<?xml version="1.0" encoding="UTF-8" standalone="no"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" version="2.0">

<channel>
	<title>OneLogin Identity Management Blog</title>
	<atom:link href="https://www.onelogin.com/blog/feed" rel="self" type="application/rss+xml"/>
	<link>https://www.onelogin.com/blog/</link>
	<description>Best Practices &amp; Advice From Identity &amp; Access Management (IAM) Industry Professionals.</description>
	<lastBuildDate>Thu, 26 Feb 2026 15:48:23 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>
	<item>
		<title>Rethinking MFA: Smarter security for smarter threats</title>
		<link>https://www.onelogin.com/blog/rethinking-mfa-smarter-security-for-smarter-threats</link>
		
		<dc:creator><![CDATA[onelogin]]></dc:creator>
		<pubDate>Wed, 13 Aug 2025 20:54:16 +0000</pubDate>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[MFA]]></category>
		<guid isPermaLink="false">https://www.onelogin.com/blog/?p=1594</guid>

					<description><![CDATA[<p>MFA: Essential, but not enough on its own IT teams often rely on multi-factor authentication (MFA) as a way to authenticate users beyond just usernames and passwords. This added authentication factor (such as something you know, have, are, or do) helps verify user identities and adds a hurdle for attackers. Threats are dynamic, real-time, and [&#8230;]</p>
<p>The post <a href="https://www.onelogin.com/blog/rethinking-mfa-smarter-security-for-smarter-threats">Rethinking MFA: Smarter security for smarter threats</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img fetchpriority="high" decoding="async" class="alignnone size-full wp-image-1595" src="https://www.onelogin.com/blog/wp-content/uploads/2025/08/BlogImage-MFA-not-enough-PG-99726_1.jpg.optimal.jpg" alt="Rethinking MFA: Smarter security for smarter threats" width="1100" height="500" srcset="https://www.onelogin.com/blog/wp-content/uploads/2025/08/BlogImage-MFA-not-enough-PG-99726_1.jpg.optimal.jpg 1100w, https://www.onelogin.com/blog/wp-content/uploads/2025/08/BlogImage-MFA-not-enough-PG-99726_1-300x136.jpg.optimal.jpg 300w, https://www.onelogin.com/blog/wp-content/uploads/2025/08/BlogImage-MFA-not-enough-PG-99726_1-1024x465.jpg.optimal.jpg 1024w, https://www.onelogin.com/blog/wp-content/uploads/2025/08/BlogImage-MFA-not-enough-PG-99726_1-768x349.jpg.optimal.jpg 768w" sizes="(max-width: 1100px) 100vw, 1100px" /></p>
<h2>MFA: Essential, but not enough on its own</h2>
<p>IT teams often rely on <a href="https://www.onelogin.com/learn/what-is-mfa">multi-factor authentication (MFA)</a> as a way to authenticate users beyond just usernames and passwords. This added authentication factor (such as something you know, have, are, or do) helps verify user identities and adds a hurdle for attackers. Threats are dynamic, real-time, and evolving. <a href="https://www.oneidentity.com/learn/ai-in-cybersecurity-everything-you-need-to-know.aspx">Advances in AI mean attackers are getting smarter</a>, faster and are finding ways to bypass widely adopted security measures. While many organizations may broadly apply MFA and assume it’s enough to protect identities across their business, it’s not enough to secure an organization. Not every user poses the same risk. Not every application holds the same value. The question then becomes how to make MFA smarter, more adaptive, and better aligned to business risks and needs.</p>
<h3>Key risks of a “one-size fits all” MFA policy</h3>
<p>Applying a uniform MFA policy is simple to manage, but can introduce some key risks.</p>
<ul>
<li>Overburdening low-risk users: This can lead to friction and a perceived loss of productivity and efficiency.</li>
<li>Under-protection of high-value assets: For applications that contain sensitive information, such as financial systems or access to production environments, a singular authentication request is likely not enough to verify a user.</li>
<li>Creating blind spots: A uniform authentication policy may authenticate a user, but may not be enough to deter attack attempts on critical assets.</li>
</ul>
<h2>MFA assumptions vs. Reality</h2>
<h3>Assumption: A standard MFA policy is all you need</h3>
<p>With only one policy assignment to update, there’s only one standard to manage and secure. However, this singular approach can lead to a false sense of security. As the saying goes, if you’re only using a hammer, then it’s easy to treat every problem like a nail. And that leads to inflexible policies where not every action requires the same amount of scrutiny as others.</p>
<p>Not every action requires multiple authentication methods, whereas access to high-value targets may warrant multiple authentication challenges to confirm user identities.</p>
<p>Maybe an employee needs access to sensitive financial resources for limited periods of time only. Perhaps a third-party would like to collaborate but wants to log in using their existing Entra ID credentials rather than lose time waiting for the partner organization to provision a new account for them.</p>
<p>Modern defenses need to be similarly flexible, layered, adaptive and able to limit fallout in case <a href="https://www.oneidentity.com/learn/what-is-mfa-fatigue.aspx">MFA is breached</a>. And if an organization assumes that standardized MFA is sufficient, critical risks of over-burdening users, or lacking protection for high value applications can arise.</p>
<h3>Assumption: All MFA factors are perceived to be equal</h3>
<p>There may be multiple authentication factor options available for users, but that doesn’t mean each authentication factor is created equally, or should be equally applied to authenticate user identities.</p>
<p>Threat actors now use methods such as <a href="https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/" target="_blank" rel="noopener">device code phishing</a> to steal valid MFA access tokens from legitimate users. Other malware such as keystroke logging can capture OTP codes entered by users. These device-based methods can lead to exploits in ways that <a href="https://www.oneidentity.com/what-is-strong-authentication-in-cybersecurity/">stronger identity-based approaches</a>, such as biometrics, don’t.</p>
<p>Alongside emerging MFA-resistant attacks, human behavioral risks and internal risk tolerance also have an influence. Shadow IT is expected to grow. By 2027 ‘<a href="https://www.gartner.com/en/newsroom/press-releases/2023-06-05-gartner-identifies-four-myths-obscuring-cybersecuritys-full-value" target="_blank" rel="noopener">75% of employees will acquire, modify or create technology outside IT’s visibility.</a>’ Users need tools to do their work without delays or frustrations, otherwise they may look toward unauthorized products and their associated cybersecurity risks.</p>
<p>It also calls for attention to behaviors relating to logins, from humans and entities. That means analyzing the machines being used, the browsers making requests and the locations from which logins are attempted. A non-risky user, working with their usual device, may not need to jump through the same hoops as a new user from an unrecognized IP address.</p>
<p>Then, when any actions appear anomalous or suspicious, or when they deviate too far from the established norm, further authentication requests and potential remediation can start. After all, MFA is essential to operations – but it comes with conditions attached.</p>
<h3>Reality: MFA is vital</h3>
<p>MFA is vital, but it only works when it’s part of an overall security posture. At enterprise level, this is how IT leaders can respond and maintain a hardened posture when there are thousands of seats to secure and protect.</p>
<p>Of course, the level of protection depends on organizational needs and user preferences.</p>
<h3>Reality: Not all MFA is created equal</h3>
<p>For authentication, it may be practical to issue office-based workers with hardware keys, whereas mobile workers may be better suited to biometrics for a more flexible login experience. Some environments may not be suitable for phones, removing the possibility to use OTP or push notifications to mitigate login risks. This would be the case if there are user groups who aren’t confident with technology and would prefer a hardware key.</p>
<p>Organizations need to factor in these demands while managing the different requirements for authenticating and authorizing employees.</p>
<h3>Authenticate, authorize: Who and what</h3>
<p>Authorization overlaps with authentication, with identities verified and authenticated (the ‘who’ that can gain entry), and then the access to relevant resources for which they’ve been authorized (the ‘what’ that can be accessed).</p>
<p>JSON Web Tokens (JWT) can play a central role in limiting the attack surface by securely transmitting encrypted identity and permission information between desired resources. With a newer protocol such as OIDC, successful authentication results in a JWT being issued. This token can be used in the header of authorization requests and allows users to control how much information to pass on.</p>
<p>For other application types, SAML can fulfill a similar role for larger or more traditional organizations such as government entities. Although, for API-centered architectures and mobile applications, OIDC can be the most suitable option.</p>
<p>When authenticating and authorizing involves partner ecosystems, a trusted identity provider can be added to increase MFA security. Known as inbound federation or relying party trust, this OneLogin feature allows users to log in with a different identity provider, such as Google, Facebook or Entra ID.</p>
<h2>Setting authentication policies and pre-emptive defense</h2>
<p>Rather than adopting a rigid, business-wide strategy, organizations can set appropriate rules and policies for factors based on user groups. Any added user can automatically follow what’s been set for the group they&#8217;re joining, saving time on manual configurations.</p>
<p>Naturally, IT’s authentication needs will be different from other departments. Imagine DevOps want access to AWS. They need to log in to the corporate network, gain access via a VPN and authenticate to business-critical systems. An HR worker, by contrast, requires access to communication platforms, such as Teams, where attending an online event may not need the same level of authentication.</p>
<p>An enterprise’s many different components call for a similarly granular approach: one that triggers step-up authentication based on risk indicators and uses phishing-resistant factors such as passkeys (WebAuthn) and certificate-based desktop authentication. With passkeys and biometrics built on the WebAuthn framework, and with certificate-based desktop methods, logins can be tied to devices rather than to passwords or phone numbers.</p>
<p>Further hardening comes from implementing identity security before someone enters anything into the username and password fields. Leading approaches use real-time intelligence to identify high-risk traffic, known anonymizing proxies and botnet traffic. Device fingerprinting and <a href="https://www.onelogin.com/learn/what-is-risk-based-authentication">behavioral risk scoring</a> can also be used to decide whether a login attempt should be allowed. In some environments, pre-authentication policies allow administrators to block malicious, proxied traffic before it reaches targeted users and prompts them to validate their credentials.</p>
<p>Security leaders are increasingly prioritizing these stronger factors. Not just for <a href="https://www.oneidentity.com/what-is-privileged-access-management/">privileged accounts</a>, but across the broader workforce. That is when more advanced authentication becomes necessary.</p>
<h2>Advanced authentication</h2>
<p>Advanced authentication involves user verification methods that are less likely to be stolen, compromised or vulnerable to brute force attacks. A common example would be two or more authentication factors, along with <a href="https://www.onelogin.com/learn/what-why-adaptive-authentication">adaptive authentication</a> or <a href="https://www.onelogin.com/learn/passwordless-authentication">passwordless authentication</a>. For authorized users, there’s a more positive experience, without the need to remember or create different passwords for each application they use. In practice, this could involve:</p>
<ol>
<li>A user tries to log in with either <a href="https://www.onelogin.com/learn/how-single-sign-on-works">SSO</a>, a desktop client or a web browser.</li>
<li>The authentication system analyzes various parameters and risk levels relating to the request, such as device (usual or unrecognized), login time (within regular working hours or not) or network (trusted or unknown).</li>
<li>Based on a system evaluation, users are prompted to complete authentication steps that reflect the perceived risk. A low-risk action can be completed with a low-friction method such as <a href="https://www.onelogin.com/learn/otp-totp-hotp">OTP</a>. Login requests flagged as higher risk can trigger more advanced authentication factors such as biometrics or a security token.</li>
</ol>
<p>The decisions and actions are driven by machine learning, which can execute actions at scale and at pace. But this doesn’t mean organizations are safe from a breach. If the worst happens and attackers gain access, the goal should be to limit lateral movement as much as possible.</p>
<h2>After authentication, lateral movement restriction</h2>
<p>Threat actors will find ways around MFA. Limiting movement is key to containing the potential impact and can be done using machine learning to ‘never trust, always verify’ user identities. The result is a reduced attack surface with requests verified continuously. Users benefit from more intuitive logins and are less likely to want to circumvent existing controls.</p>
<p>If there’s a breach, organizations need to have a containment strategy in place that can limit privilege escalation and the impact of account takeover (ATO). If one credential is compromised, that shouldn’t mean a malicious actor can gain full access and move laterally to other applications unrestricted. A multi-layered approach to MFA makes it possible to enforce the Principle of Least Privilege (PoLP) even for users who have been authenticated, but might require further access or validation.</p>
<p>IT leaders must weigh the different demands, balancing security with convenience. They need to develop varied approaches for authenticating and authorizing to factor in different privileges, access windows and individual users’ knowledge and capabilities.</p>
<p>These approaches should match the nature of always-on and cloud-based business, and evolving attackers’ threats. It calls for a new way to evaluate session management, such as by shortening session lifetimes so that attackers have less time to hijack and gain access. Efforts should be made to enforce re-authentication when appropriate, such as for tasks that require elevated permissions, and to maintain visibility of logged-in user behaviors, assessing for anomalies and possible malicious activity.</p>
<p>MFA enforcement plays an essential role. But it’s equally important that MFA be part of a smart, adaptive defense. This way, any potential breach can be contained, lateral movement can be reduced and impact from MFA bypasses can be minimized.</p>
<p>The post <a href="https://www.onelogin.com/blog/rethinking-mfa-smarter-security-for-smarter-threats">Rethinking MFA: Smarter security for smarter threats</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Identity and AI threats: Building a defense-in-depth access management strategy</title>
		<link>https://www.onelogin.com/blog/identity-and-ai-threats-building-a-defense-in-depth-access-management-strategy</link>
		
		<dc:creator><![CDATA[Stuart Sharp]]></dc:creator>
		<pubDate>Tue, 15 Jul 2025 15:21:48 +0000</pubDate>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[InfosecEurope]]></category>
		<guid isPermaLink="false">https://www.onelogin.com/blog/?p=1587</guid>

