1 Introduction
Identity and Access Management (IAM) systems have continued to evolve significantly over the last two decades. Increasing security and improving usability have both been contributing factors to this evolution. Data owners and IT architects have pushed for better ways to authenticate and authorize users, based on changing business and security risks as well as the availability of newer technologies. Businesses have lobbied for these security checks to become less obtrusive and provide a better user experience (UX). One such enhancement is Adaptive Authentication.
Adaptive Authentication (AA) is the process of gathering additional attributes about users and their environments and evaluating the attributes in the context of risk-based policies. The goal of AA is to provide the appropriate risk-mitigating assurance levels for access to sensitive resources by requiring users to further demonstrate that they are who they say they are. This is usually implemented by “step-up” authentication. Different kinds of authenticators can be used to achieve this, some of which are unobtrusive to the user experience. Examples of step-up authenticators include phone/email/SMS One Time Passwords (OTPs), mobile apps for push notifications, mobile apps with native biometrics, FIDO U2F or UAF transactions, hardware tokens, SmartCards, and behavioral biometrics. Behavioral biometrics can provide a framework for continuous authentication, by constantly evaluating user behavior to a baseline set of patterns. Behavioral biometrics usually involves keystroke analysis, mobile “swipe” analysis, and even mobile gyroscopic analysis.
AA solutions can use multiple authentication schemes and authentication challenges presented to a user or service according to defined policies based on any number of factors, for example the time of day, the category of user, the location, or the device from which a user or device attempts authentication. The factors just listed as examples can be used to define variable authentication policies, which are often referred to as context- or policy-based AA. A more advanced form of AA uses risk-scoring analytics algorithms to first baseline regular access patterns and then identify anomalous behavior, which triggers additional authentication challenges. This can be referred to as dynamic AA, yet it is difficult to categorize AA products into dynamic or static AA categories, since the strongest products are able to use a combination of both approaches. This is invariably a positive feature, as there are use cases where either static or dynamic AA proves the most appropriate, and neither approach is without its limitations.
A wide variety of adaptive authentication mechanisms and methods exist in the market today. Examples include:
- Knowledge-based authentication (KBA)
- Strong/Two-Factor or Multi-Factor Authentication (Smart Cards, USB authenticators, biometrics)
- One-time password (OTP), delivered via phone, email, or SMS
- Mobile push notifications / Out-of-band (OOB) application confirmation
- Identity context analytics, including
  - IP address
  - Geo-location
  - Geo-velocity
  - Device ID and device health assessment
  - User Behavioral Analysis
  - Etc.
Many organizations today employ a variety of Adaptive Authentication methods. Consider the following sample case. Suppose a user successfully logs in to a financial application with a username and password. Behind the scenes, the financial application has already examined the user’s IP address, geo-location, and Device ID to determine if the request context fits within historical parameters for this user. Further suppose that the user has logged in from a new device, and the attributes about the new device do not match recorded data. The web application administrator has set certain policies for just this situation. The user then receives an email at their chosen address, asking to confirm that they are aware of the session and that they approve of the new device being used to connect to their accounts. If the user responds affirmatively, the session continues; if not, the session is terminated.
Going one step further in the example, consider that the user would like to make a high-value transaction in this session. Again, the administrator can set risk-based policies correlated to transaction value amounts. In order to continue, the user is sent a notification via the mobile banking app on their phone. The pop-up asks the user to confirm. The user presses “Yes”, and the transaction is processed.
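The sample case above, worked through as an added illustration that is not part of the original report and does not describe any vendor's product: a toy policy engine in Python that combines the two approaches the Introduction distinguishes. The dynamic part scores a login context against the user's recorded baseline (new device, unknown IP address, implausible geo-velocity); the static part maps that score and the transaction value to the administrator-defined actions from the scenario (email confirmation for a new device, push confirmation for a high-value transaction, refusal when the score is extreme). All field names, thresholds, and sample data are assumptions constructed for this example.

```python
"""Toy adaptive-authentication policy engine (constructed example, not a product API)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class LoginContext:
    """Attributes gathered about one login attempt (assumed schema)."""
    user: str
    ip: str
    device_id: str
    lat: float
    lon: float
    ts: datetime
    transaction_value: float = 0.0


@dataclass(frozen=True)
class UserBaseline:
    """Historical access pattern recorded for a user (assumed schema)."""
    known_devices: frozenset
    known_ips: frozenset
    last_lat: float
    last_lon: float
    last_ts: datetime


# Assumed policy constants: the thresholds an administrator would tune.
MAX_PLAUSIBLE_KMH = 1000.0        # faster than this between logins => implausible travel
HIGH_VALUE_THRESHOLD = 10_000.0   # transactions at or above this need an OOB push confirmation
STEP_UP_SCORE = 40                # score at which an email confirmation is required
BLOCK_SCORE = 90                  # score at which the attempt is refused outright


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points on Earth."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def geo_velocity_kmh(baseline, ctx):
    """Travel speed implied by the previous login location/time and this one."""
    distance = haversine_km(baseline.last_lat, baseline.last_lon, ctx.lat, ctx.lon)
    if distance == 0.0:
        return 0.0                    # same place: no travel, whatever the clock says
    hours = (ctx.ts - baseline.last_ts).total_seconds() / 3600.0
    if hours <= 0:
        return float("inf")           # moved without time passing: clearly implausible
    return distance / hours


def risk_score(baseline, ctx):
    """Dynamic AA: score the context against the baseline and list the reasons."""
    score, reasons = 0, []
    if ctx.device_id not in baseline.known_devices:
        score += 40
        reasons.append("new device")
    if ctx.ip not in baseline.known_ips:
        score += 20
        reasons.append("unknown IP address")
    if geo_velocity_kmh(baseline, ctx) > MAX_PLAUSIBLE_KMH:
        score += 50
        reasons.append("implausible geo-velocity")
    return score, reasons


def required_challenges(baseline, ctx):
    """Static (policy-based) AA: turn the score and transaction value into step-up actions.

    Returns (challenges, reasons); an empty challenge list means the session continues
    unchallenged, and ["block"] means the attempt is refused without a challenge.
    """
    score, reasons = risk_score(baseline, ctx)
    if score >= BLOCK_SCORE:
        return ["block"], reasons
    challenges = []
    if score >= STEP_UP_SCORE:
        challenges.append("email_confirmation")
    if ctx.transaction_value >= HIGH_VALUE_THRESHOLD:
        challenges.append("push_confirmation")
    return challenges, reasons


# Constructed sample data: a user whose last login was from New York at 09:00 UTC.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
BASELINE = UserBaseline(frozenset({"dev-A"}), frozenset({"203.0.113.5"}), 40.7128, -74.0060, T0)


def sample_ctx(**overrides):
    """Build a login one hour later from the same device and place, with overrides."""
    fields = dict(user="alice", ip="203.0.113.5", device_id="dev-A",
                  lat=40.7128, lon=-74.0060, ts=T0 + timedelta(hours=1))
    fields.update(overrides)
    return LoginContext(**fields)


CTX_ROUTINE = sample_ctx()
CTX_NEW_DEVICE = sample_ctx(device_id="dev-B")
CTX_HIGH_VALUE = sample_ctx(device_id="dev-B", transaction_value=25_000.0)
# New device, unknown IP, and London one hour after New York (about 5,570 km/h).
CTX_IMPLAUSIBLE = sample_ctx(device_id="dev-B", ip="198.51.100.9", lat=51.5074, lon=-0.1278)

if __name__ == "__main__":
    for name, ctx in [("routine", CTX_ROUTINE), ("new device", CTX_NEW_DEVICE),
                      ("high value", CTX_HIGH_VALUE), ("implausible", CTX_IMPLAUSIBLE)]:
        print(name, required_challenges(BASELINE, ctx))
```

The point of separating `risk_score` from `required_challenges` is the one the Introduction makes: the scoring is the dynamic, baseline-driven part, while the mapping to a specific authenticator is the static policy an administrator sets, and a real product learns the baseline from login history rather than hard-coding it as done here.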
Adaptive authentication, then, can be considered a form of authorization. The evaluation of these additional attributes can be programmed to happen in response to business policies and changing risk factors. Since access to applications and data is the goal, adaptive authentication can even be construed as a form of attribute-based access control (ABAC).
Adaptive authentication is being used today by enterprises to provide additional authentication assurance for access to applications involving health care, insurance, travel, aerospace, defense, government, manufacturing, and retail. Adaptive authentication can help mitigate risks and protect enterprises against fraud and loss. Moreover, many organizations are increasingly using AA systems in conjunction with Physical Access Control Systems (PACS), i.e., opening doors and gates. This is a particularly innovative usage which will be noted in Chapter 5 for vendors that support these types of use cases.
There are a number of vendors in the Adaptive Authentication market. Many of them provide complete IAM solutions, and Adaptive Authentication is just one part of their overall solution. Other vendors have developed specialized Adaptive Authentication products and services, which can integrate with other IAM components. The major players in the Adaptive Authentication segment are covered within this KuppingerCole Leadership Compass. Sometimes these solutions are also referred to as Advanced Authentication, Contextual Authentication, or just Step-Up Authentication. This Leadership Compass will examine solutions that are available for primarily on-premise deployment.
Overall, the breadth of functionality is growing rapidly. Support for standard adaptive authentication mechanisms is now nearly ubiquitous in this market segment, and the key differentiators have become the use of new technologies to step up the user’s authentication assurance level or to collect and analyze information about the user’s session.
1.1 Market Segment
This market segment is mature but constantly evolving, due to innovations in authenticator technology and risk analysis engines. We expect to see more changes within the next few years. However, given the surging demand from businesses and the need to provide better security, many organizations must implement Adaptive Authentication, if they have not already done so, to help reduce the risk of fraud and data loss.
Picking solutions always requires a thorough analysis of customer requirements and a comparison with product features. Leadership does not always mean that a product is the best fit for a particular customer and their requirements. However, this Leadership Compass will help identify those vendors that customers should look at more closely.