SecureAuth
We meet the company that can tell if you’re a hacker just by the way you type a password, and provides some of the world’s biggest companies with multi-factor authentication technology.
What do the fonts installed on your computer, the speed at which you type your password or the way you swipe a smartphone screen have in common? They can all reveal if you’re a villain.
You might think enforcing two-factor authentication for every user would leave a company’s network pretty secure, but according to SecureAuth’s chief security architect, James Romer, you’d be wrong. Dangerously wrong. Two-factor authentication (2FA) is broken, he believes, which is why companies such as SecureAuth have made a healthy business out of adding extra intelligence into the login process. Now, something as innocuous as having the wrong HTML5 player installed in a browser is enough to identify someone as a potential fraudster and prevent them gaining unauthorised access to a network.
We found out how it’s becoming harder than ever to bluff your way past network security – even if you’re sat at the desk of an authorised employee.
False factors
Too much confidence is placed in the effectiveness of 2FA, claims Romer. Whilst forcing you to enter a code issued to your phone alongside your regular password is better than a password alone, it’s far from Fort Knox security. And it’s a pain in the backside for the user, too.
“2FA is far, far better than username and password alone,” said Romer, “and of course we’re seeing many of the consumer-facing apps that we use every day leaning towards much more of a 2FA approach, which is great. But 2FA… is still very heavy on the friction. It usually relies on the user enrolling through a smartphone and therefore they have to use that device to authenticate. Which is fantastic if you’ve always got that device, it’s fantastic if you’ve always got cell phone coverage.” But often you haven’t, and the flaws are far more serious than leaving your smartphone at home or patchy mobile reception.
According to Romer, there have been many published weaknesses in the SS7 layer that connects one mobile telco to another. “We know there’s huge weaknesses around the delivery of SMS OTPs [one-time passcodes],” he explained. “It’s allowed bad actors and hackers to go after those, not only through the use of simple phishing attacks to get OTPs, but also internal pressure on employees of telco companies who actually have access to them. We know it’s been compromised.”
What’s more, nobody’s checking that the numbers those crucial passcodes are being sent to are actually the intended recipient. “There are a lot of authentication vendors out there who just send OTPs without doing any due diligence,” said Romer. “They don’t check where that OTP is going. That’s a huge issue in our industry.”
And then, of course, there’s good old human failure. “If you try to access application X through your browser on a Mac, you get a nice pop-up message on your smartphone, and typically users will click ‘Yes’. Therefore, bad actors go after that human element and someone not reading a message properly. Approximately 60% of people will push to accept messages without actually understanding what they’re accepting.”
Building layers
SecureAuth’s approach is to use multiple authentication layers to ensure that logins are genuine and that OTPs reach their intended recipients. Different clients will deploy varying numbers of layers, depending on their risk profile. But more layers of authentication don’t necessarily mean that the poor employee has to jump through more hoops to access the corporate network – quite the opposite, in fact. Many are designed to ensure that the person logging in is the genuine employee, so that they don’t have to enter an OTP afresh on a trusted device. Romer refers to this process as “pre-authentication risk analysis”.
One such layer is device recognition, where SecureAuth attempts to verify that the device being used to log in to the network or application is the user’s genuine device. There’s nothing particularly sophisticated about this per se – even widely hacked consumer sites such as Yahoo are now deploying device recognition. But while Yahoo might look for nothing more than a browser cookie left on the user’s device when they first logged in, SecureAuth goes much further. It examines session information, the HTML5 player used in the browser, screen size, installed fonts and many other characteristics that a hacker couldn’t easily clone or replicate. “We look at 30 sets of data that come from the device and create a unique fingerprint,” said Romer. “It’s a million pieces of data that we define, and we store that with the user. It’s not stored on the device.”
Taking a device fingerprint may prevent someone logging in as you from another laptop, but what if they’ve got hold of your laptop or sneaked onto your system in the office? This is where the behavioural biometrics kick in. “This allows us to look at the rhythm, the typing, the sequencing of a user’s patterns when they are within an application,” said Romer. “So, the way you type your username, the way you type your password.”
SecureAuth will also tag certain fields within applications and then measure how a user typically moves between them, so that when a stranger sits at your system and starts using those applications in a different way, the threat profile is raised. Unusual patterns of behaviour may not be enough in themselves to shut down a user, but they may be enough to trigger a request for additional authentication.
And those are only two of the ten or so authentication layers that SecureAuth can deploy. There are geovelocity rules, for example, which raise flags if someone logs in from their London office first thing in the morning and then logs in from Brussels an hour later – a journey that they couldn’t possibly have made in that time, unless they’ve been working on a secret project to relaunch Concorde.
Similarly, companies can deploy geographical boundaries. If you don’t have offices in Moscow and your staff never travel for business to Russia or other hacking hotspots in the Far East, why would you accept login attempts from that country? At the very least, you’d make them authenticate via another trusted method to make sure. Likewise, SecureAuth is keeping a beady eye out for people attempting to log in via the Tor browser or other anonymous means. There may be secure organisations where employees are doing this for good reason (the security services spring to mind), but in most instances, that would be another warning flag. Making sure the person logging in is who they’re meant to be is only half the job – the other half is ensuring that sensitive details such as the one-time passcodes are being sent to the right person in the first place.
SecureAuth will ensure OTPs aren’t sent out to just any device. First, SecureAuth will check that an OTP request is only sent to a phone number listed on a client’s list of approved contacts. “We will run that through our phone number fraud prevention intelligent schemes and we can tell what device carrier you use, what device class it is, has the phone number been ported recently?” said Romer. “This allows us to only show OTPs, or even only show the SMS [authentication] option, to phone numbers that the business are comfortable with receiving OTPs. We’re not just going to send OTPs to phone numbers in the wild. That’s pretty unique in this space today.”
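The geovelocity, geographical-boundary and anonymiser checks described above, as an added illustration (this is not SecureAuth’s code). The speed ceiling, the country allowlist and the rule that one flag forces step-up authentication while two or more deny the login are all assumed policy values, and the login events are constructed.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 250.0   # assumed ceiling for plausible travel between two logins
ALLOWED_COUNTRIES = {"GB", "BE"}  # constructed allowlist: a firm with UK and Belgian offices


@dataclass
class LoginEvent:
    user: str
    country: str          # ISO 3166-1 alpha-2 code of the source IP's geolocation
    lat: float
    lon: float
    ts_hours: float       # constructed clock: hours since an arbitrary epoch
    via_anonymiser: bool = False  # e.g. source IP is a known Tor exit


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def geovelocity_kmh(prev, cur):
    """Speed the user would have needed to travel between two logins."""
    hours = cur.ts_hours - prev.ts_hours
    if hours <= 0:            # out-of-order or simultaneous logins: treat as impossible
        return float("inf")
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours


def assess(prev, cur):
    """Pre-authentication risk: returns (decision, reasons).

    Assumed policy: no flags -> allow, one flag -> step_up (extra factor), two+ -> deny.
    """
    reasons = []
    if prev is not None and geovelocity_kmh(prev, cur) > MAX_PLAUSIBLE_SPEED_KMH:
        reasons.append("geovelocity")
    if cur.country not in ALLOWED_COUNTRIES:
        reasons.append("geo_boundary")
    if cur.via_anonymiser:
        reasons.append("anonymiser")
    decision = "allow" if not reasons else ("step_up" if len(reasons) == 1 else "deny")
    return decision, reasons


if __name__ == "__main__":
    london = LoginEvent("alice", "GB", 51.5074, -0.1278, 9.0)
    brussels = LoginEvent("alice", "BE", 50.8503, 4.3517, 10.0)   # one hour later
    print(assess(london, brussels))   # ('step_up', ['geovelocity'])
```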
The British legion
When you look at SecureAuth’s client list – which includes companies such as HBO, Unisys, Western Union, Virgin America and many other household names – you’d expect the company to be a huge corporation in itself.
In fact, SecureAuth runs light and nimble (although it’s about to merge with access control firm Core Security). The company has around 200 staff worldwide, and only seven over here in the UK, which is where Romer operates from – and why we twisted the normal rules of Profile to only cover British companies. How do they manage to service all those big-name clients with such a small team? “We have a partner network to help us, to cover the areas where we don’t have people on the ground,” said Romer. “They’re very skilled and they help us get that foothold in accounts.”
“We are a very recognised authentication brand in the US,” said Romer, adding that a lot of business comes through analyst reports that feature SecureAuth staff. Romer believes it’s also a strength that SecureAuth focuses solely on authentication and isn’t just offering it as part of a wider security portfolio. “It’s a culture and ethos of best-of-breed solutions, and hiring the best-of-breed employees.”