Darin Pendergraft from SecureAuth stopped by the UltimateWindowsSecurity booth (South 2240). Visit SecureAuth in the South Hall at booth 2107 and be sure to see their interactive product demo using the Oculus Rift!
Randy: Alright so we’re back at the Ultimate Window’s Security Booth at RSA. I’ve got with me this time Darin Pendergraft from SecureAuth. Darin we’re talking about authentication and there’s a lot of people doing authentication nowadays. Everybody seems to recognize, all of a sudden, that we need strong authentication which usually means a second factor.
Darin: Right.
Randy: So I just want to talk to you about what’s different with how you guys are doing it. First of all, I think maybe the first thing we need to get across is companies that have enterprise security requirements, that require them to control certain things on premise, you know, that’s a sweet spot for you – an on premise solution.
Darin: On premise solution is a virtual machine, so you know it’s housed on your hardware. You do have a physical appliance option for folks that want that. But we really feel that having that control is important to our enterprise customers.
Randy: The other thing we were talking about is two factor authentication and strong authentication, is all obviously that is one of the pain points we’re trying to solve. One of the big risks we’re trying to mitigate, but with SecureAuth you’re not done once you’ve delivered two factor authentication.
Darin: That’s right.
Randy: Tell me more about how you said that’s really just the beginning.
Darin: Right, right… You know with strong authentication the point is to protect the business and to make it harder for the attackers to get in. Getting that set up is important but what’s really important is then to start to understand the context of the authentication, who is using that credential? Where did they log in from last? Did they use a device we’ve seen before? And we call that adaptive authentication, because the level of, you know, risk really determines how easy or how hard we make for someone to log in. That’s something we firmly believe. We can’t just set the system up and let it run, because any system that is static like that, will be defeated. Right?
Randy: Right.
Darin: So our system really takes every authentication into account. We look at the context around it and then we either step it up in this situation that we see something that’s a little out of the ordinary. You know, if you log in here from San Francisco and then all of a sudden there’s a log in from somewhere in Eastern Europe… you know, that’s unusual.
Randy: Sure.
Darin: So we shouldn't just allow you to put your password in to get in – we should really challenge you and send you to that second factor.
Randy: So we could almost call it “Just in time Authentication”….
Darin: Yeah, Just in time is a good way to look at it.
Randy: ….that it’s appropriate for the dynamics for that moment for that user and all the other dynamics. I think that you talked about velocity…
Darin: Geo velocity…
Randy: Is this a device that we've never seen them on but we can add those things together and do it dynamically. Yeah, I can see the value of that. The other thing that I thought was important for folks trying to sort out, ‘how are all of these authentication companies different’-- is form factors. You've got flexibility… you want to talk about that?
Darin: Absolutely, we are always asked, “What’s the best second factor?” To be honest, the best second factor is the one that fits your use case the best. At SecureAuth, we don’t rely on any one technique for the second factor. We can send a text to your phone. We can use a hardware token that you've got from a third party. You know, it really depends on that use case. We have some customers that want a very good user experience so they want a really low friction second factor. In those situations, we rely on a device fingerprint to recognize the device to see if it’s been jailbroken and to see if there’s anything usual about it. In other situations and in very high security situations, our customers are very comfortable with having a hard token or a card or something like that. In SecureAuth we let the customer to decide what they want to do. We really fit the second factor to the use case so that the end users really feel like they are getting security and they’re not being put, unnecessary, through hardship. That it fits kind of the risk profile.
Randy: Do you see companies using a variety of form factors for different sets of users within the organization?
Darin: Yeah and because of the way our product is architected, you can mix and match. We have a lot of hybrid environments. We have some folks that are traveling a lot and they have everything on their phone and they say, “That’s what I want to do.” And yet, we also have sales people that are mainly, you know, laptop people or Blackberry people potential, right? So we can work with different form factors for those folks.
Randy: Gotcha…Well, there’s other reasons why a variety of form factors is important. We like to use a phone at my company, as a second factor. But if that phone is down, we don’t want to have to provision something else. So we don’t we have folks carry a one-time password token with them but they don’t need to touch it unless something happens to the phone.
Darin: In that situation, what our customers have done is they’ll actually… the customer’s administrative staff will present you with two or three different options so if your phone is lost or you leave it at home, so it’s not compromised or lost, or maybe you just don’t have it…
Randy: Yeah…
Darin: A lot of times when you’re presented with that second factor dialogue it’ll say: “Receive a call on your office phone” or “Receive a call on another number” or “Answer a question…” Like you said, have a one time PIN. So we can give you the flexibility to shut certain channels off or form factors off or offer the end user the option of two or more.
Randy: Well, cool. I appreciate your time and hopefully folks this useful to you if you’re trying to sort out differences in strong authentication offerings and I look forward to working more with you more, Darin.
Darin: Thanks, Randy. It’s a pleasure to be here, thanks.