As 2-factor authentication falls short, ‘adaptive multi-factor authentication’ goes mainstream

By Byron V. Acohido

The use of an additional form of authentication to protect the accessing of a sensitive digital system has come a long way over the past decade and a half.

Most individuals today are unfazed when required, under certain circumstances, to retrieve a one-time passcode, pushed out in a text message to their smartphone, and then type the passcode to gain access to a privileged account.


An Israeli start-up, Silverfort, is seeking to make a great leap forward in the state-of-the-art of authentication systems. Silverfort has introduced new technology that is designed to help corporations address unprecedented authentication exposures spinning out of ‘digital transformation.’

I recently visited with Silverfort CEO Hed Kovetz, who described how the idea for the company percolated when the co-founders were toiling in the encryption branch of Unit 8200, the elite cybersecurity arm of the Israeli military.

Kovetz recounted how he and two colleagues came up with the idea for a centralized authentication appliance that uses machine learning to recognize the logon patterns of all employees, and then makes strategic use of that analysis in real time.

Having visited with several cybersecurity companies marketing cutting-edge authentication technologies, it has become clear to me that advanced authentication technologies will play an important role, going forward, in helping enterprises build out ‘hybrid’ networks that tap deeper into cloud services and the Internet of Things. This is what digital transformation is all about.

For a drill down on Silverfort’s bold approach to the authentication part of the equation, please listen to the accompanying podcast. Here are excerpts edited for clarity and length:

LW: How did Silverfort get started?

Kovetz: All of us worked together very closely in Unit 8200, a cyber intelligence unit inside the Israeli army. The three of us worked a lot on these areas and really understood some of the challenges that we wanted to handle.

The unique thing about what we do is that our solution can actually protect every authentication across an entire network or an entire cloud environment, without actually installing anything on your end points and servers. We can add multi-factor authentication and adaptive authentication to basically any type of assets, including resources that don’t support authentication at all.

LW: Let’s come back to ‘adaptive authentication.’ Can you frame what’s happening with ‘multi-factor?’


Kovetz: Companies are starting to add two-factor or multi-factor authentication to systems that they really want to protect. However, today there are simple ways to collect passwords directly from the computers, or even collect them remotely using phishing or by using tools like Mimikatz. It has become easy to get user credentials and use them to access the network.

LW: So the bad guys have figured out how to overcome the two-factor authentication?

Kovetz: Some multi-factor authentication methods are not really secure. The SMS standard is vulnerable to many attacks; it’s pretty easy for an attacker to get the text message containing the passcode. In other cases, e-mails are being used for multi-factor authentication, which means that if somebody is on your computer, they can easily obtain both the passcode and the email containing the second factor.

LW: Can you frame how privileged access covers a lot more ground today? For instance, companies today routinely have to access micro services, APIs and DevOps in the cloud.

Kovetz: This is what drove us to establish this company – the understanding that it doesn’t make sense for each server or application to take care of its own authentication, individually. We created a unified platform that would handle authentication for all of them.

Silverfort actually offers a network-based authentication solution that we put into your network, or into your cloud environment as a virtual instance, and it automatically discovers and protects every authentication inside this network.

Most commonly, enterprises today want to use push authentication to their users’ mobile phones. It is actually a mobile app that is running on your phone and communicating with the multifactor authentication provider over an encrypted tunnel.

LW: Sounds like the physical key fob Gannett required me to use to log into USA TODAY’s front end system 15 years ago. Only this is an app version that’s somehow pushed out to all employees’ phones?

Kovetz: Yes. This solves the problem by which many of the servers in your network don’t always support multi-factor authentication. And even if some of them do, each might support a different authentication method. As a user, you don’t want to have to carry around five different authentication tokens, or five different apps. You want to have one user experience that is consolidated across environments, and you want to have one place to manage the policies.

LW: Makes sense. What’s the ‘adaptive’ part of this?

Kovetz: Adaptive authentication is basically a way to analyze the behavior of the user and determine when and where to require additional levels of authentication. Let’s say you’re doing what you do every day, using the same device, from the same location, accessing resources that are not considered sensitive. So maybe you don’t need advanced authentication methods. But if you are coming from a new device, or different location, or maybe doing activity that doesn’t look normal for you, or is not what you are supposed to be doing, then you’d need to validate your identity using another form of authentication.

LW: You pay attention to my behaviors using that app on my device?

Kovetz: We would learn your behaviors, based on the way we see you authenticating on the network. This is exactly the advantage of our approach of introducing a unified authentication platform that monitors every authentication in the network. We can see all of these activities and everything that you do in the network.

Now that we’ve created this platform that can add authentication, very dynamically, anywhere in the network, we’ve started to integrate with other security vendors. By getting alerts from all of their detection engines — from the endpoint protection solutions, from the firewall and from the SIEM — we can make even better authentication decisions.

LW: So you get a rich profile of the legit user, and maybe even some useful intelligence about the attackers, as well?

Kovetz: Exactly. Today security products can either alert companies and, in many cases, nothing happens with all these alerts. Or, alternatively, they can block the user. But then, if it’s a false positive, the user will be blocked and productivity will be damaged.

LW: How is what your system does any different?

Kovetz: We don’t just detect or block. We have this third option where we can send a stepped-up authentication to the user asking if it’s really him. If you can prove it is you, you can continue. You don’t need to call the help desk. And if it’s not you, you would be blocked. So it’s actually real time prevention without reducing productivity.

(Editor’s note: Last Watchdog has supplied consulting services to Silverfort.)
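To make the adaptive decision Kovetz describes concrete, here is a small policy engine written for this article as an illustration; it is not Silverfort’s code and does not reflect how their product scores anything. It takes the signals mentioned in the interview (familiar device, familiar location, sensitivity of the resource, alerts from other security tools such as EDR, firewall or SIEM), adds them into a risk score, and maps the score to one of the three outcomes discussed: allow, step-up (ask for a second factor), or block. All weights, thresholds, alert names and sample users are constructed for the example.

```python
"""Toy adaptive-authentication policy engine (added illustration, not vendor code).

Scores one login attempt from the signals the interview mentions and returns
allow / step_up / block. Weights and thresholds are constructed, not tuned.
"""
from dataclasses import dataclass, field

STEP_UP_THRESHOLD = 30   # score at or above this: require a second factor
BLOCK_THRESHOLD = 80     # score at or above this: deny outright

# Points added per signal (constructed values).
SENSITIVITY_WEIGHT = {"low": 0, "medium": 15, "high": 30}
ALERT_WEIGHT = {             # hypothetical alert names from external detection engines
    "edr_credential_dump": 60,
    "firewall_c2_beacon": 50,
    "siem_impossible_travel": 40,
}
UNKNOWN_ALERT_WEIGHT = 20    # any alert we have no specific weight for still raises risk


@dataclass
class UserProfile:
    """What the platform has learned about a user from past successful logins."""
    known_devices: set = field(default_factory=set)
    known_locations: set = field(default_factory=set)


@dataclass
class AuthAttempt:
    """One observed authentication, as seen on the network."""
    user: str
    device_id: str
    location: str
    resource: str
    resource_sensitivity: str          # "low", "medium" or "high"
    external_alerts: list = field(default_factory=list)


def risk_score(profile, attempt):
    """Return (score, reasons) for an attempt against a learned profile."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += 30
        reasons.append("new device")
    if attempt.location not in profile.known_locations:
        score += 25
        reasons.append("new location")
    # Unknown sensitivity labels are treated as high rather than ignored.
    weight = SENSITIVITY_WEIGHT.get(attempt.resource_sensitivity, SENSITIVITY_WEIGHT["high"])
    if weight:
        score += weight
        reasons.append(f"{attempt.resource_sensitivity} sensitivity resource")
    for alert in attempt.external_alerts:
        score += ALERT_WEIGHT.get(alert, UNKNOWN_ALERT_WEIGHT)
        reasons.append(f"alert: {alert}")
    return score, reasons


def decide(profile, attempt):
    """Map the risk score to the three outcomes from the interview."""
    score, reasons = risk_score(profile, attempt)
    if score >= BLOCK_THRESHOLD:
        decision = "block"
    elif score >= STEP_UP_THRESHOLD:
        decision = "step_up"
    else:
        decision = "allow"
    return decision, score, reasons


def learn_success(profile, attempt):
    """After a successful step-up, the device and location become familiar,
    so the same routine access is allowed silently next time."""
    profile.known_devices.add(attempt.device_id)
    profile.known_locations.add(attempt.location)


if __name__ == "__main__":
    alice = UserProfile(known_devices={"laptop-01"}, known_locations={"HQ"})
    attempts = [
        AuthAttempt("alice", "laptop-01", "HQ", "wiki", "low"),
        AuthAttempt("alice", "phone-99", "HQ", "wiki", "low"),
        AuthAttempt("alice", "laptop-01", "HQ", "payroll", "high"),
        AuthAttempt("alice", "phone-99", "cafe", "payroll", "high", ["edr_credential_dump"]),
    ]
    for a in attempts:
        print(a.device_id, a.location, a.resource, decide(alice, a))
```

The point of the third outcome is visible in the second scenario: a new phone on a low-value resource is not blocked (which would generate a help-desk call) and not silently allowed (which would let stolen credentials through); it is challenged, and once the challenge succeeds `learn_success` makes that device familiar. The external-alert path shows how a signal from an endpoint or SIEM tool can push an otherwise ordinary login from step-up into block.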