					<description><![CDATA[<p>In all my years in tech – through the rise of the internet, cloud and mobile – nothing has seen the adoption curve that generative AI (GenAI) has. In such a short period of time, it’s gone from novelty to necessity, with people already growing to rely on it for everything from research to writing [&#8230;]</p>
<p>The post <a href="https://www.onelogin.com/blog/identity-and-ai-threats-building-a-defense-in-depth-access-management-strategy">Identity and AI threats: Building a defense-in-depth access management strategy</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img decoding="async" class="alignnone size-full wp-image-1588" src="https://www.onelogin.com/blog/wp-content/uploads/2025/07/BlogImage-AI-Threats-PG-99351.jpg.optimal.jpg" alt="Identity and AI threats: Building a defense-in-depth access management strategy" width="1100" height="500" srcset="https://www.onelogin.com/blog/wp-content/uploads/2025/07/BlogImage-AI-Threats-PG-99351.jpg.optimal.jpg 1100w, https://www.onelogin.com/blog/wp-content/uploads/2025/07/BlogImage-AI-Threats-PG-99351-300x136.jpg.optimal.jpg 300w, https://www.onelogin.com/blog/wp-content/uploads/2025/07/BlogImage-AI-Threats-PG-99351-1024x465.jpg.optimal.jpg 1024w, https://www.onelogin.com/blog/wp-content/uploads/2025/07/BlogImage-AI-Threats-PG-99351-768x349.jpg.optimal.jpg 768w" sizes="(max-width: 1100px) 100vw, 1100px" /></p>
<p>In all my years in tech – through the rise of the internet, cloud and mobile – nothing has seen the adoption curve that <a href="https://www.oneidentity.com/learn/predictive-vs-generative-ai.aspx">generative AI (GenAI)</a> has. In such a short period of time, it’s gone from novelty to necessity, with people already growing to rely on it for everything from research to writing code.</p>
<p>And that’s largely due to its intuitive interface. GenAI with its Natural Language interface doesn’t need system integration to generate a lot of value – it integrates directly with people.</p>
<h2>Current threats: Familiar tactics, supercharged</h2>
<p>While GenAI hasn’t yet led to brand-new attack vectors, it’s made existing ones far more dangerous:</p>
<ul>
<li>Visual impersonation is more convincing, thanks to deepfakes</li>
<li>Phishing emails are nearly indistinguishable from real ones due to improved linguistic capabilities</li>
<li>Process replication allows for mimicking <a href="https://www.oneidentity.com/community/blogs/b/privileged-access-management/posts/smarter-docs-smarter-security-how-we-re-using-ai-to-rethink-pam-support">internal workflows</a></li>
<li>Scalability enables attackers to launch highly targeted, large-scale campaigns</li>
</ul>
<h2>Future threats: Unknown unknowns</h2>
<p>As GenAI evolves into <a href="https://www.oneidentity.com/learn/what-is-agentic-ai-security.aspx"><em>Agentic AI</em></a> – tools that make independent decisions and act autonomously – the threats become harder to predict. State-sponsored “AI Threats-as-a-Service” could become a reality. Our best defense? Master the basics.</p>
<h2>Preemptive defense: The first line</h2>
<p>When threats are unpredictable, the fundamentals become critical:</p>
<ul>
<li>DDoS/IP reputation filtering</li>
<li>Pre-authentication risk scoring</li>
<li>Dynamic authentication flows that adjust based on risk level</li>
<li>Two-layered access policies (SSO and app level)</li>
</ul>
<p>Preemptive defense, as coined by Gartner, starts before authentication. Blocking high-risk attempts, introducing step-up challenges for medium-risk ones and trusting but verifying low-risk traffic reduces exposure without compromising user access.</p>
<h2>AI-powered phishing</h2>
<p>The sophistication of GenAI makes phishing much harder to detect. Attackers now create nuanced, human-like interactions that evade traditional filters. That’s why context-based authentication is essential:</p>
<ul>
<li>Adjust authentication factors dynamically based on risk</li>
<li>Step up authentication within applications based on behavior</li>
<li>Incorporate ID-verification challenges, particularly for sensitive access</li>
</ul>
<p>And don’t rely on a single authentication method – use a blend: OTPs, passkeys, biometrics and ID verification – layered across access points.</p>
<h2>Session hijacking</h2>
<p>GenAI can lure users into unknowingly giving up session cookies – bypassing the need to authenticate altogether.</p>
<p>Recommendations:</p>
<ul>
<li>Enforce step-up authentication when users laterally move to sensitive apps</li>
<li>Use phishing-resistant factors like FIDO2 or passkeys</li>
<li>Require re-authentication when users access their SSO profiles</li>
</ul>
<h2>Shadow AI: What you can’t see can hurt you</h2>
<p>Let’s talk about Shadow AI – the unsanctioned use of GenAI tools. Even with policies in place, there’s nothing stopping an employee from using ChatGPT on their phone and pasting the output into a report.</p>
<p>The best way to manage this risk? Remove the friction:</p>
<ul>
<li>Provide a corporate-controlled GenAI instance</li>
<li>Maintain a register of AI usage (especially for compliance frameworks like the UK’s ATRS)</li>
<li>Streamline procurement and integration of GenAI tools into your existing infrastructure</li>
</ul>
<p>The goal isn’t to block GenAI – it’s to govern it.</p>
<h2>Leveraging AI: Four core benefits</h2>
<p>AI isn’t just a threat – it’s an opportunity. In the security world, it offers four key benefits:</p>
<ul>
<li>Simplify: Delivering the same capability more intuitively</li>
<li>Accelerate: Improving speed and efficiency</li>
<li>Fortify: Enhancing what already works</li>
<li>Expand: Unlocking new functionality altogether</li>
</ul>
<p>For example, OneLogin’s Vigilance AI uses machine learning (ML) to assess dozens of attributes per authentication attempt, assigning a dynamic risk score using Bayesian probability. This kind of automation improves accuracy and reduces false positives.</p>
<p>Expect to see even more innovation as vendors integrate Small Language Models (SLMs) into security tooling – ideal for tasks like analyzing predictable authentication data.</p>
<h2>Securing AI: Managing non-human identities</h2>
<p>As AI becomes embedded into business workflows, it’s reshaping our understanding of identity – especially <a href="https://www.oneidentity.com/learn/what-are-non-human-identities-in-cybersecurity.aspx">non-human identities (NHIs)</a>. Traditionally, NHIs include workloads, machines and service accounts. But with Agentic AI, we’re seeing a new category: AI agents that can make decisions and take action.</p>
<p>These non-human identities must be governed as rigorously as human users, with measures including:</p>
<ul>
<li><a href="https://www.oneidentity.com/learn/what-is-identity-lifecycle-management.aspx">Lifecycle Management</a>: Track creation, role assignment, and deactivation</li>
<li>Least <a href="https://www.oneidentity.com/what-is-privileged-access-management/">Privilege Access</a>: Enforce granular permissions and <a href="https://www.oneidentity.com/what-is-just-in-time-provisioning/">Just-In-Time (JIT) access</a></li>
<li>Separation of Duties (SoD): Prevent conflicts or risky combinations of access</li>
<li>Continuous Risk Assessment: Adapt authentication and access based on evolving behavior</li>
</ul>
<p>And here’s a critical reminder: Don’t forget the kill switch. You must be able to immediately revoke access if an AI agent behaves unexpectedly – or worse, begins modifying its own code to prevent shutdown.</p>
<h2>Final thoughts</h2>
<p><a href="https://www.oneidentity.com/learn/ai-in-cybersecurity-everything-you-need-to-know.aspx">AI is reshaping identity security</a> from every angle. It’s powering new attacks, improving defenses and demanding <a href="https://www.oneidentity.com/learn/top-5-identity-governance-and-administration-tools-in-2025.aspx">entirely new identity governance models.</a> The path forward requires balance: enabling innovation while managing risk.</p>
<p>Start with strong fundamentals, build layers of adaptive defense, embrace <a href="https://www.onelogin.com/learn/ai-in-identity-and-access-management-explained">AI where it adds value</a> – and never assume that today’s controls are enough for tomorrow’s threats.</p>
<p>Because in the world of AI, speed and adaptability aren’t just advantages – they’re requirements.</p>
<p>The post <a href="https://www.onelogin.com/blog/identity-and-ai-threats-building-a-defense-in-depth-access-management-strategy">Identity and AI threats: Building a defense-in-depth access management strategy</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Authentication that fits: Customizing access for your business needs</title>
		<link>https://www.onelogin.com/blog/authentication-that-fits-customizing-access-for-your-business-needs</link>
		
		<dc:creator><![CDATA[onelogin]]></dc:creator>
		<pubDate>Tue, 17 Jun 2025 20:26:57 +0000</pubDate>
				<category><![CDATA[Network Security]]></category>
		<guid isPermaLink="false">https://www.onelogin.com/blog/?p=1580</guid>

					<description><![CDATA[<p>Authored by Solenne Le Guernic and Grant Tackett We want standardization and consistency in many IT situations, but authentication calls for something more flexible. After all, not every user can use the same authentication factors and not every situation involves valuable resources that need more complex forms of authentication. To make authentication work for your [&#8230;]</p>
<p>The post <a href="https://www.onelogin.com/blog/authentication-that-fits-customizing-access-for-your-business-needs">Authentication that fits: Customizing access for your business needs</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img decoding="async" class="alignnone size-full wp-image-1581" src="https://www.onelogin.com/blog/wp-content/uploads/2025/06/BlogImage-Authentication-KA-97850-fn-1100x500-1.jpg.optimal.jpg" alt="Authentication that fits: Customizing access for your business needs" width="1100" height="500" srcset="https://www.onelogin.com/blog/wp-content/uploads/2025/06/BlogImage-Authentication-KA-97850-fn-1100x500-1.jpg.optimal.jpg 1100w, https://www.onelogin.com/blog/wp-content/uploads/2025/06/BlogImage-Authentication-KA-97850-fn-1100x500-1-300x136.jpg.optimal.jpg 300w, https://www.onelogin.com/blog/wp-content/uploads/2025/06/BlogImage-Authentication-KA-97850-fn-1100x500-1-1024x465.jpg.optimal.jpg 1024w, https://www.onelogin.com/blog/wp-content/uploads/2025/06/BlogImage-Authentication-KA-97850-fn-1100x500-1-768x349.jpg.optimal.jpg 768w" sizes="(max-width: 1100px) 100vw, 1100px" /></p>
<p><em>Authored by Solenne Le Guernic and Grant Tackett</em></p>
<p>We want standardization and consistency in many IT situations, but authentication calls for something more flexible. After all, not every user can use the same authentication factors and not every situation involves valuable resources that need more complex forms of authentication. To make authentication work for your organization, SMS and email may have business-critical roles but should come with risk-based and contextual analysis. It’s a way to avoid the one-size-fits-all approach that can cause inefficiencies, slow down access and even leave gaps in security. Ultimately, it’s about deciding what level of risk can be accepted, identifying the worst-case scenario, and determining what actions should be implemented to reduce the risk.</p>
<p>It starts with identifying and avoiding a couple of common assumptions.</p>
<h2>Assumption 1: A single standard authentication policy is the most secure</h2>
<p>At first glance, a single, standard authentication policy sounds ideal – one policy to manage, one set of rules to secure, and less overhead for IT teams. Simple, right? Not quite. In reality, not every application holds the same level of sensitivity, and not every user interaction warrants the strongest authentication. A one-size-fits-all approach can lead to unnecessary friction – or worse, security blind spots. By adding context – like app sensitivity, user role, or location – you can apply stronger authentication only where it truly matters, striking the right balance between security and usability.</p>
<p>To support this contextual approach, start with a multi-layered strategy. The layers involved will vary based on elements such as risk profile and regulatory requirements. That means a similarly wide range of potential multi-factor authentication types that organizations can use, ranging from biometrics and hardware tokens to <a href="https://www.onelogin.com/learn/otp-totp-hotp">time-based one-time password (TOTP) apps</a> and even SMS and email for less sensitive authentication flows.</p>
<h2>Assumption 2: SMS and email aren’t suitable for authentication</h2>
<p>Phones can be compromised, emails intercepted, session hijacking is on the rise, and phishing remains a constant threat. These are all valid concerns – but they don’t mean SMS and email should be dismissed entirely as authentication methods.</p>
<p>The reality is, not all users have access to – or are comfortable with – stronger authentication methods like hardware tokens or biometrics. This can include users with limited technical experience or third parties who don’t have the infrastructure to support advanced options. But nearly everyone has access to a phone or email.</p>
<p>That’s why SMS and email-based authentication still have a role to play – particularly in low-risk scenarios. Trying to enforce strong authentication universally can backfire. It increases friction, leads to user frustration, support tickets, and sometimes insecure workarounds.</p>
<p>The better approach? Contextual authentication – applying the right level of authentication based on the risk of the situation. It keeps <a href="https://www.oneidentity.com/learn/what-is-identity-security.aspx">identities secure</a> and keeps experiences smooth.</p>
<h2>How to mitigate risks with contextual authentication</h2>
<p>Not every user has the same level of comfort or experience with authentication steps. Context-aware authentication that considers risk offers a powerful alternative to relying on people having strict password hygiene and avoiding password reuse, or expecting them to use factors that aren’t reasonable for whatever reason.</p>
<h3><a href="https://www.onelogin.com/learn/what-is-risk-based-authentication">Risk-based authentication</a></h3>
<p>Sometimes adding context is a simpler and faster alternative to investing in new infrastructure. That means seeking out solutions that can dynamically assess:</p>
<ul>
<li>IP reputation</li>
<li>Geolocation</li>
<li>Device parameters</li>
</ul>
<p>This contextual information allows for a level of adaptive control over authentication that delivers login flexibility. When a user authenticates from a recognized device, in a typical location, and via a secure corporate network, it may be appropriate to relax authentication requirements – such as bypassing multi-factor prompts. In higher-risk situations, additional authentication steps may be required – or access may be blocked entirely. This could include scenarios where the user logs in from an unfamiliar location, a suspicious IP address or at an unusual time of day.</p>
<p>At the enterprise level, machine learning can be used to analyze patterns across thousands of users, building a behavioral profile that helps distinguish normal logins from risky ones. When login activity aligns with established norms, access can be granted seamlessly. As the system matures and baseline risk scores are refined, outliers and anomalies can automatically trigger step-up authentication or other security measures.</p>
<p>However, implementing this kind of adaptive intelligence takes time – budget approvals, planning, and technical deployment don’t happen overnight. In the meantime, organizations still need practical ways to balance security with usability. That’s where SMS and email-based authentication can still offer value in the right contexts.</p>
<h2>SMS and email: Still viable authentication options (sometimes)</h2>
<p>In low-risk scenarios, it can be reasonable for organizations to allow authentication via SMS or email. These methods offer a low barrier to entry, are cost-effective and work with tools nearly every user already has – like a phone or email account. Security can be further strengthened through user education, such as reminding users never to share one-time passcodes. On the admin side, additional safeguards like setting PINs with mobile carriers can help defend against SIM swap attacks and improve overall resilience.</p>
<p>For accounts with elevated privileges or access to sensitive applications, <a href="https://www.onelogin.com/learn/what-why-adaptive-authentication">adaptive authentication</a> often needs to be reinforced with stronger methods such as passwordless flows using biometrics or security keys.</p>
<p>CISA has already recommended moving away from SMS-based <a href="https://www.onelogin.com/learn/what-is-mfa">MFA</a> for high-risk users, noting that it doesn’t qualify as <a href="https://www.oneidentity.com/what-is-strong-authentication-in-cybersecurity/">strong authentication</a> for individuals likely to be targeted. That concern isn’t theoretical – SIM-based attacks have remained prevalent, from a 400% surge in SIM swapping between 2018 and 2021, to reports in 2024 of bad actors offering telecom employees cash bribes to facilitate SIM swaps.</p>
<p>Still, despite these risks and federal guidance, SMS and email authentication can continue to serve a purpose – particularly in low-risk scenarios or as a fallback option – when implemented thoughtfully and supported with layered security measures.</p>
<h2>Reducing risk with granular access control</h2>
<p>Authentication can only go so far to mitigate risks. Organizations must also apply <a href="https://www.oneidentity.com/learn/what-is-access-control-in-cybersecurity.aspx">granular access controls</a> to limit what can be accessed after authenticating. Examples include:</p>
<ul>
<li><strong>Allowing read-only access to files</strong><br />
Minimize the risk of accidental or deliberate changes or deletions to sensitive information.</li>
<li><strong>Restricting access to non-sensitive applications</strong><br />
Deploy an <a href="https://www.onelogin.com/learn/iam">IAM solution</a> that automatically assigns users to what they need, based on their attributes.</li>
<li><strong>Increasing monitoring of access activity across the environment</strong><br />
Audit the current stack, to check for any shadow IT or areas where there’s limited visibility or knowledge of what exists and what needs to be protected.</li>
<li><strong>Requiring <a href="https://www.onelogin.com/learn/step-up-authentication">step-up authentication for access</a></strong><br />
Apply dynamically, whenever there’s a required action that’s defined as higher risk.</li>
</ul>
<p>There may be a single companywide portal or intranet. However, employees will still be accessing different applications and systems. Usually they’ll need different authentication factors, with different departments also aligning to different policies.</p>
<p>For example, DevOps engineers want access to AWS. They need to log in to the corporate network, gain access via a <a href="https://www.onelogin.com/learn/what-is-vpn">VPN</a>, and authenticate. An HR worker, by contrast, requires access to communication platforms such as Teams or SharePoint. These are two separate use cases, where it’s about context rather than being too rigid when securing and protecting company resources.</p>
<p>Apply user policies to groups, and then any user added can automatically follow the same policy, saving manual input and resources.</p>
<h2>Example user policies to manage and secure resources</h2>
<p>To further harden and add context to authentication, combine restrictive access policies with automated workflows. These can cover everything from password usage and hygiene to automated account suspensions and checking for the use of compromised credentials.</p>
<h3>Login flows</h3>
<p>For brute force defense, set limits for the number of times an incorrect password can be entered, and set how long a user is locked out. For more advanced and user-friendly security, use a passwordless solution combining ID and MFA, where only a username and an authentication factor are required.</p>
<h3>Granular SMS and email authentication usage</h3>
<p>Map user directories and allow SMS or email authentication for low-risk accounts only, where there’s little possibility for lateral movement or sensitive data exfiltration. Enforce OTP for different user types, from admins only, through to all users. For critical systems and to ensure compliance with relevant laws, implement more advanced methods like adaptive <a href="https://www.onelogin.com/learn/passwordless-authentication">passwordless authentication</a> or traditional username and password combined with a physical security token.</p>
<h3>Require trusted laptop and desktop devices</h3>
<p>Add a trusted device certificate or PKI certificate to user devices and specify the length of validity. Naturally, this allows users a more seamless authentication experience with their usual (trusted) machine and through an IP allow list. But it may still need MFA configured, depending on the context and the level of regulation involved. <a href="https://listings.pcisecuritystandards.org/pdfs/Multi-Factor-Authentication-Guidance-v1.pdf" target="_blank" rel="noopener">Multi-factor is a requirement for PCI DSS</a>, and MFA is also becoming mandatory for <a href="https://azure.microsoft.com/en-us/blog/announcing-mandatory-multi-factor-authentication-for-azure-sign-in/" target="_blank" rel="noopener">Azure</a> and <a href="https://cloud.google.com/blog/products/identity-security/mandatory-mfa-is-coming-to-google-cloud-heres-what-you-need-to-know" target="_blank" rel="noopener">Google Cloud Platform</a> throughout 2025.</p>
<h3>Auto-suspend inactive users</h3>
<p>Unless monitored, standing privileges can become a massive security threat. The <a href="https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider_0.pdf" target="_blank" rel="noopener">FBI and CISA highlighted this attack vector in an advisory</a> to critical infrastructure organizations, regarding Scattered Spider threat actors. To mitigate these vulnerabilities at enterprise scale, automatically suspend accounts if a user hasn’t logged in for 90 days. Apply this to sessions too, by setting how long a user can stay signed in for, from hours to minutes.</p>
<h3>Password guidance</h3>
<p><a href="https://x.com/FBI/status/1600913577925287936" target="_blank" rel="noopener">The most common password in the US is 123456. One quarter of US consumers say they’ve used other people’s streaming passwords. That’s a lot of easily guessed logins and widely shared passwords.</a> That’s also why organizations that use password-based authentication must control how users manage their login credentials. One way is to define the combination of different character types required, from uppercase and lowercase, to numbers and special characters. Another is to specify user attributes that aren’t allowed, such as username, email address, or phone number. The best solutions verify and block the use of known compromised passwords.</p>
<h3>Compromised credentials check</h3>
<p>Credential stuffing is a common threat vector, driven by tools that make this trivial and the wide availability of stolen credentials on the dark web, including <a href="https://www.techrepublic.com/article/worlds-largest-password-leak/" target="_blank" rel="noopener">mass data dumps of up to 10 billion passwords</a>. Implementing a credential check whenever a user creates an account or changes their password can reduce this risk. This feature can compare their chosen credentials against a live database of breached credentials, alerting when a match is found and blocking the use of that password.</p>
<h2>Minimizing risk without compromising security</h2>
<p>There’s always some level of risk when granting access or allowing authorized actions – but that risk can be better managed by applying context to authentication flows. That’s where methods like SMS and email still have a role to play.</p>
<p>By tailoring policies based on risk, IT leaders and administrators can restrict access when needed, while also reducing support overhead by implementing automation, rules and triggers to manage inactive accounts and handle <a href="https://www.oneidentity.com/what-is-privileged-access-management/">privileged account management</a> before those accounts become vulnerabilities. At the same time, users can authenticate with simpler methods – like SMS or email – for low-risk resources, enabling smoother day-to-day operations. This more nuanced, flexible approach helps strike the right balance between security and usability, avoiding the pitfalls of a rigid, one-size-fits-all strategy.</p>
<p>The post <a href="https://www.onelogin.com/blog/authentication-that-fits-customizing-access-for-your-business-needs">Authentication that fits: Customizing access for your business needs</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Securing Single Sign-On: Balancing User Convenience and Enterprise Protection</title>
		<link>https://www.onelogin.com/blog/securing-single-sign-on-balancing-user-convenience-and-enterprise-protection</link>
		
