Risk-based Authentication
This section describes the elements of risk-based authentication (RBA).
RBA Evaluation
Each resource protected by DirX Access can be paired with any number of risk conditions. When requesting this resource, the RBA evaluation is employed. At the highest level of abstraction, it is a simple comparison of two numbers: assurance level and risk level.
The assurance level is a number that is relevant to each user. It is the highest assurance level among the authentication methods that the user successfully used in the current interaction (session) with the DirX Access-protected system, so it is user-dependent.
The risk level is the sum of the risk condition evaluations relevant to the currently requested resource, so it is both user- and request-dependent.
The risk-based evaluation takes place in the processing of each request, as shown in the Figure 1
Authentication Request
DirX Access distinguishes between initial and step-up authentication.
Initial Authentication
To connect multiple user requests, a session exists between the DirX Access server and the user that is time-limited.
At the time the user accesses the system without a valid session, the initial authentication takes place.
First, the credentials (in any form) are checked.
On success, additional user data are evaluated according to the risk conditions.
If the evaluation succeeds, a new session is created and an audit message (corresponding to the authentication method) is logged.
If the RBA evaluation fails, the user is challenged to provide other means of identity verification, no session is created and an audit message is logged (code: DXA850AN320E).
Step-up Authentication
Again, DirX Access recognizes two kinds of step-up authentication: directly assigned, and risk-based.
Directly-assigned step-up authentication is configured by a direct assignment of an authentication method to a relevant resource via an authentication policy. This kind of policy demands that a user possess an assurance level that is greater than or equal to a certain value. If this condition is not satisfied, the user is requested to use the defined authentication method.
Risk-based step-up authentication is invoked if the request risk level exceeds the user’s assurance level.
This event is audited (code:
DXA850AN321E) and user is required to reauthenticate via an Authentication Application.
For a more detailed description of this process, please refer to the “Authentication Application” section.
Authorization Request
In the case of an authorization request during an active session, there is no need for a credentials check.
However, the RBA evaluation is still employed.
If the RBA policies are violated, the user is required to reauthenticate.
He is informed about this action by an explicit prompt and the event is audited (code: DXA850AN321E).
Common Configuration
The RBA is configured using the condition configuration object (DirX Access Manager: Policies | Authentication | Conditions). To differentiate it from the authorization conditions, we use the term risk condition here. Once defined, a risk condition can be assigned to any authentication policy. The means of evaluation provided by a particular risk condition depends mainly on its type.
The data model of the RBA-related configuration objects is described in the Figure 2.
For details on these objects, see the relevant sections in Administrative Tasks.
General Risk Conditions
General risk conditions work with request data only, not with user data. The request must satisfy the condition otherwise the risk level is increased. The increase is directly defined for each general risk condition. This means that the evaluation can output either 0 (risk condition satisfied), or [risk_level]. DirX Access recognizes the types of general risk conditions described in the following sections.
Callout
Following the callout concept of DirX Access, this type of condition enables implementing custom risk level evaluators and applying them to resources. The condition can return any integer as a risk level (as opposed to the other general risk conditions). For more detailed information, see Risk Condition Plug-ins.
IP Address Range
The IP address range condition evaluates whether the IP address (contained within the user request) falls into a specified range. Both IPv4 and IPv6 can be evaluated.
DirX Access retrieves the IP address from the user HTTP request by having the algorithm go through the following list and return the first non-empty meaningful value:
-
X-Forwarded-Forrequest header -
Proxy-Client-IPrequest header -
HTTP-CLIENT-IPrequest header -
HTTP-X-FORWARDED-FORrequest header -
ServletRequest#getRemoteAddr()method ServletRequest (Java EE 6).
Protocol Header
This condition compares the value of a request header with the one defined in the condition. The possibility of using of regular expressions increases the expressiveness.
Resource Sensitivity
Resource sensitivity is a static condition that always returns the defined risk level (and thus can be applied to any resource to automatically increase its risk level).
Time Range
The time range condition enables defining the time intervals at which the defined risk level is assigned to the request. The times are set in UTC and the evaluation process is not dependent on the time zone from which the request comes.
