The Rapidly Changing Authentication Infrastructure

by Tim Sloane 0

Biometrics Eye Scan

Mercator predicted mobile devices would require a rapid shift in authentication methods here and here. This article in CSO Online introduces the apt term of “Goldilocks zone” to describe when individuals should be challenged with a multi-factor authentication:

“I recently read a story in CSO that explained how hackers can crack just about any password. The story didn’t surprise me. Security experts have known this for a while. Yet, passwords continue to serve as the go-to method for accessing just about everything online.

Most experts recommend adding multi-factor authentication, but with the wide range of cloud services available and the mobility of our workforce, how much is too much?  How little is too little to be effective?

Companies need to strike a balance between users reaffirming who they are without inhibiting their work. The best-case scenario entails an employee, who’s doing what she normally does, is left alone. If she suddenly does something out of the ordinary, she would need to verify it’s really her. Verify users are who they say they are when they are already inside doing something unusual, not only when they are at the door.

Credit card companies have become very good at this process. They understand cardholders’ regular purchases, and thus don’t bother them every time they use their card. However, if a purchase seems unusual, the card company will send a text asking the card holder to verify it’s her. If she cannot verify the purchase, they freeze her account. Sounds simple, right?

We need this kind of simplicity in cyber security. Companies cannot apply multi-factor authentication to everything a user does. It’s too much. There’s a Goldilocks zone for multi-factor. It can’t be too hot. It can’t be too cold. It must be just right. And companies can pull off just right by using behavior analytics.”

The two publications also identified behavioral biometrics as a key component of the overall authentication solution but also suggested that it be implemented right away to detect robots and account takeovers and then expanded into the general authentication solution set as the organization develops risk profiles for all of its consumer and business interactions as also identified in this article:

“Behavior analytics working in tandem with multi-factor authentication would enable companies to verify users are who they say they are when they are detected doing something unusual. For example, we often see a use case that we call “The Prospector.” Like a gold miner digging for gold, insiders will mine for valuable data assets, accessing applications and systems, looking for the crowned jewels. Behavior analytics would detect an employee digging around, accessing a system that he typically doesn’t access and/or isn’t authorized to access. Multi-factor authentication would then come into play asking the employee to verify it’s really him. If he does not verify within a certain timeframe, then his account is shut down before he accesses the jewels. On the flip side, if that employee is accessing a system that he typically accesses to do his job, he wouldn’t be bothered at all.

Call it “Smart Multi Factor Authentication.” A bad actor would fail the second layer of authentication while the trusted employee can do his job uninterrupted. Malicious insiders would also be hindered because they know they are being watched.”

 

Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group

Read the full story here