		<dc:creator><![CDATA[onelogin]]></dc:creator>
		<pubDate>Thu, 22 May 2025 17:13:42 +0000</pubDate>
				<category><![CDATA[Network Security]]></category>
		<guid isPermaLink="false">https://www.onelogin.com/blog/?p=1568</guid>

					<description><![CDATA[<p>Authored by Solenne Le Guernic and Grant Tackett Single sign-on (SSO) reduces credential fatigue while presenting unique security considerations that require careful architectural planning. In particular, SSO implementations must balance user experience with layered defense mechanisms. From a user perspective, SSO provides the ability to login once and start using their chosen applications, saving time [&#8230;]</p>
<p>The post <a href="https://www.onelogin.com/blog/securing-single-sign-on-balancing-user-convenience-and-enterprise-protection">Securing Single Sign-On: Balancing User Convenience and Enterprise Protection</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p><em>Authored by Solenne Le Guernic and Grant Tackett</em></p>
<p><a href="https://www.onelogin.com/learn/how-single-sign-on-works">Single sign-on (SSO)</a> reduces credential fatigue while presenting unique security considerations that require careful architectural planning. In particular, SSO implementations must balance user experience with layered defense mechanisms.</p>
<p>From a user perspective, SSO provides the ability to log in once and start using their chosen applications, saving time and effort. But from a threat actor’s viewpoint, a single login means something different. They see the opportunity for a single point of entry to multiple applications, email inboxes to reset and change passwords, and for carrying out malicious activity undetected.</p>
<p>Of course, the alternative is a scattered environment with various entry points and passwords. The resulting lack of visibility means IT teams have no way to monitor, control and detect anomalous behaviors.</p>
<h3>Password reuse across multiple logins</h3>
<p>The rise in BYOD means that boundaries are blurred between personal and professional workspaces. Any user recycling passwords, or using their corporate email to sign up for consumer services, can put the business at risk. Especially when <a href="https://www.gartner.com/en/topics/cybersecurity" target="_blank" rel="noopener">phishing and social engineering remain highly common threat vectors</a>, along with brute force attacks.</p>
<p>If a personal password is breached, the fallout can now extend to a victim’s workplace. That’s what happened with the <a href="https://www.linkedin.com/blog/member/trust-and-safety/protecting-our-members" target="_blank" rel="noopener">LinkedIn 2012 hack</a>. One compromised victim had <a href="https://www.theguardian.com/technology/2016/aug/31/dropbox-hack-passwords-68m-data-breach" target="_blank" rel="noopener">reportedly used the same now-breached password for their Dropbox account</a>. This allowed attackers to gain access to the filesharing service’s user database, leading to the leak of over 68 million email addresses and passwords.</p>
<p>In recent years, it’s no longer just human logins that can be compromised.</p>
<h3><a href="https://www.oneidentity.com/learn/what-are-non-human-identities-in-cybersecurity.aspx">Non-human identities</a> requiring access</h3>
<p>More entities are connecting to environments for integrations with third-party apps, APIs and devices.</p>
<p>There’s efficiency and scalability that comes from being able to run autonomously. Yet without supervision and adequate lifecycle management, there’s a risk that any compromise may stay undetected. After all, machines also need to be granted access, given roles and granted permissions. But this is often at scale and with high complexity, such as with thousands of IoT devices or sensors that provide constant sources of data. At such volumes, it’s natural to want to streamline entry points. However, automation doesn’t necessarily reduce the attack surface.</p>
<h3>Single point of failure</h3>
<p>It’s perfectly acceptable to advise a workforce not to reuse passwords when using multiple software products. However, <a href="https://chiefmartec.com/2023/04/how-big-is-your-tech-stack-really-heres-the-latest-data/" target="_blank" rel="noopener">the average large enterprise is reportedly using 664 apps</a>, with individual users accessing 11 core apps daily on average. This necessitates automated user provisioning/deprovisioning systems to maintain least privilege access. Moreover, faced with growing volumes of logins to remember, employees are often advised to use a password manager. And while a single repository means a simpler way to manage passwords and access applications, it also means a single point of entry if their master password is breached.</p>
<p>There may also be unmanaged apps or other Shadow IT around the edges. These are often more complex to monitor than birthright access apps such as email, document management or HR and CRM. Without full visibility there’s an increased attack surface from unmanaged renewals and expiries, unnecessary license usage and standing privileges, plus potential gaps in compliance and governance.</p>
<h2>What SSO looks like with the right controls</h2>
<p>Peel back some of the layers of single sign-on, and there should be centralized, secure, automated access management, where entry conditions are managed in a way that ensures security without vulnerability. The goal is to find the right balance between convenience and security for enterprise users.</p>
<h3>Building a federated trust network</h3>
<p>Despite the ‘sign-on’ in SSO, SSO isn’t simply a case of signing on to a network and gaining access. Entering the username and password should trigger a host of identity-related actions that determine whether access is granted. It’s done with protocols such as SAML 2.0 and OpenID Connect. SAML 2.0 enables XML-based authentication assertions between identity providers and service providers, while OpenID Connect uses JSON web tokens for modern web and mobile implementations. These offer secure authentication protocols for use with VPNs, firewalls, device apps, plus cloud and on-premise resources.</p>
<p>For example, an Identity Provider (IdP) can monitor the device ID to check if the device has previously been used to log in. This can include building device profiles, containing information on the browser and operating system used. The IdP can also monitor the geographic location, triggering further identity checks if the login comes from an unrecognized or new location. The result is a smoother login experience for approved users, with hardened security and an <a href="https://www.oneidentity.com/learn/what-is-identity-fabric.aspx">identity fabric</a> across an integrated ecosystem.</p>
<h3>Automating security at scale</h3>
<p>SSO goes beyond the capability of password-based managers. When trust is established on one system, users can be approved on other systems automatically, rather than relying on manual processes. When credentials are compromised, anomaly detection can be triggered to deny access to all the other platforms that are part of the federated environment.</p>
<p>Alongside the boost to security, there’s the agility that comes from accelerated access policies. Predefined rules help to reduce friction for users, and also support compliance and create a unified audit trail. Further sophistication comes from <a href="https://www.onelogin.com/blog/advanced-authentication-the-way-forward">Advanced Authentication</a>, allowing businesses to secure and simplify access at scale.</p>
<h3>Advanced authentication</h3>
<p>Advanced Authentication brings in technologies such as machine learning (ML). Login attempts can be automatically assessed for risk levels, with machine learning algorithms adjusting security protocols based on user identity profiles. Setup varies based on business requirements, such as industry and level of regulation. For example, some may combine Multi-Factor Authentication with behavioral analytics, for real-time analysis and contextual evaluation of login credentials.</p>
<p>For an added security layer, authentication can even go beyond logins and use <a href="https://www.onelogin.com/learn/passwordless-authentication">passwordless authentication</a>. This solves the risks of password-related compromises, by verifying identities based on biometrics or possession factors instead of passwords.</p>
<p>If attackers can leverage AI, so can defenders, in the form of AI-powered pattern detection. Broadly, this means identifying and acting on patterns in data. When applied to cybersecurity, AI can learn individual user behaviors and create a baseline of acceptable risk and ensure a positive experience for legitimate users. Any deviation from the norm means the AI can flag potential malicious activity and <a href="https://www.onelogin.com/learn/step-up-authentication">request additional steps</a> from potential threat actors. Essentially, finding the balance between user experience and enterprise protection.</p>
<h2>Usability &amp; security: Creating a best-of-both worlds solution</h2>
<p>With the above elements controlled, it’s time to put them in the right place. That means making sure any security program – spanning corporate culture, to overall strategy and vendor selection – is fully user-centric. It’s an outcome that successful security leaders achieve by:</p>
<ul>
<li><strong>Building in usability to the security charter</strong><br />
Hiring talent that understands how to make security the easy and default option for users, so they’re not tempted to use risky workarounds to achieve their goals</li>
<li><strong>Asking the right questions when selecting vendors</strong><br />
Making sure procurement processes ask vendors exactly how their solutions support both usability and security, without the need for compromise or trade-off</li>
<li><strong>Partnering with users to develop their security knowledge</strong><br />
Strengthening the business’s first line of defense against threats, offering training and education to recognize and react to potential threats</li>
</ul>
<h3>Implementation Checklist for Secure SSO</h3>
<p>To operationalize these principles, consider the following measures:</p>
<ul>
<li><strong>Secure SSO Portal Configuration</strong><br />
Configure SSO with the increased security that comes from policy-driven password protection, MFA and context-aware access management. To harden security further, it’s possible to make password policies more restrictive, with greater length, complexity, and reuse restrictions. Additionally, session timeouts and self-service resets help bring a balance of heightened security and increased usability.</li>
<li><strong><a href="https://www.onelogin.com/learn/what-why-adaptive-authentication">Adaptive Multi-Factor Authentication</a> Deployment</strong><br />
The adaptive element takes authentication beyond static rules-based <a href="https://www.onelogin.com/learn/what-is-mfa">MFA</a>, where users have to authenticate at every login and organizations remain vulnerable to brute force and spear phishing attacks. Instead, AI is deployed in adaptive MFA to dynamically adjust authentication requirements. There’s real-time assessment of login attempts, with low-risk users allowed appropriate access at the right time.</li>
<li><strong>One-Time Password (OTP) Protect</strong><br />
To reduce friction from MFA, OneLogin Protect allows a user to log in from push notifications sent to their device. Validation happens in OneLogin, using a time-based one-time password algorithm (<a href="https://www.onelogin.com/learn/otp-totp-hotp">TOTP</a>). This allows endpoints to exchange secure one-time passwords that are valid for a 30-second period, based on the HMAC algorithm.</li>
</ul>
<p>SSO should be implemented to best align with modern security frameworks. Access should no longer be granted based on location. Instead, it should be informed by a user’s authorized access, information about the device they are using, and contextual information about what is normal for the type of access request.</p>
<p>With these measures in place, businesses can solve challenges around password overload and reuse, reducing the number of logins needed while also reducing the attack surface. Increased self-service capability puts less of a burden on IT and their service tickets. Finally, by moving to a model of <a href="https://www.onelogin.com/learn/what-is-risk-based-authentication">risk-based authentication</a>, there is less of a chance of <a href="https://www.oneidentity.com/learn/what-is-privilege-creep-and-how-can-i-stop-it.aspx">privilege creep</a>.</p>
<p>The post <a href="https://www.onelogin.com/blog/securing-single-sign-on-balancing-user-convenience-and-enterprise-protection">Securing Single Sign-On: Balancing User Convenience and Enterprise Protection</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Access management in education: How schools are securing their users and apps</title>
		<link>https://www.onelogin.com/blog/access-management-in-education-how-schools-are-securing-their-users-and-apps</link>
		
