations around the city.
Let’s say for an example, Tom’s bank core banking system is equipped with an intelligent adaptive authentication component and whenever Tom makes a transaction following background steps take place.
When Tom makes a transaction, an intelligent adaptive authentication component in the banking system collects relevant data including geo-locations, device and integrity of the device used for the transaction, duration and time which the transaction takes place and other contextual data. Meanwhile it collects data on Tom’s behavior across digital channels to build an accurate model of the user. And these systems always collect behavioral data to better understand user’s habits and behaviours, so that system is capable of detecting transactions deviating from these known patterns.
As the next step, the system makes use of existing data from different sources like history data or third party systems data like fraud detection systems, various security systems etc to model a more complete picture of the situation.
With all the data surrounding the transaction, the banking system uses a combination of machine learning algorithms to identify new fraud schemes, anomalous patterns of activity, or suspicious activity for a single user or group of users to determine their risk profile score to decide on the authentication steps which the user needs to follow to complete the transaction.
With the risk profile score as a guide, the authentication steps are dynamically applied to the transaction process in real time. If additional security measures are considered necessary for this transaction, Tom must take necessary actions and he is prompted to authenticate himself in one form or another to be authenticated in the banking system
However, it’s quite important to understand that this transaction may be determined to be within Tom’s normal pattern of behavior. In that case, no additional security steps will be initiated.
By now, it should be clear how intelligent adaptive authentication works. It highlights when and where adaptive authentication can be applied. With ever evolving and rapidly developing machine learning and artificial intelligence technologies, adaptive authentication can become increasingly intelligent in identifying risk factors, different situations and calculating risk scores.
Internet usage continues to grow. There are more users signing up for numerous online services each day. With this increase comes an increase in fraud. Hackers are finding more and more complex ways to breach systems, or breach user data. Therefore, the importance of proper authentication mechanisms has become paramount in today’s world.
With the help of machine learning and artificial intelligence, next generation intelligent adaptive authentication systems will be able to not only prevent threats when something is actually happening, but they will be able to anticipate threats and get the counter measures ready even before someone tries to log in to a system. With all these examples, it becomes very clear that intelligent adaptive authentication is the way forward, and it can significantly increase the security of the internet services without compromising usability. Usability and security – it’s a win win for service providers and users.