January 25, 2022
User authentication is like a plane taking off or landing. It’s the most important and also the most dangerous event. In the same way we can assess a pilot’s qualification by the softness of their landing, we can measure a user's authentication quality based on their login behavior.
Typical authentication systems can utilize three parameters to measure quality of a user’s login:
- Context - Has the user's location changed(IP)? Has the user's device type changed(UA)?
- Behavior - Were there multiple consecutive failed attempts? Did the user try to bruteforce usernames?
- Externalities - Was the user’s account leaked elsewhere? Is the user’s password a common password?
These three parameters give identity systems the ability to qualify each and every session with a unique risk score. A user that logged in from their home country with a first attempt, vs a user that suddenly changed countries and had many failed login attempts.
The risk score can then be applied to the user’s session to help the system mitigate future risks by adjusting system behaviour towards the user. If a user’s session is low-risk, then the identity system may for example authorize higher transactions without additional verification, or leave users logged-in for longer, as opposed to riskier user sessions when they might be logged out earlier, and asked to perform KYC more often for riskier operations, etc.
However, these scores only work effectively for a typical user, who works nine to five, does not travel much, and has no carpal tunnel syndrome :) ! This also does not apply to highly vulnerable users with sensitive, confidential and/or valuable access, like bankers, lawyers, pharmaceuticals researchers, reporters or business people.
LoginID’s UAF/FIDO2 certified passwordless authentication solution has a unique advantage - device attestation.
Each and every FIDO device contains an attestation, a digital proof that verifies who manufactured the device. LoginID utilizes this information to add another score factor to the user’s session, which improves quality of risk assessment and helps our companies mitigate security risks while enabling them to improve user experience.
How does LoginID's device attestation work?
LoginID utilizes a database of all FIDO2/UAF supported devices on the market called MDS. MDS contains roots of trust to verify genuinity of the devices, in addition to the certification status, known security vulnerabilities, and a device’s security and cryptographic information.
When a user performs some operation using FIDO2/UAF authentication, LoginID performs analysis of the device. The criteria that LoginID might use are:
- Device genuinity
- Device cryptographic strength
- Device certification level
- Device known vulnerabilities
If a user uses a FIDO2/UAF certified L2 device, with no known security issues, in passwordless mode, that gives LoginID a high level of confidence during the user session. This allows our partners, enterprises, and merchants to potentially relax restrictions against a user, and allow them to operate more freely by, for example, enabling them to perform larger banking transfers without re-authentication, KYC, or other sometimes cumbersome steps.
For example, if the customer uses a platform authenticator on the Android 7 device with no hardware backing, they might be asked to re-enter their password or perform KYC, because there is an inherent risk that an attacker may have gotten unauthorized access to their account.
Another situation, that a company may consider, are highly vulnerable users - for example, high value customers. If the user is a large enough target, then the attacker may try to send a compromised authenticator that imitates a real, trusted brand like Yubikey, or Trustkey.
If a user, unknowingly, adds this device to their account, the attacker may utilize the compromised authenticator to extract, or predict, the private key, and thus gaining access to the user’s account without the user’s knowledge, thereby allowing attackers to steal funds, leak secrets, or obtain access to confidential research materials, damaging a company's brand, competitive position in the market, and ultimately their bottom line.
LoginID can eliminate this problem by performing strict device attestation and triggering an alarm in case such an attack occurs, by logging it with the client's SIEM (Security information and event management), hosted on the likes of Azure Sentinel, Splunk, or AWS Security Hub.