Secure your small business:
Apps → Data →

What Plurilock’s Defense Contracts Reveal About Authentication Today

Plurilock has just been awarded another government contract to develop new cybersecurity capabilities, this time for Canada’s Department of National Defence.

Like some of our previous contracts with United States national defense agencies, our task is to push the cybersecurity envelope, using machine learning to enable forms of protection that haven’t previously existed.

Beyond Credentialed Login MFA

We talk a lot here about providing invisible, device-free multi-factor authentication for login workflows and about providing continuous authentication for enterprise computing sessions, all of which we do.

The lone human hacker is giving way to the distributed, cloud-based attacker—automated, methodical, patient, and sophisticated. Machine learning provides better tools to combat this threat. © Microhostcloud / CC BY-SA 4.0

But our government contracts point to the fact that authentication as a practice is rapidly evolving in order to combat a wider variety of threats:

  • Script and bot attacks, malware, and trojans. Traditional authentication credentials don’t protect here, especially in-session, and most strategies to deal with them—such as rate-limiting or sledgehammer-like auto-blocks—tend to interfere with legitimate users. Machine learning and behavioral biometrics can thread the needle, distinguishing between machines or automations and real human use.

  • Phishing attacks and phished credentials. Education is important, but what if the worst occurs and legitimate credentials are unknowingly lost to the wild? With Plurilock’s machine learning, behavioral biometrics, and adaptive factor stack protecting targeted systems, those credentials can’t be used by the attacker even after they’re captured.

  • Walk-aways seized by malicious insiders. Sometimes legitimate users simply forget to log out when stepping away. With the device inside the perimeter and the session already authenticated, the ground is set for someone else to step in quickly and wreak havoc. Machine learning and behavioral biometrics make sure that doesn’t happen.

  • Off-policy or prohibited uses. Legitimate use policies against scraping, scripting, account sharing, or subcontracting are commonplace, and for good reason—but they can be devilishly hard, not to mention expensive, to enforce and document. With machine learning and behavioral biometrics, enforcement is automatic and the violations leave a paper trail.

  • Insecure work-arounds. Privileged access management, multi-factor authentication, and zero trust can lead to some pretty heavy authentication overhead for users, who then tend to respond with work-arounds. Machine learning and behavioral biometrics enable this load to be lightened while at the same time significantly strengthening the authentication flows that remain.

Legitimate human users are increasingly penalized by obsolete authentication strategies—without protecting against contemporary threats. The landscape is changing. © Christina Morillo / Pexels

Authentication is Evolving

There’s a reason that defense agencies are moving beyond simple questions like “how do we harden our perimeter and credential checks” and toward attacking the particular activities and uses that are problematic instead.

The more onerous and frequent login workflows become, the more unintended blowback and overhead they cause. Yet without machine learning and behavioral biometrics, they all suffer from the same problem—a vulnerability to ever-more sophisticated attacks and credential reuse or impersonation.

Defense agencies are running ahead of corporate environments here, but we believe that cybersecurity is destined to ultimately move in the same direction.

Today, the focus is shifting away from credential-based login authentication and toward a world in which systems use machine learning and all available data streams to determine who’s actually providing input at any given moment, what they’re actually doing, and whether the activity in which they’re engaged is conventional and authorized—or suspect and illicit. ■

Subscribe to the newsletter for Plurilock and cybersecurity news, articles, and updates.

You're on the list! Keep an eye out for news from Plurilock.