Enterprises take aim at the unpopular, hard-to-kill authenticator
11 June, 2014
category: Biometrics, Corporate, Digital ID, Financial, Government, Health, Smart Cards
As it stands, companies aren’t willing to accept social login credentials for access, Maler says. “Financial institutions don’t trust anyone else,” she adds.
Still, many enterprises are laying the groundwork for these federated models by implementing single sign-on systems that enable access to devices as well as traditional and cloud-based networks, says Garret Grajek, chief technology officer at SecureAuth.
But these privacy-enhancing, convenient and more secure identity systems don’t exist for the masses.
A glimpse at the future
Discussions around companies becoming identity providers have emerged as a possible solution. Consumers would pay a fee, undergo some type of identity vetting and then receive a high-assurance credential that could be used to provide identity online.
Relying parties – banks, retailers and government sites – would then accept the credentials for access. This is a vision for the identity ecosystem of the future. “The identity provider becomes high touch through single sign-on and the users and relying parties benefit,” Maler says.
There are many obstacles to realizing this future identity model but one of the largest is liability. Who is liable if an individual’s credential is fraudulently used or if a credential is given to the wrong person? Maler suggests looking at the payment card market as a model. “Companies outsource liability for payment data so it may also be viable for identity data,” she explains.
Another type of authentication model
Consumers and employees are accustomed to doing certain things in order to gain access to mobile devices, computers, networks or cloud resources. Sometimes it may be as simple as a user name and password, but other times it might involve entering a one-time passcode from a token or smart phone app. In other cases it might even involve a smart card or a biometric.
The growth of mobile is pushing in a new direction as these prior approaches have proved to be less suited for handsets and tablets. Providers are exploring risk-based and adaptive authentication technologies. “Authentication shouldn’t be tied to any one modality,” says Grajek. “It should be abstracted and then you determine what you want to do.”
This adaptive authentication model is what SecureAuth is providing, offering 21 different methods of authentication. Consumers or employees would enroll into a system and choose the type of authentication they would like to have available. Upon returning to that system, and depending on the transaction, the relying party would prompt for some type of authentication based on the risk. “If you determine that someone you know in the U.S. is trying to access information from a device in China then you would prompt for the higher levels of authentication,” Grajek explains.
CA’s Sirota concurs that risk-based analytics and the use of “big data” will increase for authentication events. “In the background you’ll have continuous monitoring of who is accessing what information,” he says. “Analytics will churn and determine how to challenge users and present them with a secondary challenge if necessary.”
The advancement of these analytic-based systems could eventually be the nail in the coffin of passwords, says Cowper. “They don’t put a lot of validity in the password itself, the validation comes from the user’s behavior,” he says.

The risk-based step-up that Grajek and Sirota describe above, reduced to working code as an added example (this is not SecureAuth's or CA's code, and the signals, weights and thresholds are constructed for illustration): the relying party scores the context of an access attempt against what it learned at enrollment, then chooses the challenge to present.

```go
package main

import "fmt"

// AssuranceLevel is the strength of authentication the relying party
// demands for one request. The names are this example's own.
type AssuranceLevel int

const (
	LevelPassword AssuranceLevel = iota // single factor
	LevelOTP                            // password plus one-time passcode
	LevelStrong                         // smart card, biometric or device-bound key
)

func (l AssuranceLevel) String() string {
	switch l {
	case LevelPassword:
		return "password"
	case LevelOTP:
		return "password+otp"
	default:
		return "strong"
	}
}

// Profile is what the system learned about the user at enrollment:
// the country they normally log in from and the devices they registered.
type Profile struct {
	HomeCountry       string
	RegisteredDevices map[string]bool
}

// Request is the context observed when an access attempt arrives.
type Request struct {
	User           string
	Country        string
	DeviceID       string
	HighValueTxn   bool // e.g. a transfer rather than a balance lookup
	RecentFailures int  // failed attempts on this account in the last window
}

// RiskScore sums simple, explainable signals. The weights are constructed
// for this example; a production engine would tune them from its own data.
func RiskScore(p Profile, r Request) int {
	score := 0
	if r.Country != p.HomeCountry {
		score += 40 // geography differs from the user's usual location
	}
	if !p.RegisteredDevices[r.DeviceID] {
		score += 30 // device was never enrolled
	}
	if r.HighValueTxn {
		score += 20
	}
	if r.RecentFailures >= 3 {
		score += 20
	}
	return score
}

// RequiredLevel maps a risk score to the challenge the relying party presents.
func RequiredLevel(score int) AssuranceLevel {
	switch {
	case score >= 60:
		return LevelStrong
	case score >= 30:
		return LevelOTP
	default:
		return LevelPassword
	}
}

// Decide is the step the article describes: compute risk, then pick a challenge.
func Decide(p Profile, r Request) AssuranceLevel {
	return RequiredLevel(RiskScore(p, r))
}

func main() {
	profile := Profile{HomeCountry: "US", RegisteredDevices: map[string]bool{"laptop-01": true}}
	// Constructed sample requests: a routine login and Grajek's "known U.S. user, device in China" case.
	routine := Request{User: "alice", Country: "US", DeviceID: "laptop-01"}
	abroad := Request{User: "alice", Country: "CN", DeviceID: "phone-99", HighValueTxn: true}
	fmt.Println("routine:", Decide(profile, routine))
	fmt.Println("abroad :", Decide(profile, abroad))
}
```

The point a defender wants from this layout is that every signal is additive and named, so when a user is pushed to a stronger challenge the decision can be logged and explained; the same structure also lets a monitoring job re-score sessions continuously rather than only at login, which is the "background" analysis Sirota refers to.
<test>
func TestDecide(t *testing.T) {
	p := Profile{HomeCountry: "US", RegisteredDevices: map[string]bool{"laptop-01": true}}
	if Decide(p, Request{Country: "US", DeviceID: "laptop-01"}) != LevelPassword {
		t.Fatal("routine login should need only a password")
	}
	if Decide(p, Request{Country: "US", DeviceID: "phone-99"}) != LevelOTP {
		t.Fatal("unregistered device should step up to OTP")
	}
	abroad := Request{Country: "CN", DeviceID: "phone-99", HighValueTxn: true}
	if RiskScore(p, abroad) != 90 {
		t.Fatal("unexpected score")
	}
	if Decide(p, abroad) != LevelStrong {
		t.Fatal("foreign unregistered device on a high-value transaction should need strong auth")
	}
	if LevelOTP.String() != "password+otp" {
		t.Fatal("bad level name")
	}
}
</test>
Mobile brings more concerns
Mobile adds yet another layer of complexity to the fold. In the enterprise world, the employee isn’t always sitting in an office at the same computer to access resources. Sometimes they’re on a laptop in a hotel, sometimes using a smart phone and increasingly, a tablet. Device authentication is an option, but all possible devices need to be registered before they can be recognized.
Loading digital certificates on to each device is one solution, but they have to be properly managed, says Authentify’s Zurawski. “The use of digital certificates is growing, but issuing, managing and protecting them are the keys to a successful implementation,” he explains.
The increased use of tablets and smart phones is another reason passwords must either be simplified or abandoned, says Sirota. “Passwords are more difficult to enter on mobile devices,” he says.
Nok Nok Labs is working with companies to enable the authentication to take place on the mobile device. It might use a password still – in combination with other strong authentication techniques – but instead of that information being stored in a database somewhere, everything would be stored on a secure element in the consumer’s laptop, tablet or mobile phone, Cowper says.
If the strong authentication is first handled by an individual’s device, subsequent authentication requests can be transmitted to the specific service using an encrypted digital certificate, he says. The problem of numerous, complicated passwords is no more.
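The device-centred model Cowper outlines, as an added example that is not Nok Nok Labs' code: the user's device holds a private key (standing in for the secure element), the service stores only the matching public key, and each login is a fresh challenge signed on the device, so the service never holds a password database. Service and user names are constructed, and the signed challenge plays the role of the "encrypted digital certificate" the article mentions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device models the user's handset: the private key never leaves it.
// In a real deployment it would live in a secure element; here it is a field.
type Device struct {
	priv *ecdsa.PrivateKey
}

// NewDevice generates the device-bound key pair at enrollment.
func NewDevice() (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: k}, nil
}

// PublicKey is the only thing the device hands to the service at registration.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Sign answers a challenge. Hashing the service name together with the nonce
// binds the signature to one site, so it cannot be replayed to another.
func (d *Device) Sign(service string, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(append([]byte(service+"|"), challenge...))
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Service is the relying party. It stores public keys, never passwords.
type Service struct {
	Name    string
	keys    map[string]*ecdsa.PublicKey // user -> registered public key
	pending map[string][]byte           // user -> outstanding challenge
}

func NewService(name string) *Service {
	return &Service{Name: name, keys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// Register records the device's public key for a user (the enrollment step).
func (s *Service) Register(user string, pub *ecdsa.PublicKey) { s.keys[user] = pub }

// Challenge issues a fresh random nonce; a new one is minted for every attempt.
func (s *Service) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Verify checks the signed challenge and consumes it so it cannot be replayed.
func (s *Service) Verify(user string, sig []byte) error {
	pub, ok := s.keys[user]
	if !ok {
		return errors.New("unknown user")
	}
	nonce, ok := s.pending[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.pending, user) // single use
	digest := sha256.Sum256(append([]byte(s.Name+"|"), nonce...))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Login runs one complete exchange: challenge from the service, signature from the device.
func Login(s *Service, user string, d *Device) error {
	nonce, err := s.Challenge(user)
	if err != nil {
		return err
	}
	sig, err := d.Sign(s.Name, nonce)
	if err != nil {
		return err
	}
	return s.Verify(user, sig)
}

func main() {
	dev, _ := NewDevice()
	bank := NewService("bank.example") // constructed service name
	bank.Register("alice", dev.PublicKey())
	fmt.Println("login error:", Login(bank, "alice", dev)) // nil on success
}
```

Two properties carry the security argument: a breach of the service's store yields only public keys, and because each nonce is consumed on verification and the service name is folded into the signed digest, a captured response is useless both for a second login and against a different site. Zurawski's caveat about managing credentials still applies: losing the device, or a device whose key store is not protected, is the new failure mode to plan for.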
What’s next?
Any innovation in mobile authentication is likely to extend across the enterprise, impacting all use cases. This makes the mobile arena a key area to watch.
Additionally, risk-based and adaptive authentication schemes are starting to take root in corporate enterprise, as Grajek points out. “Enterprises will solve it first, make it work and then share the standards and protocols with the consumer markets,” he explains.
Eventually some sort of multi-factor authentication scheme will be second nature for consumers logging on to sites as well as employees using corporate resources. The key is making it easy to use. “We all need two-factor authentication, but if it becomes too onerous we’ll find a way to get around it,” Grajek explains.
Just like we did passwords.