		<dc:creator><![CDATA[onelogin]]></dc:creator>
		<pubDate>Fri, 14 Mar 2025 18:06:24 +0000</pubDate>
				<category><![CDATA[OneLogin]]></category>
		<category><![CDATA[Case Studies]]></category>
		<category><![CDATA[Education]]></category>
		<category><![CDATA[IAM for Education]]></category>
		<guid isPermaLink="false">https://www.onelogin.com/blog/?p=1545</guid>

					<description><![CDATA[<p>Access management in education: Ways schools are securing their users and apps IT teams in schools have a unique set of identity and access management challenges. Between constantly evolving cybersecurity requirements, digital communication gaps with parents, and continually growing student and staff populations, IT teams have to deal with a perpetually changing ecosystem. Additionally, every [&#8230;]</p>
<p>The post <a href="https://www.onelogin.com/blog/access-management-in-education-how-schools-are-securing-their-users-and-apps">Access management in education: How schools are securing their users and apps</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<h2>Access management in education: Ways schools are securing their users and apps</h2>
<p>IT teams in schools have a unique set of identity and access management challenges. Between constantly evolving cybersecurity requirements, digital communication gaps with parents, and continually growing student and staff populations, IT teams have to deal with a perpetually changing ecosystem.</p>
<p>Additionally, every school will attack these access management challenges differently and will require different features to fit their needs. This complicates the matter even more.</p>
<p>Some schools and districts, however, are managing access in ingenious ways with solutions that are customized to fit their needs. Learn below how major <a href="https://www.onelogin.com/blog/simplifying-identity-and-access-management-iam-in-k-12-education">educational institutions are battling common IAM challenges</a> with OneLogin by One Identity.</p>
<h2>Address changing educational populations</h2>
<p>Anyone in education can tell you that turnover and updates are rarely as common anywhere as they are in education. Students graduate and move on, or join or leave the school mid-year. Teachers retire or change roles. Schedules shift. Parents, admin and substitutes need secure access – but not the same access.</p>
<p>These are the environments where OneLogin thrives.</p>
<h3><a href="https://www.onelogin.com/resource-center/customer-stories/students-flourish-with-onelogin-at-premiere-nursing-and-technology-institute" target="_blank" rel="noopener">FVI School of Nursing</a>: Group students by cohort</h3>
<p>FVI School of Nursing uses OneLogin to group students by cohort to address their growing student population.</p>
<p>“It creates a much more efficient management of our systems. We can group students by cohort, keeping them all together, and then once they graduate, we deactivate them all together,” said Eusser Darling, FVI’s IT Manager.</p>
<p>For FVI, employing roles to differentiate between student and administrative users also helps them minimize both security and access issues.</p>
<h3><a href="https://www.onelogin.com/documents/san-jos-unified-school-district-saves-time-speeds-user-provisioning-new-app-rollouts-case-study-155570.pdf" target="_blank" rel="noopener">San Jose Unified School District</a>: Automate app access</h3>
<p>Grade levels, site locations or cohort locations can be utilized via mappings to automate app access, as San Jose Unified School District discovered, saving them time and storage.</p>
<p>SJUSD benefited from an integration of OneLogin with the storage solution Box, and Patrick Scanlan, Supervisor in Technology and Data Services for SJUSD, states that “the use of [OneLogin] and its features, and how easy it is to integrate, has given people in my department more of their time back to take care of other more interesting and productive things.”</p>
<h3><a href="https://www.onelogin.com/resource-center/customer-stories/uncommon-schools-sso-case-study" target="_blank" rel="noopener">Uncommon Schools</a>: Fully manage user lifecycles</h3>
<p>The non-profit organization Uncommon Schools also manages the entire lifecycle of students and staff with OneLogin and its integration with PowerSchool. They wanted a program that could update, delete or suspend user accounts through a native connection with their <a href="https://www.oneidentity.com/what-is-active-directory-management-and-security/">Active Directory environment</a>.</p>
<p>For Uncommon Schools, the product was unique, and enabled the team to “streamline the onboarding and offboarding experience for complete, real-time <a href="https://www.oneidentity.com/learn/what-is-identity-lifecycle-management.aspx">identity lifecycle management</a>, saving valuable time and resources.”</p>
<h2>Simplify user experience and increase productivity for students, parents and teachers</h2>
<p>An overused term that teachers regurgitate to their students is, “Set yourself up for success.” But students might take it more seriously if teachers could follow their own advice when it comes to cybersecurity.</p>
<p>Luckily, academic organizations have realized how much OneLogin can simplify the user experience for students and staff alike.</p>
<h3><a href="https://www.onelogin.com/resource-center/customer-stories/the-glennie-school" target="_blank" rel="noopener">The Glennie School</a>: Simplify login and communication</h3>
<p>With 2,000 users on multiple apps, <a href="https://www.onelogin.com/learn/how-single-sign-on-works">single sign-on (SSO)</a> was a major need for The Glennie School in Queensland, Australia. Since SSO only requires one set of credentials for multiple apps, it drastically boosts user productivity and reduces login issues, especially among young users.</p>
<p>OneLogin allowed The Glennie School to minimize the number of usernames and passwords for young students. “That was important as they are only beginning to learn how to read and write, let alone remember passwords as well,” adds Matthew Russell, Information Technology Manager, The Glennie School.</p>
<p>Parent communication is simplified and streamlined as well through OneLogin’s integration with Google, eliminating support calls from parents who previously could not access email links. This also allows parents to access the school system’s calendars, permission forms and more.</p>
<h3><a href="https://www.onelogin.com/resource-center/customer-stories/st-johns-school" target="_blank" rel="noopener">St. John’s School</a>: Enable centralized access to multiple apps</h3>
<p>“If our teachers and students struggle to log in to access the many applications they need, it takes away from the fast-paced, 40-minute lessons,” says the assistant head of digital strategy for St. John’s School in the UK, Mark Sartorius. They turned to OneLogin for its enterprise-level features, its futureproofed support and its <a href="https://www.onelogin.com/learn/what-is-2fa">two-factor authentication</a> model.</p>
<p>“Our teachers and pupils trust OneLogin. They know it works reliably and with just a single click, provides access to everything they need,” states Sartorius. For that matter, he calls it indispensable to the school’s operations.</p>
<h3><a href="https://www.onelogin.com/resource-center/customer-stories/berklee-orchestrates-app-integration-adds-services-for-alumni-community-with-onelogin" target="_blank" rel="noopener">Berklee College of Music</a>: Configure flexibly</h3>
<p>The renowned Berklee is not exempt from needing user friendliness in their technology. They wanted flexible access management that would integrate easily with multiple apps to simplify login and access for students and faculty.</p>
<p>“I think that’s really the flexibility of the platform, the type of accounts you could have, the application is configurable – it’s fairly wide,” states Gaël Frouin, Information Security Officer for Berklee College of Music. The Berklee IT department can configure OneLogin so that internal users can log in easily, “which alleviates some issues in certain applications.”</p>
<h2>Lower the cost, heighten the security</h2>
<p>Compliance regulations ensure student data stays secure, but sometimes those regulations come with a large balance. What if you could ensure compliance with tested, trusted security protocols – without the hefty price tag?</p>
<h3><a href="https://www.onelogin.com/resource-center/customer-stories/university-increases-security-enables-self-service-and-seamless-user-experience" target="_blank" rel="noopener">University of Mary Hardin-Baylor</a>: Get built-in 2FA</h3>
<p>A big plus for the University of Mary Hardin-Baylor when looking for a new access management tool was the security of two-factor authentication (2FA). But not just 2FA – built-in 2FA. “A lot of companies charge extra for two-factor, which we thought was kind of shady,” said Matt Irvine, the university’s Director of Media Services. OneLogin’s support of 2FA, along with its own, trusted 2FA app, made it enticing for this institution.</p>
<h3><a href="https://www.onelogin.com/resource-center/customer-stories/cleveland-institute-of-art-reduces-new-application-provisioning-in-single-night" target="_blank" rel="noopener">The Cleveland Institute of Art</a>: Maximize your investment</h3>
<p>The flexibility and functionality of OneLogin made it a critical investment for the Cleveland Institute of Art. They rolled out and provisioned iPads to all incoming freshmen and faculty. In this initiative, OneLogin completed the deployment of Google Apps across workstations, laptops and iPads in less than three weeks.</p>
<p>With OneLogin, the institute secured their authentication and access management processes at a comparable price that afforded them much more functionality than other options.</p>
<h3><a href="https://www.onelogin.com/resource-center/customer-stories/pearson-education-ciam" target="_blank" rel="noopener">Pearson Education</a>: Futureproof your enterprise</h3>
<p>With its new platform for end-to-end administration of large-scale assessments, PearsonAccess, <a href="https://www.onelogin.com/solutions/education">Pearson Education was looking for a scalable IAM solution</a> that could support authentication needs. The security policies, fine-grained <a href="https://www.oneidentity.com/learn/what-is-user-account-control.aspx">user access control</a>, just-in-time privilege and automation capabilities made OneLogin the choice to ensure seamless <a href="https://www.onelogin.com/learn/iam">IAM</a> and risk detection at scale. Plus, the enterprise-grade security and reliability made it a solid foundation for future revenue growth.</p>
<h2>Ease up on IT administration</h2>
<p>IT teams withstand the worst of the login issues and manual system maintenance for any organization, and an argument can be made that IT teams in the educational field have it particularly tough.</p>
<p>Schools use OneLogin to take the pressure off their cybersecurity teams and give them the time and energy to manage more important tasks.</p>
<h3>Muhlenberg College: Minimize manual management</h3>
<p>The SSO portal, password management and <a href="https://www.onelogin.com/learn/what-is-mfa">MFA</a> allowed the college to modernize their authentication at scale, cut down on password reset requests and improve the user experience for both IT and end users.</p>
<h3><a href="https://www.onelogin.com/resource-center/customer-stories/lighthouse-academies" target="_blank" rel="noopener">Lighthouse Academies</a>: Offer help to your help desk</h3>
<p>Casey Muse, CIO and CTO at Lighthouse Academies, states that the nonprofit network of charter schools didn’t have student accounts at all before OneLogin, and that their staff account management was “cumbersome, manual and required a lot of maintenance. It consumed large parts of our helpdesk and on-site technicians’ days. Now those days are pretty much gone.”</p>
<p>The automated student information system (SIS) sync to a school Active Directory (AD) gives back an enormous amount of time to the IT team, allowing them to spend less than two hours a day managing user identities thanks to OneLogin.</p>
<h2>Conclusion</h2>
<p>Every school and district uses IAM differently – to take the load off their IT team, to comply with cybersecurity regulations, to communicate with their parent populace or to simplify access for their student body.</p>
<p>OneLogin is the flexible IAM solution that can be customized to your needs and help you face and fix the challenges of access management in the field of education.</p>
<p>The post <a href="https://www.onelogin.com/blog/access-management-in-education-how-schools-are-securing-their-users-and-apps">Access management in education: How schools are securing their users and apps</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Where speed meets security: The role of real-time sync in IAM and why it matters</title>
		<link>https://www.onelogin.com/blog/where-speed-meets-security-the-role-of-real-time-sync-in-iam-and-why-it-matters</link>
		
		<dc:creator><![CDATA[Donnie Batz]]></dc:creator>
		<pubDate>Mon, 27 Jan 2025 22:29:44 +0000</pubDate>
				<category><![CDATA[OneLogin]]></category>
		<guid isPermaLink="false">https://www.onelogin.com/blog/?p=1533</guid>

