PassMark’s technology employs user-selected watermarks to distinguish legitimate Web pages from phishing scams, plus back-end anti-fraud analytics that spot suspicious log-in attempts. RSA calls this multipronged effort “adaptive authentication,” but it is more commonly known as “risk-based authentication.”
“It’s the concept of different types of authentication based on context,” RSA’s Young says. “Who are you? Where are you in the session? What’s your typical account behavior?”
Among the factors that anti-fraud vendors consider are time of day, the IP address and kind of computer used, and geographic location. Although these measurements aren’t foolproof, they’re highly accurate in identifying most users, experts say.
“My wife always banks online at home,” says Nico Popp, vice president of authentication services at VeriSign, which bought fraud detection company Snapcentric in February. “She’s going to have a very stable cluster of behaviors: the same kind of browser, the same ISP, and she always banks on Saturday morning. It’s a very clear pattern.”
If Mrs. Popp tries to log in from Korea on a different machine with non-English-language settings, it should set off alarms, Popp says. On the other hand, Popp himself is more of a globetrotter; for his profile the geo-location information is less reliable. But he does always connect from the same laptop, so the device settings and session information are just as powerful, he says.
Proceed with confidence
The combination of fraud detection and risk-based authentication is powerful, Popp says, because it is invisible to users under normal circumstances but springs to life when the risk associated with user behavior increases, as in the case of money transfers or sudden account changes.
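To make the mechanics concrete, here is an added toy risk scorer (example code written for this piece, not any vendor's product and not code from the article). It builds a behavioral baseline from a user's past logins using the factors the vendors above mention (browser, ISP, country, weekday, device, language settings), scores a new attempt against that baseline, and then decides whether to let the session proceed silently, demand a second factor, or block. It also covers the two points that follow: sensitive actions such as a money transfer get a lower step-up threshold, and the confidence earned at login decays with session age. The login records, attribute weights, thresholds and the half-life are all constructed assumptions, not values from the article.

```python
"""Toy risk-based authentication scorer (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    browser: str
    isp: str
    country: str
    weekday: str      # "Mon" .. "Sun"
    device_id: str
    lang: str         # browser language setting


# Constructed history for a user with a very stable pattern: same browser,
# same ISP, same home machine, almost always Saturday morning.
HISTORY = [
    Login("Firefox", "ISP-A", "US", "Sat", "dev-home", "en-US"),
    Login("Firefox", "ISP-A", "US", "Sat", "dev-home", "en-US"),
    Login("Firefox", "ISP-A", "US", "Sat", "dev-home", "en-US"),
    Login("Firefox", "ISP-A", "US", "Sun", "dev-home", "en-US"),
]

# Assumed weights: how much a mismatch on each attribute adds to the risk
# score. A globetrotter's profile would lower "country" and lean on "device_id".
WEIGHTS = {"device_id": 30, "country": 25, "isp": 15,
           "lang": 15, "browser": 10, "weekday": 5}

# Assumed thresholds: sensitive actions demand a second factor at lower risk.
STEP_UP_THRESHOLD = {"view_balance": 40, "money_transfer": 20}
BLOCK_THRESHOLD = 70


def build_profile(history):
    """Per-attribute frequency tables plus the number of logins observed."""
    profile = {attr: Counter(getattr(login, attr) for login in history)
               for attr in WEIGHTS}
    profile["_n"] = len(history)
    return profile


def score_login(profile, attempt, weights=WEIGHTS):
    """Risk 0..100: full weight for a never-seen value, half for a rare one."""
    risk = 0
    n = profile["_n"] or 1
    for attr, weight in weights.items():
        seen = profile[attr][getattr(attempt, attr)]
        if seen == 0:
            risk += weight
        elif seen / n < 0.25:
            risk += weight // 2
    return min(risk, 100)


def decide(risk, action, minutes_since_auth=0, half_life_minutes=30):
    """Return 'allow', 'step_up' or 'block' for an action in a session.

    Confidence from the last authentication halves every half_life_minutes,
    so the effective risk of an idle session rises by up to 30 points even
    if nothing about the device or location has changed.
    """
    confidence = 0.5 ** (minutes_since_auth / half_life_minutes)
    effective = risk + (1 - confidence) * 30
    if effective >= BLOCK_THRESHOLD:
        return "block"
    if effective >= STEP_UP_THRESHOLD[action]:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    prof = build_profile(HISTORY)
    usual = Login("Firefox", "ISP-A", "US", "Sat", "dev-home", "en-US")
    abroad = Login("Chrome", "ISP-K", "KR", "Tue", "dev-unknown", "ko-KR")
    travel = Login("Firefox", "ISP-B", "US", "Wed", "dev-home", "en-US")
    for name, attempt in [("usual", usual), ("abroad", abroad), ("travel", travel)]:
        r = score_login(prof, attempt)
        print(f"{name:7} risk={r:3}  balance={decide(r, 'view_balance')}"
              f"  transfer={decide(r, 'money_transfer')}")
    print("usual, idle 2h, transfer:", decide(0, "money_transfer", minutes_since_auth=120))
```

Run as-is, the familiar Saturday login scores 0 and passes silently; the Korea/unknown-device/Korean-locale attempt hits every weight and is blocked; and the same laptop on a different ISP and weekday scores 20, which is still fine for viewing a balance but triggers a second factor for a transfer. A session that has been idle for two hours is also pushed to step-up for a transfer without any change in device or location. In practice the weights and thresholds would be tuned per user and backed by the fraud-analytics data the vendors describe; the point of the example is the shape of the decision, not the particular numbers.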
But risk-based authentication is no silver bullet for enterprises, notes Stu Vaeth, chief security officer of Diversinet, a supplier of token-based strong authentication solutions. Anti-fraud and risk-based authentication are great at weeding out phishing and man-in-the-middle attacks, he says, but they aren’t as secure as traditional two-factor authentication.
RSA’s Young concurs. “It’s kind of like saying that alarm systems will make door locks go away,” he says. “What this will do is allow millions of consumers or enterprise users who are not using credentials like SecurID to open up their protection options.”
That kind of thinking represents a major shift in the authentication market. Whereas at one time merely granting permission was seen as the essence of authentication, today’s solutions are moving instead toward an idea of “confidence,” IBM’s Blakley says.
“People think of authentication as something to do at the beginning of a session and never do again, but authentication is a confidence building thing — you have to have confidence in the identity of your transaction partner, and that confidence can erode over time,” Blakley says. For example, getting through the identity check at the front gate of NSA headquarters in Fort George Meade, Md., doesn’t necessarily give a visitor access to every room in the building, he adds.
At security vendor Cydelity, the idea is to monitor users’ behavior after they’re logged on and flag what’s risky, according to CEO Bob Ciccone. “Enterprises have typically deployed layered defenses, but there’s not a layer where they’re watching what users do once they’re in,” he says.