Security Experts:

The Kiss of Death for Passwords: Machine Learning?

Since the introduction of computers, user names and passwords have been the primary method used for access control and authentication. However, as post-mortem analysis of data breaches reveals, compromised credentials have become the primary point of attack for today’s cyber adversaries. In fact, 81 percent of hacking-related breaches leverage either stolen, default, or weak passwords. A contributing factor for these stats is the fact that users often reuse the same password across multiple accounts and applications. For example, according to a report from TeleSign, 73 percent of users leverage the same password for multiple online accounts. 

This behavior doesn’t differ much in the enterprise environment. Meanwhile, account compromise provides a perfect camouflage for attackers since they look just like legitimate users. When exploiting legitimate credentials — all security analysts see, is regular user activity. This also causes a domino effect and increases the risk of lateral movement by the attacker. 

Multi-Factor Authentication to the Rescue?

To make things more difficult for cyber-attackers, security-minded organizations are supplementing passwords with either two-factor or multi-factor authentication (MFA). In this case, users provide extra information or factors when they access applications, endpoints, or infrastructure. MFA uses a combination of the following factors:

● Something you know (i.e., username, password, PIN, security questions)

● Something you have (soft or hard tokens in different forms and shapes, smart card)

● Something you are (biometric traits like fingerprints, voice recognition, facial scan)

Since MFA requires multiple methods for identification, it’s one of the best ways to prevent unauthorized users from accessing sensitive data and moving laterally within the network. Organizations often make the mistake of limiting MFA usage to application access and only to end users. However, applying MFA for only certain apps, users, or resources, still leaves organizations exposed. Instead, MFA should be implemented across every user (end users, privileged users, contractors, and partners), and every IT resource (cloud and on-premises applications, VPN, endpoints, and servers). This ultimately minimizes weaknesses in the attack chain — and protects against compromised credentials.

While the use of MFA makes a lot of sense for the above-mentioned reasons, adoption is still not at 100%. The main impediment for adoption has been the perceived impact on the productivity and agility of end users. For example, having to manually type in a code that has been transmitted via SMS in addition to the already supplied user name and password is often seen as cumbersome. Technology advancements are removing some of these objections by offering a more user-friendly experience, like eliminating the need to manually enter a one-time password on the endpoint, by enabling the user to simply click a button on their smartphone. Nonetheless, some users still express frustration with this additional step, even if it is relatively quick and simple.

Making Access Controls Invisible: Risk-Based Authentication 

Ultimately, the best security is transparent and non-intrusive. That’s where the use of risk-based authentication and machine learning technology comes into play.

Risk-based authentication uses machine learning to define and enforce access policy, based on user behavior. Through a combination of analytics, machine learning, user profiles, and policy enforcement, access decisions can be made in real time, like eliminating authentication challenges for low risk access, stepping up authentication when risk is higher, or block access entirely. To evaluate the risk of each access request, a machine learning engine must process multiple factors, including: location, browser type, operating system, endpoint device status, user attributes, time of day, unusual recent privilege change, unusual command run, unusual resource accessed, unusual account used, unusual privilege, and more. 

To keep the organization protected, risk-based authentication needs to be applied across all user audiences (end users, privileged users, contractors, etc.) as well as across all resources (e.g., applications, infrastructure). Applying risk-based authentication as part of a mature identity and access strategy to secure applications, devices, data, and infrastructure — both on-premises and in the cloud ― yields the following benefits:

● Stops attacks in real time based on user behavior and risk

● Eases user access based on low risk, and only steps up authentication when risk is high

● Minimizes policy creation and modifications via machine learning, freeing up IT resources for other work

● Improves security policies with access tailored to each individual user’s behavior

Not only does risk-based authentication provide real-time security, but it also flags high-risk events, and elevates them for investigation by security analysts – greatly minimizing the effort required to identify threats across today’s hybrid IT environment. Implementing machine learning in the context of access control can help organizations reduce their reliance on passwords, and potentially get rid of them altogether.

view counter
Torsten George is currently a security evangelist at Centrify. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He has more than 20 years of global information security experience and is a frequent speaker on cyber security and risk management strategies. Torsten regularly provides commentary and publishes articles on data breaches, incident response best practices, and cyber security strategies in media outlets. He has held executive level positions with RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).