The video explores how authentication works in IT systems, focusing on various methods used to verify identity. It delves into the traditional approaches of authentication, which rely on something you know (like passwords), something you have (like a registered device), and something you are (biometric data). The video addresses the inherent risks and vulnerabilities present within these methods and introduces the concept of a security-usability continuum that navigates between convenience and security in authentication processes.

The video emphasizes the concept of risk-based authentication, which utilizes a combination of multiple factors to determine the level of trust in a user's identity claim. By incorporating situational and contextual elements, such as geographical location, device configuration, and user behavior, risk-based authentication offers a more nuanced approach. The objective is to manage authentication challenges more effectively by choosing appropriate responses based on the calculated risk level, thereby balancing trust with potential threats.

Main takeaways from the video:

💡 Risk-based authentication takes into account various factors beyond basic authentication methods to assess and manage the risk and level of trust.
💡 Adaptive authentication techniques can respond dynamically to different risk scenarios by using multifactor authentication and step-up challenges based on context.
💡 The relationship between risk and sensitivity is key to determining when to allow, deny, or escalate authentication levels in order to maintain a secure yet user-friendly system.

Key Vocabularies and Common Phrases:

1. authentication [ɔːˌθen.tɪˈkeɪ.ʃən] - (noun) - The process of verifying the identity of a person or device, often as a prerequisite to granting access to resources in a system. - Synonyms: (verification, validation, confirmation)

So how do we prove who we are when we're on IT systems? Well, that's the process of authentication.

2. biometric [ˌbaɪ.oʊˈmɛtrɪk] - (noun / adjective) - Relating to the measurement and analysis of unique physical or behavioral characteristics, especially for verifying personal identity. - Synonyms: (biological measurement, physiological data)

Your face print, your fingerprint, your maybe voice print, some sort of biometric.

3. continuum [kənˈtɪnjuəm] - (noun) - A continuous sequence or range of elements that vary gradually and can blend without distinct boundaries. - Synonyms: (spectrum, range, gradation)

...consider a continuum between security on one end and usability or convenience on the other end.

4. multifactor authentication [ˈmʌltɪfæktər ɔːˌθen.tɪˈkeɪ.ʃən] - (noun) - A security process requiring multiple methods of authentication from independent categories of evidence to verify a user's identity. - Synonyms: (two-factor authentication, multi-step verification)

...we call that multifactor authentication.

5. adaptive authentication [əˈdæptɪv ɔːˌθen.tɪˈkeɪ.ʃən] - (noun) - An advanced form of authentication that adapts the security measures based on real-time assessment of risk factors and user behavior. - Synonyms: (context-based authentication, dynamic verification)

You may also hear the term adaptive access, or adaptive authentication.

6. behavioral biometric [bɪˈheɪvjərəl ˌbaɪ.oʊˈmɛtrɪk] - (noun) - The use of unique patterns of behavior, such as keystroke dynamics, as a method of identity verification. - Synonyms: (behavioral analysis, pattern recognition)

That's a kind of unusual one. It's called a behavioral biometric.

7. step-up authentication [stɛp ʌp ɔːˌθen.tɪˈkeɪ.ʃən] - (noun) - A security procedure that requests additional verification factors when the risk level of a transaction is perceived as high. - Synonyms: (additional verification, heightened authentication)

Let's challenge you. Let's do something we call a step-up authentication.

8. graded trust [ˈɡreɪdɪd trʌst] - (noun) - A trust level assigned based on the assessment of various risk factors and user credentials, which determine access privileges. - Synonyms: (trust level, conditional trust)

...considered together when we're looking at a graded trust situation.

9. impossible travel [ɪmˈpɑːsəbəl ˈtrævəl] - (noun) - A situation in which login attempts are made from geographically disparate locations in a short timeframe, deemed suspicious. - Synonyms: (unfeasible journey, unreliable location)

That's an impossible travel case, and therefore we want to deny access in that case.

10. IP reputation [ˌaɪˈpi ˌrɛpjʊˈteɪʃən] - (noun) - The perceived trustworthiness of an IP address based on its history of behavior on the internet. - Synonyms: (IP credibility, IP trust level)

Another one is IP reputation. Yeah, Internet Protocol addresses.

Risk-Based Authentication Explained

Who are you and how do you prove it, especially if you're trying to do it at opposite ends of a wire? Well, you can't just take your ID and hold it up to the computer screen and expect that that's going to work. It won't. So how do we prove who we are when we're on IT systems? Well, that's the process of authentication, and there are different ways that we do it. One is based upon something you know. Something you know might be a secret, a password that only you know, or a PIN.

So something like that. We also might do it based upon something you have. So that is a specific device. Very often these days that would be your mobile phone, because most people aren't separated from those for very long. So you have that specific device and we register it in advance. And then the other way is based upon something you are. This is some physical characteristic of you. Your face print, your fingerprint, your maybe voice print, some sort of biometric. Now, these are the ways that we do authentication based upon something you know, something you have or something you are. But each one of these has a certain amount of risk associated with them.

In fact, something you know well, knowledge is something that can exist in actually two brains at the same time. So if I steal your password, I might know it as well, and therefore I could log in as you, your device. Maybe I steal it from you. Now you don't have it anymore, and I authenticate as you, even though I'm not you. So that has a weakness. And biometrics also have weaknesses in that. Someone may have similar physical characteristics, and they may be similar enough. Or maybe there's a way to fake out the biometric reader and make it think that you're someone that you're actually not. So in other words, all of these have inherent weaknesses.

But we're also looking at trying to make this authentication process one where we're having to consider a continuum between security on one end and usability or convenience on the other end. If we make it too secure, in fact, we've locked it down to such a point that there's a lot of friction introduced for the user, and they're not going to be happy about that. And the opposite end is if we make it so easy. In other words, like put no lock on the front door, then anybody can walk in. It's very usable, very accessible, very convenient, but then there's no security. So where is the right place along this continuum?

Well, in fact, what we're going to take a look at in this video is risk-based authentication. We're going to throw risk into the consideration and look at these factors, which oftentimes we will use in combination. For instance, if I take something you know and something you have, or something you have and something you are, or something you know and something you are, or all three of those, we call that multifactor authentication. What if I consider not only these factors, but some other things, and create a risk-based calculation that then lets me do more fine-grained authentication decisions? That's what we're going to look at in this video.

Okay, let's take a look at this relationship between risk and trust. It turns out that as risk increases, well, guess what? Trust will decrease, and conversely, the opposite happens. If risk goes down, then our sense of trust should be increasing. Now, let's think about that when it comes to authentication and specifically risk-based authentication. So that means if I've got a very high risk scenario based upon how I've judged it to be, then I'm not going to trust it very much, and I might limit some capabilities.

Let's take a look at an example of what that might be. So let's say we're over here on this end of the spectrum, and we'll say it's a low risk situation. So low risk, high trust. Probably what we're going to say in that case is allow it. They've logged in, and what they were trying to do wasn't really all that risky to begin with. And the information they've given me gives me a lot of confidence and trust. So we're going to allow it.

How about the next case? Let's say we're in a medium case where we've got medium risk involved here. Well, now I have a couple of choices. I could either limit what their access is and say, okay, I sort of trust you, I sort of don't. So I'm going to only let you do these things, but not those things. Or I might do something where I end up asking for additional factors. So I'm going to look at other things, the context about the transaction. I may also do something that would cause you to have to re-authenticate later. So we could make a decision on either of those kinds of things.

And then finally, if we judge it to be a high risk situation, well, guess what? We're probably just going to say, no, we're not gonna allow that. Although we'll look at a scenario where we might be able to maybe make some adjustments in that case. Okay, let's take a look at what some of those risk factors would be, what kinds of things would help us determine whether we can trust this authentication, this proof of who a person is or not? Well, I've already talked about the basics, and those are the things that, you know, something you have, something you are.

And a lot of times, as I said, we use these in multiple combinations, multifactor authentication. So that's the basic stuff here. Right. Well, there's another one that actually fits into this as well. That's a kind of unusual one. It's called a behavioral biometric. So we're looking at how a person actually does something, not just the physical characteristic of what they look like, but for instance, one of these would be the way you type in your password. It turns out people type differently and they'll pause in a micro way on just one key versus another.

So if we profile that, then we could, with some degree of confidence, say that we think it's you, because the way you typed your password in, the speed, the way you hesitated, all that matches, that's a behavioral biometric that would fit into those authentication types. How about some of the other things that we could consider here? Well, other things in terms of the way the user, once they're on the system, different kinds of behaviors may also factor into this. So, for instance, we may look at the times that you log in. We may even have restrictions, like we know, for instance, your job is Monday through Friday, nine to five, and if you're trying to log in on Saturday at 02:00 a.m. no, the answer is no.

I don't care if you got all the rest of this right. That still doesn't look right. We could also look at duration, the amount of time you spend on the system typically, and find out if that looks like it's out of sync. You know, you're not normally on for this amount of time. So we're either going to re-authenticate you and challenge you to prove your identity again, or something along those lines. Some other things that we could look at is failure cases. So the number of failures that you've had. You've logged in, and you've been generally successful at doing this, and now all of a sudden you can't seem to log in anymore. You've had a large abnormal number of failed login attempts, and therefore that is going to make us feel this is a higher risk and we're going to have lower trust.

So what are some other things that we can consider? How about a broader context for a particular transaction? So we might, for instance, look at the device that you're using and say, okay, if you're using one type of device, then we're going to trust it more than another type of device. Or this is the type of device you normally use, and now you're using a different one. So we think that might in fact infer that there's more risk in this. We might also look not only at the type that I mentioned, but we could also look at the configuration of the device.

So I might, for instance, say you should have certain security software installed on your device, and if you have that, I have more confidence than if you don't have that. Another thing is to look if the device has been jailbroken. So if there's been a jailbreak on the device, then I really can't trust it. In other words, someone has modified the operating system and therefore it could have malware, it could have all kinds of things going on with it. So if I see these kinds of things or the absence of those things, it would give me more or less trust in that situation.

How about geographical location? So if you normally log in from the US and then suddenly you're logging in from the other side of the world, then I'm going to say that really is not what we're expecting from you. So your location in that case is wrong. Now, if it turns out though, let's say I normally log in from the US and then I log in from Rome, then you might say, that's wrong. Unless I was supposed to be in Rome in the first place, in which case logging in from the US would have been the incorrect case.

So sometimes you have to understand the context as well. And it's not always static, it could be, in fact, dynamic. And we need to be able to adjust for those kinds of situations. Also look for what we call impossible travel. That is, if I logged in from the US, let's say New York, and then ten minutes later logged in from Beijing. Not possible. I can't be in both of those places. That's an impossible travel case, and therefore we want to deny access in that case.

Another one is IP reputation. Yeah, Internet Protocol addresses. Your IP address has a reputation as well. If we know that that IP address has normally been a place where a lot of malware or hackers have attacked from, then we're going to say, you know what, I don't care if you got all the rest of this stuff right, it's really not worth it. It's too high risk. But if your IP address generally has been a good actor on the Internet, then I'm going to have more confidence in you and I'm going to allow this to go ahead through. Some other things that we could look at would be transactions, the kind of transaction that you're going to do.

So the type of transaction, there are certain things. Maybe you're checking your balance or maybe you're trying to do something that is of higher value. So now in this case, I'm going to consider some graded trust that goes along with this, the sensitivity of the transaction. What kind of information am I trying to get out? So as you look at this, there's a lot of different factors that we could take into account. And in fact, it's a lot more, you see than just something you have, something you are, and something you know. I could consider a lot of different things. Put all of these things into the soup, into the algorithm, and then see what we come out with. It's a way of creating greater trust by reducing risk.

All right, let's take a look now at the relationship between risk and sensitivity, because these two kind of need to be considered together when we're looking at a graded trust situation. So, for instance, if I start off with a case where I say risk is high and the sensitivity of the transaction is high, I'm probably going to deny that. On the other hand, if I say risk is low and the sensitivity is low, I'm going to allow that to go through. So those are the two extremes.

Now it gets a little dicier. Let's say that the sensitivity is high, but the risk is low. Okay, as long as the risk is low, I'm probably in most cases going to go ahead and allow that. However, what about this case? This is an outlier. Now, risk looks to be high and sensitivity is relatively low. But because of that high risk, I may say, you know what I want to do? Let's challenge you. Let's do something we call a step-up authentication.

So you gave me something to prove who you are, but I considered it to be still fairly high risk. So maybe I'm going to go re-challenge you and make you step up your authentication. In other words, give me additional proofs that you didn't give initially. So that's another type of option that I might do, and you might decide different things based upon your policy and your tolerance for risk. Not everyone has the same tolerance for risk.

But bottom line, as you see, this is a hard problem, authentication, and it's why we can take things like something you know, something you have and something you are, and we can determine a certain amount from that. But if I could add in these additional factors, things like your behavior when you're doing these things, the context of the device, the transactions that you're trying to do, and their level of sensitivity, I could take all of those things into account and actually make a better decision. It's a more complex decision, but the beauty of this is this gives us risk-based authentication. It's adapting to the situation. You may also hear the term adaptive access, or adaptive authentication.

They're very similar in concept. So with this, I can now adapt my risk to the level of authentication someone is given. And that way we end up with what is hopefully a more frictionless environment for the user and a more secure situation for the organization.
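The decision process described in the video (score contextual risk signals such as device state, login window, location, failure count and IP reputation; treat impossible travel and a bad IP reputation as outright denials; then combine the resulting risk level with transaction sensitivity to allow, limit, step up or deny) can be written down as a small policy engine. The following is an added example, not code from the video or from IBM; the signal weights, the 1000 km/h impossible-travel threshold, the 500 km "far from home" radius, the failure count of five, the risk-level cut-offs and all sample users and logins are constructed assumptions for illustration, and a real deployment would tune them to its own risk tolerance and feed them from real telemetry.

```python
"""Toy risk-based (adaptive) authentication decision engine.

Added example, not the video's or IBM's code. Every weight, threshold and
sample record below is a constructed assumption chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import FrozenSet, List, Optional, Tuple

# The four outcomes the video describes: allow, limit access, step-up, deny.
ALLOW, LIMIT, STEP_UP, DENY = "allow", "limit", "step_up", "deny"


@dataclass
class Profile:
    """What the system already knows about a user (constructed sample data)."""
    usual_device: str
    home_lat: float
    home_lon: float
    work_days: FrozenSet[int]                 # 0 = Monday ... 6 = Sunday
    work_hours: Tuple[int, int]               # (start_hour, end_hour), start inclusive
    last_login: Optional[Tuple[datetime, float, float]]  # (time, lat, lon) of previous login


@dataclass
class Attempt:
    """Context observed at the moment of an authentication attempt."""
    when: datetime
    lat: float
    lon: float
    device: str
    jailbroken: bool
    security_software: bool
    ip_reputation: str                        # "good" or "bad", as a reputation feed labels it
    recent_failures: int
    factors: FrozenSet[str]                   # subset of {"know", "have", "are"}


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(profile: Profile, attempt: Attempt, max_speed_kmh: float = 1000.0) -> bool:
    """True if getting from the last login location to this one would need
    faster-than-airliner travel. The speed threshold is an assumption."""
    if profile.last_login is None:
        return False
    prev_time, prev_lat, prev_lon = profile.last_login
    hours = (attempt.when - prev_time).total_seconds() / 3600.0
    if hours <= 0:
        return True  # clock says the new login is not after the old one
    return haversine_km(prev_lat, prev_lon, attempt.lat, attempt.lon) / hours > max_speed_kmh


def score_risk(profile: Profile, attempt: Attempt) -> Tuple[bool, int, List[str]]:
    """Return (hard_deny, score, reasons). Weights are illustrative assumptions."""
    # Two signals the video treats as a denial regardless of everything else.
    if impossible_travel(profile, attempt):
        return True, 0, ["impossible travel"]
    if attempt.ip_reputation == "bad":
        return True, 0, ["bad IP reputation"]
    start, end = profile.work_hours
    signals = [  # (fired?, weight, reason)
        (attempt.device != profile.usual_device, 1, "unfamiliar device"),
        (attempt.jailbroken, 3, "jailbroken device"),
        (not attempt.security_software, 1, "no security software"),
        (attempt.when.weekday() not in profile.work_days
         or not start <= attempt.when.hour < end, 2, "outside usual login window"),
        (attempt.recent_failures >= 5, 2, "abnormal failed-login count"),
        (haversine_km(profile.home_lat, profile.home_lon, attempt.lat, attempt.lon) > 500,
         2, "far from usual location"),
        (len(attempt.factors) < 2, 1, "single factor only"),
    ]
    score = sum(weight for fired, weight, _ in signals if fired)
    reasons = [reason for fired, _, reason in signals if fired]
    return False, score, reasons


def risk_level(score: int) -> str:
    """Bucket the numeric score into the video's low / medium / high risk."""
    return "low" if score <= 1 else "medium" if score <= 3 else "high"


def decide(profile: Profile, attempt: Attempt, sensitivity: str) -> Tuple[str, List[str]]:
    """Combine risk level with transaction sensitivity ("low" or "high")."""
    hard_deny, score, reasons = score_risk(profile, attempt)
    if hard_deny:
        return DENY, reasons
    level = risk_level(score)
    if level == "low":                       # low risk: allow even sensitive transactions
        return ALLOW, reasons
    if level == "medium":                    # medium risk: limit, or ask for more factors
        return (STEP_UP if sensitivity == "high" else LIMIT), reasons
    # high risk: deny sensitive transactions, step-up challenge for the rest
    return (DENY if sensitivity == "high" else STEP_UP), reasons


# Constructed sample profile: New York office worker, Mon-Fri 9-17, last login from New York.
ALICE = Profile("laptop-01", 40.71, -74.01, frozenset({0, 1, 2, 3, 4}), (9, 17),
                (datetime(2024, 3, 4, 10, 0), 40.71, -74.01))
TWO_FACTORS = frozenset({"know", "have"})
NORMAL = Attempt(datetime(2024, 3, 4, 14, 30), 40.71, -74.01, "laptop-01", False, True, "good", 0, TWO_FACTORS)
EVENING = Attempt(datetime(2024, 3, 4, 20, 0), 40.71, -74.01, "laptop-01", False, True, "good", 0, TWO_FACTORS)
WEEKEND_JAILBROKEN = Attempt(datetime(2024, 3, 9, 2, 0), 40.71, -74.01, "phone-x", True, False, "good", 0,
                             frozenset({"know"}))
IMPOSSIBLE = Attempt(datetime(2024, 3, 4, 10, 10), 39.91, 116.40, "laptop-01", False, True, "good", 0, TWO_FACTORS)

if __name__ == "__main__":
    for name, attempt in [("normal", NORMAL), ("evening", EVENING),
                          ("weekend/jailbroken", WEEKEND_JAILBROKEN), ("impossible", IMPOSSIBLE)]:
        for sensitivity in ("low", "high"):
            print(name, sensitivity, decide(ALICE, attempt, sensitivity))
```

Running the module prints one decision per (attempt, sensitivity) pair: the routine weekday login is allowed for both sensitivities, the evening login scores medium and is limited or stepped up depending on sensitivity, the weekend login from a jailbroken, unregistered phone scores high and is stepped up for low-sensitivity work but denied for high-sensitivity work, and the Beijing login ten minutes after a New York one is denied as impossible travel before any other signal is weighed. The `reasons` list is returned alongside the verdict so that the decision can be logged and audited, which is what makes the step-up or denial explainable to an analyst later.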

Technology, Science, Security, Authentication, Adaptive Authentication, IT Systems, IBM Technology