Multi-Factor Just-in-Time Authentication

Step-Up JIT is an authentication mechanism that combines the security of MFA with the flexibility of contextual risk assessment. Instead of requiring MFA challenges for every authentication attempt, Step-Up JIT dynamically evaluates the risk associated with each access request based on various factors such as:

  • Resource and Action: Is the resource privileged, such as updating passwords or transferring money?
  • User identity: Who is attempting to access the resource?
  • Device: What device is being used for access? Is it a recognised and trusted device?
  • Location: Where is the access request originating from? Is it a familiar and secure location?
  • Behavior: Is the user’s behavior consistent with their normal patterns?

Based on this real-time risk assessment, Step-Up JIT determines whether to grant access seamlessly or to step up the authentication process by requiring additional MFA challenges. This allows for a balance between security and user convenience, providing a frictionless experience for low-risk access attempts while maintaining a high level of security for potentially risky situations.

Example

When a user has logged in using a less secure form of MFA (e.g. an SMS code or an email code) and wants to access a highly privileged resource, such as updating their password or adding additional MFA methods, the system, using Step-Up JIT, can decide to issue an MFA challenge to ensure that this is the correct user and that someone has not hijacked their session.

Benefits of Step-Up JIT

Step-Up JIT offers several advantages over traditional MFA approaches:

  • Improved User Experience: By reducing the frequency of MFA challenges, Step-Up JIT streamlines the authentication process, making it less intrusive and more user-friendly.
  • Enhanced Security: Step-Up JIT adapts to the context of each access request, dynamically adjusting the level of security to match the risk. This ensures that sensitive resources are adequately protected while minimising unnecessary authentication friction.
  • Reduced Operational Costs: By automating the risk assessment process, Step-Up JIT can reduce the burden on IT teams, freeing them up to focus on other critical tasks.

Technical Implementation

The technical implementation of Step-Up JIT involves the integration of various components:

  • Risk Engine: This is the core of Step-Up JIT, responsible for analysing contextual factors and calculating risk scores for each access request.
  • Authentication Policy: This defines the rules that determine when MFA challenges are required based on the risk assessment.
  • MFA Providers: These provide the various authentication methods, such as one-time passwords, push notifications, or biometric factors.
  • Identity Providers: These manage user identities and provide user attributes for risk assessment.

Adding Step-Up JIT to an existing system

It’s likely that any existing system will already have 3 of the 4 integration points (Authentication Policy, MFA Providers, and Identity Providers), although some small enhancements will most likely be required to enable them for Step-Up JIT. The Risk Engine, however, will most likely be new.

The Risk Engine does not need to be complicated. Initially it could be as simple as a rules engine with a single rule: if the action is highly privileged and the security level of the MFA provider used is not High, then force Step-Up. From this rule more can be added as the data and risk controls of the business dictate.

Risk Engine
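The minimal rules engine described above, written as an added illustration rather than code from the original article. The assurance ranking, the set of privileged actions and the second (device/location) rule are assumptions chosen to show how further rules slot in beside the first one.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Callable, List, Optional


class Assurance(IntEnum):
    """Assumed ranking of MFA provider security levels (not from the article)."""
    NONE = 0
    LOW = 1    # sms code, email code
    HIGH = 2   # push approval, biometric, hardware key


# Assumed set of highly privileged actions, based on the article's examples.
PRIVILEGED_ACTIONS = {"update_password", "add_mfa_method", "transfer_money"}


@dataclass
class AccessRequest:
    user_id: str
    action: str
    session_assurance: Assurance   # strength of the MFA used at login
    device_trusted: bool = True
    location_familiar: bool = True


@dataclass
class Decision:
    step_up: bool
    reasons: List[str] = field(default_factory=list)


Rule = Callable[[AccessRequest], Optional[str]]


def privileged_action_rule(req: AccessRequest) -> Optional[str]:
    """The single starting rule: privileged action + non-High assurance => step up."""
    if req.action in PRIVILEGED_ACTIONS and req.session_assurance < Assurance.HIGH:
        return "privileged action requested with %s assurance session" % req.session_assurance.name
    return None


def unfamiliar_context_rule(req: AccessRequest) -> Optional[str]:
    """Example of a later rule: privileged action from an untrusted device or location."""
    if req.action in PRIVILEGED_ACTIONS and not (req.device_trusted and req.location_familiar):
        return "privileged action from unrecognised device or location"
    return None


RULES: List[Rule] = [privileged_action_rule, unfamiliar_context_rule]


def evaluate(req: AccessRequest, rules: List[Rule] = RULES) -> Decision:
    """Run every rule; any firing rule forces Step-Up, and the reasons are kept for audit logs."""
    reasons = [r for r in (rule(req) for rule in rules) if r]
    return Decision(step_up=bool(reasons), reasons=reasons)
```

Keeping the reasons on the decision lets the authentication policy log why a challenge was issued, which is what you need later to measure the false positive/negative rate of each rule.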

Challenges and Considerations

While Step-Up JIT offers significant benefits, there are also challenges and considerations to keep in mind:

  • Complexity: Implementing Step-Up JIT can be complex, requiring careful planning and integration of various systems.
  • False Positives/Negatives: The risk assessment process can sometimes lead to false positives (legitimate users being challenged unnecessarily) or false negatives (malicious actors bypassing MFA).
  • Privacy Concerns: Collecting and analysing user data for risk assessment raises privacy concerns.

Privacy Concerns

As with all expanding systems, when collecting or shipping data to a new location it is very important to ensure that data about users is only collected if required, and that it is stored and managed appropriately. This means employing robust security measures like encryption, access controls, and regular audits. It also means being transparent about how data is collected, used, and shared. Remember, trust is earned, and respecting user privacy is key to building and maintaining that trust.

Conclusion

Step-Up JIT is a powerful tool that can help organisations strike a balance between security and user experience. By dynamically adjusting the level of authentication based on real-time risk assessment, Step-Up JIT provides a seamless and secure access control mechanism. However, careful planning and consideration are crucial to ensure successful implementation and address potential challenges.