It’s funny how some technologies fall out of the hype cycle and folks kind of forget about them. But that doesn’t mean these technologies don’t work any more. Au contraire, it usually means a technology works too well, and just isn’t exciting to talk about any more. Let’s take the case of adaptive authentication: using analytics to determine when to implement stronger authentication. It appears Google has started taking an adaptive approach to authentication for Gmail over the past 18 months:
Every time you sign in to Google, whether via your web browser once a month or an email program that checks for new mail every five minutes, our system performs a complex risk analysis to determine how likely it is that the sign-in really comes from you. In fact, there are more than 120 variables that can factor into how a decision is made.
If a sign-in is deemed suspicious or risky for some reason–maybe it’s coming from a country oceans away from your last sign-in–we ask some simple questions about your account.
Yeah, man. Not that a targeted attacker won’t have those answers based on some rudimentary recon. Obviously there are ways to beat this approach, but for run-of-the-mill attackers, more challenging authentication provides enough of a bar to get them looking elsewhere. Remember, these folks chase the path of least resistance, and there are tons of cloud-based email services to chase that don’t perform this kind of sophisticated analytics on authentication requests.
And amazingly enough, it works.
Using security measures like these, we’ve dramatically reduced the number of compromised accounts by 99.7 percent since the peak of these hijacking attempts in 2011.
Good on Google. Maybe they are evil, but at least they are trying to improve security.
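
To make the quoted description concrete, here is an added example (not code from the original post and not Google's implementation) of a risk-based sign-in check that steps up to a challenge when a sign-in is geographically implausible or comes from an unfamiliar device. The two signals, their weights and thresholds, and the names `SignIn`, `risk_score` and `decide` are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

@dataclass
class SignIn:
    ts: float        # Unix time, seconds
    lat: float
    lon: float
    device_id: str

def haversine_km(a: SignIn, b: SignIn) -> float:
    """Great-circle distance between two sign-in locations."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def risk_score(last: SignIn, cur: SignIn, known_devices: set) -> float:
    """Combine two illustrative signals into a 0..1 score (weights are assumptions)."""
    score = 0.0
    dist = haversine_km(last, cur)
    hours = max((cur.ts - last.ts) / 3600.0, 1e-6)   # avoid division by zero
    if dist > 500 and dist / hours > 900:   # faster than an airliner: implausible travel
        score += 0.6
    elif dist > 3000:                        # plausible trip, but far from the usual place
        score += 0.3
    if cur.device_id not in known_devices:   # device never seen on this account
        score += 0.3
    return min(score, 1.0)

def decide(score: float, threshold: float = 0.5) -> str:
    """Step up to extra questions only when the score crosses the threshold."""
    return "challenge" if score >= threshold else "allow"

# Constructed sample data: a mail client polling from New York, then other sign-ins.
KNOWN = {"laptop-1"}
LAST = SignIn(0, 40.7128, -74.0060, "laptop-1")
SAMPLES = {
    "poll 5 min later, same place": SignIn(300, 40.7128, -74.0060, "laptop-1"),
    "Sydney 5 min later, new device": SignIn(300, -33.8688, 151.2093, "unknown"),
    "London a week later, own laptop": SignIn(7 * 86400, 51.5074, -0.1278, "laptop-1"),
    "London a week later, new device": SignIn(7 * 86400, 51.5074, -0.1278, "unknown"),
}

if __name__ == "__main__":
    for label, s in SAMPLES.items():
        print(f"{label}: {decide(risk_score(LAST, s, KNOWN))}")
```

Only the sign-ins that cross the threshold get the extra questions, so the routine five-minute mail poll and an ordinary trip with a known device pass without friction.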