Jim Ducharme, RSA Security’s VP of Identity Products
The days when passwords and tokens were our only way of identifying people and systems are long gone. Today, we have a vast array of technologies, including multi-factor authentication (MFA), standards-based solutions, biometrics and smartphone-based authentication – to name just a few.
This change has been driven by necessity. Whereas once upon a time, workers would be tied to their desks, now we have people who are glued to their mobiles, accessing applications through the cloud. This has a huge impact on the need to authenticate; previously, it would be pretty obvious if Bob from finance was accessing the company invoicing system, as you could see this was happening from his desk – the static nature of the workplace provided its own version of multi-factor authentication.
Today, Bob could be accessing it from anywhere, making it much more difficult to ascertain if it is actually him, or someone using his phone or hijacking an insecure line. These behavioural and organisational shifts are driving authentication methods in two directions: toward more convenient access to please users and toward more secure access to satisfy IT security teams.
Within this context, there are a number of authentication trends that any business should be keeping an eye on – here are my top five:
1. Context, location and behaviour – the holy grail of identity assurance: organisations have more multi-factor authentication choices than ever before and as we move into the future, this range of options is set to widen. In particular, watch the growing trend toward dynamic, frictionless solutions that can automatically recognise someone based on contextual clues and behavioural access patterns, while still providing a high level of identity assurance. Certified interoperability with on-premise and cloud apps will also become increasingly important as the number of applications grows.
2. Single sign-on (SSO) will need to move with the times: our reliance on technology is seeping through every facet of our working lives, meaning we are constantly having to log on to multiple systems and applications to get our jobs done. Single sign-on (SSO) provides tremendous benefits in this context, as users no longer have to remember reams of passwords. However, SSO is only effective if organisations have the assurance that users who request access are who they say they are. As we edge towards 2018, don’t be surprised to see more SSO providers partnering with security and authentication specialists to deliver solutions that use advanced analytics to increase security and transparency.
3. Practical standards to meet modern authentication needs: across an enterprise, there are many different roles and requirements for security and authentication. For example, you may have a different type of authentication method for an employee who routinely accesses lower-risk applications than for a privileged user. Yet this does not mean you need to abandon standardisation. Several emerging open standards and protocols for multi-factor authentication are making it possible to meet diverse user needs and still have consistent integration processes and user experiences across systems, devices and apps. This means that you can employ the same standards and protocols to incorporate and administer both kinds of authentication.
4. Biometrics that live up to the hype: biometrics have been talked about for years and you can be forgiven for having an ‘I’ll believe it when I see it’ attitude to these promises. However, biometrics are finally coming into their own and we are starting to see them become a common method for enterprise authentication. Providing a fingerprint or retina scan may be easy for the user, but getting to this point has historically been a costly and complex challenge for enterprises to solve. Today, however, with a maturing ecosystem of biometric-ready smartphones – coupled with the adoption of open standards – the stars finally seem to be aligning for the broader adoption of biometrics.
5. Mobile identity: smartphone-based authentication is becoming increasingly popular but it still poses challenges. Sure, you can use advanced authentication tools such as biometrics to provide assurance that the phone’s owner is the one using the phone; but how do you know if the phone itself can be trusted? This is the big question the industry is starting to step up to and address. We’re seeing phone manufacturers trying to establish a verifiable ID that will enable organisations to feel more confident about extending trust to a device. The increased popularity of enterprise mobile applications only heightens the need for a consumer-simple experience — one that provides access control commensurate with the risk of a given transaction. MFA, SSO, authentication standards, biometrics and smartphones will each continue to play a role as the market moves toward risk-aware authentication. So watch this space!
Keeping ahead of trends in this area can not only help to provide security teams with peace of mind, but also make life easier for users. Yet for these techniques to be effective, they need to be evaluated with the business in mind. The most important thing is to work out what is right for your individual business – where are your most ‘risky’ users, what applications or systems have the most vital company data and what kind of access does each of your users really need? These kinds of questions will help you focus your identity strategy on the needs of the business. Taking this business-driven security approach will not only help to lower costs, but will also reduce risks and improve the user experience.