					<description><![CDATA[<p>Organizations have embraced cloud computing for many aspects of their IT infrastructure, but Active Directory (AD) often remains firmly on-premises, which requires frequent synchronization of AD users and privileges into the cloud environment. Why wouldn’t they switch to a cloud directory service? AD is so core to IT functionality, that there’s still a strong preference [&#8230;]</p>
<p>The post <a href="https://www.onelogin.com/blog/where-speed-meets-security-the-role-of-real-time-sync-in-iam-and-why-it-matters">Where speed meets security: The role of real-time sync in IAM and why it matters</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1534" src="https://www.onelogin.com/blog/wp-content/uploads/2025/01/BlogImage-real-time-sync-PG-96103.jpg.optimal.jpg" alt="" width="1100" height="500" srcset="https://www.onelogin.com/blog/wp-content/uploads/2025/01/BlogImage-real-time-sync-PG-96103.jpg.optimal.jpg 1100w, https://www.onelogin.com/blog/wp-content/uploads/2025/01/BlogImage-real-time-sync-PG-96103-300x136.jpg.optimal.jpg 300w, https://www.onelogin.com/blog/wp-content/uploads/2025/01/BlogImage-real-time-sync-PG-96103-1024x465.jpg.optimal.jpg 1024w, https://www.onelogin.com/blog/wp-content/uploads/2025/01/BlogImage-real-time-sync-PG-96103-768x349.jpg.optimal.jpg 768w" sizes="auto, (max-width: 1100px) 100vw, 1100px" />Organizations have embraced cloud computing for many aspects of their IT infrastructure, but <a href="https://www.oneidentity.com/what-is-active-directory-management-and-security/">Active Directory (AD)</a> often remains firmly on-premises, which requires frequent synchronization of AD users and privileges into the cloud environment.</p>
<p>Why wouldn’t they switch to a cloud directory service? AD is so core to IT functionality that there’s still a strong preference to keep it on-premises, largely because of the financial and technical difficulty of switching to alternatives. This creates a pressing challenge: users need rapid access to a sprawling array of cloud apps but are held back by an on-premises directory service. And not just that: revocation of user privileges is also a concern.</p>
<p>Syncing infrequently creates plenty of hazards, but regular batch synchronization isn’t ideal either. Let’s discuss why synchronization delays in your AD directory to the cloud can impact both user experience and security posture – and how near real-time synchronization helps close the gap.</p>
<h1>What happens when synchronization is irregular?</h1>
<p>Infrequent or intermittent synchronization creates a disconnect between AD and the cloud apps your workforce uses. The risk: exposure to security threats, compliance violations, and operational inefficiencies.</p>
<h1>Productivity and user experience</h1>
<p>Slow synchronization can hold your organization back. New hires can’t get quick access to the tools they need for the job, and existing staff members are left waiting unnecessarily when they require a new tool.</p>
<p>It also leads to a higher burden on IT admins. Slow synchronization implies manual provisioning and de-provisioning of user access, which is a time-consuming process prone to human error. It takes time away from IT staff who could focus on more strategic tasks.</p>
<h1>Impact on security posture and compliance</h1>
<p>Arguably, the bigger concern is security and compliance. Intermittent synchronization creates a risk of lingering access where terminated employees retain access to sensitive data. This significantly increases the risk of insider threats, account takeovers, lateral movement and breaches.</p>
<p>Intermittent synchronization also delays the de-provisioning of privileges, which creates a window of vulnerability that malicious actors can exploit.</p>
<p>It could also leave your organization in breach of its compliance obligations. Heavily delayed synchronization implies inconsistent enforcement of access policies, because services outside of AD drift out of date.</p>
<p>Data protection and privacy regulations (such as GDPR and HIPAA) contain strict auditing and enforcement requirements. Out-of-date directory data could result in hefty fines and reputational damage.</p>
<h1>Batch or time-based sync works – but there are pitfalls</h1>
<p>Batch or time-based sync is a step forward, but it is not without its drawbacks. Batch sync creates, as a functional minimum, some level of synchronization at a predictable pace. This removes many previously listed concerns. For example, new hires can be confident that they have full access to their software toolset by the next day.</p>
<p>Similarly, system administrators no longer need to regularly intervene to set up access rights – as long as the user is able to wait, say, a day. Yet, batch sync often doesn’t go far enough in helping to mitigate security risks.</p>
<p>While batch or time-based synchronization offers some improvement over entirely manual processes, it still comes with inherent drawbacks:</p>
<ul>
<li><strong>Latency:</strong> Changes to user access, such as new hires, role changes or terminations, are not reflected immediately. The &#8220;gap in access&#8221; remains, which still impacts the user experience – and can sometimes leave just enough time for a security threat to evolve.</li>
<li><strong>Synchronization windows:</strong> Batch processes often require specific time windows for execution, potentially disrupting operations or requiring off-hours scheduling to minimize impact.</li>
<li><strong>Data inconsistencies:</strong> Updates to user information might not be propagated across all systems in a timely manner. The inconsistencies in permissions, roles and access may cause errors, hinder productivity, create security vulnerabilities and introduce compliance challenges.</li>
</ul>
<p>It is not uncommon to see an employee being terminated but retaining access to critical systems for hours until the next scheduled sync. That may not always be cause for concern – but would be a problem if the termination was under difficult circumstances, in which case, lingering access would create a substantial security risk.</p>
<h1>How does real-time directory sync work?</h1>
<p>Clearly, regular batch syncing is an improvement over irregular or unreliable synchronization, but it’s not perfect.</p>
<p>Synchronization that happens in near real-time closes the gap. It ensures that changes to a user’s AD entry are almost immediately reflected across all impacted applications and services. Benefits of near real-time synchronization include:</p>
<ul>
<li><strong>Near immediate user provisioning</strong>: New users gain access to applications in milliseconds, eliminating delays and boosting productivity because there is almost no waiting period.</li>
<li><strong>Almost instantaneous de-provisioning</strong>: Revoking access is equally rapid, occurring in milliseconds. When a user is disabled or removed from the directory, their access to all connected applications is quickly terminated, further enhancing security and compliance.</li>
<li><strong>Real-time role and attribute mapping</strong>: User roles and attributes are synchronized in real-time, ensuring accurate provisioning into applications and eliminating the need for manual adjustments. This streamlines user management and reduces administrative overhead.</li>
<li><strong>Active session termination</strong>: <a href="https://www.onelogin.com/learn/what-is-user-provisioning-and-deprovisioning">Real-time de-provisioning</a> extends to active user sessions. If supported by the application, users are automatically logged out upon being disabled in the directory, preventing unauthorized access even if a session remains open on a device. This adds an <a href="https://www.oneidentity.com/learn/what-is-identity-security.aspx">extra layer of security</a>, especially for sensitive data.</li>
</ul>
<p>It’s not hard to see why processing directory synchronization in as close to real time as possible leaves less room for security gaps or compliance violations and dramatically minimizes the burden on admin teams.</p>
<h1>What are the benefits of near real-time AD sync?</h1>
<p>Near real-time synchronization with AD offers significant advantages for both operational efficiency and security posture. Let’s look at the operational benefits first. For administrators and users, real-time sync provides the benefit of:</p>
<ul>
<li><strong>Immediate access</strong>: New employees gain access to necessary resources almost instantly, improving productivity and reducing downtime associated with waiting for account provisioning.</li>
<li><strong>Seamless onboarding and offboarding</strong>: Real-time sync streamlines user lifecycle management. New hires are productive from day one, and departures are handled swiftly, minimizing security risks.</li>
<li><strong>Operational efficiency</strong>: Automation through real-time sync further reduces manual effort, minimizing errors and freeing up IT staff for other tasks. This is particularly valuable for organizations with high employee turnover or frequent changes in user access.</li>
</ul>
<p>But arguably, the larger benefit is around cybersecurity posture. Organizations that sync AD and cloud app directory services in real-time benefit from:</p>
<ul>
<li><strong>Preventing lingering access</strong>: Real-time de-provisioning eliminates the risk of former employees retaining access to applications, even if they are still logged in. This is crucial for <a href="https://www.oneidentity.com/learn/what-is-cyber-security-certification-and-attestation.aspx">maintaining security and compliance</a>.</li>
<li><strong>Maintain compliance</strong>: Real-time sync helps organizations meet regulatory requirements by enforcing access policies and providing accurate user records.</li>
<li><strong>Rapid response to threats</strong>: Real-time sync also enables immediate deactivation of compromised accounts, minimizing damage from security incidents and preventing lateral movement by attackers.</li>
</ul>
<p>Synchronizing AD to the cloud in real-time is essential for any organization with frequent user changes. It ensures that access rights are always up to date, further closing the cybersecurity gap while reducing the efforts of security teams.</p>
<h1>Working with OneLogin AD Sync</h1>
<p>OneLogin&#8217;s Active Directory Sync is a seamless and efficient way to manage user identities and access across your organization&#8217;s applications.</p>
<p>By establishing a near real-time connection between your on-premises AD and the OneLogin cloud directory, AD Sync automates user provisioning and de-provisioning, ensuring that cloud rights and privileges are always current.</p>
<p>It also eliminates the need for manual updates and reduces the risk of errors, freeing up IT resources and improving overall security.</p>
<p><a href="https://www.onelogin.com/blog/exploring-ad-sync-across-iam-software" target="_blank" rel="noopener">With OneLogin AD Sync</a>, any changes made in your Active Directory, such as adding new users, modifying attributes or deactivating accounts, are instantly reflected in OneLogin and propagated to connected applications.</p>
<p>OneLogin&#8217;s extensive application catalog, with over 6,000 pre-integrated applications, ensures seamless integration with your existing SaaS portfolio – with rapid configuration.</p>
<p><a href="https://www.onelogin.com/resource-center/demo-videos/real-time-active-directory-sync" target="_blank" rel="noopener">In this video,</a> we demonstrate how simple it is to set up real-time sync with OneLogin.</p>
<p>Also worth mentioning, <a href="https://www.oneidentity.com/learn/top-5-active-directory-management-tools.aspx">Active Roles, from One Identity, is recognized as the #1 Active Directory management tool</a>.</p>
<p>The post <a href="https://www.onelogin.com/blog/where-speed-meets-security-the-role-of-real-time-sync-in-iam-and-why-it-matters">Where speed meets security: The role of real-time sync in IAM and why it matters</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Preventing account takeovers: Strategies to consider</title>
		<link>https://www.onelogin.com/blog/preventing-account-takeovers-strategies-to-consider</link>
		
		<dc:creator><![CDATA[Alicia Townsend]]></dc:creator>
		<pubDate>Wed, 06 Nov 2024 19:45:42 +0000</pubDate>
				<category><![CDATA[OneLogin]]></category>
		<guid isPermaLink="false">https://www.onelogin.com/blog/?p=1512</guid>

