One of the key requirements for a dynamic authentication platform is that it be contextual. Without context, the true meaning of any given event will likely be lost.
The definition of context in the Oxford dictionary sums up why it’s so important—within the context of authentication (no pun intended): “the circumstances that form the setting for an event, statement, or idea, and in terms of which it can be fully understood.”
With fraudsters buying credentials on the Dark Web for use in large-scale credential stuffing and password spraying attacks, it’s time to be less binary. “Yes, these are the right credentials for this user account … but we still see reason to require additional factors of authentication in this case.”
Traditional authentication methods don’t account for context. As pointed out in our latest white paper, “Dynamic Authentication: Aligning the Authentication Experience with Risk, Reputation and Reward,” traditional approaches to authentication might miss certain kinds of threats.
For example, what if an individual attempts to log in to a business site using an anonymizer or emulator? Most authentication products are designed to make a binary “allow or deny” response; they’re not configured to catch these subtle, tell-tale signs of an account takeover attempt.
The same is true of VPNs: most VPN traffic is legitimate, but some VPN and proxy exits are used as cover for fraud. An effective authentication solution should be able to use proxy piercing, resolving the true originating address behind the proxy or VPN, to tell the difference. Many of the authentication tools available today can’t do this; they miss the nuances of context.
“Even simple contextual red flags, like a mismatch between the browser-reported IP address and the actual IP address, may go unnoticed,” the white paper notes.
At its core, dynamic authentication is context-aware: it can weigh risk signals that originate on the device in front of it as well as signals that come from far away, such as fraud reports from other organizations. It examines the full set of available risk signals at the moment of authentication, rather than only the obvious ones such as a mismatch between the connection’s IP address and the user’s stated geographic region.
Less obvious contextual clues are subtle inconsistencies: a browser version far newer than the device’s reported operating system, or a screen resolution that does not fit the class of device the client claims to be, which is what happens when a laptop or desktop PC emulates a fleet of mobile devices in a credential-stuffing or password-spraying attack.
With a dynamic authentication solution, a company can evaluate a user’s access request in full context. For instance, it can tell whether the user’s device has been jailbroken or rooted; what type of transaction the user is trying to complete; how many applications are installed on a supposedly “mobile” device; and whether the IP address actually observed for the connection matches the one the client reports.
Context and Reputation
An important variation of context in authentication is “reputation.” If the device a user presents is identical to the one seen at that user’s last successful login, that is a signal to provide the standard, low-friction authentication experience.
However, if in the intervening period another organization has reported account takeover fraud involving that same device against a different account, a dynamic authentication solution should stop and reconsider. It might not deny the device outright, but it can at least require more rigorous forms of authentication, scaled to the risk profile of the transaction.
These variations in context should routinely drive different levels of authentication rigor, or assurance, and dynamic authentication is built to act on them. If a user’s device profile and credentials all line up, the solution can accept the basic credentials alone.
If the device profile and credentials do not line up, the solution can require additional factors, such as a fingerprint scan, before it grants access. The same scaling applies to transaction type: a cash transfer warrants more assurance than a simple balance review.
The key point is that the contextual nature of a dynamic authentication solution lets it evaluate the particular circumstances of any event so that the event can be fully understood. That makes it possible for companies to provide stronger security while at the same time delivering an exceptional experience to their most trusted customers.
Want to learn more about the role of context in dynamic authentication? Download the “Dynamic Authentication: Aligning the Authentication Experience with Risk, Reputation and Reward” white paper from our Resources page.