Adaptive and mobile biometric techniques usher in a more secure future
By Mark Diodati, Technical Director – Office of the CTO, PING Identity
Do you feel the acceleration of change in identity management? Modern identity presents many new challenges – particularly with user authentication. Two new technologies are here to stay to help address the new challenges – adaptive and mobile biometric authentication.
The good old days
Gone are the days of managing the user’s computing environment, which delivered some semblance of device security posture. Workstations were bound to a trusted Active Directory environment; Windows Group Policy delivered centralized policy management and, at times, credential management; enterprises could push the latest anti-virus scanner software to most of their devices with a mouse click. These tools aren’t as effective in this era of modern identity, which is characterized by device-anywhere access, expanded user constituencies and delegated authentication.
Device-anywhere identity access
We are now in the era of “device anywhere” access, a term that implies great heterogeneity for the user computing environment and network topology. The result is a loss of control. Devices like PCs, tablets, and smart phones have different operating systems and therefore varying security capabilities. Device ownership matters, too. There is a loss of control moving from corporate-owned laptops to COPE (corporate-owned, personally-enabled) devices, to BYOD (bring your own device).
Partner and consumer constituencies
Additional user constituencies are forcing changes to how we authenticate users. In the good old days, user constituencies with meaningful access to applications included employees and maybe contractors. Enterprises now must craft a strategy for newer constituencies like partners and consumers because they require more meaningful access to applications. And as the “distance” increases between the organization and the user constituency, fewer authentication options are possible. Smart cards or other hardware authentication methods may be tolerated by your employees and contractors but not by your partners and customers. Yet these new constituencies need an appropriate authentication method that is commensurate with their increased access.
Delegated authentication forces us to think outside the monolithic box of authentication and application access.
First, there is the pressure to leverage social network logins for access to enterprise applications. This pressure comes from all user constituencies, including employees. But the problem is one of “impedance mismatch.” Social logins alone don’t provide enough assurance for access to corporate applications, so something else is required to make them useful for the enterprise.
Second, your partners and contractors may be using a federation system to authenticate their users for connection to your applications. Federated authentications may be browser-based using the SAML protocol, or API-based using OAuth.
New school authentication techniques
Two relatively new authentication techniques can help overcome the challenges of authenticating users in the modern identity era – adaptive and local mobile biometric authentication.
Adaptive authentication – sometimes called contextual authentication – is a passive, second-factor method. Its job is to bolster the assurance level of the primary authentication method – typically passwords. In most cases, the user is unaware that adaptive authentication is occurring. It originates from the fraud detection systems used with credit cards. Credit card companies will contact the consumer when there is unusual activity that doesn’t correspond to typical transactions – either by geography, nature of items purchased or amount of transaction. Financial institutions began using commercialized adaptive authentication around 2005 to reduce fraud and comply with new guidance from the Federal Financial Institutions Examination Council.
Financial institutions are very concerned about customer experience, and despite this concern they failed on usability with early attempts to saddle U.S. consumers with hardware authenticators. In contrast, adaptive authentication happens behind the scenes, leaving users unaware of the techniques.
The system inspects device characteristics such as the device fingerprint, geolocation and IP address, matching them against blacklists. In addition, the system looks at user behavior, such as time of day, day of week, transaction amount and transaction frequency. A risk score is calculated from the device characteristics and user behavior.
Depending upon the risk score, the institution may authenticate the user a different way – sometimes called step-up authentication. The institution may opt to stop the transaction in its tracks. After a bumpy start – with excessive false rejects that annoyed both banks and customers – adaptive authentication has become ubiquitous for consumer authentication for financial transactions.
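The scoring and step-up decision described above, as an added toy example that is not from the article or any vendor product; the signal weights, thresholds, blacklist entry and the user profile are all constructed for illustration.

```javascript
// Added example: adaptive-authentication risk scoring. Weights, thresholds and
// the sample profile are constructed; a real system learns them from history.
const BLACKLISTED_IPS = new Set(['203.0.113.9']); // constructed TEST-NET address

// What the system has learned about one user from past sessions (constructed).
const aliceProfile = {
  knownDevices: new Set(['fp-a1b2']), // device fingerprints seen before
  usualCountries: new Set(['US']),    // geolocation of previous sessions
  usualHours: [7, 22],                // local hours the user is normally active
  typicalAmount: 120,                 // average transaction amount
  maxPerHour: 3,                      // typical transaction frequency
};

// Each signal that deviates from the profile adds to the score; device
// signals (blacklist, unknown device) weigh more than behavioural ones.
function riskScore(event, profile) {
  let score = 0;
  if (BLACKLISTED_IPS.has(event.ip)) score += 60;
  if (!profile.knownDevices.has(event.deviceFingerprint)) score += 30;
  if (!profile.usualCountries.has(event.country)) score += 25;
  const [start, end] = profile.usualHours;
  if (event.hour < start || event.hour > end) score += 10;
  if (event.amount > 5 * profile.typicalAmount) score += 20;
  if (event.recentCount >= profile.maxPerHour) score += 15;
  return score;
}

// Map the score to an action: let the password stand alone, step up to a
// second method, or stop the transaction in its tracks.
function decide(score) {
  if (score >= 70) return 'block';
  if (score >= 30) return 'step-up';
  return 'allow';
}

function evaluate(event, profile = aliceProfile) {
  return decide(riskScore(event, profile));
}
```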
Adaptive authentication deployments didn’t stop at banking. Financial services, retail, and social networks leverage adaptive authentication, particularly device characteristics.
The Holy Grail – raising the assurance levels of enterprise authentication systems via adaptive authentication – is an ongoing journey. Adaptive authentication systems typically rely on browser-based interactions, but enterprises want to use device identification for user logon to Active Directory. Two hurdles have precluded this use case: adaptive authentication systems require browser interaction, and the challenge of inserting an adaptive authentication system between the workstation and Active Directory is daunting.
As users become untethered from workstations, adaptive authentication becomes possible. At the same time, the new school trademarks of user access – device-anywhere, external user constituencies and delegated authentication – make adaptive authentication much more valuable for the enterprise. The result is that adaptive authentication is finding its rightful place in federation, Web access management and multi-factor solutions.
Mobile biometric authentication
When looking at the techniques that constitute adaptive authentication, it is easy to conclude that adaptive authentication is really biometric authentication. After all, it leverages device attributes and user activity and has false positives and negatives. This provides a nice segue to the next game changer – mobile biometric authentication in which the biometric match occurs locally on the device, rather than on a remote server.
The smart phone is suitable for biometric authentication because it has a variety of sensors – camera, microphone, accelerometer, touch screen and often a fingerprint scanner. The phone is almost always in the hand of the user, which overcomes a common problem associated with traditional hardware authentication.
But how can mobile biometric authentication – something that happens on the device – become useful for authentication to applications? Enter the Fast IDentity Online (FIDO) authentication standard. One of the FIDO protocols is the Universal Authentication Framework (UAF), which provides a way for mobile biometrics to transition to applications using a standards-based approach. In brief, a successful on-device authentication enables the client to authenticate to a specific application via public key technology.
Unlike smart cards with a handful of private keys for different uses, a specific private key exists for every application. Or for greater interoperability, the user can authenticate to a service that understands the FIDO system rather than relying on a specific private key for every application. After a successful authentication, the service provides credentials like SAML for browser-based sessions or OAuth access tokens for API-style transactions.
The proliferation of adaptive and mobile biometric authentication is inevitable to address the challenges associated with modern identity management. Of the two new authentication techniques, adaptive authentication will be most ubiquitous because it is a second factor. It can raise the assurance levels of primary authentication methods with minimal user friction. Mobile biometric authentication is also here to stay and can improve assurance for all user constituencies, including employees and consumers. Regardless of the authentication methods in play, they become more valuable when they can interoperate with standards-based credentials like SAML and OAuth.