December Auth Node Roundup

The goose is getting fat.  Presents are wrapped.  Tree is up.  AND, some new authentication nodes have been added to the Backstage Marketplace.

Threat Management

The bot protection, threat intelligence and DDoS awareness space has grown massively over the last few years.  Instead of relying only on network-level throttling, the auth tree fabric makes it simple to pull third-party systems into the login journey.

Two fairly simple nodes that have been added are the OpenThreatIntelligenceNode and the HaveIBeenPwnedNode.  The open threat intelligence node calls out to the https://cymon.io site, sending a SHA256 hash of the inbound client IP address.  The response indicates whether that IP has been involved in any botnets or malicious software attacks.

Have I Been Pwned is a simple, free site that takes an email address and checks whether it has appeared in any large data breaches.  If it has, it may be prudent to prompt the user in your system to either use MFA or perhaps change their password too.
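To make the decision logic of those two nodes concrete, here is an added Python illustration (not the marketplace nodes' own Java code, and not the real cymon.io or Have I Been Pwned clients): the client IP is canonicalised and SHA256-hashed before lookup, the email is normalised, and the result picks a tree branch.  The threat list and breach list are constructed sample data, and the function and outcome names are assumptions made for this example.

```python
import hashlib
import ipaddress


class LookupUnavailable(Exception):
    """Raised when the external reputation or breach service cannot be reached."""


# Constructed sample data standing in for the third-party services; these are
# not real threat-intelligence or breach records.
_KNOWN_BAD_IPS = ["203.0.113.7", "2001:db8::bad"]
_BREACHED_EMAILS = {"alice@example.com"}


def ip_fingerprint(client_ip: str) -> str:
    """SHA-256 of the canonical textual form of the client address.

    Canonicalise before hashing: "2001:DB8::1" and "2001:db8:0:0:0:0:0:1" are
    the same host but hash to different values as raw strings, so a lookup
    keyed on the raw header text would silently miss.  A malformed address
    raises ValueError rather than being hashed and quietly allowed through.
    """
    canonical = str(ipaddress.ip_address(client_ip.strip()))
    return hashlib.sha256(canonical.encode("ascii")).hexdigest()


def normalise_email(email: str) -> str:
    """Breach corpora are keyed on lower-cased, trimmed addresses."""
    return email.strip().lower()


# Local stand-ins for the network calls; a real node would perform the HTTP
# request here and raise LookupUnavailable on a timeout or non-2xx response.
_THREAT_HASHES = {ip_fingerprint(ip) for ip in _KNOWN_BAD_IPS}


def local_ip_lookup(fingerprint: str) -> bool:
    return fingerprint in _THREAT_HASHES


def local_email_lookup(email: str) -> bool:
    return email in _BREACHED_EMAILS


def threat_outcome(client_ip, email,
                   ip_lookup=local_ip_lookup, email_lookup=local_email_lookup):
    """Pick the tree branch for this login attempt.

    Outcomes: "block" (IP has a bad reputation), "step_up" (address seen in a
    breach, so ask for MFA or a password change), "allow", or "unavailable"
    when a service could not be consulted.  "unavailable" is kept as its own
    outcome on purpose: whether it fails open or closed is a tree-design
    decision, not something a lookup node should silently make.
    """
    try:
        if ip_lookup(ip_fingerprint(client_ip)):
            return "block"
        if email_lookup(normalise_email(email)):
            return "step_up"
        return "allow"
    except LookupUnavailable:
        return "unavailable"
```

Wiring the "unavailable" outcome to an explicit branch keeps the fail-open/fail-closed choice visible in the tree.  Note also that hashing an IPv4 address offers the provider little privacy, since the whole 2^32 space can be hashed and matched in seconds; the hash is a transport convention here, not a confidentiality control.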

[Figure: Threat Focused Auth Tree]

Another addition in this space is the Google reCAPTCHA node, which helps protect against bot attacks.

SLA, Metrics and Timing

Two recent additions come from ForgeRock's very own Craig McDonnell, who has built two interesting nodes for timing and metering.  First up is the MeterAuthTreeNode.  This node can be dropped into any part of the tree and adds a configurable string to the DropWizard meter registry within AM.  So, for example, if you are tracking which browsers users log in from using the BrowserCheckerNode, you could drop in a couple of meter nodes to add incremental counters that are updated every time that specific browser is seen during the login journey.  This becomes very useful when building out user-experience analytics projects.  The metrics can then be viewed using something like JConsole, retrieved over JMX into dashboards, or pushed to a Graphite server.

A cousin of the meter node is the pair of TimeAuthTreeNodes.  Similar to the meter, they time each part of the auth tree.  As trees are likely to include upwards of 20 data signals and third-party processing, it can be essential to understand response times and SLA impacts.  The timer nodes come as a pair: a start node and a stop node.  The time elapsed between the two is sent to the same registry as the meter and can be viewed using JConsole.
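The mechanism behind both node types is simple enough to sketch in a few dozen lines.  This is an added Python illustration, not Craig's Java nodes or DropWizard itself: a tiny in-memory registry plays the part of the metric registry, a meter node bumps a counter, and the timer start/stop pair hands the start time through the tree's shared state.  The registry class, node functions and metric names are assumptions made for this example, and the fake clock exists so the durations are reproducible.

```python
import math
import time
from collections import Counter


class TreeMetrics:
    """Minimal stand-in for the DropWizard MetricRegistry the nodes report to."""

    def __init__(self):
        self.meters = Counter()   # metric name -> hit count
        self.timers = {}          # timer name -> list of durations in ms

    def mark(self, name):
        self.meters[name] += 1

    def update_timer(self, name, millis):
        self.timers.setdefault(name, []).append(millis)

    def timer_stats(self, name):
        """count / mean / max / p95: the numbers an SLA review actually wants."""
        samples = sorted(self.timers.get(name, []))
        if not samples:
            return {"count": 0}
        p95_index = math.ceil(0.95 * len(samples)) - 1
        return {
            "count": len(samples),
            "mean_ms": sum(samples) / len(samples),
            "max_ms": samples[-1],
            "p95_ms": samples[p95_index],
        }


def meter_node(registry, shared_state, metric_name):
    """Meter node: count one hit of `metric_name` and carry on down the tree."""
    registry.mark(metric_name)
    return "next"


def timer_start_node(registry, shared_state, timer_name, clock=time.monotonic):
    """Start node: stash the start time in the tree's shared state."""
    shared_state[f"timer.{timer_name}.start"] = clock()
    return "next"


def timer_stop_node(registry, shared_state, timer_name, clock=time.monotonic):
    """Stop node: read the matching start time and record the elapsed time."""
    start = shared_state.pop(f"timer.{timer_name}.start", None)
    if start is None:
        # A stop with no matching start is a tree-wiring mistake; surface it
        # rather than recording a meaningless duration.
        raise KeyError(f"no start recorded for timer '{timer_name}'")
    registry.update_timer(timer_name, round((clock() - start) * 1000))
    return "next"


class FakeClock:
    """Deterministic clock so the example produces the same numbers every run."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_login_journey(registry, browser, callout, clock):
    """One pass through a tree fragment: meter the browser, time a call-out."""
    shared_state = {}
    meter_node(registry, shared_state, f"login.browser.{browser}")
    timer_start_node(registry, shared_state, "third_party_callout", clock)
    callout()   # the thing being timed, e.g. a threat-intelligence HTTP call
    timer_stop_node(registry, shared_state, "third_party_callout", clock)
    return shared_state


def demo():
    """Three constructed logins: two on Chrome, one on Firefox, varying call-out latency."""
    registry = TreeMetrics()
    clock = FakeClock()
    for browser, seconds in [("Chrome", 0.120), ("Firefox", 0.040), ("Chrome", 0.900)]:
        run_login_journey(registry, browser, lambda s=seconds: clock.advance(s), clock)
    return registry
```

Because the start time travels in shared state, a start node without its stop (or the reverse) is detectable rather than producing a quietly wrong metric; the same state-passing pattern is why the two timer nodes must share a timer name.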

[Figure: Monitoring Response Time of a 3rd Party Call Out During Login]

Device Analysis

From a security perspective it is quite common to pair a trusted user with their login device.  But what about verifying whether that device itself has the correct browser or operating system?  The OSCollectorNode and its sister node, the BrowserCollectorNode, allow analysis of the incoming client request.  This can be extended right down to the version, to allow for redirects, blocking, or perhaps a more personalised experience.  If a service provider knows you are logging in from a mobile device on 4G at 8am, they can likely infer you are commuting and may respond with different content.  The information collected can simply be added to session properties and delivered to downstream protected applications.
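What the collector nodes extract from the request is essentially a User-Agent parse, so here is an added Python illustration of that step (not the OSCollectorNode or BrowserCollectorNode's own code): the header is reduced to OS, browser and version, a minimum-version policy picks the tree branch, and the result is flattened into session-property form.  The sample User-Agent strings are constructed, and the pattern tables, property keys and outcome names are assumptions made for this example.

```python
import re

# Constructed sample User-Agent strings, not captured from real clients.
SAMPLE_UAS = {
    "chrome_windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36",
    "safari_iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 "
                     "(KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",
    "firefox_linux": "Mozilla/5.0 (X11; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0",
    "script": "curl/7.64.0",
}

# Order matters in both tables: an iPhone UA also says "Mac OS X", an Android
# UA also says "Linux", and every Chrome UA also says "Safari".
OS_PATTERNS = [
    ("iOS", re.compile(r"iPhone OS (\d+)[._](\d+)")),
    ("Android", re.compile(r"Android (\d+(?:\.\d+)?)")),
    ("Windows", re.compile(r"Windows NT (\d+\.\d+)")),
    ("macOS", re.compile(r"Mac OS X (\d+)[._](\d+)")),
    ("Linux", re.compile(r"\bLinux\b")),
]
BROWSER_PATTERNS = [
    ("Edge", re.compile(r"\bEdg(?:e|A|iOS)?/(\d+)")),
    ("Firefox", re.compile(r"\b(?:Firefox|FxiOS)/(\d+)")),
    ("Chrome", re.compile(r"\b(?:Chrome|CriOS)/(\d+)")),
    ("Safari", re.compile(r"\bVersion/(\d+)[\d.]* .*\bSafari/")),
]


def _first_match(patterns, ua):
    """Return (name, captured groups) for the first pattern that matches."""
    for name, pattern in patterns:
        m = pattern.search(ua)
        if m:
            return name, m.groups()
    return None, ()


def parse_user_agent(ua):
    """Collect OS and browser details the way the collector nodes do."""
    os_name, os_groups = _first_match(OS_PATTERNS, ua)
    browser, browser_groups = _first_match(BROWSER_PATTERNS, ua)
    return {
        "os": os_name or "Unknown",
        "osVersion": ".".join(os_groups) if os_groups else None,
        "browser": browser or "Unknown",
        "browserVersion": int(browser_groups[0]) if browser_groups else None,
    }


def browser_outcome(ua, minimum_versions):
    """Decide the tree branch: "allow", "outdated" or "unknown".

    `minimum_versions` maps a browser name to the lowest major version that
    is allowed straight through; browsers absent from the map are allowed.
    """
    info = parse_user_agent(ua)
    if info["browser"] == "Unknown":
        return "unknown"
    floor = minimum_versions.get(info["browser"])
    if floor is not None and info["browserVersion"] < floor:
        return "outdated"
    return "allow"


def session_properties(ua):
    """Flatten the collected details into the string key/value form a session property holds."""
    info = parse_user_agent(ua)
    return {f"device.{k}": ("" if v is None else str(v)) for k, v in info.items()}
```

The "unknown" branch is where scripts and unusual clients land; it deserves its own handling in the tree rather than being folded into "allow".  The User-Agent header is supplied by the client and is trivially changed, so the parsed values are good material for analytics, personalisation and step-up decisions, but not a substitute for a real device-binding control.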

[Figure: OS and Browser Analysis During Login]

A few other noteworthy additions this month include an updated IPAddressDecisionNode, a KBAAuthenticationNode, and a ClientSideScriptingNode, which allows JavaScript to be delivered down to the client machine.
