Account Takeover (ATO) attempts are increasing 55% year over year, and they are relatively easy for attackers to execute. An attacker can obtain a username+password combination in several ways: via a marketplace on the dark web, or by tricking (phishing) a user, or by simply guessing a poorly-constructed password.
Once an attacker has obtained a user’s password, they can log in to the user’s account and potentially perform all kinds of bad actions: make purchases with the user’s stored credit card, redeem the user’s loyalty points, or even change the user’s original password so that the attacker has exclusive access to the account.
One of the most effective ways to foil an ATO attempt is to require multi-factor authentication (MFA), so that a bad actor needs not only a password but also an SMS code or some other factor to successfully log in to an account.
While MFA is certainly effective at reducing successful ATO attempts, it adds friction to the experience of valid users as well, often causing them to abandon a site or a purchase. We’ve all been there – having to pull out your phone can cause you to just close the site altogether.
Given the negative effect of MFA on valid users, identity providers have tried to become more sophisticated and targeted in issuing MFA challenges to smaller subsets of end users. But these attempts usually result in a set of complicated rules (block certain IP addresses, new machines, etc.) that are difficult to maintain and troubleshoot, and, because they are rules-based, they are often ineffective against sophisticated ATO attempts that intentionally circumvent the rules.
So how can we make sure that bad actors get challenged for MFA but valid users don’t?
Forter’s Identity Protection solution addresses this challenge by looking at the user context and comparing it against a proprietary dataset of identities we’ve established through our fraud prevention solution.
When a user logs in to a website, and after they complete password authentication, a request goes to the Forter APIs. If it comes back positive, the user is simply let into the website. Otherwise, and only for suspicious cases, the user is prompted to perform MFA.
To achieve such accuracy, Forter looks not only at the “hard” data points related to a user (IP address, OS, etc.) but also at how that user has historically behaved on the web. We’ve already helped many customers achieve great improvement in reducing friction while increasing security at login.
However, if you’re using an identity provider, it can be a challenge to integrate an external solution such as Forter into your authentication flow, simply because identity providers’ login rules often do not support incorporating an external decision engine into an authentication flow. So, with an identity provider, it can be difficult to separate the evaluation of the username and password from the MFA policy.
Enter Auth0 and their Actions capability.
Auth0’s Actions capability allows you to call out to an external decision engine during the authentication flow. Essentially, it lets you pause the authentication flow and automatically call out to Forter from the back end to get an extremely accurate recommendation regarding how to handle the authentication attempt: allow, deny, or challenge. The Action then allows you to either let the user continue as-is with their authentication, deny the attempt altogether, or directly invoke the Auth0 MFA engine to challenge the user for a second factor.
This evaluation happens in milliseconds, after the user’s username and password have been verified by Auth0 but before Auth0 issues an ID token to represent the authentication.
Auth0 can also host your login page for you, and the Forter JavaScript library works seamlessly with the Auth0 Lock.js front-end library, allowing the user context to flow to the back-end Action.
So, at the end of the day you have a solution where:
- Your application is doing none of the “heavy lifting” during the authentication process
- Your application is getting authenticated users that have been vetted by Forter’s best-in-class ATO prevention solution
- Your valid users are experiencing far less friction during authentication
- Bad actors are being blocked by MFA or outright denied
It’s a powerful combination of Auth0’s authentication capabilities and Forter’s extremely accurate decision engine.
Before concluding, I should also note that Forter and Auth0 can also be used extremely effectively together at other points in the user journey: account sign-up and in-app actions, for example.
If you’d like to see what the combined solution looks like, reach out to Forter and we will be glad to give you a demo!
Written by Tom Smith, Principal Solutions Consultant, Forter