					<description><![CDATA[<p>Attackers no longer &#8220;break&#8221; into accounts. Instead, they log in using an existing user’s credentials. This account takeover provides access to IT environments where, often hidden by typical enterprise complexities, threat actors can move laterally. The credentials are often found for sale on the dark web, where Initial Access Brokers sell unauthorized routes into compromised [&#8230;]</p>
<p>The post <a href="https://www.onelogin.com/blog/preventing-account-takeovers-strategies-to-consider">Preventing account takeovers: Strategies to consider</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="size-full wp-image-1513 aligncenter" src="https://www.onelogin.com/blog/wp-content/uploads/2024/11/BlogImage-Preventing-Account-Takeoverss-PG-95187.jpg.optimal.jpg" alt="" width="1100" height="500" srcset="https://www.onelogin.com/blog/wp-content/uploads/2024/11/BlogImage-Preventing-Account-Takeoverss-PG-95187.jpg.optimal.jpg 1100w, https://www.onelogin.com/blog/wp-content/uploads/2024/11/BlogImage-Preventing-Account-Takeoverss-PG-95187-300x136.jpg.optimal.jpg 300w, https://www.onelogin.com/blog/wp-content/uploads/2024/11/BlogImage-Preventing-Account-Takeoverss-PG-95187-1024x465.jpg.optimal.jpg 1024w, https://www.onelogin.com/blog/wp-content/uploads/2024/11/BlogImage-Preventing-Account-Takeoverss-PG-95187-768x349.jpg.optimal.jpg 768w" sizes="auto, (max-width: 1100px) 100vw, 1100px" /></p>
<p>Attackers no longer &#8220;break&#8221; into accounts. Instead, they log in using an existing user’s credentials. This <a href="https://www.oneidentity.com/learn/what-is-corporate-account-takeover.aspx">account takeover</a> provides access to IT environments where, often hidden by typical enterprise complexities, threat actors can move laterally.</p>
<p>The credentials are often found for sale on the dark web, where Initial Access Brokers sell unauthorized routes into compromised systems. Other entry points include paying existing account owners, <a href="https://www.oneidentity.com/learn/what-is-password-spraying.aspx">brute forcing passwords</a> and socially engineering an employee to expose their credentials.</p>
<h1>Why is account takeover a risk?</h1>
<p><a href="https://www.gartner.com/en/newsroom/press-releases/2023-05-10-gartner-survey-reveals-47-percent-of-digital-workers-struggle-to-find-the-information-needed-to-effectively-perform-their-jobs" target="_blank" rel="noopener">The average desk worker needs to access 11 applications for their day-to-day tasks, while 5% are using 26 or more</a>. That compares to just six applications accessed per day in 2019.</p>
<p>These employees are more likely to be working remotely, using either company-owned hardware or their own devices. With every new identity needed, the attack surface expands, as <a href="https://www.securitymagazine.com/articles/100038-39-of-individuals-use-the-same-password-for-multiple-accounts" target="_blank" rel="noopener">a reported 39%</a> reuse existing passwords. With access to every account that uses the same login details, credential stuffing then becomes another threat.</p>
<p>Depending on the account breached and the level of attack sophistication, the associated permissions can allow movement to go undetected – often for extended periods, with an average of <a href="https://www.ey.com/en_ph/insights/forensic-integrity-services/why-cyber-breach-detection-is-a-crucial-part-of-your-defense-strategy" target="_blank" rel="noopener">207 days</a>. This mix of privilege and potential for long-term damage is partly why <a href="https://www.experian.com/blogs/insights/what-is-account-takeover-fraud-how-can-you-mitigate-risk/" target="_blank" rel="noopener">account takeover fraud was one of the most encountered threats reported by US businesses in 2023</a>.</p>
<h1>Common account takeover tactics</h1>
<p>Account takeover goals are simple: Maintain access, expand reach and locate valuable resources, all while staying undetected. However, the routes are complex and varied.</p>
<h3>Phishing</h3>
<p>A malicious actor sends an email, sometimes impersonating an entity. This entity can be a bank, a corporate department or a specific person that the recipient trusts or regards as a person of authority.</p>
<p>The email may include an invitation to click a link or open a file that may result in malware being downloaded to the recipient’s machine. Or it can be a message that encourages them to share sensitive information that the malicious actor can use for extortion or login purposes.</p>
<h3>Man-in-the-middle</h3>
<p>A man-in-the-middle (MITM) attack can also be used to launch session hijacking. Because this can happen in multiple ways, it’s harder to defend against. It can sometimes come from a script attack that just needs the recipient to click a link; other times it involves exploiting vulnerable protocols or unencrypted networks, or even stealing a valid session token.</p>
<p>A MITM attacker just needs to intercept the flow of information between legitimate users and services. While positioned in the middle of the traffic, they can gather sensitive data and login credentials and can redirect bank transfers to their own accounts. A common route is setting up a fake WiFi hotspot for unsuspecting users to connect to, leaving the door open to their private systems or banking applications.</p>
<h3>Session hijacking</h3>
<p>Sessions are created every time a user logs in to a website. Naturally, this means multiple opportunities for cybercriminals to exploit. Especially if the website, application or server has weak spots vulnerable to cross-site scripting, another vector.</p>
<p>The cybercriminal steals the user’s session cookies using malware and can then insert the cookie into their own session and take over the session. This attack vector bypasses authentication completely, including MFA and <a href="https://www.onelogin.com/learn/how-single-sign-on-works">SSO</a>. What’s more, the busier the network, the more chance of a breach remaining undetected amid usual traffic.</p>
<h1>What are some of the real-world consequences of account takeovers?</h1>
<p>Consequences vary, depending on the attacker’s goal. They may be motivated by financial reward or some type of extortion to interrupt service or destroy data. Whatever the motivation, the consequences are usually immediate and long-lasting.</p>
<h3>Data exfiltration</h3>
<p>These days, <a href="https://www.wsj.com/articles/data-is-the-new-currency-big-tech-antitrust-free-services-platform-consumer-welfare-e5c74fb5" target="_blank" rel="noopener">data is seen as the new currency</a>, so businesses lose their most valuable asset when it’s exfiltrated. Sensitive data and intellectual property may be sold on the dark web or to competitors for market advantage.</p>
<h3>Financial loss</h3>
<p>Account takeover can result in accounts being emptied. Depending on the industry, there may also be regulatory action to deal with. If the breach involves EU customers, there’s the risk of GDPR fines of up to 4% of annual turnover or €20 million. Individual states also have their own civil penalties, with up to <a href="http://www.leg.state.fl.us/Statutes/index.cfm" target="_blank" rel="noopener">$500,000 due in Florida “if the violation continues for more than 180 days.”</a> There may also be a longer-term revenue loss.</p>
<h3>Reputational damage</h3>
<p>Up to <a href="https://www.securitymagazine.com/articles/100296-66-of-consumers-would-not-trust-a-company-following-a-data-breach" target="_blank" rel="noopener">75% of US consumers said they’d consider walking away from a company that had experienced a cybersecurity issue</a>. Companies have few ways to mitigate this risk: the breach can either be made public by attackers, or the organization exposes it itself when reporting it to regulators.</p>
<h3>Downtime</h3>
<p>Further financial loss comes from the operational fallout. Global 2000 companies lose a reported 9% of annual profits when digital environments fail unexpectedly. Data may be encrypted using ransomware, disks may be wiped or systems shut down. This service disruption costs businesses dearly in terms of output and risk to agreed-upon SLAs. Customer experience is also negatively impacted, with users either unable to log in or suffering delays.</p>
<h3>Repeat attacks and malware</h3>
<p>Much like a burglar can return to the scene of their crime, attackers may also return to carry out further attacks. They may have left behind backdoors that allow access, such as newly created user accounts, installed Trojans, rootkits and even hardware devices. If they successfully erase their footprints, such as by deleting logs or hiding account activity, organizations may not be aware of the repeated risk.</p>
<h1>What are some account takeover prevention and mitigation strategies?</h1>
<p>Preventing account takeover means tightening up your architecture so that any account takeover is limited in its potential to cause damage.</p>
<h3>MFA</h3>
<p>This is an effective way to mitigate many attacks that aim to compromise and use passwords, like brute force attacks, MITM attacks, plus phishing and spear phishing risks. The attacker may know the login password, but if they don’t have a secondary authentication factor, logins can be prevented.</p>
<p>However, if the authentication device is a phone, <a href="https://www.onelogin.com/learn/what-is-mfa">MFA</a> can be circumvented by a SIM card swap that results in the target losing their phone number to attackers. To alleviate this, an additional identity factor can add a layer of defense to <a href="https://www.onelogin.com/learn/iam">identity and access verifications</a>. In these instances, <a href="https://www.onelogin.com/learn/biometric-authentication">biometrics</a> can be used for the “something you are” factor alongside “something you know” and “something you have.”</p>
<h3>Session timeouts and reauthentication</h3>
<p>These can be configured with your identity provider. You can set sign-in frequencies over periods of hours or days. Users won’t usually be prompted more often than once every five minutes, partly to avoid impacting productivity, and partly to not <a href="https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-session-lifetime" target="_blank" rel="noopener">“increase the risk of users approving MFA requests they didn’t initiate.”</a></p>
<p>Cybercriminals will use urgency in their messaging to targets, hoping that users will act and approve a request without thoroughly thinking. That’s where education and training come in.</p>
<h3>Education and training</h3>
<p>Staff are the first line of defense, yet are also a prime target for social engineering attacks that play on:</p>
<ul>
<li><strong>Trust:</strong> “Hey, it’s me from a different email address.”</li>
<li><strong>Urgency:</strong> “We need that money transferred now.”</li>
<li><strong>Respect for authority:</strong> “Hi there, can you do a favor for the CEO?”</li>
</ul>
<p>In other words, attacks like these play on the emotions that make us human. Realistic role-play training is an effective way to respond, for example by sending simulated spear phishing emails to specific employees. These employees should be chosen based on their authority and on any elevated or unmonitored privileges they may hold.</p>
<h3>Monitoring and anomaly detection</h3>
<p>Continuously monitoring user activity allows organizations to harness behavioral analytics to detect suspicious behaviors and anomalies.</p>
<p>Maybe a dormant account or entity becomes active. Perhaps an existing user starts making unusual or irregular access requests. Multiple login attempts from the same IP may indicate a <a href="https://www.onelogin.com/learn/bot-mitigation-in-cybersecurity">botnet attack</a>.</p>
<h3>Device recognition</h3>
<p>Devices and browsers trying to gain access can be identified. This form of fingerprinting means that if a user’s device appears as “unknown,” access can be refused.</p>
<p>If a user always logs in using their desktop and suddenly starts trying to use a phone, this can also be flagged by fraud detection systems.</p>
<h3>Risk-based authentication (RBA)</h3>
<p><a href="https://www.onelogin.com/learn/what-is-risk-based-authentication">RBA</a> assigns a risk level to each login attempt based on the user’s login behavior. For example, a login from the same device a user always uses carries a lower risk of being fraudulent. In contrast, a login from a new device may trigger a request for an extra authentication factor to validate access.</p>
<p>Such factors include <a href="https://www.onelogin.com/learn/otp-totp-hotp">OTP codes</a>, biometric identity-based verifications or answering a security question. Activity flagged as high risk, such as a login from a new device in a new location, triggers a stricter and more comprehensive authentication process.</p>
<h1>Account takeover: Prevention, preparation and response</h1>
<p>Alongside phishing, MITM and session hacking, IT leaders know that attacks will continue to grow in volume, variety and velocity. Many also know the costs of not having an adequate response strategy – <a href="https://www.forrester.com/report/breaches-are-more-expensive-and-more-frequent-when-incident-response-teams-are-unprepared/RES181119" target="_blank" rel="noopener">$204,000 spent on breaches each year</a> – especially when experiencing almost one breach every 12 months.</p>
<p>That’s why it’s critical to put the defense mechanisms available in place and to link them to identity management where possible. Most users are used to MFA, so education and training can be more focused on the advanced psychological tactics used by threat actors.</p>
<p>Meanwhile, enterprise architecture can be secured with techniques such as session timeouts, repeated authentication, monitoring and anomaly detection. Combine these with seamless identity management and device recognition tools that measure risk in real-time, and there’s little impact on user productivity. Security is maintained, and <a href="https://www.oneidentity.com/learn/what-is-corporate-account-takeover.aspx">account takeover threats</a> can be managed, mitigated and minimized.</p>
<p>The post <a href="https://www.onelogin.com/blog/preventing-account-takeovers-strategies-to-consider">Preventing account takeovers: Strategies to consider</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>User enumeration attacks: What you need to know</title>
		<link>https://www.onelogin.com/blog/user-enumeration-attacks-what-you-need-to-know</link>
		
		<dc:creator><![CDATA[Alicia Townsend]]></dc:creator>
		<pubDate>Fri, 13 Sep 2024 16:17:15 +0000</pubDate>
				<category><![CDATA[OneLogin]]></category>
		<category><![CDATA[Preventing Account Enumeration]]></category>
		<category><![CDATA[User Enumeration]]></category>
		<category><![CDATA[User Enumeration Vulnerability]]></category>
		<guid isPermaLink="false">https://www.onelogin.com/blog/?p=1500</guid>

					<description><![CDATA[<p>Malicious actors usually come prepared: before attacking an organization, they’ll gather as much data as possible to boost their chances of success. One common tactic is user enumeration, where attackers seek to identify active user accounts. But what exactly is a user enumeration attack, and how do attackers execute it? Let’s explore why user enumeration [&#8230;]</p>
<p>The post <a href="https://www.onelogin.com/blog/user-enumeration-attacks-what-you-need-to-know">User enumeration attacks: What you need to know</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone wp-image-1501 size-full" src="https://www.onelogin.com/blog/wp-content/uploads/2024/09/BlogImage-User-Enumeration-PG-93302-01.jpg.optimal.jpg" alt="User enumeration attacks: What you need to know" width="1100" height="500" srcset="https://www.onelogin.com/blog/wp-content/uploads/2024/09/BlogImage-User-Enumeration-PG-93302-01.jpg.optimal.jpg 1100w, https://www.onelogin.com/blog/wp-content/uploads/2024/09/BlogImage-User-Enumeration-PG-93302-01-300x136.jpg.optimal.jpg 300w, https://www.onelogin.com/blog/wp-content/uploads/2024/09/BlogImage-User-Enumeration-PG-93302-01-1024x465.jpg.optimal.jpg 1024w, https://www.onelogin.com/blog/wp-content/uploads/2024/09/BlogImage-User-Enumeration-PG-93302-01-768x349.jpg.optimal.jpg 768w" sizes="auto, (max-width: 1100px) 100vw, 1100px" /></p>
<p>Malicious actors usually come prepared: before attacking an organization, they’ll gather as much data as possible to boost their chances of success.</p>
<p>One common tactic is user enumeration, where attackers seek to identify active user accounts. But what exactly is a user enumeration attack, and how do attackers execute it?</p>
<p>Let’s explore why user enumeration is so commonly used by malicious actors, share practical examples and offer tips to achieve robust defense.</p>
<h2>What is a user enumeration attack?</h2>
<p>A user enumeration attack is less of a direct cyberattack and more a reconnaissance mission that precedes one. It is a technique that malicious actors use to discover valid usernames or user accounts within a system or application.</p>
<p>User enumeration provides crucial information for subsequent attacks such as targeted phishing, password cracking or <a href="https://www.oneidentity.com/learn/what-is-privilege-escalation.aspx">privilege escalation</a> – all of which cannot take place if the attacker does not know which users exist in a system.</p>
<p>By doing reconnaissance via user enumeration, hackers methodically identify which users live in a company’s system – gaining a list of users to target.</p>
<h2>Usernames become the target list</h2>
<p>Usernames provide attackers with a list of potential targets. Armed with this list, malicious actors then test or probe these accounts and once verified, employ tactics to compromise verified accounts.</p>
<p>But successfully breaking into an account is just the first step. A compromised account can be used for unauthorized access to sensitive data or even control over an entire system. Yet it starts with user enumeration: finding out which users are in the system in the first place.</p>
<p>The danger lies in the fact that user enumeration is often subtle and difficult to detect, making it a potent weapon in a hacker&#8217;s arsenal.</p>
<h2>Types of user enumeration attacks</h2>
<p>User enumeration attacks come in many shapes and forms. Each attack vector exploits unique vulnerabilities and weaknesses within apps and systems. We can broadly categorize these attacks into three main types:</p>
<h3>1. Passive enumeration attacks</h3>
<p>In passive enumeration attacks, attackers gather information without directly interacting with the target system. The attacker relies on publicly available data or information leaked inadvertently. This includes looking at public websites or social media. For example, usernames or email addresses often appear in company personnel directories, forums or social media posts.</p>
<p>Analyzing website source code or metadata is another route to user enumeration, as developers sometimes include usernames within website code or file metadata. Misconfigured services can also be revealing. For example, where a system administrator leaves a directory service open or misconfigures a network share.</p>
<h3>2. Active enumeration attacks</h3>
<p>Active enumeration attacks rely on a much more direct interaction with the target system: attackers probe the system using automated tools to try and elicit responses which confirm the existence of users or reveal valid usernames.</p>
<p>For example, <a href="https://www.oneidentity.com/learn/what-is-password-spraying.aspx">attackers can systematically try different username and password combinations</a> until they find a valid one. Likewise, subtle differences in error messages for invalid usernames versus invalid passwords can reveal valid accounts.</p>
<p>While active attacks are easier to detect, they can nonetheless be surprisingly effective if an organization lacks robust security measures.</p>
<h3>3. Application-specific enumeration attacks</h3>
<p>Applications and services have unique vulnerabilities, and some have known user enumeration vulnerabilities. For example, weak password reset processes can allow attackers to enumerate usernames by checking if an email address is associated with an account.</p>
<p>Some applications inadvertently expose APIs that reveal usernames based on certain inputs, while publicly accessible user profile pages can inadvertently display lists of usernames or provide clues about valid accounts.</p>
<p>Application-specific attacks highlight the importance of securing every aspect of an application – not just the obvious entry points.</p>
<h2>Practical examples of user enumeration attacks</h2>
<p>How does this play out in practice? Here are three common examples of user enumeration attacks.</p>
<h3>1. Login pages</h3>
<p>This is one of the most common forms of user enumeration. The attacker will input various usernames into a login form, and then carefully watch the server&#8217;s response. If the server responds with a message like &#8220;username not found,&#8221; the attacker knows that the username does not exist in the system.</p>
<p>Conversely, if the server responds with &#8220;password incorrect,&#8221; the attacker can infer that the username is valid, allowing them to focus on cracking the password for that username, or <a href="https://www.onelogin.com/blog/catch-phish-attack">attacking the user via a phishing attack</a> or another route.</p>
<h3>2. Password reset</h3>
<p>Attackers exploit the password reset feature by entering different usernames or email addresses. If the system indicates that a reset link has been sent to the email address, the attacker knows that the username or email is valid.</p>
<p>It’s another quick way to build a list of valid usernames for future use. Similarly, a poorly designed system might explicitly state that the username does not exist, thereby confirming to the attacker which usernames are invalid.</p>
<h3>3. Registration pages</h3>
<p>Another common route for user enumeration is via fake registrations. If, during the registration process, a user tries to register with a username that already exists, the system might report that the username is already taken.</p>
<p>Attackers can exploit this by attempting to register with various usernames and noting which ones are already in use, thereby compiling a list of valid usernames.</p>
<h2>Defense mechanisms</h2>
<p>What can organizations do to guard against user enumeration, and how can companies prevent users from becoming targets? It requires a multi-layered approach – both preventing attackers from accessing user data and preventing them from exploiting any data they already have.</p>
<p>Network security is the first port of call. Firewalls and intrusion detection systems should flag suspicious activity, such as repeated login attempts or unusual error message patterns. Restricting the number of login attempts or requests from a single IP address within a given time frame is another defensive option.</p>
<p>In application security, consider input validation and sanitization alongside use of a CAPTCHA to make sure malicious inputs won’t trigger error messages or reveal sensitive information. Broadly speaking, avoid revealing detailed error messages that attackers could exploit.</p>
<p>Regular security audits and penetration testing also help address vulnerabilities before attackers can exploit them. Some organizations will also go as far as to set up decoy accounts or systems to lure attackers and gather information about their tactics.</p>
<p>User education and awareness is the final component of comprehensive protection against user enumeration. Teach users how to identify and avoid phishing emails and <a href="https://www.oneidentity.com/learn/what-is-social-engineering-in-cybersecurity.aspx">other social engineering tactics</a>, and encourage users to create strong, unique passwords and avoid reusing them across multiple accounts.</p>
<p>Defense mechanisms combined with a culture of security awareness help organizations significantly reduce the risk of successful user enumeration attacks and protect their valuable user data.</p>
<h2>How a strong identity platform helps</h2>
<p>A robust identity platform acts as a powerful shield against attacks driven by user enumeration. Identity platforms work by centralizing and streamlining identity management, <a href="https://www.oneidentity.com/learn/what-is-access-control-in-cybersecurity.aspx">access control</a> and authentication processes. Here&#8217;s how:</p>
<ul>
<li><strong>Centralized user management:</strong> A unified identity platform provides a single source of truth for user identities, making it easier to manage accounts, enforce consistent policies and detect suspicious activity such as a user enumeration attack.</li>
<li><strong><a href="https://www.onelogin.com/learn/what-why-adaptive-authentication">Adaptive authentication</a>:</strong> This technology assesses risk factors in real time, adjusting authentication requirements accordingly. This means that suspicious login attempts or unusual activity can trigger additional verification steps, making it harder for attackers to gain unauthorized access.</li>
<li><strong>Risk-based access control:</strong> This evaluates various risk factors, such as user location, device type, and behavior patterns, to grant, deny or even block access attempts altogether. This helps prevent unauthorized access even if an attacker manages to enumerate users and <a href="https://www.oneidentity.com/learn/what-are-verifiable-credentials-in-cybersecurity.aspx">obtain valid credentials</a>.</li>
<li><strong><a href="https://www.onelogin.com/learn/how-single-sign-on-works">Single Sign-On (SSO)</a>:</strong> SSO reduces the number of passwords users need to remember, minimizing the risk of weak or reused passwords that attackers could exploit. More broadly, it also reduces the attack surface, and with it the risk of user enumeration.</li>
</ul>
<p>A strong identity platform therefore not only reduces the scope for a user enumeration attack but also acts as a vigilant guardian: constantly monitoring user activity and enforcing security policies, making it significantly more challenging for attackers to rely on the data collected during a user enumeration attack.</p>
<h2>An “innocent” first step that demands immediate action – and prevention</h2>
<p>User enumeration might appear harmless as it’s not immediately obvious how an attacker will exploit a list of usernames. However, this is often right where the real danger begins. User enumeration provides attackers with all the knowledge they need to launch broader attacks against your users – which can escalate into a crippling ransomware attack or worse.</p>
<p>Defending against user enumeration starts with making it more difficult for attackers to successfully scan for valid user accounts. However, comprehensive protection ultimately requires implementing robust cybersecurity measures and educating users to prevent attackers from exploiting this data.</p>
<p>Your identity platform plays a crucial role in this defense – both in guarding against user enumeration and protecting individual user accounts from subsequent attacks.</p>
<p>The post <a href="https://www.onelogin.com/blog/user-enumeration-attacks-what-you-need-to-know">User enumeration attacks: What you need to know</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The pitfalls of knowledge-based authentication</title>
		<link>https://www.onelogin.com/blog/the-pitfalls-of-knowledge-based-authentication</link>
		
