Knowing who’s on the other side of an online conversation isn’t easy. Sure, everyone learns early on that strong user authentication combines at least two of something you know, something you have and something you are, but getting people to use those techniques isn’t as simple as security pros would like.
Employees and consumers aren’t always excited to use high-assurance security technologies. One of the biggest obstacles is usability, Gartner says, and vendors are starting to recognize this.
Examples abound in the company’s recent “Magic Quadrant for User Authentication” report. Author Ant Allan notes that bring-your-own-device demands are forcing vendors to change their products and services in response. Users want sign-in to be as easy as using any other app on consumer phones. A swipe here, a PIN there is about all most are willing to do.
“The desire is for an authentication methodology – say a mobile app – that provides the right level of trust and doesn’t reduce the user experience,” Allan says.
Companies that made physical authentication tokens thrived for years knowing that their target market was smart, security-minded technicians. These users would put up with reading a one-time password off a somewhat cumbersome keyfob and typing it in on demand.
That market still exists, but the number of people who need a secure way to sign in has exploded. Vendors, in response, are making it easier not just to “know,” but to “have” and, even “be” something that can be used for authentication.
The “have” side is simple enough. Instead of sticking with the traditional plastic token that generates passwords on the fly, companies such as RSA and Symantec have responded with soft tokens that reside on smartphones or almost any digital device, PCs, laptops and tablets included, Allan explains. The switch brings several benefits. For one, soft tokens are much cheaper to issue. For another, they are familiar and easy to use. They also live on something people carry all the time, the very device they use to reach the network. That convenience carries a cost a practitioner should weigh: when the token and the browser share a device, malware on that device can harvest both the password and the one-time code, so the two factors are no longer independent.
Contextual factors, location especially, will be increasingly important in the next few years, Allan says. Location is popular because virtually every smartphone carries the sensors (GPS, cellular and Wi-Fi positioning) to report it. More important is what the location says about a user. While home and office may be widely known, an individual’s daily pattern of movement can seldom be predicted well enough to spoof reliably, so location-based checks keep raising an attacker’s cost over the long term. The practitioner’s caveat is that the location is reported by the client: a rooted phone or an emulator can fake GPS coordinates at will, so location should be corroborated (for example against the IP address’s geolocation and the time elapsed since the last sign-in) and weighed as one signal among several rather than trusted as a gate on its own.
Biometrics such as face, iris and fingerprint are well known, but behavior-based biometrics is emerging, too. Almost any physical motion related to device use can be tracked, from the way we type on our phones, tablets and keyboards to the way we go from one screen to the next. Users can invent their own gestures for shaking devices, if they like. Once identified, these behaviors can then be used for future authentication.
All of this eventually turns into math, just like previous methods. The difference, however, lies in the depth of defense. “If you have a legacy method, you have a specific credential that you are connecting to a user,” Allan says. “If you are doing contextual authentication, you don’t have any one piece of info that is strong by itself. Having multiple pieces of information together adds up to give you an overall score. It’s rather like having a bundle of sticks instead of a single branch.”
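The three paragraphs above (location context, behavioral biometrics, and the “bundle of sticks” score) describe one mechanism, so here is a single added example of the math, written for this page and not taken from Gartner or any vendor. It folds four weak signals into a risk score: impossible travel between the last accepted sign-in and this one, an unfamiliar device, an unusual hour, and a typing-rhythm deviation. The weights, thresholds, 1000 km/h travel ceiling and the three-way allow / step-up / deny outcome are this example’s own assumptions, and every profile and attempt is constructed test data.

```python
import math
from dataclasses import dataclass
from typing import List, Set, Tuple

# Assumption: no legitimate user covers ground faster than an airliner.
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two WGS-84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


@dataclass
class Profile:
    """What the service has learned about one user from earlier accepted sign-ins."""
    known_devices: Set[str]
    usual_hours: Set[int]      # local hours of day the user normally signs in
    last_lat: float
    last_lon: float
    last_ts: float             # Unix seconds of the last accepted sign-in
    typing_mean_ms: float      # mean inter-keystroke interval seen in earlier sessions
    typing_std_ms: float       # its standard deviation (the behavioral-biometric baseline)


@dataclass
class Attempt:
    """Signals gathered at the moment of a new sign-in."""
    lat: float
    lon: float
    ts: float
    device_id: str
    hour_local: int
    typing_mean_ms: float


def score_attempt(a: Attempt, p: Profile) -> Tuple[int, str, List[str]]:
    """Return (risk points, decision, reasons). No single signal is decisive on its own."""
    risk, reasons = 0, []

    # Location context: distance since last sign-in versus time elapsed.
    km = haversine_km(p.last_lat, p.last_lon, a.lat, a.lon)
    hours = max((a.ts - p.last_ts) / 3600.0, 1.0 / 60.0)   # floor at one minute, never divide by zero
    if km / hours > MAX_PLAUSIBLE_KMH:
        risk += 50
        reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    elif km > 500:
        risk += 15
        reasons.append(f"far from last location: {km:.0f} km")

    # Device familiarity ("something you have", observed rather than enrolled).
    if a.device_id not in p.known_devices:
        risk += 30
        reasons.append(f"unknown device {a.device_id}")

    # Time-of-day habit.
    if a.hour_local not in p.usual_hours:
        risk += 10
        reasons.append(f"unusual hour {a.hour_local:02d}:00")

    # Behavioral biometric: how far this session's typing rhythm sits from the baseline.
    if p.typing_std_ms > 0:
        z = abs(a.typing_mean_ms - p.typing_mean_ms) / p.typing_std_ms
        if z > 3:
            risk += 25
            reasons.append(f"typing rhythm {z:.1f} sd from baseline")
        elif z > 2:
            risk += 10
            reasons.append(f"typing rhythm {z:.1f} sd from baseline")

    if risk < 30:
        decision = "allow"
    elif risk < 60:
        decision = "step_up"     # ask for a second factor, e.g. a one-time code
    else:
        decision = "deny"
    return risk, decision, reasons


# Constructed sample data: a London-based user whose last sign-in was from the office phone.
LONDON = (51.5074, -0.1278)
NEW_YORK = (40.7128, -74.0060)
T0 = 1_700_000_000
PROFILE = Profile({"phone-a1"}, set(range(8, 19)), LONDON[0], LONDON[1], T0, 180.0, 25.0)

CLEAN = Attempt(LONDON[0], LONDON[1], T0 + 3600, "phone-a1", 10, 185.0)
NEW_DEVICE = Attempt(LONDON[0], LONDON[1], T0 + 3600, "laptop-z9", 10, 185.0)
# Same account, one hour later, from New York, on a new device, at 03:00, typing very differently.
TAKEOVER = Attempt(NEW_YORK[0], NEW_YORK[1], T0 + 3600, "laptop-z9", 3, 310.0)

if __name__ == "__main__":
    for name, attempt in (("clean", CLEAN), ("new device", NEW_DEVICE), ("takeover", TAKEOVER)):
        print(name, score_attempt(attempt, PROFILE))
```

The point of the weights is the one Allan makes: a new laptop on its own only earns a step-up prompt, and so does an implausible hop on its own, because either can have an innocent explanation (a new purchase, a phone reporting a cached fix). It is the pile of sticks together that crosses the deny line. In production the weights would be learned from labelled sign-in history rather than hand-set, and the location signal would be cross-checked against the connection’s IP geolocation for the reason given above.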
Recent attacks against infrastructure of all sorts suggest the security business should be booming. That’s true up to a point: Companies that specialize in incident response, for instance, claim to be turning customers away because they cannot keep up with demand. Authentication specialists, on the other hand – the folks on the front line where attacks should have been stopped in the first place – report that their business is growing but not at the same rate.
Overall, Gartner estimates perhaps 20% growth in user volume for 2013, but only 10% growth in revenues due to the increased use of lower-cost cloud and soft-token solutions.
Hackers aren’t standing still. They have already compromised at least one (now remedied) one-time password algorithm and are working on a host of others. They could keep at it, but browser-in-the-middle (man-in-the-browser) attacks are growing, Allan says, because they are easier to execute than many authentication hacks. The reason is worth spelling out: a one-time password, however well generated, proves only that the user was present at sign-in. Malware lodged in the browser simply waits for that step to succeed and then rides the authenticated session, altering or injecting transactions, so it sidesteps the authenticator rather than breaking it.