Multi-factor authentication (MFA) is a core control for implementing zero trust and denying unauthorized users access to sensitive data, but it is also inconvenient. All too often, MFA forces trusted employees to jump through hoops with one-time passwords and passcodes before they can log in to the apps they need.
Cisco Duo's new risk-based authentication capability, released today, tries to address that inconvenience by tailoring the login process to each individual user.
Cisco Duo can adjust user authentication requirements in real time based on contextual risk. The solution uses a machine learning (ML)-based risk analysis engine to assess risk dynamically from signals such as location, behavior, device security posture, Wi-Fi network, and matches against known attack patterns.
The idea is to enable low-risk users to log in with a simple authentication process that can meet the needs of a zero trust environment, while giving high-risk users extra steps in the form of one-time passcodes or biometric credentials to reduce the likelihood of breaches.
Making zero trust practical with adaptive authentication
The announcement comes as the limits of MFA adoption become increasingly apparent. Last year, for example, Microsoft's Cyber Signals report found that only 22% of Azure Active Directory identities use MFA; the rest authenticate with only a username and password.
One reason MFA adoption is low is that it provides a poor user experience. If an organization bombards users with too many steps to log in to every device and application, the friction quickly becomes overwhelming, especially when it is repeated throughout the working day.
Risk-based authentication attempts to overcome this problem by keeping the login process as light as possible unless contextual factors warrant a more extensive one. In short, it offers a more practical way to implement zero trust than traditional, static MFA.
“The three main zero trust principles are: never assume trust, always authenticate, and enforce least privilege,” said Jackie Castelli, director of product marketing for Cisco Secure. “Risk Based Authentication (RBA) allows friendly implementation of the zero trust principles of ‘never assume trust’ and ‘always verify’.”
Rather than requiring users to re-authenticate every time they request access to a resource, Cisco Duo will now assess risk and adjust authentication requirements to the risk level, Castelli said. It can also demand phishing-resistant FIDO2 security keys or biometric login when an access attempt is high-risk.
“In other words, RBA adheres to the zero-trust philosophy of continuous trust verification by assessing the level of risk for each access attempt in a frictionless way for users,” said Castelli. “Higher authentication levels are only requested when there is a greater perceived risk.”
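The mechanism described above (contextual signals scored into a risk level, with the authentication requirement stepped up only when the score warrants it) can be made concrete with a small adaptive-authentication engine. The code below is an added example written for this page, not Cisco Duo, Okta or Microsoft code; the signal names, weights, thresholds, office coordinates and the three sample login attempts are all assumptions chosen for illustration.

```python
"""Toy risk-based (adaptive) authentication engine.

Added example, not vendor code. Signal weights, thresholds and the
sample data below are assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Optional


@dataclass
class LoginAttempt:
    user: str
    ts: datetime
    lat: float
    lon: float
    device_id: str
    device_healthy: bool          # e.g. OS patched, disk encrypted, EDR running
    wifi_fingerprint: str         # identifier of the Wi-Fi network seen by the client
    matches_attack_pattern: bool  # e.g. source IP on a threat-intel list


@dataclass
class UserHistory:
    known_devices: set
    known_wifi: set
    last_login: Optional[LoginAttempt] = None


# Assumed additive weights; a real engine would learn these from data.
WEIGHTS = {
    "unknown_device": 30,
    "unhealthy_device": 25,
    "unknown_wifi": 15,
    "impossible_travel": 40,
    "attack_pattern": 50,
}
MAX_PLAUSIBLE_KMH = 1000  # faster than this between two logins is "impossible travel"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_attempt(attempt, history):
    """Return (risk_score, triggered_signals) for one login attempt."""
    score, reasons = 0, []

    def hit(name):
        nonlocal score
        score += WEIGHTS[name]
        reasons.append(name)

    if attempt.device_id not in history.known_devices:
        hit("unknown_device")
    if not attempt.device_healthy:
        hit("unhealthy_device")
    if attempt.wifi_fingerprint not in history.known_wifi:
        hit("unknown_wifi")
    if attempt.matches_attack_pattern:
        hit("attack_pattern")
    prev = history.last_login
    if prev is not None:
        km = haversine_km(prev.lat, prev.lon, attempt.lat, attempt.lon)
        hours = (attempt.ts - prev.ts).total_seconds() / 3600
        # A large jump in zero/negative time is impossible too, so guard the division.
        if km > 50 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
            hit("impossible_travel")
    return score, reasons


def required_factor(score):
    """Map the risk score to the authentication level the user must satisfy."""
    if score < 20:
        return "password"          # low risk: lightweight login
    if score < 60:
        return "password+otp"      # medium risk: add a one-time passcode
    return "password+fido2"        # high risk: phishing-resistant key or biometric


def evaluate(attempt, history):
    score, reasons = score_attempt(attempt, history)
    return {"factor": required_factor(score), "score": score, "reasons": reasons}


# Constructed sample data: an assumed office in San Francisco and one user.
OFFICE = (37.7749, -122.4194)
HISTORY = UserHistory(
    known_devices={"laptop-7f3a"},
    known_wifi={"wifi-hq-3rd-floor"},
    last_login=LoginAttempt("alice", datetime(2023, 2, 14, 9, 0), *OFFICE,
                            "laptop-7f3a", True, "wifi-hq-3rd-floor", False),
)


def demo():
    """Three constructed attempts: routine, risky-but-plausible, and account takeover."""
    routine = LoginAttempt("alice", datetime(2023, 2, 14, 13, 0), *OFFICE,
                           "laptop-7f3a", True, "wifi-hq-3rd-floor", False)
    cafe = LoginAttempt("alice", datetime(2023, 2, 14, 13, 0), 37.79, -122.40,
                        "laptop-7f3a", False, "wifi-cafe-unknown", False)
    takeover = LoginAttempt("alice", datetime(2023, 2, 14, 10, 0), 51.5074, -0.1278,
                            "win-unknown", True, "wifi-unknown", True)
    return {name: evaluate(a, HISTORY)
            for name, a in (("routine", routine), ("cafe", cafe), ("takeover", takeover))}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

The routine office login from a known, healthy device triggers no signals and gets a single-factor login; the cafe login on the same laptop with failed device-health checks and an unknown network lands in the middle band and is asked for a one-time passcode; the attempt from an unknown Windows device in London one hour after a San Francisco login, from a source that matches a known attack pattern, scores high and is forced onto a phishing-resistant factor. Keeping the triggered signals in the decision matters in practice: it lets security operations audit why a user was stepped up and tune the weights when a signal (here, the Wi-Fi fingerprint) produces too many false positives.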
Looking at the risk-based authentication market
Cisco's update lands in a risk-based authentication market that researchers valued at $3.23 billion in 2020 and expect to reach $9.41 billion by 2026, as more organizations look to make MFA easier to use and to implement zero trust.
One of the main vendors offering risk-based authentication (also known as adaptive authentication) is Okta.
Okta offers adaptive MFA that assigns a risk score to each login attempt based on contextual clues such as location, device, and IP address, and uses that score to decide whether to require additional steps such as biometric or fingerprint login or one-time passcodes.
Okta reported $481 million in revenue for the third quarter of its fiscal year 2023.
Another company offering adaptive authentication is Microsoft, which recently reported $52.7 billion in quarterly revenue. Its conditional access controls evaluate user, device, location, and real-time risk signals derived from user behavior; high-risk sign-ins can trigger additional MFA steps, access restrictions, or forced password resets to enforce zero trust.
But Castelli argues that Cisco’s risk-based authentication sets itself apart from other vendors because of its focus on user privacy and its unique use of behavioral signals.
First, “it respects users’ privacy,” Castelli said. “The signals used to assess risk do not collect or store any private information. It accurately evaluates a wide and innovative variety of signals. Some of those signals, such as Wi-Fi fingerprints, are patent pending. Some other signals, such as attack patterns, come from Cisco’s experience and expertise in Talos threat intelligence.”