The most common identity and access management (IAM) authentication control in use today is a user ID and password, and there is growing awareness that passwords are incrementally becoming obsolete as an authentication control.

Three billion credentials were harvested in North America in 2016 alone according to Shape Security. You and I know there’s only 320 to 330 million people that even could have passwords in the US. Credentials are getting harvested from multiple sources (phishing, data breaches, cloud account leakage, etc.), meaning there’s a lot of credentials accessible in the Dark Web for criminal use.

The main problem with passwords is that they are binary. Authentication, historically, is an event at the front end of any electronic interaction (a web app or a mobile app). When you pass the authentication process by providing the right answer – in this case a user ID and password combination – the credentials are validated. After that point, you’re trusted as any user in the application. This is traditional authentication that is heavily relied upon today.

Even multi-factor authentication is just a modest improvement. Whether ID and password alone are enough, or another factor such as a token is required, the fact is that binary authentication is all based on the assumption: if you pass through the gate, you’re in and good to go. It’s like getting a key to a door that gives you access to the house for as long as you want to stay.

IAM has to evolve beyond user name and password

IAM has to evolve into continuous authentication throughout the life cycle of the mobile app or web app usage. Traditional authentication using passwords is based on the fundamental, but flawed, premise that you’re the only one that has your password. (See that statement above about the three billion stolen credentials.)

Once criminals have a set of stolen credentials – which can be acquired easily enough on the Dark Web – they use a tool like Sentry MBA to see where else those credentials might work, which increases their value. Let’s say the criminals acquire 10,000 of the credentials compromised in the Yahoo breach. Sentry MBA lets them try those credentials on another domain, say a bank’s web app. The criminals get a 2% hit. Now they have 200 sets of legitimate credentials that can be used to login to and own a banking application.

The reason they’ll get a 2% hit is that we all re-use passwords because we can’t remember unique passwords for every application we use. We’ve got hundreds of sites we have to use passwords for; we don’t remember them, so we use our same passwords over and over again. We use our Yahoo password, or something very similar, to get into our banking application, and maybe a few other apps as well.

The Sentry MBA tool runs scripts that test various combinations of credentials across domains. Suppose John Doe likes to use the login ID “Jdoe” for most of his apps. To make his password easy to remember, he uses the domain plus a few added characters; for example, “Yahoo123”. For his Chase bank account, he uses “Chase123” and his Amazon account password is “Amazon123”.          Sentry MBA allows the criminals to try millions of credential combinations until they own more and more legitimate credentials. Criminals with these tools can do this at scale, which they actively do today.

It’s also possible for criminals to not just login with stolen credentials, but to take over accounts completely. There’s enough demographic information in the wild (thanks to breaches like OPM and Equifax) to bypass password reset and account registration processes established for most enterprise applications.

These are the kinds of techniques that CISOs and CSOs have to thwart to prevent unauthorized logins to our important applications.

A better approach to IAM

Passwords are obsolete and their continued use puts every business that hosts an application at risk. The more credentials that are out there, the more you can’t trust the assumption that the only person with the password is the legitimate user. Passwords, as we know them, must be replaced.

A better approach to authentication is to use continuous behavioral authentication. With this technique, authentication is no longer an event just at the front end of the interaction; rather, authentication is done throughout the user’s session. Continuous behavioral authentication typically uses anywhere from 30 to 60 attributes about the legitimate end user and their use of technology and their device. These attributes include behavioral biometrics that measure things like the person’s keystroke pattern, typing rhythm, mouse movements, iris patterns, and other attributes that can’t easily be mimicked or spoofed.

The totality of these measurements is used to build a mathematical representation of that user’s behavior, which is then compared to the real-time behavior taking place within an application. When there’s a deviation, that creates a risk score that tells the app how much access to provide.

Throughout the user’s interaction with the mobile app or the web app, we can determine whether it’s the legitimate end user actually using the device and interacting with us based on their previous behavior. We can prove that out mathematically. The risk score populates into the app and the app decides how much access to provide throughout the interaction. That’s a continuous behavior-based authentication. You will not find this kind of approach described in NIST standards or any other control framework because it’s an unconventional control—one that is becoming critically important because conventional controls like passwords are failing. Control definitions in risk frameworks evolve incrementally over time while innovative and unconventional controls enable enterprises to change controls as threat actor tactics change.

Model-driven security is essential today

This kind of model-driven control is especially important for privileged users. Cyber weaponry such as what was unleashed in the WannaCry and NonPetya attacks goes straight after the privileged user as the target. With that kind of weaponry, there’s only one possibility for some level of resilience, and that is privileged user monitoring driven by a model—a mathematical representation of past behavior and a measurement of actual behavior compared to that.

In real time, that model can reject suspicious privileged access to mitigate the damage. It’s the only thing that will work.

There’s a whole class of unconventional controls that comprise model-driven security. My own company already has seven implementations of this in production today. Model-driven security is the future of identity and access management, and it’s absolutely essential because bad actors know how to circumvent traditional IAM controls.