		<dc:creator><![CDATA[Ethan Peterson]]></dc:creator>
		<pubDate>Thu, 08 Aug 2024 23:43:16 +0000</pubDate>
				<category><![CDATA[OneLogin]]></category>
		<guid isPermaLink="false">https://www.onelogin.com/blog/?p=1490</guid>

					<description><![CDATA[<p>Consider a system that asks personal questions to verify your identity when you’re trying to log in or change your password. The questions are often related to your personal experiences, like, “What was the name of your first school?” or “What was the first movie you watched in a theatre?” Though the system presumes that [&#8230;]</p>
<p>The post <a href="https://www.onelogin.com/blog/the-pitfalls-of-knowledge-based-authentication">The pitfalls of knowledge-based authentication</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1491" src="https://www.onelogin.com/blog/wp-content/uploads/2024/08/BlogImage-Knowledge-Based-Authentication-PG-91376-01-scaled.jpg.optimal.jpg" alt="" width="2560" height="1164" srcset="https://www.onelogin.com/blog/wp-content/uploads/2024/08/BlogImage-Knowledge-Based-Authentication-PG-91376-01-scaled.jpg.optimal.jpg 2560w, https://www.onelogin.com/blog/wp-content/uploads/2024/08/BlogImage-Knowledge-Based-Authentication-PG-91376-01-300x136.jpg.optimal.jpg 300w, https://www.onelogin.com/blog/wp-content/uploads/2024/08/BlogImage-Knowledge-Based-Authentication-PG-91376-01-1024x465.jpg.optimal.jpg 1024w, https://www.onelogin.com/blog/wp-content/uploads/2024/08/BlogImage-Knowledge-Based-Authentication-PG-91376-01-768x349.jpg.optimal.jpg 768w, https://www.onelogin.com/blog/wp-content/uploads/2024/08/BlogImage-Knowledge-Based-Authentication-PG-91376-01-1536x698.jpg.optimal.jpg 1536w, https://www.onelogin.com/blog/wp-content/uploads/2024/08/BlogImage-Knowledge-Based-Authentication-PG-91376-01-2048x931.jpg.optimal.jpg 2048w" sizes="auto, (max-width: 2560px) 100vw, 2560px" /></p>
<p>Consider a system that asks personal questions to verify your identity when you’re trying to log in or change your password. The questions are often related to your personal experiences, like, “What was the name of your first school?” or “What was the first movie you watched in a theatre?” Though the system presumes that only you know the answer to such security questions, are you sure no one else knows the answers?</p>
<h1>What is knowledge-based authentication?</h1>
<p>KBA, also known as knowledge-based verification (KBV), is an <a href="https://www.onelogin.com/learn/what-is-identity-authentication-and-how-does-it-work">authentication method</a> that asks users to answer predefined or dynamically generated questions to confirm they are who they say they are, especially when logging in to their accounts or performing critical functions like financial transactions or changing account passwords.</p>
<p>The primary idea behind KBA is that personal questions and answers are meant to keep people from using others’ accounts without their consent. It only allows the intended users to gain access by answering questions about something they know by heart and wouldn’t struggle to recall.</p>
<h1>Static vs. dynamic knowledge-based authentication</h1>
<p>There are two ways KBA is typically implemented to protect user accounts from unauthorized access:</p>
<ul>
<li><strong>Static KBA:</strong> Static KBA refers to the setting up of pre-defined security questions and answers by users when they sign up for a new account. These questions can be used later to prompt the users for answers when the need for <a href="https://www.onelogin.com/learn/what-is-identity-verification-in-cybersecurity">identity verification</a> arises. These questions usually include highly personalized information regarding the user’s life, such as their favorite author’s name, first pet’s name, birth city or other criteria.</li>
<li><strong>Dynamic KBA:</strong> In this KBA method, the system generates questions based on user data. For example, questions could be related to a user’s financial transactions, cities they lived in, previous addresses and previously owned vehicles. For this technique to work, the system requires access to past and present data that users are privy to and that can’t be easily known by others.</li>
</ul>
<h1>The pitfalls of knowledge-based authentication</h1>
<p>At this point, <a href="https://www.onelogin.com/learn/an-end-to-end-guide-on-knowledge-based-authentication">knowledge-based authentication (KBA)</a> has been around for over two decades. It’s typically considered a weaker authentication method since it uses information that cybercriminals could potentially steal or decipher.</p>
<p>Even the National Institute of Standards and Technology (NIST) has <a href="https://pages.nist.gov/800-63-3/sp800-63-3.html" target="_blank" rel="noopener">denounced the use of KBA</a> in its Special Publication 800-63-3, declaring the security information as “often very weak.” The report also mentioned that “[personal information] does not constitute an acceptable secret for digital authentication.”</p>
<p>Knowledge-based verification has been used by organizations for a long time to secure user accounts. Though it is still used, it certainly has some serious downsides, prompting organizations to move away from it as an authentication factor.</p>
<h1>The key disadvantages of knowledge-based authentication</h1>
<h2>Potentially easy-to-access information</h2>
<p>Nowadays, the personal information people use for KBA can be easily accessible through social media accounts or information acquired from other data sources. Bad actors can also gain this information using social engineering attacks like phishing, smishing, whaling and more. In fact, in <a href="https://www.helpnetsecurity.com/2021/11/09/kba-questions/" target="_blank" rel="noopener">at least one-fifth of cases</a>, they simply guess the right answers, bypassing the KBA system effortlessly. Other forms of information sharing are common as well. Think about the information available about you from the bumper stickers on your car: how many children you have from a stick figure family, where your honors child goes to school, perhaps your political alignment. All of these can give clues to your security questions.</p>
<h2>Poor user experience</h2>
<p>Another drawback is the fading nature of users’ memories. For instance, most people have trouble recalling what they ate last night, let alone what they put as their favorite food for KBA years ago. A Google study found that after just a year, there is <a href="https://www.usatoday.com/story/tech/2015/05/21/google-security-question-pizza/27683007/" target="_blank" rel="noopener">only a 47% success rate</a> for getting the question about their favorite food right. This poor experience also encourages users to use the same information across multiple applications. It’s possible that if someone knows your mother&#8217;s maiden name and the name of your first pet, they can reset your password and control your account.</p>
<h2>Data privacy and inaccuracy concerns</h2>
<p>While it is stronger than its static counterpart, dynamic KBA can be seen as meddling with people’s private financial and historical data. It might use inaccurate or forgotten information, locking users out of their own accounts. Plus, it might not work for users whose data is not available to generate questions. For example, during a very active time in my life I moved four or five times a year. These addresses were extremely temporary for me. They often come up in dynamic knowledge-based questions I am asked to verify my identity and frankly, I don’t remember them and am forced to guess.</p>
<h2>Vulnerability to data breaches</h2>
<p>Many users reuse security questions and answers across multiple accounts, just as they reuse passwords. Let’s say attackers gain access to the KBA information through a successful data breach of an organization. With the information they have gained from the previous breach, they now have necessary information that could be used to compromise users&#8217; other accounts, too.</p>
<h1>Alternative authentication methods</h1>
<p>Since KBA is becoming less effective, many technology standards organizations, such as NIST, NSA and CISA, have listed it as a less secure factor. So, what are alternatives that organizations can look for?</p>
<h2>MFA</h2>
<p>MFA, short for <a href="https://www.onelogin.com/learn/what-is-mfa">multi-factor authentication</a>, requires users to verify themselves with two or more authentication factors. Since passwords use the knowledge factor and are not adequately secure, MFA adds factors such as a fingerprint, one-time password, physical token, number matching, trusted device or push notification for stronger authentication.</p>
<p>However, according to Verizon’s 2024 DBIR, attackers used stolen credentials to <a href="https://www.verizon.com/business/resources/reports/dbir/" target="_blank" rel="noopener">execute nearly 40% of data breaches</a> in 2023. Since implementing MFA often uses passwords as the first authentication factor, users are still required to memorize passwords. This leads to users reusing a password for multiple accounts or even forgetting passwords completely, resulting in delays and increased costs associated with Help Desk password reset calls.</p>
<p>Not only that, but static MFA is also vulnerable to many attack techniques, such as phishing, MITM attacks, credential stuffing, vulnerability exploitation, SIM swapping and more. That’s why it is essential for organizations to implement <a href="https://www.oneidentity.com/what-is-strong-authentication-in-cybersecurity/">stronger authentication techniques</a> to prevent unauthorized access more effectively.</p>
<h2>Biometric authentication</h2>
<p>This authentication technique uses difficult-to-spoof physical or behavioral characteristics of users, such as fingerprints, facial scans, retinal or iris scans and voice recognition. It works by comparing the captured data with previously stored <a href="https://www.oneidentity.com/learn/what-are-verifiable-credentials-in-cybersecurity.aspx">records for identity verification</a>.</p>
<p>While it’s challenging to hack a <a href="https://www.onelogin.com/learn/biometric-authentication">biometric authentication</a> system, it’s not entirely impossible. For instance, cybercriminals may fool a fingerprint scanner by using advanced AI algorithms to produce fake fingerprints identical to those of a genuine user.</p>
<p>One way around this problem is to use a multimodal biometric authentication system that employs multiple biometrics to verify users, making it very hard to spoof. Another way is to use a combination of physical and behavioral authentication for stronger security, which involves the analysis of user behavior in addition to biological characteristics to grant or deny access.</p>
<p>Although the biometric system can be breached, very few bad actors have the resources to do so, making it a much better option than KBA. In almost all cases, it accurately allows you to confirm whether a person is who they claim to be. In addition, since it does not require users to remember passwords or security Q&amp;As, it can offer a more seamless user experience.</p>
<h2>Behavioral authentication</h2>
<p>This technique uses advanced machine learning (ML) algorithms to verify users based on their behavior when they use their devices or interact with applications. The verification system logs each user’s unique way of doing things, such as typing speed, touchscreen swiping style, mouse movements, accessing specific resources and the like. It compares them with previously recorded user behaviors to confirm their identity.</p>
<p>Also known as ‘behavioral biometrics,’ this method improves the accuracy of identifying trusted users and threat actors. It is considered better than KBA since it’s nearly impossible to fake or mimic a user’s unique behavioral traits. It can also be used as an additional factor in the MFA system to strengthen your overall <a href="https://www.onelogin.com/learn/iam">identity and access management (IAM) strategy</a> instead of just relying on weak and stealable passwords.</p>
<p>Moreover, this technique can be enhanced when combined with <a href="https://www.onelogin.com/learn/what-why-adaptive-authentication">adaptive risk-based authentication (RBA)</a>.</p>
<h2>Advanced authentication</h2>
<p><a href="https://www.onelogin.com/blog/advanced-authentication-the-way-forward">Advanced authentication</a>, also known as context-based or <a href="https://www.onelogin.com/learn/what-is-risk-based-authentication">risk-based authentication (RBA)</a>, is yet another robust alternative to KBA. It uses machine learning to verify identities by determining login attempt risks in real time. It works by continuously monitoring and recording the login behaviors of users and creating each user’s behavior profile through machine learning based on typical actions they perform and the environment in which they work.</p>
<p>When a user tries to log in to an application, their behavior is compared with their recorded behavior. The system derives a risk score based on the level of similarity between both behaviors. The more dissimilar they are, the higher the risk score is, and vice versa. Higher risk scores can prompt the system to ask users for additional authentication, or even block their login attempts.</p>
<p>This can enable organizations to form sophisticated strategies to manage security threats based on risk scores. It adds an extra layer of protection without bothering users, resulting in a hassle-free user experience.</p>
<p>It continuously tracks user activities throughout the access session to become familiar with the user’s usual behavior and uses ML algorithms to integrate it into its risk assessment strategy. Whenever the user deviates from typical behavior, the system may prompt for additional authentication or even block access temporarily to avoid potentially harmful actions in real time.</p>
<h2>Passwordless authentication</h2>
<p>With this technique, you can implement digital identity verification using more sophisticated techniques that don’t require your users to memorize a password or security question and answer. Instead of relying on the knowledge (what you know) factor, it uses the factors of possession (what you have) and inherence (who you are).</p>
<p>You’re probably using it every day. For instance, what do you use to open your phone? Maybe a fingerprint, face or retina scan. There are several ways you can use <a href="https://www.onelogin.com/learn/passwordless-authentication">passwordless authentication</a>, such as physical or behavioral biometrics, possession factors like a hardware token or <a href="https://www.onelogin.com/learn/otp-totp-hotp">time-based OTP (TOTP)</a>, and magic login links.</p>
<p>While passwordless techniques are not completely impenetrable to cybercriminals, they are far safer than passwords or KBA. A password, for instance, can be guessed, obtained through illicit means or cracked by brute force.</p>
<p>Along with offering improved security, it enhances user experience by eliminating the need to memorize complex passwords. This simplifies the login process, saving users time and boosting productivity. Plus, it helps eliminate <a href="https://www.intelligentciso.com/2019/01/29/yubico-research-reveals-69-of-employees-share-passwords-with-colleagues/" target="_blank" rel="noopener">the costs of Help Desk calls</a> for password resets.</p>
<h1>Conclusion</h1>
<p>Using KBA for identity verification or system access can be almost as vulnerable as using a weak or common password. While it is not an ideal authentication choice on its own, it continues to be an option some organizations use. By pairing it with additional factors and leveraging <a href="https://www.onelogin.com/blog/advanced-authentication-the-way-forward">advanced authentication</a>, organizations can effectively safeguard their systems, data and users, reducing the risk of unauthorized access and potential security breaches.</p>
<p>The post <a href="https://www.onelogin.com/blog/the-pitfalls-of-knowledge-based-authentication">The pitfalls of knowledge-based authentication</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Risk-based authentication examples: 7 ways it defends against modern threats</title>
		<link>https://www.onelogin.com/blog/risk-based-authentication-examples-7-ways-it-defends-against-modern-threats</link>
		
