Identity management and authentication have long been a core aspect of information security. So let’s assume that “better authentication” means something more than passwords. Why? I’m not sure anyone is a big fan of passwords — there is a reason “password fatigue” has its own Wiki entry. IT departments usually dislike having to support large numbers of schemes and resets, and, more importantly, the usability of passwords is not great given we interact with a great deal of services online — and now mobile — and everything now needs a password.
So, if passwords are not great for users and organizations do not really want to use them, why are they so common? Historically when it came to practical implementation of “better” authentication, the ease-of-use and operational costs of alternatives became major stumbling blocks except in high-value environments.
This begs the question, will we see another decade of the status quo being passwords? That’s doubtful and I think it’s safe to say that we are in the midst of real fluctuations that will fundamentally change the way organizations handle authentication in consumer, enterprise and citizen applications.
Let’s take a look at what is propelling this change.
First, organizations are maturing their understanding of risk in legacy environments and this is being driven by the attention coming from retail breaches, nation-state cyber incidents and other high profile attacks. Together, with the operational advantages of cloud, it’s moving the focus on information security from high-security industries to the mainstream.
Second, we are also seeing consolidation in the services that organizations are offering. It’s not just in the mid-to-high risk areas that we’re seeing changes but in the broader consumer environment, cloud and social, and via applications such as Facebook Connect and Google+ — which are all now providing opportunities for password consolidation. And they’re not stopping with consolidation as each of these service providers are now starting to offer authentication options beyond passwords.
And, probably the most significant change is coming from consumerization and mobility. It’s worth stepping back and looking at consumerization — as we believe it will be a primary driver not just in the consumer environment — but will also play a major role in the digital workplace and citizen services environments.
In the consumer space, rapid changes in the mobile environment are driving significant changes in expectations. Mobile enables us to have anytime-anywhere access and personalized, real-time services — think Uber, ApplePay, Instagram, Snapchat, etc. Consumers are starting to expect a seamless experience whether online at home, on the go with mobile devices, or in a store or branch location.
This expectation is also putting pressure on enterprise environments and how governments interact with their citizens. It raises the bar and sets a different expectation. As citizens, we expect our governments to function with the same connectedness — and offer the same convenience — as our favorite retailers, whether we are traveling across borders or accessing e-government portals.
As employees, we take advantage of mobile technologies and applications to access information and collaborate in more productive ways. These shifts have been happening gradually for more than a decade, with many subtle changes in the ways we interact with our world occurring without us hardly realizing. Today, connectivity and consumerization have reached a critical tipping point, with the changes growing faster and the impacts more critical and more complex than ever before.
These changes, however, provide opportunities for organizations to differentiate through their interaction with consumers and the relationships they build with their users. It enables enterprises to realize productivity gains and enhance organization effectiveness through the digital workplace and it enables governments to more effectively and efficiently deliver citizen services.
Nevertheless, just when we develop some level of maturity in understanding how to secure the organization, these behavioral and technology trends are changing the game. To exacerbate the issue, IT now has to secure more information and organizations are now taking advantage of the time-to-market and operation cost savings of the cloud. The result is a shift from a Windows-only environment with perimeter-based security to one in which services and data are available anytime-anywhere and delivered from multiple sources. This environment raises the bar for organizations to understand who — or what — is consuming a service and what they are trying to do.
So, what is it that we do now to ensure better authentication and more security? Do we just jump back to the discussion circa 2005 of issuing tokens to everyone? Not likely. There is an upside to all of this, though.
When utilized correctly, the proliferation of mobile and availability of information are changing the ease-of-use vs. security equation that’s hindered the adoption of “better” authentication. No longer does strong authentication have to equal not-so-good user experience. Access to information enables for “smart” and context-driven authentication decisions.
For example, location and driver app services that we have at our fingertips today are great because they take situational information — where you are — to streamline answering the user need, “I want a ride from where I’m at.”
Authentication now works the same way. The authentication decisions can take information such as what the user is attempting to do, along with from what, where, etc. to assess risk and select authentication techniques based on the risk policies set by the organizations. The mobile platforms are also great for strong, transparent authentication. They can combine the contextual information above with embedded security (certificates, OTP generators and more) for transparent authentication.
Finally, not only can we now make some of the authentication transparent, we can use the computing power and connectedness of the device to put the user back in control with things like confirmations about access, signing of transactions, and much more. And, it all works just like the rest of the great applications being delivered to meet user expectations.
The key here is to remember that it’s not just about replacing passwords with stronger authentication. It’s about understanding the changing user behavior, the resulting approach organizations will take to meet user expectations, any change to the risk profiles, and leveraging the same technology and approaches to not just fit authentication into the environment, but to enable additional applications by reducing risk. If we do this right, then it’s not just stronger authentication, but better authentication.
About the AVISIAN Publishing Expert Panel
At the close of each year, AVISIAN Publishing’s editorial team selects a group of key leaders from various sectors of the market to serve as Expert Panelists. Individuals are asked to share their unique insight into different aspects of the campus card market. During the months of December and January, these panelist’s predictions are published at SecureIDNews.