Table of Contents

Hot Topics at Gartner® IAM Summit 2022: CAT Chases the Tail of ATO Fraud

Gartner VP Analyst Paul Furtado kicked off his talk with a reality check: it’s been 948 days since the Gartner Identity & Access Management Summit was last held in the US in person. During the pandemic, many of us attended events online. In some ways, it was easier (no flight delays), but the fear of missing out (FOMO) made virtual events more difficult.

In person, you see a booth that catches your eye and hear others raving about a great talk, a cool demo or bombdiggity chachkies. Our t-shirts emblazoned with “P@s$wordzSuck!” seemed to resonate. When you’re physically in the mix, you pick up on details — amid the full context.

I emphasize “context” because it was a hot topic at Gartner IAM. I’ll explain in this article why context-aware security is so important when it comes to protecting customer accounts and improving the user experience. Gartner has been talking about this concept for 10 years, but its vision, terminology and recommendations are evolving. I’ll get to that, but first, let’s talk about the elephant in the conference hall.

ATO fraud is booming

The opportunistic rise in account takeover (ATO) fraud that surged with the pandemic continues to plague us. After all, our habits have changed. One speaker noted more of us are buying cars online, so what’s to stop a fraudster from buying a Ferrari? The increasing audacity and complexity of fraud were mentioned, or covered in depth, in most sessions.

An ID proofing vendor said their analytics show identity fraud rates have climbed 44% since 2019. Other stats revealed the sheer volume of account-based identity fraud. According to an IAM vendor, companies saw 1 billion known ATO attempts in 2020 alone.

Another speaker charted the evolution of ATO, which historically tracked along a typical work week, Monday through Friday, with a notable peak in fraud on Tuesdays. Fun fact: Tuesdays are the day all of us are most productive. What’s new is fraudsters are now “productive” seven days a week, 24 hours a day.

Holes in your authentication strategy

If account fraud is so successful, it stands to reason IAM security is not. Gartner’s Paul Furtado said, in his talk, “State of User Authentication, 2022,” spoke about the issue that authentication is riddled with security holes. In sum:

  1. Passwords are completely insufficient
  2. Account recovery has emerged as a big vulnerability
  3. Email and SMS OTPs are increasingly attacked
  4. Exceptions are made for “fringe” use cases

The bad guys are leveraging the security we put in place to launch their attacks. An exception when using passwordless authentication, for example, may involve falling back to a password to bind a new device. If you use passwords at all, you’re still vulnerable.

Full context: continuous adaptive trust (CAT)

It’s clear we need stronger account protection, but adding friction is bad for business. This is where “context” enters the conversation. Continuous adaptive trust (CAT) requires real-time risk and trust assessments that discern known good behavior vs. bad behavior in the context of the full user journey and all that we know.

In a session on CAT, Gartner Senior Director Analyst David Chase explained, “…we can use context-aware attributes and try to balance the signals to make our access decisions at runtime [for] trust elevation or even mitigation techniques.” Less friction and better security is the goal.

Chase said, “Adaptive approaches can improve your user experience. If the credence in the [user’s] identity keeps going up and up, I don’t need to interfere with their day; I can let them continue what they are doing and accessing applications. But I can add friction to the user journey if its determined that it’s necessary by the amount of risk…if they enter a new password or user is in the ‘forgot my password’ flow, they suddenly appear in a new location with a new IP address…”

Paul Furtado’s talk also led to CAT as the ultimate solution with great outcomes: “By 2025, organizations that embrace a CAT approach will reduce ATO and other identity risks by 30% and improve authentication UX by reducing prompts by a factor of 20.”

Orchestration: the lynchpin

CAT sounds like a cure-all, right? Continuous adaptive risk and trust assessment (CARTA), an earlier iteration of this concept, sounded equally brilliant. So let’s get on with it! But some experts are saying CAT is still “aspirational” because it requires highly sophisticated orchestration to pull all the pieces together and make decisions in runtime.

But wait, Transmit Security does that! We’ve been doing orchestration and context-aware security since 2016. The only thing missing are the buzzwords CARTA and CAT. It’s fair to say, we strongly agree with their assessments of CAT, except the aspirational bit. It’s possible today!

So what is orchestration and why is it essential to CAT? To assess trust within the full context of all that’s happening, you need to apply machine learning to evaluate the data, score the level of risk and dynamically respond to activity throughout the user session.

“Reality is a little bit messy,” said Chase. “Today there are a lot of different components listed there, but the one that makes it possible is orchestration. We need something that is going to wrap these things together for us and be able to apply some intelligence as far as what you should do next.”

“So, key takeaways here?” asks Chase. “We want to look at investing in analytics that are going to allow us to create orchestration or user orchestration tools within our ecosystem to balance our enable this continuous adaptive trust. Additionally…do we need to modify how our applications are architected so that we can inject decisions at runtime rather than just that one-time authentication event.”

Chase explains, “So it becomes more and more important to look at some more tools to help us manage these in a real-time process because it’s generally not something that easily configurable through, like a tree. Are they on the right device on the network? It’s not quite as linear as that.”

Passwordless is the first step towards CAT

Furtado stated emphatically, “If [passwordless] isn’t on your roadmap, you may want to be asking yourselves, why not.” To build a strong foundation of trust, you must first authenticate your customer with confidence. The only way to do this is to eliminate passwords.

Most IAM professionals know this, which may be why our talk on passwordless was a top three trending talks at Gartner IAM. Who would want to hear about, “Rolling Out Passwordless to 200 Million Banking Clients in 160 Countries,” with Citigroup? If you missed it in person but have an all-access pass, see it on demand. Or read our blog to get the highlights.

Modernize CIAM for Your Customers

When you look at customer identity and access management (CIAM), don’t think of it as a one-time event. Consider the entire identity lifecycle, starting with registration, identity verification, authentication, account recovery and always-on risk assessments — for continuous adaptive trust (CAT) across the entire journey. See how Transmit Security Account Protection and Embedded Orchestration brings it all together.

 

GARTNER DISCLAIMER: GARTNER is the registered trademark of Gartner Inc., and/or its affiliates in the U.S. and/or internationally and has been used herein with permission. All rights reserved.

Author

  • Brooks Flanders, Marketing Content Manager

    In 2004, the same year the U.S. launched the National Cyber Alert System, Brooks launched her career with one the largest cybersecurity companies in the world. With a voracious curiosity and a determination to shed light on a shadowy underworld, she's been researching and writing about enterprise security ever since. Her interest in helping companies mitigate deceptive threats and solve complex security challenges still runs deep.

    View all posts