BIO-key Blog

Ask Christopher – Contextual Authentication Security

Written by Christopher Perry | Apr 12, 2021 6:00:00 PM

I’m going to be very frank: a LOT of questions come through the support team here at PistolStar, Inc. That’s not a bad thing – in fact, I love it!  Questions keep me going, and I like to see what customers and prospects can come up with.  A good ‘stumper’ goes a long way!  Moving forward, I will be taking a look at the most popular or frequent questions that come through the support desk, and writing about them in a bit more detail.

These questions will range from simple user interface questions to the nitty-gritty curious integrations that keep life interesting. So, now that we are here, let’s start with an oldie but a goodie:

 

The Question

“How can we add extra security for users accessing our resources from off of the network without upsetting our on-network users?”

 

The Answer

If you are reading our newsletter you may already know the answer, but I’ll go ahead and give it to you again just in case.

PortalGuard’s contextual authentication allows administrators to configure varying security requirements for users based on where they are when they access the network resources.

For example, user Jdoe123 works diligently at the office from 9-5. He only ever has to input his username and password once to access all work-related resources. It is simple, straightforward, and helps him get his job done. At 7:30, while at home, Jdoe123 realizes that he needs to access his corporate files. Upon navigating to the corporate website, he realizes that this access is allowed, but with a new caveat: he’s asked for his username and password along with a One-Time Passcode. Since Jdoe123’s source IP address comes from off-network, he’s required to undergo Two-Factor Authentication to securely verify his identity.

 

Gimme the Details

Now you know the basics, but let’s be honest: that’s not all that fun. Sure, you know that adding extra security for external accounts CAN work, but how does contextual authentication work, exactly?

 

Give me a second, alright? I’m getting to that part!

 

Contextual Authentication - It’s All About the Context

With the PortalGuard Authentication Provider, Contextual Authentication pairs perfectly with Two-Factor Authentication. Specifically speaking, PortalGuard looks at the IP Address of the incoming authentication request and uses that to make intelligent decisions.

In the case of Jdoe123, PortalGuard references a pre-determined "white list" of IP Address ranges and requires Two-Factor Authentication because Jdoe123 is trying to authenticate from an IP Address outside of that range.

When it comes to adding security during a login, context is key. Sure, you can always go the all-or-nothing route and just make everyone use Multi-Factor Authentication, but that can be a nightmare. If your authentication source looks at the context of that login, it becomes much more straightforward and usable to dynamically increase or decrease security requirements.

 

Contextual Authentication is not limited to just IP Addresses. Through PortalGuard, it is possible to make decisions based on IP addresses, date/time ranges, and even geolocation. If you want to get real fancy, you can use a combination of those as well!
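To make the decision concrete, here is a small added sketch of an IP-range check combined with a time window. It is not PortalGuard's code or configuration: the function names, the documentation address ranges and the 9-to-5 window are assumptions, and combining the two conditions with AND is just one possible policy.

```python
import ipaddress
from datetime import datetime, time

# Assumed values for illustration: documentation address ranges and office hours.
TRUSTED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("192.0.2.0/24", "2001:db8:10::/48")]
OFFICE_HOURS = (time(9, 0), time(17, 0))


def on_network(source_ip: str) -> bool:
    """True only if source_ip parses and falls inside a trusted range.

    source_ip should be the address the server itself observed (or one set by
    a proxy you control), not a value taken from a client-supplied header.
    """
    try:
        addr = ipaddress.ip_address(source_ip.strip())
    except ValueError:
        return False  # unparsable address: treat as off-network (fail closed)
    # An IPv4 client can show up as ::ffff:a.b.c.d on a dual-stack listener.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net
               for net in TRUSTED_NETWORKS)


def required_factors(source_ip: str, when: datetime) -> list[str]:
    """Password alone on-network during office hours; otherwise add an OTP."""
    start, end = OFFICE_HOURS
    in_hours = start <= when.time() < end
    if on_network(source_ip) and in_hours:
        return ["password"]
    return ["password", "otp"]


if __name__ == "__main__":
    # Constructed sample logins: (source address, local time of the request).
    samples = [("192.0.2.44", datetime(2021, 4, 12, 10, 0)),
               ("198.51.100.7", datetime(2021, 4, 12, 19, 30)),
               ("garbage", datetime(2021, 4, 12, 10, 0))]
    for ip, when in samples:
        print(ip, when.time(), required_factors(ip, when))
```

Anything the check cannot positively place on a trusted range, including a malformed address, falls through to the stricter requirement.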

 

Interested in learning more about contextual authentication? Feel free to download our tech brief here

 

 

Final Thoughts

Security is important. Authentication security in the evolving digital market is arguably even more important. It’s easy to take these requirements too seriously, but you can always have a little fun if you know where to look. Contextual Authentication is no different: All the benefits of added security, with even more benefits of usability and flexibility.

 

 

 

 

Christopher R. Perry is a Senior Technical Support Representative here at BIO-key, Inc. He takes time to answer the most common questions that customers and prospects bring to the PortalGuard Support Team. His column, Ask Christopher, is featured in our Customer Quarterly Newsletter.