November 11, 2016 By Patricia Diaz 3 min read

Before I was in the identity and access management (IAM) space, I hardly ever thought about strong authentication or the role of IAM as a standalone discipline beyond the occasional time I forgot my username or password. If I have learned one thing, however, it’s that security truly starts with people.

Think about some of the most impactful cyberattacks to hit the headlines, like the recent Mirai botnet attack or the numerous campaigns against governmental entities. What do they all have in common? At their core, they are all about the wrong people having the wrong access to sensitive information. Every strong security strategy must start with effective access controls.

A Double-Edged Sword

According to Verizon’s “2016 Data Breach Investigations Report,” stolen, weak and unchanged default credentials account for 63 percent of confirmed data breaches. For this reason, the authentication process is now seen as more than just a gatekeeper — it is a critical player within the security immune system.

But as organizations adopt new technologies to meet user expectations, particularly on mobile, stronger authentication tends to come at the expense of the user experience. In other words, mobile authentication can be a double-edged sword: it helps to ensure appropriate access, but it also introduces friction that limits employee productivity and customer engagement.

Three Keys to Strong Authentication

So how can we strike a balance between secure mobile authentication and a positive user experience? Consider this three-tiered approach to strong authentication:

1. Multifactor Authentication and Biometrics

Users have come to expect a certain ease of use during their sessions on mobile devices, and that presents a challenge to security and IT teams. To get their work done, employees often resort to convenient tools and apps that may or may not be secure. Customers also create security loopholes by reusing the same password across numerous accounts, making life easy for fraudsters.

Deploying strong mobile multifactor solutions with biometric authentication is one way to strike a balance between security and customers’ expectations. Fingerprint authentication is the most widely adopted biometric authentication method due to its convenience.

2. Continuous Authentication

During a session, be sure to leverage as many data points as possible about that user, device and environment. These data points, unique to each user and his or her session, do not interfere with the experience but merely match access risk to that individual.

If a user logs in from a known device and IP address and provides accurate credentials, that user can be granted access to an authorized resource. If a user provides accurate credentials and attempts to access multiple resources they are not allowed to access, the administrator should either challenge the user with security questions or flat out deny the request.

An access management solution that can assess risk, not only at the time of login, but also throughout a user’s session, is critical to an effective cybersecurity strategy.
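The policy sketched above (known device and IP plus valid credentials is allowed; repeated attempts on resources the user is not entitled to trigger a challenge or a denial) as an added Python illustration, not code from the original post or from any IBM product. The user names, device IDs, IP addresses, resource names and the point thresholds are constructed for the example; the scoring scheme is a simple additive one chosen here, not a documented product algorithm.

```python
from dataclasses import dataclass

ALLOW, CHALLENGE, DENY = "allow", "challenge", "deny"

# Constructed sample data: what the access manager knows about each user.
KNOWN_DEVICES = {"alice": {"dev-1"}}
KNOWN_IPS = {"alice": {"10.0.0.5"}}
ENTITLEMENTS = {"alice": {"email", "hr-portal"}}  # resources alice may access

@dataclass
class Session:
    user: str
    device_id: str
    ip: str
    credentials_valid: bool
    unauthorized_attempts: int = 0  # grows as the session proceeds

def risk_score(s: Session) -> int:
    """One point per unfamiliar signal, one per attempt on a resource the user may not access."""
    score = 0
    if s.device_id not in KNOWN_DEVICES.get(s.user, set()):
        score += 1
    if s.ip not in KNOWN_IPS.get(s.user, set()):
        score += 1
    return score + s.unauthorized_attempts

def decide(s: Session, challenge_at: int = 1, deny_at: int = 3) -> str:
    """Map the session's current risk to allow / challenge (step-up) / deny."""
    if not s.credentials_valid:
        return DENY
    score = risk_score(s)
    if score >= deny_at:
        return DENY
    if score >= challenge_at:
        return CHALLENGE
    return ALLOW

def run_session(s: Session, requests: list) -> list:
    """Re-evaluate after login and after every resource request, not only at login."""
    decisions = [("login", decide(s))]
    for resource in requests:
        if decisions[-1][1] == DENY:  # a denied session is over; stop evaluating
            break
        if resource not in ENTITLEMENTS.get(s.user, set()):
            s.unauthorized_attempts += 1
        decisions.append((resource, decide(s)))
    return decisions

if __name__ == "__main__":
    trusted = Session("alice", "dev-1", "10.0.0.5", True)
    for resource, verdict in run_session(trusted, ["email", "finance-db", "payroll", "admin-console"]):
        print(f"{resource:14s} -> {verdict}")
```

A trusted login stays at "allow" until the user starts probing resources outside their entitlements, at which point the verdict moves to "challenge" and, after enough attempts, to "deny", while a login from an unfamiliar device and address is challenged immediately.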

3. Infuse Access Management With Fraud Protection

Integrations within IT systems are essential to a well-rounded security strategy. A holistic access management and fraud prevention platform, for example, uses fraud-risk indicators derived from known threat vectors observed in a particular user session to prevent potential fraud. Based on access policy input, the access management solution can then determine the best course of action for a specific user request.

What’s Next?

IBM developed IBM Verify, a mobile multifactor authentication capability that offers one-time password generation, biometric authentication, step-up authentication for desktop login and more through an app available for Apple and Android devices.

IBM Verify is a part of a holistic approach to access management designed to help IT teams control access policies related to cloud, mobile and on-premises applications from one central appliance. This enables not only strong authentication and better security, but also a seamless user experience.
