Security is a matter of compromise, a balance between confidentiality and convenience, control and efficiency. While it would be easy to restrict access to an Information System in order to protect sensitive business data, it would become impossible to make it a tool for productivity and growth, especially at a time when openness and collaboration are taken for granted. At the same time, the strict control and monitoring of “power” users has become of crucial importance given the recent cases of intrusion into information systems caused by accounts with privileged access. In addition, a growing number of companies’ IS access are now made from mobile devices (telephones, tablets, etc.) or uncontrolled workstations (service providers, technical or commercial partners, etc.). In this context, the combination between mobility and security implies having to solve problems that would not have occurred if we are considering each aspect independently.
Principles and limits of initial authentication
The basic principle of securing IS access[i] is, on the one hand, to define the identity of persons or applications accessing the company’s resources and, on the other hand, to compare this identity with conclusive data that allow us to verify that the identity presented is legitimate and valid. The first part of this premise is performed by identity management solutions (#IAM) such as Avencis Hpliance. The second phase is ensured by controlling the credentials and authenticators that the user presents when he opens a session from his workstation, and then, when accessing certain resources that require secondary authentication, which is generally different from the main authentication. The user therefore has several digital identities, which may vary in time according to the roles he or she has to assume in the company.
The authentication mechanisms used today can be very diverse, even if today passwords are the method used by the great majority of applications. Indeed, thanks to their simplicity, low implementation cost and the familiarity that users have acquired, passwords became an essential element, despite their shortcomings and limitations: difficulties in making them robust, risks inherent to their disclosure or sharing, excessive cost of managing omissions and losses, etc. Multi-factor authentication improves the level of security by using other elements to check the authenticity of the user’s identity:
- Knowledge-based authentication: the user registers a set of answers associated with questions predefined or selected by the user. The weakness of this method lies in the ease of guessing the answers, often due to the information disseminated on social networks;
- Authentication based on objects: smart card, USB key, phone. The main challenges for the generalized use of this type of authentication are the acquisition cost and the need to have an appropriate environment (e.g. smart card reader). Authentication based on dynamic passwords (OTP, One Time Passwords) sent to a phone is part of this category; however, the weaknesses inherent to the underlying protocol for sending SMS (SS7) make this solution no longer considered sufficiently secure to be recommended today;
- Biometric authentication, which can take different forms such as digital, vocal or physiognomist (iris, facial features). These solutions are often expensive, invasive to privacy and are fundamentally non-repudiable, i.e. corrupt minutiae cannot be revoked.
However, regardless of the authentication mechanism deployed, for primary or secondary authentications, the principle is the same, i.e. a punctual and static check of the user’s identity. For some sensitive actions or applications, there are re-authentication mechanisms that require the user to confirm his or her identity (e.g., by replaying the password or primary PIN code) before performing these operations. However, recent news in the field shows that identity theft, password theft and even SMS hijacking are reaching astronomical levels[ii]. Therefore, the trust that can be placed in this type of “classical” authentication is inherently limited despite the occasional improvements made by current logical access control solutions.
It is therefore necessary to reassess the criteria that allow to determine the authenticity of a user’s identity, regardless of his position or geographical location (within the company, remotely…).
In addition, the diversity of user types (internal, external, temporary, etc.) requires the ability to organize the heterogeneity of this population in order to meet the challenge of providing efficient and secure digital services.
In addition, the efforts to more accurately measure the level of trust that IT security managers place in users would be almost useless if all accesses were not federated within a global solution: for a particular user, access from any workstation within the company, from an uncontrolled workstation outside the physical perimeter of the company or from a mobile device must be monitored and controlled in a homogeneous and consistent manner.
The consequence of this approach is that it is also becoming essential to introduce new elements to check and monitor the user activity in order to better control the current level of risk and no longer just the initial risk, at the first connection. Indeed, a password may be valid, but the environment and context in which it is presented may be sufficient reasons not to trust it. For this purpose, the use of behavioral biometrics will allow the dynamic characterization of a user’s activity and provide significant elements of the user’s legitimacy to perform certain actions within the IS: by recording and classifying multiple data sources, it will be possible to dynamically assess the degree of trust placed in a user and, from there, the actions he or she will be authorized to perform, or in extreme cases, the partial or total blocking of his or her work session. The collection of information on the dynamics of keyboard strokes and pointer movements, the speed of selection clicks are all potential sources of information for this evaluation.
