How to Escape Access Policy Hell with Risk-Based Authentication

As I discussed in my previous post, Okta’s Risk-Based Authentication feature helps organizations overcome the challenges of balancing security with usability. You may have heard a lot about Risk-based Authentication over the past couple of months, and now that Risk-Based Authentication is Generally Available, I want to give an updated overview of what it is, why it matters for your workforce, and how you can get started with using it.

Navigating modern security challenges

Organizations are deploying more tools and applications than ever before. Within Okta’s customer base,  the average number of apps deployed per customer has reached 88, up 21% from 72 apps in 2016. On top of that, there’s added complexity in the fact that users want to access these apps from multiple devices and locations.

To manage the additional risk associated with these requirements, security teams have to constantly create and maintain various complex access policies that address specific business needs. Businesses with large workforces that span several office locations and large numbers of remote workers, for instance, require varying levels of security for each user group.

Deploying multiple policies to meet the needs of these users can create security blind spots that increase the organization’s risk, require ongoing maintenance, and hinder admin productivity. This is particularly taxing as 73% of security professionals are still configuring security policies manually, leading to wasted time and human error—which can have rippling effects across the organization. 

Solving policy confusion

To counter this, businesses require a solution that automates policy creation, maintains and tests policies, and removes the blind spots in their security.

As a policy-driven + machine learning engine that reduces rule and policy overload, Okta’s Risk-Based Authentication improves security and access experiences. It uses a predictive model to detect the probability of an account being compromised in every authentication request by assessing variables including the device, location, IP address, network, and more. Using this information, the system establishes a baseline of
“normal” login activity for every user, which then informs authentication decisions each time the user attempts to login. 

In low-risk scenarios, for instance, where the user is accessing an app from their usual location and device, admins may be comfortable with allowing logins with a less secure factor like SMS. In a medium-risk case where the login is coming from a different city or device, the user may be prompted to enter an additional factor. Lastly, in a high-risk scenario, where an employee tries to log in from the other side of the world on a new device, admins can require that a strong auth factor such as WebAuthn with biometrics is required.

As an added security measure, Risk-Based Authentication can also be coupled with Factor Sequencing, which helps organizations deliver passwordless experiences by incorporating alternative authentication factors. By combining these features, companies can recognize various risk levels and also enable a combination of multi-factor authentication options. 

Risk-Based Authentication events are also included in Okta’s Syslog for admins to send to their SIEM (Splunk, SumoLogic, etc.) for further analysis on specific user groups and to identify trends in high- and low-risk logins. This helps companies better understand the level of suspicious activity in their environment.

The impact of Risk-Based Authentication

By implementing Risk-Based Authentication, workforces benefit from:

  • Enhanced usability: Risk-Based Authentication enables simplified policy creation, as Okta does the hard work for admins. From an end-user perspective, employees aren’t bogged down by unnecessary MFA requests. Risk-based auth can even provide passwordless, seamless login experiences when appropriate.
  • Improved security: Implementing Risk-Based Authentication helps ensure that every access request to corporate resources is from a valid user. It does this by requiring that higher-risk logins be supplemented with advanced authentication factors, such as biometrics or an OTP. Biometrics provide high levels of certainty of a user’s identity, and WebAuthn is a non-phishable authentication factor that can be set to default. Okta Verify can also prompt users to verify their identity via a push notification. These factors are crucial in moving enterprises away from the inherently insecure practice of passwords. 
  • Heightened visibility: Risk-Based Authentication automatically stores risk level data and login attempt data in the Syslog. This includes the specific risk level of each individual user login. This information can be fed into tools like Splunk and SumoLogic to help IT admins and security teams understand where users may be vulnerable, better visualize events, and take further remediation action if necessary.

Ultimately, Risk-Based Authentication brings together security and usability by blocking malicious actors and providing better user experiences for legitimate users. This will be a big step towards effectively deploying a Zero Trust strategy that keeps the organization secure and meets the access requirements of their mobile workforce. 

Risk-based Authentication combined with Okta Verify Push 

Since the GA release of Risk-based Authentication, we’ve also deployed a newer feature - Review High-risk logins on Okta Verify - which adds an additional layer of security for high-risk login events. This feature is primarily aimed at preventing phishing attacks. 

When Okta detects a high-risk login, end users are presented a Review button in Okta Verify allowing them to review details about the authentication attempt. End users can then tap either Yes, It's Me to access their Okta account after satisfying a simple verification challenge or No, It's Not Me to deny the authentication attempt. This verification challenge involves matching a number on the Okta Verify app to a number on the Okta login screen. 

You can learn more about this feature here. This feature is now Generally Available and is gradually being rolled out to all customers. You can verify if the feature is GA on your org via the self-service feature manager, Settings > Features. Look for Phishing Resistant Okta Verify Push. (if you do not see the feature here, it has already been enabled in GA on your org). 

 

Get started with Risk-Based Authentication

Risk-Based Authentication is now Generally Available with Okta’s Adaptive Multi-Factor Authentication and Adaptive Single Sign-On products. To get started with Risk-Based Authentication in Okta now:

You’ll see updates to the sign-on rules UI, including defining a risk level and customization on how to respond based on risk.

You can expect expansions of Risk-based Authentication capabilities over the next few months and beyond. For more information on how Okta’s authentication options can help your business go passwordless, read our MFA deployment guide and MFA evaluation guide.

For further content on Risk-Based Authentication and Factor Sequencing, check out our recent posts on the topic: