Mike Adler at RSA describes the different types of authentication available and emphasises the importance of continuous authentication.
In the last 12 months, many organisations found themselves needing to authenticate large, dispersed workforces. At the time, the need to maintain business continuity outweighed any concerns about potential digital risk and whether the approach taken was the right one for the long term. Now that most organisations are past crisis mode, it’s time to reflect on the changes made: have new applications, services, partnerships or processes introduced identity risks?
Do new authentication methods balance security with usability? Solving authentication issues, such as gaps in defences or poor usability, is crucial. The good news is that there are now many options out there.
Are you considering going passwordless?
The 2020 Verizon Data Breach Investigations Report revealed that 80 percent of data breaches resulted from compromised or ineffective passwords. Because of this, a lot of effort has been put into eliminating passwords from authentication altogether.
While many seemingly ‘passwordless’ technologies still rely on a password and username for account enrolment and recovery, users no longer have to remember login details. This improves usability while also improving security, since attacks that target passwordless authenticators are still extremely rare, as they require a lot more effort on the part of the attacker.
Three common authenticators that do not require users to input passwords are:
1. Hardware and software-based token authenticators
Traditional tokens remain the gold standard in authentication; users can identify themselves no matter their location or the device in use. Traditional tokens also work well for use cases where mobile devices are not acceptable or users do not wish to have software installed on their personal devices.
Last year, tokens made it possible for organisations to quickly roll out secure virtual workforces, in some cases overnight. However, one of hardware tokens’ limitations is getting physical devices to users. A highly dispersed workforce can add complexity to the distribution process and impact cost.
In these circumstances, organisations may instead opt for software-based tokens. Software tokens are most often deployed on mobile phones, but can also be deployed on laptops or other common devices. Deployed digitally to users for convenient and secure access, they provide the same level of security without the provisioning roadblocks.
2. Push authentication
Push authentication validates login attempts by sending access requests to a user’s registered mobile device. When logging in, instead of remembering and entering a complex password, users simply authenticate with the short code or keyword provided.
However, for larger enterprises with thousands of employees, setting up push authentication can be a time-consuming process. Push authentication also requires workers’ devices to be connected to a network, so it is not suitable for every scenario.
3. Biometric authenticators
Biometric authentication uses biological or behavioural traits such as fingerprints, face verification, voice recognition, and iris scans. In these scenarios, an authentication request is sent to a mobile application that the user authenticates to on their mobile device using device-specific biometrics. There are no codes, passwords, or tokens for users to remember, and biometric tokens cannot be stolen in the same way a password or PIN can. This adds a considerable degree of certainty that the employee accessing work remotely is who they say they are.
However, biometrics are often touted as the ‘silver bullet’ of authentication, which can create a false sense of security. Using a single method of biometric authentication doesn’t provide complete security, especially if users can bypass the biometric step with a PIN or password, which are more easily hackable.
Additionally, obtaining work-issued devices with biometric capabilities can be costly for organisations, and many may need to ask workers to use their personal devices, or be forced to use an alternative method altogether.
Ultimately, passwords are frequently targeted by cyber-criminals and are a pain point for users too, so any efforts made to remove them from the authentication process should reap rewards.
Multi-factor authentication considerations
According to Microsoft, fewer than 0.1% of accounts using any type of MFA are compromised, so you could say MFA is now essential. An organisation can be highly certain of a user’s identity if it can obtain more than one proof point before allowing access – these might include any combination of the authenticators above.
Another advantage of MFA is that other data points that help to prove someone’s identity can improve reliability. A device, for example, could send additional location, behavioural or some other risk context information to confirm a user’s identity.
Each of the authenticators performs only a single one-time authentication. This means that the authentication is valid only at that moment and can’t be ‘reused’ to authenticate in the future. In some scenarios a single authentication for an entire session may not provide enough security. Applications or services could be exposed if they assume the user never changes mid-session.
One response to this challenge is to continuously authenticate users and automatically log them out when they stop using the service, when their device changes, when their location changes or any other behaviour expectation changes. This is typically done by monitoring – in the background with little user interaction – behavioural, temporal, or biometric factors about the individual. Wearable technologies, such as bracelets, in combination with location-aware devices (e.g. laptops, mobile phones) are being trialled to enable this.
To take MFA to the next level, organisations can monitor access requests and user behaviour to look for anomalies that might suggest a malicious party is attempting to access corporate assets. This could be as simple as blocking known bad IP addresses, through to recognising whether a single user could physically log in from different locations within a short period of time, or knowing that a given geo-location doesn’t often send access requests. This type of anomaly detection should be built into authentication systems, so they automatically deny access or request further authentication.
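The three checks just described (blocking known bad addresses, spotting logins that would require impossible travel, and noticing a geolocation a user rarely authenticates from) can be expressed as a small policy evaluated at login time. The code below is an added example, not RSA's product logic; the IP addresses, coordinates, login history and thresholds are constructed sample data, and the geo-IP lookup that maps an address to coordinates is assumed to have happened upstream.

```python
"""Login-time anomaly checks for an authentication service.

Added example (not RSA's product logic): a known-bad IP blocklist, an
impossible-travel check between consecutive logins, and a rare-geolocation
check against the user's own history. All events and addresses below are
constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: int        # Unix time in seconds
    ip: str
    lat: float     # resolved from the IP by a geo-IP lookup (assumed done upstream)
    lon: float
    country: str   # ISO country code from the same lookup


# Assumed policy knobs; tune to the organisation's risk appetite.
BAD_IPS = {"203.0.113.7"}        # constructed blocklist entry (TEST-NET-3 range)
MAX_SPEED_KMH = 900.0            # roughly airliner speed; faster is "impossible travel"
MIN_TRAVEL_KM = 50.0             # ignore geo-IP jitter inside a metro area
RARE_COUNTRY_RATIO = 0.05        # a country seen in <5% of a user's logins is "rare"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def evaluate(event, history):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'.

    A blocklisted source is denied outright. Behavioural anomalies do not deny
    on their own but request further authentication, as the article suggests.
    """
    if event.ip in BAD_IPS:
        return "deny", ["known_bad_ip"]

    reasons = []
    prior = [e for e in history if e.user == event.user and e.ts < event.ts]
    if prior:
        last = max(prior, key=lambda e: e.ts)
        dist = haversine_km(last.lat, last.lon, event.lat, event.lon)
        hours = (event.ts - last.ts) / 3600.0
        # Distance since the previous login implies a speed no traveller could manage.
        if dist > MIN_TRAVEL_KM and (hours <= 0 or dist / hours > MAX_SPEED_KMH):
            reasons.append("impossible_travel")
        # This user rarely (or never) authenticates from this country.
        seen = Counter(e.country for e in prior)
        if seen[event.country] / len(prior) < RARE_COUNTRY_RATIO:
            reasons.append("rare_geolocation")

    return ("step_up" if reasons else "allow"), reasons


# Constructed history: five daily logins from London over a working week.
LONDON = (51.5074, -0.1278, "GB")
NEW_YORK = (40.7128, -74.0060, "US")
HISTORY = [LoginEvent("alice", day * 86400, "198.51.100.10", *LONDON) for day in range(5)]

NORMAL = LoginEvent("alice", 5 * 86400 + 3600, "198.51.100.10", *LONDON)
# 30 minutes after the last London login, but from New York.
SUSPICIOUS = LoginEvent("alice", 4 * 86400 + 1800, "192.0.2.44", *NEW_YORK)
BLOCKED = LoginEvent("bob", 4 * 86400 + 60, "203.0.113.7", *LONDON)


def demo():
    """Evaluate the three constructed events; returns a name -> (decision, reasons) map."""
    return {name: evaluate(ev, HISTORY)
            for name, ev in [("normal", NORMAL), ("suspicious", SUSPICIOUS), ("blocked", BLOCKED)]}


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{name}: {decision} {reasons}")
```

Two design points worth noting: the blocklist check returns before any history is consulted, so a denied source never influences the user's behavioural baseline; and the travel check tolerates small distances with no elapsed time, because consecutive geo-IP resolutions for the same user routinely jump between nearby points. A user with no history gets no behavioural verdict at all, which is the expected behaviour for a first login rather than a gap in the logic.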
Striking the right balance
Every time an employee is asked to undertake an authentication measure, the balance is tipped in favour of security over usability. Organisations must therefore think carefully when putting in place more authenticators as it could create unwanted user friction. Combining continuous authentication with background monitoring – known as risk-based authentication – incorporates machine learning to monitor for and identify changes in behaviour. This can help determine how often the system should prompt a user to re-authenticate.
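The continuous-authentication behaviour described above (ending a session when it goes idle or moves to another device, re-authenticating when the location changes) and the risk-based idea from the paragraph just read (letting an accumulated risk score decide how often to re-prompt) can be combined in one session monitor. The following is an added example, not any vendor's product: a simple additive risk score stands in for the machine-learning model mentioned in the text, and every timeout, interval and risk weight is an assumed value.

```python
"""Session-level continuous authentication with a risk-based re-auth cadence.

Added example, not any vendor's product: a session is bound to the device it
was created on, ends when idle, is re-authenticated when the user's country
changes, and is re-prompted at an interval that shrinks as the session's
risk score grows. All timings, weights and thresholds are assumptions.
"""
from dataclasses import dataclass

IDLE_TIMEOUT_S = 15 * 60          # log out after 15 minutes without activity
BASE_REAUTH_S = 8 * 3600          # a clean session is re-prompted every 8 hours
MIN_REAUTH_S = 10 * 60            # never demand re-auth more often than every 10 minutes
LOCATION_CHANGE_RISK = 2          # risk added when the observed country changes


@dataclass
class Session:
    user: str
    device_id: str    # device fingerprint or certificate bound at login
    country: str      # country observed at the last successful (re)authentication
    last_seen: int    # Unix seconds of the last accepted activity
    last_auth: int    # Unix seconds of the last successful (re)authentication
    risk: int = 0


def reauth_interval(risk):
    """Each risk point halves the re-authentication interval, floored at MIN_REAUTH_S."""
    return max(MIN_REAUTH_S, BASE_REAUTH_S // (2 ** risk))


def check_activity(session, now, device_id, country):
    """Evaluate one request against its session; returns 'continue', 'reauth' or 'logout'.

    Order matters: a stale session ends before any other signal is considered, and a
    device mismatch ends the session rather than prompting, because the token is being
    presented from somewhere it was not issued to, which re-authentication cannot repair.
    """
    if now - session.last_seen > IDLE_TIMEOUT_S:
        return "logout"
    if device_id != session.device_id:
        return "logout"
    if country != session.country:
        # Location changed mid-session: raise the risk score and prompt now. The
        # session's recorded country is only updated once the user passes the prompt.
        session.risk += LOCATION_CHANGE_RISK
        return "reauth"
    if now - session.last_auth >= reauth_interval(session.risk):
        return "reauth"
    session.last_seen = now
    return "continue"


def record_reauth(session, now, country):
    """Call after the user passes the re-authentication prompt."""
    session.last_auth = now
    session.last_seen = now
    session.country = country


if __name__ == "__main__":
    s = Session("alice", "dev-1", "GB", last_seen=0, last_auth=0)
    print(check_activity(s, 300, "dev-1", "GB"))    # continue
    print(check_activity(s, 600, "dev-1", "FR"))    # reauth: country changed
    record_reauth(s, 600, "FR")
    print(reauth_interval(s.risk))                 # 7200: re-prompt every 2 hours now
    print(check_activity(s, 1000, "dev-2", "FR"))   # logout: different device
```

Note that a failed re-authentication leaves `last_seen` untouched, so a session that keeps presenting requests from a changed location without passing the prompt accumulates risk and then expires through the idle timeout rather than living indefinitely.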
MFA is also not a ‘one size fits all’ approach. A range of methods may need to be used to ensure that different users can authenticate across different devices in different locations. For instance, an employee working in a call centre or on a factory floor may not be able to use a mobile phone as a primary device to authenticate. In this instance, a different authenticator may be more suitable.
Working environments have transformed in 2020, so now really is the time for innovation in authentication: whether it’s adding in new passwordless methods of authentication, ensuring that multi-factor authentication is applied across the board, or taking MFA to the next level with anomaly detection, organisations need to be sure that the people accessing their data really are who they say they are. Crucially, this must be done in a way that balances security with usability and doesn’t create hurdles that users may be tempted to circumvent.
Mike Adler is Chief Product Officer for Security at RSA where he is responsible for product strategy and execution for RSA’s Security Business Unit. Mike has over 20 years of experience in security and specialises in delivering enterprise class software and services.