Login Failures and Login Interval
These two types form a specific category of risk condition. They have some characteristics of other categories. Similar to the general risk conditions, the evaluation result is either 0 or [defined_risk_level]. Moreover, the situation in which the risk level is assigned is explicitly stated in the condition configuration. On the other hand, some user-specific data needs to be stored.
DirX Access enables leveraging both the Application and the User repository for the storage of the user-specific data. The User repository has the higher priority, but can be used only if Do update user account (User repository) is set to true. Otherwise the Application Repository is used, but only under the condition where Do update user account (Application repository) is set to true. If both switches are set to false, the data needed for evaluation of these types of conditions are not stored and the conditions are not included in the evaluation.
From the evaluation perspective, these conditions enable comparison of the number of consecutive login failures and the interval since last login, respectively.
User-Context-Aware Conditions
Compared to the general risk conditions, the user-context-aware conditions represent a much more powerful mechanism. This mechanism depends strongly on the user behavior, which enforces the collection and storage of the relevant data for each user separately. In addition, the risk level estimation cannot be as easily foreseen as in the case of general risk conditions.
The risk level returned by a user-context-aware condition is a floating point number from the interval <0; [defined_risk_level]>.
The usage of user-context-aware conditions extends the RBA evaluation process from the initial diagram shown in Figure 1 to the diagram shown in Figure 3.
The request data are evaluated against the data collected during the history of user-system interaction – user model. The data collected during the active session becomes relevant in the next session. In the case of a successful evaluation, request data are included into a new user model, following the rules set by the configuration of RBA data collectors. When the session ends, the new user model is propagated from the temporary storage to a persistent one (the new user model becomes a historical one).
From the operations upon persistent repository perspective, there are two processes: data loading during the session creation (read operation), and data persisting during the session destroy (read + write operation).
RBA Data Collectors
The RBA data collector configuration object (DirX Access Manager: Subjects/Persistent data) determines the data to be collected from the user request. The collecting then takes place even when there is no condition utilizing the data. DirX Access enables to set up the real-time aspect of collecting via the sampling rate attribute. The possible choices are: collect on initial authentication, on each request, and on each request after defined minimal number of seconds.
Removal of the RBA data collector configuration object using the DirX Access Manager differs substantially from removal of any other configuration object. As the RBA data collector is responsible for collecting of the RBA data, once it is removed, these data become useless. Therefore, DirX Access takes care of deletion of all the related user-specific data in a following manner. Firstly, the configuration object switches its state to ToDelete. It is no longer manageable via the DirX Access Manager and has no effect on the subsequent collection and evaluation process. Simultaneously, the removal of the related data from Application Repository begins. If interrupted, the removal is reinvoked by any create/update/delete action on any RBA data collector configuration object. Once all the data are removed from the Application Repository, the RBA data collector configuration object is deleted. As can be seen, this whole operation might be computationally demanding and should be handled accordingly.
If any RBA data collector is defined, the data collection is active. In such case, the Application Repository might contain some personal data (according to the type of collector), which has to be reflected by fulfilment of all necessary legislative steps.
Currently, DirX Access employs the approach that the data type determines the evaluation process. This means that the evaluation process is completely dependent on the type of data (access time, request header and so on) used for the evaluation. The data type is defined by the type of RBA data collector assigned to the risk condition.
Ordinal Evaluation
The data types access time, IP address, and geolocation are evaluated according to the closeness to the expected values. The closeness is handled internally to provide the most accurate results.
The access time is recorded for later use with precision to hours, so the reasonable setting of max number of collected values parameter is 24.
The geolocation data for the evaluation are collected implicitly by Authentication Application only, and passed to DirX Access in the Geolocation header according to the standard draft http://tools.ietf.org/html/draft-daviel-http-geo-header-05 . For more information about the data collection via Authentication Application, see the “Authentication Application” section.
String Evaluation
The data types RBA data callout and request header are evaluated using a strict match to the previously-collected values. We can leverage the regular expressions to extend the comparison possibilities. For more information about the RBA data callout implementation, see the “Risk Conditions Plugins” chapter in the DirX Access Integration Guide.
Device ID
The evaluation of device ID type is based on the deployment of a long-term cookie on the client side. This cookie takes its parameters partially from the configuration of the Web PEP it is deployed by (domain name, path, version, secure cookie, HttpOnly), and partially from the RBA data collector (cookie name). The expiration of the cookie is set to the same value that the user model counts with (more information is given in the “Spatial Complexity” section of this appendix), but maximally to one year.