		<dc:creator><![CDATA[Alicia Townsend]]></dc:creator>
		<pubDate>Wed, 12 Jun 2024 17:10:49 +0000</pubDate>
				<category><![CDATA[OneLogin]]></category>
		<category><![CDATA[context authentication]]></category>
		<category><![CDATA[risk authentication]]></category>
		<guid isPermaLink="false">https://www.onelogin.com/blog/?p=1470</guid>

					<description><![CDATA[<p>Cyber threats are evolving, with increasingly more sophisticated attack tactics such as credential stuffing, phishing and malware intrusions. As threats become increasingly difficult to tackle, securing your digital assets will take much more than a simple username/password authentication. According to Verizon’s 2024 DBIR, in 2023: Credential theft was responsible for the most (about 40 percent) [&#8230;]</p>
<p>The post <a href="https://www.onelogin.com/blog/risk-based-authentication-examples-7-ways-it-defends-against-modern-threats">Risk-based authentication examples: 7 ways it defends against modern threats</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1477" src="https://www.onelogin.com/blog/wp-content/uploads/2024/06/Blog-ActiveDirectory-OI-JY-90544.png" alt="" width="1100" height="500" srcset="https://www.onelogin.com/blog/wp-content/uploads/2024/06/Blog-ActiveDirectory-OI-JY-90544.png 1100w, https://www.onelogin.com/blog/wp-content/uploads/2024/06/Blog-ActiveDirectory-OI-JY-90544-300x136.png 300w, https://www.onelogin.com/blog/wp-content/uploads/2024/06/Blog-ActiveDirectory-OI-JY-90544-1024x465.png 1024w, https://www.onelogin.com/blog/wp-content/uploads/2024/06/Blog-ActiveDirectory-OI-JY-90544-768x349.png 768w" sizes="auto, (max-width: 1100px) 100vw, 1100px" /></p>
<p>Cyber threats are evolving, with increasingly more sophisticated attack tactics such as credential stuffing, phishing and malware intrusions. As threats become increasingly difficult to tackle, securing your digital assets will take much more than a simple username/password authentication.</p>
<p>According to <a href="https://www.verizon.com/business/resources/reports/dbir/" target="_blank" rel="noopener">Verizon’s 2024 DBIR</a>, in 2023:</p>
<ul>
<li>Credential theft was responsible for the largest share (about 40 percent) of data breaches, plus a staggering 77 percent of web application attacks.</li>
<li>A non-malicious human element (phishing and errors) was responsible for 68 percent of the 10,000 data breaches in 2023.</li>
</ul>
<p>Consequently, several businesses use <a href="https://www.onelogin.com/learn/what-is-mfa">multi-factor authentication (MFA)</a> as added security. However, static MFA fails to adapt to each login’s risk level. This leads to unnecessary friction for low-risk users and missed threat prevention opportunities for higher-risk logins.</p>
<p>Let’s discuss seven practical examples of using <a href="https://www.onelogin.com/learn/what-is-risk-based-authentication">risk-based authentication</a> against modern threats and ways to implement it effectively in your organization.</p>
<h2 style="margin-top: 10.0pt;">Understanding risk-based authentication (RBA)</h2>
<p>Also called adaptive authentication or risk-based MFA, RBA uses machine learning to assign a risk level to every authentication request. Depending on the perceived risk, it decides whether to prompt for additional authentication factors.</p>
<p>RBA assesses the user’s behavior along with several other factors, including IP address, geographic location, device, network and login time, to determine the risk score in real time.</p>
<p>Depending on whether the calculated risk score is low or high, the user is either authenticated with only a username and password or is challenged for further authentication. If the additional authentication fails, access is denied.</p>
<p>A higher risk score implies a deviation from usual behavior. This could include requests from dubious IP addresses (such as a Tor exit relay) and/or login attempts from new devices, unfamiliar locations or at unusual times.</p>
<p>Since RBA uses machine learning to process the risks, it learns from user behavior and security events, becoming more intelligent over time and assessing risks more accurately in different situations.</p>
<p>In a nutshell, RBA helps businesses prevent the risk of unauthorized access and meet security regulations without inconveniencing authentic users.</p>
<h2>7 real-world examples of risk-based authentication in action</h2>
<p>Let’s explore a few real-life examples where you can use RBA to secure your systems against potential threats:</p>
<h3>#1 Credential theft</h3>
<p>Picture this: A hacker located on another continent somehow got their hands on the credentials to one of your U.S. employee accounts. While the U.S. employee is logged in to their account during working hours, the attacker uses the stolen credentials to gain access at the same time but from halfway around the world.</p>
<p><strong>RBA in action:</strong> The adaptive authentication system would see account access from two separate parts of the world as high-risk and increase the risk score. Even if accounts were accessed from two different locations a few hours apart, it is highly unlikely that the employee has moved to the opposite part of the world so quickly. This elevated risk score would then prompt the employee and the hacker to provide additional authentication, and the hacker would be denied access and blocked from accessing corporate apps.</p>
<h3>#2 Insecure WiFi hotspots</h3>
<p>Let’s say one of your employees is working remotely through a public WiFi network that other people are using too. An attacker is silently waiting for people to log in to their corporate networks so they can execute a man-in-the-middle attack and capture their credentials. Static MFA rules that automatically trust connections from certain geographic regions might not flag these hotspots.</p>
<p><strong>RBA in action: </strong>However, RBA would see it as an unfamiliar location or network and, depending on the network’s reputation, determine the risk score in real time. If the score crosses the threshold, it will activate MFA and block the unwanted intruder.</p>
<h3>#3 Phishing and device fingerprinting</h3>
<p>Phishing, the second most used tactic for cyberattacks after stolen credentials, often circumvents static MFA rules with ease. For instance, consider a situation where a malicious actor succeeds in infiltrating your employee’s computer with malware through a phishing email. The malware would then use brute force to access your company’s network and try to reach sensitive data and applications. Because the malware operates from the company’s network, static MFA rules would not flag it as risky and would fail to prevent the attack.</p>
<p><strong>RBA in action: </strong>On the other hand, adaptive authentication would assign a higher risk score to this event. It would see the malware’s HTTP client as unfamiliar, tagging it as a new device fingerprint. Consequently, the malware would be prompted for MFA, which it would fail to complete since it is software rather than a human who could pass the challenge, ultimately preventing the attack.</p>
<h3>#4 Credential stuffing attacks</h3>
<p>Imagine a hacker bombarding your system with credentials obtained from a popular website’s data breach, hoping to gain unauthorized access. Now suppose your employee uses the same credentials everywhere, including the ones present in the leaked data.</p>
<p>If the attacker is using a trusted network to execute <a href="https://www.oneidentity.com/learn/what-is-credential-stuffing.aspx">the credential stuffing tactic</a>, the static MFA system would consider the requests legitimate and allow them to bypass your safeguards.</p>
<p><strong>RBA in action: </strong>The risk-based authentication system, on the other hand, would analyze these attempts in real time, considering other factors like login time, device used and login history. If an anomaly is found, the risk score would spike, and both the employee and the impostor would be challenged with MFA prompts, even if a trusted IP is involved. Thus, RBA stops the automated scripts in their tracks to protect your valuable data.</p>
<h3>#5 The WFH employee</h3>
<p>In this example, imagine an employee working from home and logging in from the same location, IP address and device daily for weeks on end. If static rules were used, they would force MFA for every login attempt, always treating it as high-risk and unreasonably burdening the employee. Although it’s not a security event, it would be flagged as one, cluttering your SIEM and compromising productivity, ultimately causing unnecessary disruptions and false positives.</p>
<p><strong>RBA in action: </strong>Conversely, if RBA were at play, the system would gradually learn that this scenario is business as usual and assign a lower risk score to the event. This would allow the employee to log in with just a username and password, saving your SIEM systems from unnecessary alerts.</p>
<h3>#6 App misconfiguration and vulnerability exploits</h3>
<p>The 2024 Verizon DBIR reported that attacks <a href="https://www.verizon.com/business/resources/T1ea/reports/2024-dbir-data-breach-investigations-report.pdf" target="_blank" rel="noopener">exploiting system vulnerabilities have tripled</a> from the previous year, and that’s something to worry about.</p>
<p>Imagine a cybercriminal finds a vulnerability in one of your apps due to a misconfiguration. By exploiting this flaw, they could bypass the authentication process altogether or generate inaccurate event logs, leaving a seemingly legitimate trail. Static MFA rules that rely on these logs would become ineffective and fail to detect the invasion.</p>
<p><strong>RBA in action: </strong>RBA would analyze risk factors beyond just the logs to accurately determine threat likelihood. Its context-based authentication mechanism would raise the risk score, identifying the app misconfiguration and the resulting irregularities. This would trigger an MFA prompt to prevent the attacker from gaining unauthorized access.</p>
<h3>#7 The IP address conundrum</h3>
<p>Consider our last situation: an attacker tries to get into your network using your employee&#8217;s own device during office hours but from another region. They are using Tor to mask their actual location and gain access anonymously. The hacker knows the exact browser and OS used by your employee.</p>
<p><strong>RBA in action: </strong>Since the login attempt is made from an unfamiliar IP address, country and device, RBA would label this event as high-risk and prompt the attacker for MFA. The attacker would fail and be denied access to network resources.</p>
<h2>How you can implement RBA to protect against advanced threats</h2>
<p>Let’s say your organization’s IT network is your digital kingdom, and your valuables are stored in a secure castle. To use the risk-based approach to secure your castle from pillage, you need a vigilant gatekeeper (a risk-based threat protection system) at every entrance. It must assess requests to access your castle in real time and categorize them based on several risk factors, plus effectively learn who to trust and who to suspect as time passes (machine learning).</p>
<p>The new gatekeeper must also work alongside your kingdom’s existing security posture (such as <a href="https://www.onelogin.com/learn/how-single-sign-on-works">single sign-on (SSO)</a> and <a href="https://www.onelogin.com/learn/iam">identity and access management (IAM)</a> systems), analyzing risks at the point of entry and assigning them a risk level (low, medium or high) depending on the context. For instance, the gatekeeper would consider fire-breathing dragons as high-risk (ransomware attack), tunnel diggers as medium-risk (insider threats) and pesky archers as low-risk threats (unauthorized access to non-critical data).</p>
<p>Then, the wise general must create suitable security policies that trust no one (zero trust policy) to manage potential threats based on the risk values. The gatekeeper must enforce these policies rigorously and, depending on the risk level, ask visitors for additional identification (2FA/MFA) before granting access, or block their entry altogether.</p>
<p>In addition, the gatekeeper must work in a way that is least troublesome to regular visitors to the castle (genuine users). For instance, if a trusted advisor or vendor requests access, they would be quickly granted permission to enter by showing basic identification (password and known device/location).</p>
<h2 style="margin-top: 10.0pt;">Embrace adaptive authentication: The future of cybersecurity</h2>
<p>While many businesses have robust authentication methods in place, they are insufficient to keep up with the ever-increasing sophistication of threats. Cybercriminals constantly refine their tactics, and you need to adapt your defenses to new forms of attacks just as quickly.</p>
<p>Traditional authentication methods, such as password protection or static MFA rules, can no longer prevent expensive data breaches executed using modern cyberattack tactics.</p>
<p>Get ahead of hackers with a cutting-edge, risk-based authentication strategy. It is the key to a comprehensive security posture, analyzing threats in real time and intelligently applying security measures. It reinforces your network security with minimal trouble to legitimate users.</p>
<p>Don’t wait for a cyberattack to ruin your business. Explore RBA solutions to proactively implement a risk-based approach and fortify your digital kingdom today.</p>
<p>The post <a href="https://www.onelogin.com/blog/risk-based-authentication-examples-7-ways-it-defends-against-modern-threats">Risk-based authentication examples: 7 ways it defends against modern threats</a> appeared first on <a href="https://www.onelogin.com/blog">OneLogin Identity Management Blog</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>