Table of Contents
- RSA SecurID Access Product Overview
- Administrators
- Company Settings
- Identity Routers
- Identity Sources
- Assurance Levels
- Access Policies
- Clusters
- High Availability
- and Backups
- Relying Parties
- RADIUS
- Certificates
- Integrated Windows Authentication
- Identity Providers
- Web Applications
- User Application Portal
- Authentication Methods and Emergency Access
- Users and Authenticators
- End User Rollout
- RSA Authentication Manager Integration
- Cloud Administration APIs
- RSA SecurID Authentication API
- Logging
- Troubleshooting
The Cloud Authentication Service can establish high or low confidence in a user's identity based on data it collects when users attempt to authenticate over a period of time. The service leverages machine-learning algorithms to profile the user’s normal activity in order to understand deviation from that activity in the current authentication request. The Cloud Authentication Service evaluates the individual user, total population, and known risky authentication patterns to determine the identity confidence score. Older historical events are weighted less than more recent events, so past behavior ages out of the system and new behavior is more impactful.
The Identity Confidence attribute is available with the Premium Edition of RSA SecurID Access.
To learn more, see:
You can perform these tasks:
Learning User Behavior Through Data Collection
The Cloud Authentication Service collects data about users over a period of time to learn the following attributes about users.
| Attribute | Description |
|---|---|
| Time | Time at which an application is accessed. |
| Weekend | Whether or not the user authenticated during the weekend. |
| Uncommon Applications | User authenticates to an application that he normally does not access. |
| High Authentication Velocity | User unsuccessfully authenticates quickly numerous times. |
| New Device | User accesses a device he has never used before. |
| Location | Physical location of a user (estimated from IP address and HTML5 Geolocation). |
| High Device Access Rate | A user account is being used simultaneously on at least two devices. |
| Users on Device Velocity | Multiple users authenticating from the same device. |
| Users on IP Velocity | Multiple users authenticating from the same IP address. |
The collected data is specific to your company. Data from a large user population collected over a long period of time ensures more reliable results than data from a small user population collected over a short period of time. Identity confidence results can vary from company to company depending on these factors.
Confidence Threshold
The user's identity confidence score is categorized as high or low confidence in relation to the Confidence Threshold. The Confidence Threshold is calculated based on information collected from all users within your company.
The Cloud Authentication Service requires an initial learning period of at least 1,000 authentications (authentication minimum) to collect sufficient user history to optimize identity confidence scoring. Prior to reaching the authentication minimum, the system uses a default threshold (0.37) for determining identity confidence. It is likely that more users will receive low confidence scores in this scenario. After this minimum has been reached, the Cloud Authentication Service adjusts the threshold up or down every seven days as it learns each user's behavior to optimize the low confidence scores.
RSA recommends that you require multifactor authentication for all users until the system has reached the minimum number of authentications.
The following table summarizes what high and low scores represent in relation to the Confidence Threshold.
| User's Overall Confidence Score | Meaning |
|---|---|
| Low score (low confidence) | A score that is lower than the Confidence Threshold indicates low confidence (high risk). This means the Cloud Authentication Service cannot identify the user with a reasonable degree of certainty. You can choose to deny the user access to protected resources or require the user to authenticate at a higher assurance level. |
| High score (high confidence) | A score that exceeds the Confidence Threshold indicates high confidence (low risk). This means the Cloud Authentication Service has high confidence that the user is indeed who he says he is. |
Identity Confidence Dashboard
Use the Identity Confidence Dashboard to view information that can help you identify anomalous authentication activity in your company. In most cases, anomalous behavior does not indicate a cyberattack or require you to take action. The dashboard provides your company with the necessary tools to analyze user behavior and make decisions that keep your company safe. The dashboard reports the following information.
