Authentication, the process of trying to prove that you are who you say you are to an online system, has primarily been driven by user ID’s, aka logins or user names, and an accompanying password. In theory, the password is secret, only known by the user associated with it, and thereby by able to authenticate or provide proof of identity. The problem is that there are a plethora of flaws to that. Some of these include:
- the password is not secret because the user shared it with someone else
- the password is not secret because the user wrote it down on a yellow sticky note & stuck it to their monitor at work or school
- the password is guessable and could be figured out if there were readily available, free password cracking tools available online
- there are a million readily available, free password cracking tools available online
- a password hacked on one site is used on another user site — because users use the same password across multiple different accounts & sites because it’s very hard to remember different complex passwords for many different accounts and sites
- and on and on
An alternative is a newer approach that computes a risk score that is associated with login attempts (the authentication process). A usage profile is developed based on several factors:
- user ID
- user device
- geographic location
- target system (what they’re trying to log onto)
- time of day they typically log in
- their IP address
- typing speed
A user that tends to log into their company’s database on weekdays at a particular time of day from a particular workstation will generate a baseline profile. An attempt to login to that database Sunday morning from a mobile device will generate a disparity. This will signal the need for additional proof of identity (maybe a phone call or PIN) or perhaps disable the login entirely.
It seems some time in use and data to analyze effectiveness is called for, but if that looks good, this is pretty cool. More here. Even Bruce Schneier likes it!