Page 235 - DCAP311_DCAP607_WIRELESS_NETWORKS
Unit 14: Authentication
data requirements and authentication strengths and points, this approach can improve
overall usability while ensuring security, as it allows convenient access to less confidential
areas of a Web site, and more credentials are required only to access the more confidential
areas. Furthermore, additional authentication/verification can be required on individual
transactions that are deemed more risky. These can potentially leverage the stronger
authentication methods, such as multifactor and out-of-band authentication approaches.
Alternatively, in systems that have implemented role-based access control (RBAC) for
user authorization, different methods of authentication can be presented to users who are
mapped to different roles; or, in a more dynamic implementation, if a user logs on by
using partial credentials (when higher-strength credentials are made optional), that user is
mapped to a role that has lower access privileges for that Web session.
14.1.4 Risk-Based Analytics
Risk-based analytics are similar to what credit card companies use to assess the risk level of each
requested transaction and make authorization decisions in real time. Assessments are based on
real-time evaluation of various data points that are collected about the user and the requested
transaction; depending on the score and the data-confidentiality requirements, a transaction can be
approved or refused, or additional credentials can be requested from the user to provide
stronger authentication and reliable auditing.
The data points that are collected are often contextual information (location-based, behavior-
based, and so on) and are used as supplemental credentials to support strong authentication. For
example, client-device identification (CDI) can be used to relax the authentication requirements
for repeated, valid sign-ins from the same client device, if a verified set of credentials has
previously signed in to the Web site from that device. This is often facilitated by saving specific
"remember me" cookies, and sometimes by using a combination of data points collected from the
HTTP request and from client-side JavaScript code. Subsequently, based on the risk-based
assessment that the same user has signed in successfully to the same application before, a
lower-strength authentication is presented to the user to improve convenience.
Historical and social data points are also often included in the risk assessment, typically from
the perspective of transaction-anomaly detection (TAD): these data points help establish a
"normal" usage profile for a user, against which a requested transaction can be compared to
identify contextual anomalies.
Example: A transaction that is identified as having unusual characteristics (for example,
originating from a different physical location or a different client device, at an unusual time of
day or week, or transferring funds to a new, unverified account) contributes to a higher risk
profile, which prompts the authentication system to require stronger authentication from the
user in order to authorize the transaction.
This is also referred to as fraud detection, and it works well together with a layered approach to
implement a dynamically adaptive authentication system.
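The following is an added example, not from the original text, that shows how the layered
(step-up) approach described above and the risk-based analytics of this section fit together in
code. It assumes a small, constructed set of site areas, risk weights, thresholds and a user's
"normal" usage profile; these values are illustrative, not taken from any real system. Each
request is scored against the user's baseline (transaction-anomaly detection), the score is used
to raise the authentication strength required for the requested area, a valid "remember me"
cookie on a known device lowers the score (client-device identification), and a session that
holds only partial credentials is mapped to a lower-privilege role, as in the RBAC variant.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Authentication strength levels a session can hold, weakest to strongest.
PASSWORD_ONLY, MULTIFACTOR, OUT_OF_BAND = 1, 2, 3

# Layered model: each area of the site declares the minimum strength it needs.
# (Constructed example values, not from any real application.)
AREA_BASELINE: Dict[str, int] = {
    "public_profile": PASSWORD_ONLY,
    "balance_view": PASSWORD_ONLY,
    "fund_transfer": MULTIFACTOR,
}

# RBAC tie-in: a session that signed in with partial credentials is mapped
# to a role with fewer privileges for the duration of that session.
ROLE_FOR_STRENGTH: Dict[int, str] = {
    PASSWORD_ONLY: "viewer",
    MULTIFACTOR: "member",
    OUT_OF_BAND: "full_access",
}

STEP_UP_THRESHOLD = 40   # score at which one extra strength level is demanded
DENY_THRESHOLD = 90      # score at which the transaction is refused outright


@dataclass
class UsageProfile:
    """The user's 'normal' baseline, built from historical sign-ins (constructed)."""
    known_devices: Set[str]
    usual_countries: Set[str]
    usual_hours: Set[int]          # local hours (0-23) in which the user normally signs in
    verified_payees: Set[str]


@dataclass
class Request:
    """Data points collected about the current request (hypothetical field names)."""
    device_id: str
    country: str
    hour: int
    area: str
    session_strength: int
    remember_me_valid: bool = False
    payee: Optional[str] = None


def risk_score(profile: UsageProfile, req: Request) -> Tuple[int, List[str]]:
    """Transaction-anomaly detection: compare the request with the user's baseline."""
    score, reasons = 0, []
    if req.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown client device")
    if req.country not in profile.usual_countries:
        score += 35
        reasons.append("unusual physical location")
    if req.hour not in profile.usual_hours:
        score += 15
        reasons.append("unusual time of day")
    if req.payee is not None and req.payee not in profile.verified_payees:
        score += 25
        reasons.append("transfer to new, unverified account")
    # Client-device identification: a valid "remember me" token on a known
    # device lowers the risk, which is what allows a lighter sign-in to suffice.
    if req.remember_me_valid and req.device_id in profile.known_devices:
        score = max(0, score - 20)
        reasons.append("recognised device via remember-me cookie")
    return score, reasons


def required_strength(req: Request, score: int) -> int:
    """Layered baseline for the area, raised by one level when the risk score is high."""
    base = AREA_BASELINE[req.area]
    return min(OUT_OF_BAND, base + 1) if score >= STEP_UP_THRESHOLD else base


def decide(profile: UsageProfile, req: Request) -> dict:
    """Allow, demand step-up authentication, or refuse the request."""
    score, reasons = risk_score(profile, req)
    if score >= DENY_THRESHOLD:
        return {"action": "deny", "score": score, "reasons": reasons}
    need = required_strength(req, score)
    if req.session_strength >= need:
        return {"action": "allow", "score": score, "reasons": reasons,
                "role": ROLE_FOR_STRENGTH[req.session_strength]}
    return {"action": "step_up", "score": score, "reasons": reasons,
            "required_strength": need}


if __name__ == "__main__":
    # Constructed baseline for one user.
    profile = UsageProfile({"dev-A1"}, {"IN"}, set(range(8, 22)), {"acct-001"})
    # Known device with a remember-me cookie, low-confidentiality area: password suffices.
    print(decide(profile, Request("dev-A1", "IN", 10, "balance_view", PASSWORD_ONLY, True)))
    # Same session moving to a confidential area: more credentials are required.
    print(decide(profile, Request("dev-A1", "IN", 10, "fund_transfer", PASSWORD_ONLY,
                                  payee="acct-001")))
    # Unknown device and new payee: step up to out-of-band even with MFA in hand.
    print(decide(profile, Request("dev-Z9", "IN", 10, "fund_transfer", MULTIFACTOR,
                                  payee="acct-777")))
```

The thresholds, weights and the one-level step-up rule are deliberately simple so that the
decision path is easy to follow; a production system would tune them from observed data and
log the `reasons` list with every decision so that the auditing the section mentions is possible.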
14.1.5 Compensating Controls
An authentication system can also take into account other components that are not integrated
directly into this architecture but that can influence (positively or negatively) users'
security postures and/or risk profiles, and so contribute to the risk-based analysis. For example,
Extended Validation SSL (EV-SSL), digital watermarking, site keys, and so on contribute to
mutual authentication and help improve end-user behavior, which in turn improves the risk
profile. Host intrusion detection, anti-spyware, anti-phishing network services, and so on all
contribute to a user's overall risk profile.
LOVELY PROFESSIONAL UNIVERSITY 229