| Analytics Reported | Description |
|---|---|
| Multifactor Authentication Attempts | Counts the number of user attempts to access resources protected by access policies that do and do not include the identity confidence attribute. The total count includes attempts when users satisfy policy conditions that allow them to skip multifactor authentication. At least one attempt must be found to display results. |
| Attempts Based on Identity Confidence | Counts the number of authentication attempts that resulted in a low or high confidence score. The confidence threshold determines if an evaluation results in high or low confidence. |
| Reasons for Low Identity Confidence | A low confidence score occurs when the Cloud Authentication Service does not recognize the user's behavior, device, or location in an authentication attempt because the user has changed behavior, device, or location since the previous attempt. Or the score may be low if the user is new and has not authenticated enough times to earn a high confidence score. Low confidence can be due to one or more of these factors:
Undetermined cause is reported when the Cloud Authentication Service cannot identify a single factor as the predominant cause of the low score. Multiple factors always play a role in confidence scores, and sometimes one particular factor does not stand out. |
| Top Anomalous Users | Lists users who exhibit anomalous behavior. “Severity” is the difference between the user’s Confidence score and the Confidence Threshold at the time of authentication. The larger the difference, the higher the degree of anomalous behavior. Up to four factors that contributed to lowering the score are provided. Use this information to decide whether these users require further action in accordance with your company’s security policies. In most cases, anomalous behavior does not indicate a cyberattack or require you to take action. |
| User Behavior Over Time | The dashboard displays a graph that shows the following information for a single user over a period of time. Click points on the graph to see:
|
Configure Identity Confidence in Access Policies
Configure identity confidence by using the Identity Confidence attribute in an access policy. In the following sample policy, users with high identity confidence can access the resource without performing additional (step-up) authentication. Users with low identity confidence are denied access. For configuration instructions, see Add, Clone, or Delete an Access Policy
View Risk Analytics and Track Behavior for a User
Use the Identity Confidence Dashboard to view authentication information for all users in your company or for individual users within a specified timeframe.
Procedure
-
Open the Cloud Administration Console and click Users > Identity Confidence Dashboard.
By default, the initial pie charts that display reflect authentication activity collected over the past 30 days for all users in your company who have authenticated through the Cloud Authentication Service.
-
You can view data for a specific user in either of two ways:
-
In the Filter by field, enter the user's email address and the timeframe (1-30 days). Click Go.
Note: The search criteria must be able to return at least one authentication attempt in which identity confidence was evaluated. Otherwise, no attempts are displayed.
-
Select a user's email address from the Top Anomalous Users table on the right.
The page is updated to show authentication activity for the selected user. Click Reset if you want to return to the display for all users in your company.
-
In the following example, the graphs on the left show information that is filtered for one user.
In the following graph, the blue line represents the user's authentication activity and the red line represents the Confidence Threshold over the same period of time. Each blue authentication point has a corresponding point on the Confidence Threshold line indicating the threshold on the day and time of authentication. Click a point on the blue line to see the user's Confidence score and Confidence Threshold on a specific day and time. If the user's score dips below the Confidence Threshold, indicating low confidence, a list of Contributing Factors appears.
We want your feedback on this feature. Tell us what you think.
View a User's Identity Confidence Score in the User Event Monitor
The User Event Monitor reports the following information in the Authentication Details column for event 25001. All of the attributes described in Learning User Behavior Through Data Collection contribute to these scores.
| Confidence Details Reported in User Event Monitor | Description |
|---|---|
| Confidence | The user's overall identity confidence score, which is influenced by the user's separate scores for Device Confidence, Behavior Confidence, and Location Confidence. |
| Confidence Threshold | Confidence scores higher than this threshold indicate high confidence, while lower scores indicate low confidence. The threshold calculation is based on information collected from all users within your company and adjusts over time as the Cloud Authentication Service learns about your users and as more users authenticate. The initial default threshold is 0.37. After at least 1,000 authentications have been reached, the threshold is updated daily. |
| Device Confidence | Level of confidence based on attributes associated with the user's device. These attributes describe device characteristics and user behavior. The Device Confidence score starts at 0.0 if the user has not previously used the device and increases each time the user successfully authenticates from the same device. |
| Behavior Confidence | Level of confidence based on attributes associated with the user's behavior. For example, this score is adjusted when the user successfully authenticates to access the same application within the same timeframe. |
| Location Confidence | Level of confidence based on attributes associated with the user's location. For example, this score is increased if the user successfully authenticates from the same location every day and decreased if the user successfully authenticates from different locations every day. |
| Contributing Factors | If a user's overall Confidence score indicates low confidence, the User Event Monitor reports up to four factors that most contributed to lowering the score. These factors are listed as Contributing Factors, in order from most impactful to less impactful. Factors that contribute to raising a user's overall score are not listed. For example:
In this example, the factors numbered 1, 2, 3, and 4 most contributed to lowering the user's overall Confidence score. |
Disable Data Collection for Identity Confidence
RSA recommends that you leave data collection for identity confidence and location enabled. If your company requires you to disable data collection for identity confidence, do not use the identity confidence attribute in access policies. To obtain maximum benefit from identity confidence scores, RSA recommends that you also leave location data collection enabled. If you must disable data collection, see Configure Company Information and Certificates for instructions.
On this page
