
Is Conditional Access the Right Approach to Authentication? It Depends.

What You Need to Know to Make Sure You’re Headed in the Right Direction on Your Authentication Journey.   

As Risk-Based Authentication Methods Continue to Evolve, Is It Time to Revisit Your Approach? 

If there’s one thing you can be sure of about user authentication methods today, it’s that determining the best choice isn’t as simple or straightforward as it used to be. There are more ways to authenticate users now than ever before, and as identity risks continue to evolve, new authentication methods are emerging all the time. So how do you know what’s going to make authentication more secure and efficient for your organization while also shifting the burden off users? Risk-based authentication is increasingly the answer – but it’s more nuanced than that. At its most basic, a risk-based approach may mean simply adopting static risk-based policies that support conditional access. But it can also mean leveraging artificial intelligence (AI) and machine learning (ML) to enable dynamic identity confidence scoring. Here’s what you need to know to make sure you’re headed in the right direction on your authentication journey.   

You’ve Come a Long Way Already. (Remember Browser Cookies?)

Risk-based authentication began simply enough, years ago, when websites began using browser cookies to recognize repeat visitors, eliminating the need for users to enter their credentials on every visit. The premise is simple: If you’re using the same browser on the same device, we trust that you’re the same person, and we don’t need to check your identity. But if you’re using a different browser, there’s a risk it’s not really you – so credentials are required. Today’s conditional access policies that are used to secure corporate resources are based on a similar principle. For example, you may recall “Judy,” the helpdesk representative I described in my previous column, who works at the same workstation in the same call center every day. To verify Judy’s identity, her employer uses a location-based conditional access policy that says if this person is in this call center location using a trusted device, the risk that she’s anyone else is minimal, and she’s not required to authenticate. But if someone ever attempts to log in from another location or a different device using Judy’s credentials, an additional layer of authentication will be applied to prove it’s really Judy (and to deny access if no proof is forthcoming). 

Conditional Access Depends on the Conditions. (Remember Greg?)

For a user like Judy, a location-based conditional access policy makes sense as a next step that goes beyond basic browser cookies to establish a higher level of confidence in a user’s identity. But what about the other employee we met last time? “Greg” is constantly on the road as a sales executive. It’s impossible to use his location as a condition for allowing him access to resources, when he needs access from so many different places. In fact, there is no one static condition that can be applied in Greg’s case; his situation is dynamic, and the method of authentication he uses needs to account for that. Enter dynamic identity confidence scoring – a method that uses AI and ML to build a range of confidence in the user’s identity by taking into account multiple factors such as location, device and session information, which together define normal user behavior. Greg has a pattern of behavior, just as Judy does – but it’s a different, more complex pattern that can’t be defined by location alone. 
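An added example (not from the original column or from any vendor's product) contrasting the two approaches for Judy and Greg: a static location-and-device rule versus a confidence score built from each user's own login history. The frequency-based scoring is a simple stand-in for the AI/ML the column mentions, and the history, device names, weights and threshold are all constructed assumptions.

```python
from collections import Counter

# Constructed login history: (location, device, hour-of-day). Not real data.
HISTORY = {
    "judy": [("call-center", "ws-114", h) for h in (8, 9, 8, 9, 8, 9, 8, 9)],
    "greg": [("boston", "lt-greg", 9), ("denver", "lt-greg", 10),
             ("austin", "lt-greg", 8), ("chicago", "lt-greg", 9),
             ("boston", "lt-greg", 11), ("seattle", "lt-greg", 10)],
}
# Static policy: the one trusted (location, device) pair per user (assumed).
STATIC_POLICY = {"judy": ("call-center", "ws-114")}
WEIGHTS = {"location": 0.3, "device": 0.5, "hour": 0.2}  # assumed weights
STEP_UP_BELOW = 0.6                                       # assumed threshold


def static_decision(user, location, device):
    """Conditional access: allow only on an exact match of the fixed condition."""
    return "allow" if STATIC_POLICY.get(user) == (location, device) else "step-up"


def confidence(user, location, device, hour):
    """Score 0..1 from how well each factor fits the user's own history."""
    past = HISTORY.get(user, [])
    if not past:
        return 0.0
    locs = Counter(p[0] for p in past)
    devs = Counter(p[1] for p in past)
    hours = [p[2] for p in past]
    # A user who roams across many sites gets partial credit for a new site;
    # a user who has only ever used one site gets none.
    roaming = (len(locs) - 1) / len(past)
    loc_fit = 1.0 if location in locs else roaming
    dev_fit = devs[device] / len(past)
    hour_fit = 1.0 if min(hours) - 1 <= hour <= max(hours) + 1 else 0.0
    return round(WEIGHTS["location"] * loc_fit + WEIGHTS["device"] * dev_fit
                 + WEIGHTS["hour"] * hour_fit, 2)


def dynamic_decision(user, location, device, hour):
    """Allow when confidence clears the threshold, otherwise require step-up."""
    score = confidence(user, location, device, hour)
    return "allow" if score >= STEP_UP_BELOW else "step-up"
```

With this sample data the static rule forces Greg to step up in every city, while the score accepts him on his usual laptop in a new city and still challenges either user's credentials arriving from an unknown device at an unusual hour.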

It’s Your Authentication Journey. Which Way Should You Go Next? 

For some organizations, conditional access makes sense as a next step in the authentication journey – at least for now. If you operate a call center that employs a full-time, on-site staff of people like Judy, it may be exactly what you need. But what happens if you decide to reduce infrastructure by having some staff work remotely? Or you begin to employ contract workers? As organizations grow and change, they often reach the point where it’s simply unsustainable to keep writing new policies for every specific situation. Your authentication strategy must evolve along with your business. Maybe you use conditional access for as long as it’s practical in your situation. Maybe you skip that approach altogether and move directly to dynamic identity confidence scoring. Maybe you find that a combination of several approaches works best for you. While there is no one-size-fits-all approach to authentication, the key is understanding the dynamics and diversity of your users, and finding the right method to address evolving needs.

Jim Ducharme is Vice President of Identity Products at RSA. He is responsible for product strategy and leads the associated product management and engineering teams. He has nearly two decades of experience leading product organizations in the Identity marketspace, and has held executive leadership roles at Netegrity, CA, and Aveksa.