Spatial Complexity
DirX Access uses its Application Repository to store the risk-based authentication data. The RBA data collector configuration enables the complete control of the spatial needs of the data. Moreover, there is a trade-off between the amount of data stored and the accuracy of the evaluation result.
For each user, the maximal spatial complexity can be computed as a sum of the maximal spatial complexities of all defined RBA data collectors. The maximal spatial complexity of an RBA data collector is defined as:
[No. of periods]*([Max no. of collected values]*[Max value length] + 7) + C
where the first two items are parameters of the RBA data collector, the third item is to be learned from a context, and C is maximally in the order of tens.
On the other hand, we want the data collecting to mirror the real situation as much as possible - we need the data to age reasonably and we have two possibilities for how to achieve it. First, the period mechanism claiming: any younger period has a bigger impact on the evaluation result than the older one. In this way, we can appropriately set up the interval of interest and divide it into periods (number of periods parameter) of meaningful lengths (sampling period length parameter). For example, in the case of access times, we are interested in the last six months and want to handle the data from (approximately) a single month on the same level. Thus, we have the following settings: number of periods = 6, sampling period length = 30.
Note: the period does not have a floating character (user relative) - it is an interval with an absolute position within time and thus is the same throughout the system. The absolute position of any period depends solely on the sampling period length parameter determining the position of any period throughout the history.
Of course such an approach can be quite demanding for some deployments. To lessen the amount of data stored, we can decrease the number of periods (while increasing their lengths to preserve the same interval of interest). To enable the data to age in this situation, we can set up max value weight. It influences the system in the following manner: once any record has occurred during a single period [max value weight]-times, all the weights (numbers of occurrences) of all records are divided by two. With this method, the data age in a logarithmic-based manner.
It is worth mentioning that the estimated spatial complexity is likely to differ substantially from the maximal one. It may also depend on the sampling period length, as it is often improbable that the maximum number of collected values is reached.
Time Complexity
The configured user-context-aware risk conditions bring additional time complexity into the processing of user requests. This complexity depends both on the number of defined conditions and the number of records relevant to a single user and single condition. From the user point of view, the complexity differs in three basic operations: initial authentication, authenticated request, and logout.
The initial authentication operation has already been described in the “Initial Authentication” section. At the lower level, each such operation consists of loading of historical data, preprocessing of evaluation data, and evaluation. The loading of historical data invokes the read operation on the directory.
The logout operation consists of the evaluation data persisting only (no evaluation as such is needed). The persisting invokes both the read and the write operation on the repository.
By the authenticated request, any other user operation over a system protected by DirX Access is implied. This operation consists of evaluation and RBA data addition.
The resulting time complexity is a sum of the complexities of all applied conditions (as they are independent). Graphs of the dependency of the time consumption on the number of stored RBA records are provided. The time-consumption values are shown only relatively, as the actual times may differ according to the hardware in use. Each graph shows times for the basic operations (red – initial authentication, green – authenticated request, and blue – logout) with the light color standing for the operation without RBA conditions and the dark one with appropriate RBA condition(s). The recorded values are simulating the worst case – every recorded value is different. In the real world scenario, the maximum shown here (500 records) is far above the one expected for almost any reasonably-configured risk condition.
Generally, there are two significant low level time-consuming operations: preprocessing of evaluation data and repository writing. The former is a purely computational task with quadratic (or cubic) complexity. However, in the reasonable interval, the steepness is still very small so the time consumption can be significantly lowered by the system computational power. The latter is dependent on the repository performance.
The time was measured on PEPs, so taking into account the latency of communication between PEP, Web application and user client, the measured differences are insignificant.
Client Address IPv4 Type
This type is handled by the same mechanism as the access time type, so the graph for the access time type is not shown. Moreover, for the access time type, we can collect 24 values maximum in one period, so the following graph would show the evaluation of at least 20 periods.
Geolocation Type
This type is handled by the same mechanism as the client address IPv6 type, so the graph for the IPv6 type is not shown.
Device ID Type
This type is handled by the same mechanism as the request header type, so the graph for the request header type is not shown.
