GCN : October 2015
how to

The vetting of trusted users should never end

Managing access to agency systems involves a continuous process of authentication based on context and value

BY ROBERT GRIFFIN

Adaptive authentication has clearly emerged as an effective technology and as a paradigm that reflects the risk-based world in which we live.

ADAPTIVE AUTHENTICATION

Risk-based, or adaptive, authentication grew out of the recognition that single- and multiple-factor authentication methods were based on the erroneous assumption that identity could be absolutely confirmed and, once confirmed, used as a basis of trust for all subsequent access decisions for the authenticated identity. It is clear that even the most robust multifactor authentication mechanisms do not give that level of assurance, though one-time passwords are still the most effective method for approaching that goal.

Adaptive approaches were developed to address that inherent limitation by viewing authentication as establishing a certain level of trust that could be factored into subsequent decisions regarding access. Those decisions also considered context (such as deviations from typical patterns of access for that user or all users) and the value of the resource being requested. Those factors could result in a response tailored to the authentication, such as requiring additional (step-up) authentication or limiting the extent to which the resource was provided (for example, permitting only partial access to particular information even if full access had been requested).

Adaptive authentication technologies are well established in government in response to regulatory and application requirements. For example, the passage of the Telework Enhancement Act of 2010 resulted in the proliferation of products that provide risk-based authentication as a way to meet the new regulatory requirements for multifactor authentication for end-user remote access. Some of the products had already been available and were provided by agencies to their users. But the law accelerated the availability and adoption of adaptive authentication.

For example, suppose an end user has logged into an online government service with a valid username and password. Before allowing that person to perform any activity, the application can evaluate context related to the user, such as whether the device, IP address and user location are the same as in previous logins. If any of those factors do not match (indicating that this might be a fraudulent login using a compromised username and password), the application can require step-up authentication such as answering challenge questions, using an authentication token or entering a code provided via email, text or telephone.

That kind of authentication is widely used for end-user access to online government services and has been successful in reducing the incidence of fraud. The range of information used as context for the risk decision continues to increase and has expanded from limited geolocation, IP address and device identifier information to behavior profiles (what this user has done in the past or what all users generally do), device profiling (configuration and low-level hardware characteristics), biometrics (fingerprints, gestures, facial recognition and voice recognition) and various forms of shared intelligence (vulnerability information, threat intelligence and phishing attack patterns).

The term “infinite factor” is sometimes used to reflect this ongoing expansion of the context used in making risk decisions. The use of this broad range of factors, especially compared to only using challenge questions or codes provided via text or email, has significantly improved the effectiveness of authentication.

An important development is the recognition that authentication is part of a
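The context check and tailored response described above (compare device, IP address and location with previous logins, weigh the value of the resource, then allow, require step-up or grant partial access), as an added example that is not code from the article or from any product it mentions. The attribute names, weights, thresholds and sample logins are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed weights and thresholds: assumptions for illustration only.
WEIGHTS = {"device_id": 40, "ip_prefix": 20, "country": 30}
STEP_UP_AT = {"low": 60, "high": 20}  # score that triggers step-up, by resource value


@dataclass(frozen=True)
class LoginContext:
    device_id: str
    ip_prefix: str  # first three octets of the source address
    country: str


# Constructed sample of one user's previous logins (documentation IP ranges).
HISTORY = [
    LoginContext("dev-A", "192.0.2", "US"),
    LoginContext("dev-B", "198.51.100", "US"),
]


def risk_score(current, history):
    """Add the weight of each attribute never seen in the user's earlier logins."""
    score = 0
    for attr, weight in WEIGHTS.items():
        seen = {getattr(h, attr) for h in history}
        if getattr(current, attr) not in seen:  # empty history: everything is new
            score += weight
    return score


def decide(current, history, resource_value, step_up_passed=False):
    """Return 'allow', 'step_up' or 'partial' for a password-authenticated user."""
    score = risk_score(current, history)
    if score < STEP_UP_AT[resource_value]:
        return "allow"
    if not step_up_passed:
        return "step_up"
    # Step-up raises trust but does not make it absolute: a completely
    # unfamiliar context still gets only partial access to high-value data.
    if resource_value == "high" and score == sum(WEIGHTS.values()):
        return "partial"
    return "allow"


if __name__ == "__main__":
    odd = LoginContext("dev-Z", "203.0.113", "FR")
    print(decide(HISTORY[0], HISTORY, "high"))  # familiar context
    print(decide(odd, HISTORY, "high"))         # unfamiliar context
    print(decide(odd, HISTORY, "high", True))   # same context after step-up
```

A first login with no history scores every attribute as new, so it is sent to step-up rather than trusted by default.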