Nevertheless, while it is quite easy to catalogue information sources, the next step is to model users’ behavior and define the rules for accepting or rejecting an action based on the current level of trust. This is the core of the problem, since these rules will depend on a large number of potentially interdependent factors. Indeed, for a user accessing a resource from a mobile device, the data sources can be extremely rich, such as:
- Biometric access (fingerprint, voice or facial recognition…);
- Orientation and positioning of the mobile (accelerometer, compass);
- Precise geographical position (GPS);
- IT environment (NFC, Bluetooth), sound and visual environment (microphone, camera);
- Dynamics of screen touches;
- Scan and zoom movements on the screen.
In addition, if the mobile is a professional device and if privacy is guaranteed, the access to the device’s history (location, calls…) can constitute a reliable additional source of information.
On the other hand, a traditional workstation will provide less information, most of the above elements being dependent on the workstation equipment: indeed, few PCs have cameras, accelerometers, Bluetooth as standard… For these access points, the available data will therefore be more limited and the characterization of a user’s behavior will essentially consist of:
- Login schedules;
- The position of the PC in the network (IP address);
- The dynamics of keyboard strokes;
- The use and movements of the pointer;
- The access methods to the applications (by keyboard shortcuts, command line, graphic shortcuts, etc.);
- The network activity.
All these elements together provide a large number of parameters which, when present and accessible, are divided into 6 main categories:
- What the user knows: password, PIN code, questions and answers…
- What the user is: fingerprints, voiceprints, facial prints…
- What the user has: smart card, single-use code generator, RFID card…
- What the user does and how: data entry dynamics, access kinematics, network activity, application launch sequence…
- Where the user is located: precise or approximate geographical position, proximity to known radio equipment…
- When the user’s actions are performed: schedules, frequency.
Each of these sources, considered separately, cannot constitute a reliable source, but it is all the data, properly aggregated, that will constitute the user’s digital signature and will dynamically determine his or her level of risk, consequently the trust that will be placed in him or her and ultimately the operations that he or she will be authorized to perform. In addition, some data may be temporarily “out of the ordinary”: for example, if the user uses a secure tunnel to connect to the company, his IP address may appear very far from his real geographical position (measurement of geo-velocity) and should not mislead the evaluation system.
Machine learning for continuous authentication
The continuous authentication of a user is therefore based on the modeling of his or her behavior, based on the traces he or she leaves during the activity on the information system. However, the complexity and heterogeneity of the above-mentioned data sources make it difficult or even impossible to define a comprehensive set of rules to achieve this objective with an acceptable level of trust. Moreover, the variability of the context means that these rules, if they existed, should take into account the different modes of access that the same user would be likely to use to accomplish his mission, in particular for an administrator who has to work on heterogeneous workstations. On the other hand, thanks to a supervised Machine Learning, it is possible to train an algorithm to extract relevant and significant models from all the data collected and, depending on the context, to determine the current trust level of the user being supervised.
The model training allows to map the user’s behavior according to his work context and habits when performing the tasks that usually constitute his mission. From the analysis of available traces, a fingerprint is calculated that represents the person’s digital identity in the same way that the DNA identifies an individual, except that the biological DNA does not change over time. In the case of continuous authentication, this footprint is likely to change, either because the working context changes (new versions of applications or operating systems) or because the user’s behavior changes over time. Short-term reasons (illness, fatigue) will lead to longer reaction times when others will shorten them, for example when the user discovers new shortcuts to access certain functions (Control-Shift-Esc for the task manager under Windows).
In real-life situations, security managers determine for each use case, the thresholds above which the risk perceived is a sign of abnormal behavior and decide to apply the appropriate actions, automatically or manually: this may involve requesting the user to re-authenticate if the calculated risk is moderate or performing more radical actions such as closing the work session in other cases.
Unity is strength
Today, the limitations of initial authentication solutions are well known. Without questioning their relevance, the continuous authentication, by analyzing the user’s behavior profile on the workstation’s input/output devices, allows them to be completed and overcome their limits by improving both IS security and user comfort. Indeed, as long as the level of trust is sufficient, the analysis of the activity is silent and transparent: the user is not disturbed in his mission by undesirable interruptions related to the identity check. On the other hand, if the trust level decreases for any reason, the continuous authentication allows to react more quickly and effectively to a threat, potentially before it occurs.
The operational implementation of continuous authentication is a technical challenge due to the diversity of data sources, variability of parameters and scarcity of information. This is why integrated access management solutions such as IPdiva Safe from Systancia are irreplaceable tools to deal with the user authentication, especially for privileged accounts, since they are platforms that can federate and centralize all access to company resources and thus provide all the methods to identify signals that can be weakly correlated but constitute a threat for the company.
Frédéric PIERRE – Scientific Director
[i] Authorization management which is part of identity management is not covered here.
[ii] Latest (December 2017): disclosure of 1.4 billion credentials.