Every employee now signs in to many applications and websites during the working day, and creating and remembering that many long passwords is a chore. Most people do not want to maintain complex passwords at all; only those whose identities have already been stolen tend to appreciate what security and privacy are really worth.
As a result, employees are reluctant to construct long passphrases, adopt a password manager, or turn on multi-factor authentication (MFA): the benefit is not something they can see or measure, while the friction these controls add to sign-in is. That friction is not one-sided, either. It slows down legitimate users as well as the attackers who try to gain unauthorized access to user accounts, IT applications, and databases full of confidential information. And whenever security teams have tried to tighten the access control mechanism in the past, they have met resistance.
Passwords: It All Begins Here
Some organizations have mandated 2FA/MFA and company-wide password managers, recognizing how bleak the data security threat environment is, but adoption of these controls remains poor elsewhere because of the friction concerns described above. Those companies are back where they started, with major gaps in user authentication and in how access from devices is granted. When accounts can be opened with a single weak factor, they are as easy for cybercriminals to get into as they are for employees, customers, and other authorized users, and once inside an attacker can do all sorts of harm across the business network. Doing nothing is not an option either. So many security teams feel stuck between insisting on the strongest practices and bowing to the demand for low-friction authentication.
The Argument for Attribute-Based Authentication
The key benefit of authentication based on behavior and attributes is that it works in the background, seamlessly and without deliberate effort on the user's part. That takes the security burden off the user and places it back in the hands of the security team. The familiar username + password login can remain, but it becomes the first security layer, not the last or definitive word on access control.
In an attribute-/behavior-based environment, additional factors feed the decision to allow system access: operating system, BIOS UUID, patch level, the times at which a user or system resource normally accesses other resources (normal/expected versus abnormal/unexpected), and the patterns in how it accesses them. Using these additional variables in the authentication decision makes it far less likely that an attacker who snatches the "what you know" factor (the username + password) can turn it into a system compromise. Decisions made on an aggregate of attributes that are very hard to reproduce together (cryptographic recognition, behaviors, and patterns) raise security without adding friction. One caveat: device attributes such as the BIOS UUID only carry weight when they come from an attested or managed source, because a value the client merely reports about itself can be copied along with the stolen password.
Persistence is another advantage of behavior-/attribute-based authentication. Attributes and behaviors are bound to the devices and tools that produce them; whatever is trying to communicate cannot be separated from them. This not only yields stronger credentials, it also means systems can be configured to confirm access continuously, again without a human having to enter anything. A credential becomes the combination of what an entity actually is (identity) and how it behaves, and permissible access depends on the network through which the entity is communicating (environment) and on what it is trying to do (transaction).
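The two paragraphs above describe a policy that aggregates device attributes with behavioral signals and re-evaluates access on every request. The following Python is an added example of what such an engine looks like; it is not code from the original article or from any product. The attribute names, risk weights, thresholds, the enrolled device, the user's baseline, and the five request scenarios are all constructed for the illustration, and the case of an enrolled device id arriving with a different BIOS UUID (reimaged or spoofed) is handled as the article's reasoning implies, by no longer treating the password alone as sufficient.

```python
"""Attribute- and behaviour-based access decisions, re-evaluated per request.
Added illustration, not the article's code. All names, weights, thresholds
and sample data below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass(frozen=True)
class Device:
    os: str
    bios_uuid: str      # only meaningful if attested (MDM/TPM), not self-reported by the client
    patch_level: int    # assumed YYYYMM of the last applied update


@dataclass
class UserBaseline:
    """What 'normal' looks like for one user; in practice learned from history."""
    devices: Dict[str, Device]        # enrolled device id -> attributes recorded at enrolment
    active_hours: Tuple[int, int]     # inclusive UTC hour window
    usual_resources: Set[str]
    max_distinct_per_window: int = 5  # more distinct resources than this per window looks like enumeration


@dataclass(frozen=True)
class Request:
    device_id: str
    device: Device      # attributes presented with this request
    when: datetime
    resource: str
    action: str         # "read", "write" or "export"


@dataclass
class Session:
    """Scores every request, so a hijacked session degrades instead of staying trusted."""
    baseline: UserBaseline
    min_patch_level: int
    window: timedelta = timedelta(minutes=10)
    recent: List[Tuple[datetime, str]] = field(default_factory=list)

    def score(self, req: Request) -> Tuple[int, List[str]]:
        """Return (risk score, reasons); higher means less like the enrolled identity."""
        score, reasons = 0, []
        known = self.baseline.devices.get(req.device_id)
        if known is None:
            score += 40; reasons.append("unknown device")
        elif known.bios_uuid != req.device.bios_uuid:
            # Same device id, different hardware identity: reimaged or spoofed, treat as unknown.
            score += 40; reasons.append("hardware identity changed on enrolled device")
        if req.device.patch_level < self.min_patch_level:
            score += 15; reasons.append("patch level below policy")
        lo, hi = self.baseline.active_hours
        if not lo <= req.when.hour <= hi:
            score += 10; reasons.append("outside usual hours")
        if req.resource not in self.baseline.usual_resources:
            score += 15; reasons.append("unusual resource")
        # Behavioural signal: distinct resources touched inside the sliding window.
        self.recent = [(t, r) for t, r in self.recent if req.when - t <= self.window]
        self.recent.append((req.when, req.resource))
        if len({r for _, r in self.recent}) > self.baseline.max_distinct_per_window:
            score += 30; reasons.append("resource enumeration pattern")
        if req.action == "export":
            score += 10; reasons.append("sensitive transaction")
        return score, reasons

    def decide(self, req: Request) -> Tuple[str, int, List[str]]:
        score, reasons = self.score(req)
        verdict = DENY if score >= 50 else STEP_UP if score >= 20 else ALLOW
        return verdict, score, reasons


# Constructed baseline: one enrolled laptop, office hours, a handful of usual apps.
LAPTOP = Device("Windows 11", "4c4c4544-0031-4a10-8057-b3c04f4e3132", 202405)
BASELINE = UserBaseline({"lt-0421": LAPTOP}, (7, 19), {"crm", "wiki", "mail", "jira", "git", "ci"})


def demo() -> Dict[str, Tuple[str, int]]:
    """Run five constructed scenarios and return {name: (verdict, score)}."""
    t = datetime(2024, 6, 3, 10, 0, tzinfo=timezone.utc)
    new = lambda: Session(BASELINE, min_patch_level=202404)
    out = {}
    out["normal"] = new().decide(Request("lt-0421", LAPTOP, t, "crm", "read"))[:2]
    # One weak signal on its own (off-hours read of a usual app) is tolerated.
    out["off_hours"] = new().decide(Request("lt-0421", LAPTOP, t.replace(hour=3), "crm", "read"))[:2]
    # Enrolled device id but a different BIOS UUID: the password alone no longer suffices.
    cloned = Device(LAPTOP.os, "00000000-0000-0000-0000-000000000000", LAPTOP.patch_level)
    out["uuid_mismatch"] = new().decide(Request("lt-0421", cloned, t, "crm", "read"))[:2]
    # Unknown, unpatched machine exporting payroll data at night: several signals stack up.
    stranger = Device("Ubuntu 22.04", "9f1e2d3c-4b5a-4697-8877-665544332211", 202401)
    out["stranger_export"] = new().decide(
        Request("dev-unknown", stranger, t.replace(hour=2), "hr-payroll", "export"))[:2]
    # Trusted device, usual hours, but walking through six apps in six minutes.
    s, last = new(), None
    for i, r in enumerate(["crm", "wiki", "mail", "jira", "git", "ci"]):
        last = s.decide(Request("lt-0421", LAPTOP, t + timedelta(minutes=i), r, "read"))
    out["enumeration"] = last[:2]
    return out


if __name__ == "__main__":
    for name, (verdict, score) in demo().items():
        print(f"{name:16} {verdict:8} score={score}")
```

The point of the last scenario is the "persistence" the article describes: the device, hours and every individual resource are all normal, and only the per-request re-evaluation of the access pattern notices that something is walking through the environment. The weights are deliberately arranged so that a single weak signal never blocks a user, while several weak signals or one strong one force a step-up or a denial.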
The Obvious Advantages
Such identity and access management is fully automated and uses some form of machine learning to keep improving the accuracy of the authentication decision. Unlike typing a username/password and then possibly a secondary code, token, or biometric, attribute- and behavior-based authentication is invisible to the user, so it is less likely to be vetoed by the executive team as too intrusive.
As a consequence, security teams can strengthen authentication without having to convince anyone to change policy. People can even keep their passwords. It is straightforward, seamless, and frictionless, and it improves both data security and the user experience.