Opening the Black Box of Risk-Based Authentication
As MFA fatigue attacks continue to wreak havoc on organizations of all sizes, security teams are left with difficult choices about how best to secure their workforces. More stringent security requirements often come with a large user experience cost, which can frustrate employees and reduce productivity. Duo’s Risk-Based Authentication (RBA) helps solve this by adapting MFA requirements based on the level of risk an individual login attempt poses to an organization. Our algorithm considers the user’s authentication history, their location, and device to assess whether the user appears to be who they say they are, or whether their login is anomalous enough to resemble a potential attack. Risky authentications are stepped-up, and users are required to authenticate with a more secure factor.
Organizations are sometimes hesitant to deploy policies that use artificial intelligence and machine learning because it is inherently difficult to predict what will happen. Will users get blocked? How many step-up authentications will a user have to do every week? Is the help desk going to be inundated with tickets? We heard these questions from our customers repeatedly, which is why we are thrilled to announce the launch of Risk-Based Authentication Preview Mode.
Now, Advantage and Premier customers can see the impact of Risk-Based Factor Selection before they turn on the policy. When Duo’s algorithm sees an authentication that would have been stepped-up with RBA, we will present a banner in the Authentication log to show administrators more information about why this authentication looked risky. The Preview Insights window will also show information about how many step-up authentications would have been required in the past 30 days and how many of those users would require assistance from the help desk (e.g., if the user does not have a more secure factor enrolled).
RBA’s preview functionality allows administrators to feel confident in their deployment of an adaptive policy. Administrators can learn more about how Duo detects potential attacks and see the additional friction their users can anticipate. The help desk can also use the data to prepare for any questions end users might have as the policy gets turned on and rolled out. Additionally, RBA Preview Mode shows the valuable threat detection and risk mitigation that is available to all Advantage and Premier customers today.
Once administrators feel comfortable and ready to turn RBA on widely, they will have access to detailed logging that shows the user journey to a step-up authentication. We invest a lot of time and effort to ensure that our algorithm is not too noisy and that we are only stepping-up on the most anomalous login attempts, but we know that most step-ups will be false positives. Busy IT and Security administrators need a quick way to triage which authentication attempts require further investigation. Now, customers can open a Detection Sequence to see all relevant user authentication attempts, along with the affected IP.
Our goal with these new features is to open the black box of RBA. AI is a powerful tool that can help us solve many different problems. But when it comes to security, we know how important it is to trust how access decisions are being made. We want to make sure customers feel confident that their users are protected against the most prevalent MFA attacks when they use Duo’s Risk-Based Authentication.
Preview Mode will be on by default for all Advantage and Premier customers and can easily be toggled off, should customers not wish to see banners with detection information. We hope this helps customers feel prepared to strengthen their authentication policy and enable Risk-Based Authentication.