Conditional Authentication #200

Open
apapaa opened this issue Sep 15, 2023 · 0 comments
apapaa commented Sep 15, 2023

Note: all sections are required.

Credential Hardening > Conditional Authentication

The name should indicate which digital artifacts are in play, and what actions are applied to those artifacts.

OR
Credential Hardening > Contextual Authentication
Credential Hardening > Conditional Access

Digital Artifacts

What are the relevant D3FEND Digital Artifacts to this new technique, please propose new artifacts if you cannot find them in D3FEND.

d3f:Credential
d3f:UserBehavior
d3f:HardwareDevice
d3f:PhysicalLocation
d3f:UserInterface

Definition

One or two sentence definition in the style of other d3fend techniques.

Conditional authentication considers the context in which a specific transaction occurs. A decision is made to either allow or deny an authentication action based on these contextual elements and their compliance with the organisation's policy.

How it works

Section explaining how the technique works.

When a user or device authenticates, it does so within a specific context - a specific application or browser is used, from a network located in a specific country at a particular time of day, for example. This technique differs, however, from the UEBA techniques that detect contextual anomalies in the normal pattern of behaviour. Rather, conditional authentication is granted based on predefined policies put in place by the organisation with the aim of making their attack surface smaller. An organisation may decide that authentication requests outside of their home country should be denied, regardless of any other factor.

Considerations

What should people know about this technique, pros/cons, pitfalls etc.

  • Conditional authentication is a key decision element in Zero Trust Architectures. Since ZTA is a set of principles, vendors tend to implement conditional authentication in different ways with varying levels of maturity and capability.
  • Restrictive conditional authentication policies may impede legitimate business requests. Before enforcing policies where authentication is denied if the conditional checks fail, policy rules should first be switched on in monitoring mode so that administrators can determine their effectiveness.

References

High quality publicly available technical documents.

https://en.wikipedia.org/wiki/Conditional_access
https://learn.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-zero-trust

netfl0 added this to the 1.0.0 milestone Apr 26, 2024
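
An added example, not part of the issue above or of D3FEND: a minimal policy evaluator that applies the home-country rule from "How it works" in enforce mode next to a second rule in monitoring mode, as the Considerations recommend, and counts how many currently allowed requests the monitored rule would block. The field names, the managed-device rule, the country codes and the sample requests are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Context:
    """Context of one authentication request (field names are hypothetical)."""
    user: str
    country: str          # country code resolved from the source IP upstream
    managed_device: bool  # device is enrolled with the organisation

@dataclass(frozen=True)
class Policy:
    name: str
    condition: Callable[[Context], bool]  # True when the context complies
    enforce: bool                         # False = monitoring mode

HOME_COUNTRY = "NL"  # constructed value

POLICIES = [
    Policy("home-country-only", lambda c: c.country == HOME_COUNTRY, enforce=True),
    Policy("managed-device-only", lambda c: c.managed_device, enforce=False),
]

def decide(ctx, policies=POLICIES):
    """Return (allowed, denied_by, would_deny); any failed enforced policy denies."""
    # Failed monitoring-mode policies are reported but never block the request.
    failed = [p for p in policies if not p.condition(ctx)]
    denied_by = [p.name for p in failed if p.enforce]
    would_deny = [p.name for p in failed if not p.enforce]
    return (not denied_by, denied_by, would_deny)

def monitoring_impact(contexts, policies=POLICIES):
    """Count currently allowed requests that each monitored policy would block."""
    impact = {p.name: 0 for p in policies if not p.enforce}
    for ctx in contexts:
        allowed, _, would_deny = decide(ctx, policies)
        if allowed:
            for name in would_deny:
                impact[name] += 1
    return impact

# Constructed sample requests; credentials are assumed already verified.
SAMPLE = [Context("alice", "NL", True), Context("bob", "NL", False),
          Context("carol", "BR", True), Context("dave", "BR", False)]

if __name__ == "__main__":
    for ctx in SAMPLE:
        print(ctx.user, decide(ctx))
    print("monitoring impact:", monitoring_impact(SAMPLE))
```

The impact count is the figure an administrator would review before switching a monitored policy to enforce.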