Balancing usability with strong authentication
25 February, 2015
category: Corporate, Digital ID, Financial
John Zurawski, Vice President of Marketing, Authentify
There is a dichotomy between the authentication practices of an employee and those of the consumer or home user. An employee is influenced by a paycheck and by the corporate IT department: as long as they are being paid, the IT department specifies and directs the type and strength of authentication the employee is required to use.
While members of the U.S. military might not enjoy carrying security tokens and Common Access Cards, they must – and they do. The Defense Department understands it is a high profile target. For wider adoption of stronger user authentication practices, businesses of all sizes, as well as consumers, must realize that they too are potential targets.
Broad, general hacks initiated by an individual are often highly automated. Computers don’t get tired or take vacations. A computer can be set up to sniff networks and potentially operate 24×7, and it is indiscriminate about the size of the company at which it finds a weak spot. The discovery and aftermath of the Heartbleed SSL vulnerability offers proof of this point. Once a patch was available and the vulnerability made public, hackers targeted the vulnerability. Firms that were not fast enough in patching the weakness quickly became victims. The search and exploit effort was initiated by humans, but the execution was computer driven.
When all companies accept that they are targets, as well as potential gateways to other targets, they will understand stronger user authentication as a fact of life in totally connected commerce.
For some small to mid-sized businesses, cost or a lack of expertise might be a barrier to using strong authentication practices. These businesses should recognize that cloud-based authentication services, or security as a service, are both usable and affordable, especially when measured against the alternative of suffering a costly breach. Security as a service is also managed and protected by security professionals that a small business might not otherwise be able to afford, which makes these services more resistant to attack than average.
Poor password practices and poor employee Internet hygiene are among the other onerous security problems that make strong authentication techniques very attractive. Some firms have discovered that disabling administrator privilege is an effective way to keep malware off company devices.
This restriction can prevent an .exe from installing or a registry change from being made on an end user machine. While this is strong protection, it is also a very unpopular practice with rank and file end users. Offering back some of that usability privilege in exchange for stronger authentication can be a motivator for the employee to accept it.
Consumer uptake of better or stronger authentication is a completely different story. The risk of serious financial harm is sometimes limited by statute. Without a financial incentive, it’s difficult to force a consumer to adopt strong authentication unless it’s the ONLY way to gain access to what they are after.
Another consideration in the consumer facing, transactional e-commerce world is that the user experience remains king. Security practices that contribute to a slower or cumbersome user experience are avoided in favor of behavioral analytics and risk profiling.
The wider availability of devices with biometric-compatible sensors, or wider use of app-based authenticators that take advantage of biometrics, could also spur increased usage. Unfortunately, there are still many misconceptions about biometrics, such as the belief that a breach of biometric data permanently negates the value of that biometric.
One way to achieve wider adoption of stronger authentication would be to place additional authentication steps throughout a user session. Clearing multiple hurdles simply to gain access to an online account is annoying. A username and password on a device with a properly enrolled digital certificate would be great for login. Once the user has invested time in an online session, an additional authentication step or steps would be more palatable.
For instance, a user working on a laptop or desktop could scan a QR code displayed onscreen with a secondary mobile device. A user working on a mobile device could speak a confirmation phrase or perform a gesture swipe. Either step could be added to the workflow without adversely impacting the user experience.
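The pattern described above is usually called step-up authentication: a cheap check at login, with a stronger out-of-band check demanded only when the session reaches a sensitive action. The following Python is an added illustration written for this page, not code from the article or from Authentify. The assurance-level names, the action table, the time limits and the nonce-as-QR-code convention are all assumptions chosen for the example; a real deployment would take them from policy.

```python
"""Step-up authentication policy: cheap login, stronger check only for sensitive actions.

Added example (not from the article). Assumes a session record that tracks the
assurance level reached so far plus one short-lived out-of-band challenge.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Assurance levels a session can reach (constructed names, not a standard).
LEVEL_PASSWORD = 1      # username + password on a device with an enrolled certificate
LEVEL_OUT_OF_BAND = 2   # confirmed on a second device (QR scan, spoken phrase, ...)

# Which actions need which level: viewing is cheap, changing or moving things is not.
REQUIRED_LEVEL = {
    "view_balance": LEVEL_PASSWORD,
    "update_address": LEVEL_OUT_OF_BAND,
    "transfer_funds": LEVEL_OUT_OF_BAND,
}

CHALLENGE_TTL_SECONDS = 120    # an unanswered out-of-band challenge expires quickly
STEP_UP_VALID_SECONDS = 600    # the elevated level decays back to password level


class StepUpRequired(Exception):
    """Raised when an action needs a stronger check than the session currently has."""


@dataclass
class Session:
    user: str
    level: int = LEVEL_PASSWORD
    elevated_at: float = 0.0                     # when LEVEL_OUT_OF_BAND was reached
    pending_challenge: Optional[dict] = None     # {"nonce": str, "issued": float}


def new_session(user: str) -> Session:
    """Login with password (and enrolled device certificate) already succeeded."""
    return Session(user=user)


def current_level(s: Session, now: float) -> int:
    """Elevated assurance is time-boxed; fall back to password level when it ages out."""
    if s.level > LEVEL_PASSWORD and now - s.elevated_at > STEP_UP_VALID_SECONDS:
        s.level = LEVEL_PASSWORD
    return s.level


def start_challenge(s: Session, now: float) -> str:
    """Issue a one-time nonce; the UI would render it as a QR code for the phone."""
    nonce = secrets.token_urlsafe(16)
    s.pending_challenge = {"nonce": nonce, "issued": now}
    return nonce


def complete_challenge(s: Session, presented: str, now: float) -> bool:
    """The second device sends the nonce back; accept it once, and only while fresh."""
    ch = s.pending_challenge
    s.pending_challenge = None  # single use whatever the outcome
    if ch is None or now - ch["issued"] > CHALLENGE_TTL_SECONDS:
        return False
    if not hmac.compare_digest(ch["nonce"], presented):  # constant-time compare
        return False
    s.level = LEVEL_OUT_OF_BAND
    s.elevated_at = now
    return True


def authorize(s: Session, action: str, now: float) -> str:
    """Allow the action or demand a step-up; the caller then drives start/complete."""
    needed = REQUIRED_LEVEL[action]
    if current_level(s, now) < needed:
        raise StepUpRequired(action)
    return f"{action} allowed for {s.user}"


if __name__ == "__main__":
    import time
    s = new_session("alice")
    print(authorize(s, "view_balance", time.time()))
    try:
        authorize(s, "transfer_funds", time.time())
    except StepUpRequired as e:
        print("step-up needed for", e)
        nonce = start_challenge(s, time.time())
        print("phone scanned QR:", complete_challenge(s, nonce, time.time()))
        print(authorize(s, "transfer_funds", time.time()))
```

The two timers are the usability lever the article is talking about: a long `STEP_UP_VALID_SECONDS` means one hurdle covers a whole batch of sensitive work, while a short `CHALLENGE_TTL_SECONDS` and single-use nonces keep an unanswered or replayed challenge from being accepted later.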
Another potential way to accelerate adoption among consumers is to create online loyalty programs in which consumers are rewarded for clearing stronger authentication: “use multi-factor authentication and build your trust profile to receive a 10% discount,” or other award points. For a number of years, eBay has offered an additional buyer or seller ranking “star” in exchange for an out-of-band authentication of a phone associated with the account.
In a best case scenario for any segment, business or consumer, advanced authentication would be used more frequently if it were automatic, fast and a seamless part of completing the task at hand. Ultimately the need for better authentication may become clear to consumers as the drive to connect home appliances, entry doors, and heating and cooling systems to the Internet of Things advances. It is one thing to discover an intruder has breached your email account. It’s something else entirely to find them in your home.
About the AVISIAN Publishing Expert Panel
At the close of each year, AVISIAN Publishing’s editorial team selects a group of key leaders from various sectors of the market to serve as Expert Panelists. Individuals are asked to share their unique insight into different aspects of the campus card market. During the months of December, January and February these panelists’ predictions are published at SecureIDNews.