
Nicole Ibarra, February 20, 2020

RBA and 2FA

Partners in the Prevention of Crime


After more than a decade of high-profile data breaches – in which the sensitive personal data of hundreds of millions of people were exposed to hackers – it’s clear that password-based authentication alone, albeit convenient, is not secure enough.

We all remember the biggest data breaches, the ones that made international headlines and did irreparable damage to some of the biggest brands in the world – names like Yahoo, Equifax, Target, Home Depot, and Uber.

How did these data breaches happen?

There are several reasons. In some cases, security systems require users to answer pre-determined security questions in addition to a username-password combo. If these have been leaked by a data breach or compromised in another way, it makes it easier for an attacker to gain access to an organization’s internal networks.

But even though there is consensus that passwords should be protected by hashing (a technique to delay password recovery after a data breach), in the post-breach aftermath some organizations have admitted that some passwords were guarded only by weak hashing algorithms, or were stored in unprotected databases. The icing on the cake for cybercriminals is the weak passwords some users habitually choose, which are prone to being cracked in a brute-force attack, and the proliferation of malware that specializes in credential stealing.

One common remedy for the inherently insecure username-password combo is second-factor authentication (2FA). 2FA adds another layer of security on top of the password, and can take the form of one-time passcodes (OTPs) sent to a mobile phone via SMS text message or email, or a token-generating app. This certainly raises the bar for attackers, since it is harder to attack two communication channels simultaneously. Unfortunately, 2FA also harms the user experience and usability, and in many cases causes user friction. Moreover, attackers are adapting to 2FA by hijacking a victim’s SIM card, as the now infamous SIM swap attack demonstrates.

Can we do better? When users attempt to log into a service, there are many traces they leave behind that can help in thwarting the efforts of attackers. Information such as time and date, IP address, geolocation, device type, and browser version are useful for learning the normal patterns of legitimate users, in order to build up a user behavior profile over time. This user profile also helps to detect when certain user behavior deviates from the norm, and is classified as a risky anomaly.

For instance, if you live in New York City and typically connect from either home or work from a Mac device running Google Chrome, it would be suspicious to receive a login attempt that’s coming from a Windows device running Firefox, with an IP apparently belonging to a French internet provider at 2:00am ET. Granted, you might happen to be in Paris for work, but you probably won’t mind being challenged with a 2FA on those rare occasions.

This is an example of a Risk-Based Authentication mechanism (RBA), which typically uses machine learning to detect such anomalies, provides risk scores, and initiates another layer of security when necessary.
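The login-profile idea described above, as an added example that is not Appgate's code: a simple frequency-based profile stands in for the machine-learning model the article mentions. The attribute names, day-part buckets, sample history and the 0.5 step-up threshold are all assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Login:
    country: str   # derived from IP geolocation
    device: str
    browser: str
    hour: int      # hour of day (0-23) in the user's home time zone

ATTRS = ("country", "device", "browser", "daypart")
STEP_UP_THRESHOLD = 0.5  # assumed policy value, not from the article

def daypart(hour):
    # Coarse bucket so 09:00 and 10:00 count as the same habit.
    return "night" if hour < 6 else "day" if hour < 18 else "evening"

def features(login):
    return {"country": login.country, "device": login.device,
            "browser": login.browser, "daypart": daypart(login.hour)}

def build_profile(history):
    """Count how often each attribute value appeared in past logins."""
    profile = {attr: Counter() for attr in ATTRS}
    for login in history:
        for attr, value in features(login).items():
            profile[attr][value] += 1
    return profile

def risk_score(profile, login):
    """Mean rarity per attribute: 0.0 = always seen, 1.0 = never seen."""
    rarities = []
    for attr, value in features(login).items():
        total = sum(profile[attr].values())
        # An empty profile (new user) is treated as maximally unfamiliar.
        rarities.append(1.0 if total == 0 else 1.0 - profile[attr][value] / total)
    return sum(rarities) / len(rarities)

def decide(profile, login):
    risky = risk_score(profile, login) >= STEP_UP_THRESHOLD
    return "step_up_2fa" if risky else "allow"

# Constructed history: New York user on a Mac with Chrome, day and evening.
HISTORY = [Login("US", "Mac", "Chrome", h) for h in (8, 9, 12, 14, 17, 19, 20, 21)]
PROFILE = build_profile(HISTORY)
USUAL = Login("US", "Mac", "Chrome", 10)
ODD = Login("FR", "Windows", "Firefox", 2)   # the article's 2:00am ET login
TRAVEL = Login("FR", "Mac", "Chrome", 10)    # usual laptop, used from France
```

With this threshold, the known laptop used from France scores between the two extremes and is allowed; lowering the threshold trades more 2FA challenges for tighter control.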

Another example of 2FA is behavioral biometrics, such as the way users move the mouse cursor, type on their keyboards, or tap away on their mobile devices, to aid in building a profile of legitimate user behavior.

Behavioral biometrics also has the advantage of minimizing user friction, for instance, when users are traveling and don’t want to jump through another security hoop just because they happen to be on the road.

Can we do without passwords, 2FA or RBA? Probably not. Passwords will be around as a convenient method, as they provide some measure of security. Two-factor authentication is necessary to protect against brute-force attacks and credential stealing. But by combining 2FA with an RBA feature, an organization gets the best of both worlds – effective antifraud protection while keeping the user experience friendly and user friction to a minimum.

Working in tandem, they make it difficult for end-user accounts to be penetrated by advanced attackers, like the kinds generating headlines around the world.