The next graph shows the time complexities for all the previously-mentioned conditions applied together.
User-Context-Aware Risk Condition Deployment
Users of each system behave differently, so it is difficult to approximate the combined effect of various risk conditions. There is also the possibility that some systems will have users with such an irregular behavior that it can’t be modelled (hence evaluated) with some of the conditions.
To configure a user-context-aware risk condition properly, DirX Access provides the evaluation test mode switch that enables evaluation of the particular risk condition without including its result into the overall risk level. The results can be monitored using MBeans and should be analyzed in order to optimize the risk condition configuration.
The main analysis of the received data should address the probability distribution of the outcomes. Let us assume that almost all the data are collected from legitimate requests. With respect to this assumption, we want most of the data to have a negligible risk level, while the rest having the highest risk level (when a new behavioral pattern occurs). The more the real distribution comes closer to the one described, the more this configuration of risk condition is applicable.
The analysis can be performed using the PolicyServiceMonitorMXBean.
Authentication Application
This section describes how to configure an Authentication Application for use by RBA and provides information about Authentication Application RBA use cases and geolocation.
Configuration for Use by RBA
To leverage the Authentication Application to handle the case when RBA evaluation forces step-up authentication, a precise configuration is needed. If the configuration is not set up properly, the request is simply forbidden. This section explains how to configure the Authentication Application for RBA. If used, the user is redirected to the Authentication Application once the PEP finds an RBA policy violation.
-
Authentication Application: Configure an Authentication Application.
-
Authentication method: Configure an authentication method of type Authentication Application referencing the Authentication Application. The assurance level of this method does not have any influence on the evaluation process.
-
PEP: Set up the default authentication method identifier to the configured method.
The Authentication Application allows the user to authenticate via the method defined in its default authentication method for internal/external clients parameter. If this method is of selection type, its submethods are filtered using the desired assurance level to offer only the applicable ones. The assurance level of the selection authentication method does not have any influence on the evaluation process. If this method is of another type, its assurance level is compared to the desired one yielding either direct challenge or denial of access.
Authentication Application Use Cases
The following figure illustrates the Authentication Application use cases with respect to RBA.
Geolocation via Authentication Application
The Authentication Application can - under certain conditions - collect the geolocation data. It uses a simple JavaScript script that can appropriately fill in the Geolocation header defined in the standard draft Geographic extensions for HTTP Transactions .
To successfully determine the geolocation data, all of the following conditions must be satisfied:
-
The endpoint browser must have JavaScript enabled and support the navigator.geolocation API.
-
The browser must have access to the data from some kind of geolocation-determining system (for example, a Global Positioning System (GPS) sensor).
-
The user must explicitly give its consent to the data sent (ensured by the browser).
Restriction of collecting RBA User Data
For some cases it might be desirable to limit the data saved about the user, particularly RBA data used in User-Context-Aware Risk Conditions. The reason for this might be to comply with data protection regulations such as GDPR, which mandates limiting the collection of personal data, or to reduce the amount of data stored in the Application Repository. The Cluster can be set in a way that no RBA data are collected unless the user provides consent.
To enable this, set the Require user data consent parameter in Cluster → Authentication Service to true.
By default, no user consent is required, but when this parameter is set to true, RBA data will not be collected or saved unless the user provides consent.
The user can provide consent by setting the userDataConsent property of his AppRepoEntity to true.
This can be done through the SCIM API or through the Credential Manager.
Setting the flag Just-in-time provisioning of user record to AppRepo to false in the authentication method configuration will also disable the collection of RBA data for the users that are not in the application repository, to prevent creating theirs accounts in the repository.
Effect on the RBA Evaluation
If no user consent is provided, the RBA will not be able to store any RBA data about the users. This means that the evaluation of mainly the user-context-aware risk conditions will be evaluated as indeterminate.
The assigned risk level will then depend on the setting of the Assign risk level if Indeterminate parameter in the risk condition configuration.
So in case risk level is assigned if the decision is indeterminate, this will result in assigning the maximum risk level for the condition.
Similar behavior can be expected for conditions working with login intervals and possibly conditions implemented by a callout.
Login failures will always be collected, as the user consent does not apply to them, as this is taken as legitimate interest.