Security Starts With People: What it Takes to Ensure Simple Yet Strong Authentication on Mobile
Before I was in the identity and access management (IAM) space, I hardly ever thought about strong authentication or the role of IAM as a standalone discipline beyond the occasional time I forgot my username or password. If I have learned one thing, however, it’s that security truly starts with people.
Think about some of the most impactful cyberattacks to hit the headlines, like the recent Mirai botnet attack or the numerous campaigns against governmental entities. What do they all have in common? At their core, they are all about the wrong people having the wrong access to sensitive information. Every strong security strategy must start with effective access controls.
A Double-Edged Sword
According to Verizon’s “2016 Data Breach Investigations Report,” stolen, weak and unchanged default credentials account for 63 percent of confirmed data breaches. For this reason, the authentication process is now seen as more than just a gatekeeper — it is a critical player within the security immune system.
But as organizations have developed new technologies to meet user expectations, particularly as they relate to mobile, authentication provides more security at the expense of the user experience. In other words, mobile authentication can be a double-edged sword. It helps to ensure appropriate access but it also causes friction that limits employee productivity and customer engagement.
Three Keys to Strong Authentication
So how can we strike a balance between secure mobile authentication and a positive user experience? Consider this three-tiered approach to strong authentication:
1. Multifactor Authentication and Biometrics
Users have come to expect a level of ease of use during their sessions on mobile devices. That presents a challenge to security and IT teams. Employees often resort to convenient tools and apps that may or may not be secure to get their work done. Customers also create security loopholes by using the same password for numerous accounts, making life easy for fraudsters.
Deploying strong mobile multifactor solutions with biometric authentication is one way to strike a balance between security and customers’ expectations. Fingerprint authentication is the most widely adopted biometric authentication method due to its convenience.
2. Continuous Authentication
During a session, use as many data points as possible about the user, the device and the environment. Because these signals are unique to each user and session, they can be evaluated without interrupting the experience; they simply calibrate the access risk to that individual.
If a user logs in from a known device and IP address and provides accurate credentials, that user can be granted access to an authorized resource. If a user provides accurate credentials and attempts to access multiple resources they are not allowed to access, the administrator should either challenge the user with security questions or flat out deny the request.
An access management solution that can assess risk, not only at the time of login, but also throughout a user’s session, is critical to an effective cybersecurity strategy.
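As an added illustration of the login-time and in-session decisions described above (example code written for this page, not IBM Verify's or any product's logic), a minimal risk-based session policy in Python. The thresholds, user names, device ids, addresses and resource names are constructed assumptions.

```python
from dataclasses import dataclass

ALLOW, DENY_REQUEST, CHALLENGE, DENY_SESSION = "allow", "deny_request", "challenge", "deny_session"

# Constructed thresholds for the example; the article states no specific numbers.
CHALLENGE_AFTER = 2  # unauthorized attempts in one session before a step-up challenge
TERMINATE_AFTER = 4  # unauthorized attempts before the session itself is denied

@dataclass
class Session:
    user: str
    device_id: str
    ip: str
    credentials_ok: bool
    risk: int = 0                   # risk accumulated from login-time signals
    unauthorized_attempts: int = 0  # running count maintained during the session

def evaluate_login(session, known_devices, known_ips):
    """Login-time decision: correct credentials from a known device and IP are allowed outright."""
    if not session.credentials_ok:
        return DENY_SESSION
    if session.device_id not in known_devices.get(session.user, set()):
        session.risk += 2  # unfamiliar device is the stronger signal
    if session.ip not in known_ips.get(session.user, set()):
        session.risk += 1  # unfamiliar network address
    return CHALLENGE if session.risk >= 2 else ALLOW

def evaluate_request(session, resource, entitlements):
    """Per-request decision applied throughout the session, not only at login."""
    if resource in entitlements.get(session.user, set()):
        return ALLOW
    session.unauthorized_attempts += 1
    if session.unauthorized_attempts >= TERMINATE_AFTER:
        return DENY_SESSION  # repeated probing of off-limits resources: deny the session
    if session.unauthorized_attempts >= CHALLENGE_AFTER:
        return CHALLENGE     # step up with security questions or a second factor
    return DENY_REQUEST      # single miss: refuse the resource, keep the session alive

def walk_through():
    """Constructed scenario: valid login from a known device, then probing of off-limits resources."""
    known_devices = {"alice": {"phone-1"}}
    known_ips = {"alice": {"203.0.113.10"}}
    entitlements = {"alice": {"mail", "calendar"}}
    s = Session("alice", "phone-1", "203.0.113.10", credentials_ok=True)
    decisions = [evaluate_login(s, known_devices, known_ips)]
    for resource in ["mail", "payroll", "hr-records", "calendar", "admin-console", "finance-ledger"]:
        decisions.append(evaluate_request(s, resource, entitlements))
    return decisions
```

A real deployment would reset or lower the counter after a successful challenge and feed device, network and behavioural signals into the risk score rather than the two fixed increments used here.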
3. Infuse Access Management With Fraud Protection
Integration between IT systems is essential to a well-rounded security strategy. A holistic access management and fraud prevention platform, for example, draws on fraud risk indicators derived from known threat vectors observed in a particular user session to stop potential fraud before it succeeds. Based on the access policy, the access management solution can then determine the best course of action for a specific user request.
IBM developed IBM Verify, a mobile multifactor authentication capability that offers one-time password generation, biometric authentication, step-up authentication for desktop login and more through an app available for Apple and Android devices.
IBM Verify is a part of a holistic approach to access management designed to help IT teams control access policies related to cloud, mobile and on-premises applications from one central appliance. This enables not only strong authentication and better security, but also a seamless user experience.