November 11, 2016 By Patricia Diaz 3 min read

Before I was in the identity and access management (IAM) space, I hardly ever thought about strong authentication or the role of IAM as a standalone discipline beyond the occasional time I forgot my username or password. If I have learned one thing, however, it’s that security truly starts with people.

Think about some of the most impactful cyberattacks to hit the headlines, like the recent Mirai botnet attack or the numerous campaigns against governmental entities. What do they all have in common? At their core, they are all about the wrong people having the wrong access to sensitive information. Every strong security strategy must start with effective access controls.

A Double-Edged Sword

According to Verizon’s “2016 Data Breach Investigations Report,” stolen, weak and unchanged default credentials account for 63 percent of confirmed data breaches. For this reason, the authentication process is now seen as more than just a gatekeeper — it is a critical player within the security immune system.

But as organizations have developed new technologies to meet user expectations, particularly around mobile, stronger authentication has tended to come at the expense of the user experience. In other words, mobile authentication can be a double-edged sword: it helps to ensure appropriate access, but it also causes friction that limits employee productivity and customer engagement.

Three Keys to Strong Authentication

So how can we strike a balance between secure mobile authentication and a positive user experience? Consider this three-tiered approach to strong authentication:

1. Multifactor Authentication and Biometrics

Users have come to expect a level of ease of use during their sessions on mobile devices. That presents a challenge to security and IT teams. To get their work done, employees often resort to convenient tools and apps that may or may not be secure. Customers also create security loopholes by reusing the same password across numerous accounts, making life easy for fraudsters.

Deploying strong mobile multifactor solutions with biometric authentication is one way to strike a balance between security and customers’ expectations. Fingerprint authentication is the most widely adopted biometric authentication method due to its convenience.

2. Continuous Authentication

During a session, be sure to leverage as many data points as possible about that user, device and environment. These data points, unique to each user and his or her session, do not interfere with the experience but merely match access risk to that individual.

If a user logs in from a known device and IP address and provides accurate credentials, that user can be granted access to an authorized resource. If a user provides accurate credentials and attempts to access multiple resources they are not allowed to access, the administrator should either challenge the user with security questions or flat out deny the request.

An access management solution that can assess risk, not only at the time of login, but also throughout a user’s session, is critical to an effective cybersecurity strategy.
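The session-level policy just described, as an added Python example (not code from the article or from any IBM product): correct credentials from a known device and IP are allowed at login, an unfamiliar device or IP earns a challenge, and repeated attempts on resources outside the user's entitlements escalate from refusal to a challenge to ending the session. The threshold values, user names and entitlements are constructed assumptions.

```python
from dataclasses import dataclass

# Thresholds are assumptions for this example, not figures from the article.
CHALLENGE_AFTER = 2   # unauthorized attempts in one session before a step-up challenge
TERMINATE_AFTER = 3   # unauthorized attempts before the session is ended outright

@dataclass
class Session:
    user: str
    known_device: bool
    known_ip: bool
    credentials_ok: bool
    entitlements: frozenset        # resources this user is authorized to reach
    unauthorized_attempts: int = 0
    terminated: bool = False

def evaluate_login(session: Session) -> str:
    """Login-time decision: bad credentials are refused, a known device and IP
    are allowed, and an unfamiliar device or IP earns a step-up challenge."""
    if not session.credentials_ok:
        session.terminated = True
        return "DENY"
    if session.known_device and session.known_ip:
        return "ALLOW"
    return "CHALLENGE"

def evaluate_request(session: Session, resource: str) -> str:
    """Per-request decision made throughout the session, not only at login.
    Each unauthorized request is refused; repeated ones escalate the session."""
    if session.terminated:
        return "DENY"
    if resource in session.entitlements:
        return "ALLOW"
    session.unauthorized_attempts += 1
    if session.unauthorized_attempts >= TERMINATE_AFTER:
        session.terminated = True           # flat-out deny the rest of the session
        return "TERMINATE"
    if session.unauthorized_attempts >= CHALLENGE_AFTER:
        return "CHALLENGE"                  # e.g. security questions before continuing
    return "DENY"

def run_session(session: Session, requests: list) -> list:
    """Replay a sequence of resource requests and collect the decisions."""
    decisions = [evaluate_login(session)]
    for resource in requests:
        decisions.append(evaluate_request(session, resource))
    return decisions

# Constructed sample: Alice is entitled to mail and calendar only.
alice = Session("alice", True, True, True, frozenset({"mail", "calendar"}))
print(run_session(alice, ["mail", "hr-db", "calendar", "payroll", "finance", "mail"]))
```

In a real deployment the counters would be fed by the device, IP and behavioural signals the article mentions rather than by a single attempt count.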

3. Infuse Access Management With Fraud Protection

Integrations within IT systems are essential to a well-rounded security strategy. A holistic access management and fraud prevention platform, for example, uses indicators of fraud risk based on identified common threat vectors in a particular user session to prevent any potential fraud. The access management solution can, based on access policy input, determine the best course of action given a specific user request.


What’s Next?

IBM developed IBM Verify, a mobile multifactor authentication capability that offers one-time password generation, biometric authentication, step-up authentication for desktop login and more through an app available for Apple and Android devices.

IBM Verify is a part of a holistic approach to access management designed to help IT teams control access policies related to cloud, mobile and on-premises applications from one central appliance. This enables not only strong authentication and better security, but also a seamless user experience.
