Before I worked in the identity and access management (IAM) space, I hardly ever thought about strong authentication, or about IAM as a discipline in its own right, beyond the occasional time I forgot a username or password. If I have learned one thing since, it’s that security truly starts with people.

Think about some of the most impactful cyberattacks to hit the headlines, such as the recent Mirai botnet (which spread by logging in to internet-connected devices with factory-default usernames and passwords) or the many campaigns against government entities. What do they have in common? At their core, they are all about the wrong people obtaining access they should never have had, whether to a device, an account or sensitive information. Every strong security strategy must therefore start with effective access controls.

A Double-Edged Sword

According to Verizon’s “2016 Data Breach Investigations Report,” 63 percent of confirmed data breaches involved weak, default or stolen passwords. For this reason, the authentication process is now seen as more than a gatekeeper at the front door: it is a critical component of the security immune system.

But as organizations roll out new technologies to meet user expectations, particularly on mobile, every additional authentication step buys security at the expense of the user experience. In other words, mobile authentication is a double-edged sword: it helps ensure that only the right people get access, but the friction it introduces limits employee productivity and customer engagement.

Three Keys to Strong Authentication

So how can we strike a balance between secure mobile authentication and a positive user experience? Consider this three-tiered approach to strong authentication:

1. Multifactor Authentication and Biometrics

Users have come to expect ease of use on their mobile devices, and that expectation is a challenge for security and IT teams. Employees often turn to whatever convenient tools and apps get their work done, whether or not those tools are secure. Customers open their own loopholes by reusing one password across many accounts; a single leaked password then unlocks every account that shares it, making life easy for fraudsters.

Deploying strong mobile multifactor solutions with biometric authentication is one way to strike that balance. Fingerprint authentication is the most widely adopted biometric method because of its convenience. Deploy it the right way, though: on a well-designed mobile platform the fingerprint only unlocks a key held on the device (ideally in hardware-backed storage), and the server verifies a signed assertion from that key, so the biometric template itself never leaves the phone and cannot be stolen from, or replayed against, the server.

2. Continuous Authentication

During a session, gather as many data points as you can about the user, the device and the environment: which device is making the request, which network and location it comes from, what time it is and which resources are being requested. Because these signals are collected passively, they add no friction for the user; they simply let the system match the level of assurance it demands to the risk of that particular person and session.

If a user logs in from a known device and IP address with correct credentials, that user can be granted access to an authorized resource. If a user presents correct credentials but then attempts to access several resources they are not authorized for, the access policy should either challenge the user (security questions are the weakest choice here; a one-time password or a biometric confirmation from the enrolled device is stronger) or deny the request outright.

An access management solution that can assess risk not only at login but throughout the user’s session is critical to an effective cybersecurity strategy.

3. Infuse Access Management With Fraud Protection

Integration between IT systems is essential to a well-rounded security strategy. A combined access management and fraud prevention platform, for example, feeds the indicators of fraud risk observed in a user’s session (the common threat vectors a fraud engine is built to recognize) into the access decision. Given those indicators and the configured access policy, the access management solution determines the best course of action for a specific request: allow it, require step-up authentication or deny it.
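Worked example (added here; a simplified, self-contained policy engine, not IBM’s product logic): the continuous, risk-based evaluation described in sections 2 and 3. It scores every request in a session, not only the login, combining context signals (unknown device, unknown IP address, a hit in a fraud feed) with behaviour already seen in the session (attempts on resources outside the user’s entitlements) and returns allow, step up or deny. All weights, thresholds, the fraud-flagged IP set and the sample session are constructed for illustration.

```python
"""Continuous authentication: score every request in a session, not just the login.

Added illustration for sections 2 and 3 of this post. Simplified policy engine with
made-up weights; not the logic of any IBM product.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Set


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # serve only after a second factor (OTP/biometric) succeeds
    DENY = "deny"


@dataclass
class UserProfile:
    """What is already known about the user: enrolled devices, usual IPs, entitlements."""
    known_devices: Set[str]
    known_ips: Set[str]
    entitlements: Set[str]


@dataclass
class AccessRequest:
    device_id: str
    ip: str
    resource: str
    credentials_valid: bool = True


@dataclass
class SessionState:
    """Per-session memory: behaviour observed so far, step-up status, lock flag."""
    behaviour_risk: int = 0
    unauthorised_attempts: List[str] = field(default_factory=list)
    step_up_passed: bool = False
    locked: bool = False


# Assumed weights and thresholds; a real deployment tunes these from its own data.
W_UNKNOWN_DEVICE = 30
W_UNKNOWN_IP = 20
W_UNAUTHORISED_ATTEMPT = 25
W_FRAUD_INDICATOR = 40
STEP_UP_AT = 40
DENY_AT = 80

# Constructed stand-in for a fraud-prevention feed (section 3): IPs seen in earlier fraud.
FRAUD_FLAGGED_IPS = {"203.0.113.77"}


def context_risk(profile: UserProfile, req: AccessRequest) -> int:
    """Risk from the environment of this request: device, network, fraud indicators."""
    risk = 0
    if req.device_id not in profile.known_devices:
        risk += W_UNKNOWN_DEVICE
    if req.ip not in profile.known_ips:
        risk += W_UNKNOWN_IP
    if req.ip in FRAUD_FLAGGED_IPS:
        risk += W_FRAUD_INDICATOR
    return risk


def evaluate(profile: UserProfile, state: SessionState, req: AccessRequest) -> Decision:
    """Decide one request. Called for every request in the session, not only at login."""
    if state.locked or not req.credentials_valid:
        return Decision.DENY

    # Correct credentials do not entitle the user to everything: a request for a resource
    # outside the entitlement set is denied and remembered as behavioural risk.
    if req.resource not in profile.entitlements:
        state.unauthorised_attempts.append(req.resource)
        state.behaviour_risk += W_UNAUTHORISED_ATTEMPT
        if state.behaviour_risk >= DENY_AT:
            state.locked = True  # repeated probing ends the session
        return Decision.DENY

    total = context_risk(profile, req) + state.behaviour_risk
    if total >= DENY_AT:
        state.locked = True
        return Decision.DENY
    if total >= STEP_UP_AT and not state.step_up_passed:
        return Decision.STEP_UP
    return Decision.ALLOW


def complete_step_up(state: SessionState, second_factor_ok: bool) -> None:
    """Record the outcome of the step-up challenge (e.g. a TOTP or biometric assertion)."""
    if second_factor_ok:
        state.step_up_passed = True
    else:
        state.locked = True


def demo() -> List[Decision]:
    """Constructed session: a known user starts normally, then probes resources it may not see."""
    alice = UserProfile(known_devices={"phone-a1"}, known_ips={"198.51.100.10"},
                        entitlements={"/mail", "/calendar"})
    state = SessionState()
    requests = [
        AccessRequest("phone-a1", "198.51.100.10", "/mail"),        # normal -> ALLOW
        AccessRequest("phone-a1", "198.51.100.10", "/payroll"),     # not entitled -> DENY
        AccessRequest("phone-a1", "198.51.100.10", "/hr-records"),  # second probe -> DENY
        AccessRequest("phone-a1", "198.51.100.10", "/calendar"),    # entitled, risk now 50 -> STEP_UP
    ]
    return [evaluate(alice, state, r) for r in requests]


if __name__ == "__main__":
    print([d.value for d in demo()])
```

The point of the design is that the same credentials produce different decisions depending on what the session has done: a known device on a known network is allowed straight through, the same user probing two resources it is not entitled to is stepped up on its next legitimate request, and a login from an unknown device on a fraud-flagged IP never reaches the resource at all. Swapping the constructed fraud set for a real fraud-prevention feed is where the section 3 integration would plug in.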

What’s Next?

IBM developed IBM Verify, a mobile multifactor authentication capability that offers one-time password generation, biometric authentication, step-up authentication for desktop login and more, through an app available for iOS and Android devices.

IBM Verify is part of a holistic approach to access management designed to help IT teams control access policies for cloud, mobile and on-premises applications from one central appliance. This enables not only strong authentication and better security, but also a seamless user experience.
