Identity management and authentication have long been a core aspect of information security. So let’s assume that “better authentication” means something more than passwords. Why? I’m not sure anyone is a big fan of passwords; there is a reason “password fatigue” has its own Wikipedia entry. IT departments usually dislike having to support large numbers of schemes and resets, and, more importantly, the usability of passwords is poor given that we interact with a great many services online (and now on mobile), and everything now needs a password.
So, if passwords are not great for users, and organizations do not really want to use them, why are they so common? Historically, when it came to the practical implementation of “better” authentication, the ease of use and operational costs of the alternatives became major stumbling blocks, except in high-value asset environments.
The question then becomes: “Will we see another decade of passwords as the status quo?” The answer is doubtful. I think it’s safe to say that we are in the midst of real shifts that will fundamentally change the way organizations handle authentication in consumer, enterprise and citizen applications.
Let’s take a look at what is propelling this change.
- Organizations are maturing their understanding of risk in legacy environments, driven by the attention coming from retail breaches, nation-state cyber incidents, and other high-profile attacks.
- Organizations are beginning to consolidate their service offerings, which creates opportunities for password consolidation. And they’re not stopping at consolidation: each of these service providers is now starting to offer authentication options beyond passwords.
- The most significant change is coming from consumerization and mobility, which is a primary driver not just in the consumer environment but also in the digital workplace and citizen services environments.
As consumers, rapid changes in the mobile environment are driving significant changes in user expectations. Mobile gives us anytime-anywhere access and personalized, real-time services (think Uber, Apple Pay, Instagram, Snapchat, etc.). Consumers are starting to expect a seamless experience whether online at home, on the go with mobile devices, or in a store or branch location.
This expectation is also putting pressure on enterprise environments and how governments interact with their citizens. We expect our governments to function with the same connectedness — and offer the same convenience — as our favorite retailers, whether we are traveling across borders or accessing e-government portals. As employees, we take advantage of mobile technologies and applications to access information and collaborate in more productive ways.
These changes in expectations give organizations opportunities to differentiate through their interaction with consumers and the relationships they build with their users; they allow enterprises to realize productivity gains and enhance organizational effectiveness through the digital workplace; and they allow governments to deliver citizen services more effectively and efficiently.
So, what is it that we do now to ensure better authentication and more security? Do we just jump back to the discussion circa 2005 of issuing tokens to everyone? Not likely. There is an upside to all of this, though.
When utilized correctly, the proliferation of mobile devices and the availability of information are changing the ease-of-use vs. security equation that has hindered the adoption of “better” authentication. Strong authentication no longer has to mean a poor user experience. Access to information enables “smart”, context-driven authentication decisions.
For example, the location and ride-hailing app services at our fingertips today are great because they take situational information (where you are) to streamline answering the user’s need (I want a ride from where I am). Authentication can now work the same way. Authentication decisions can take into account what the user is attempting to do, from what device, from where, and so on, to assess risk and select authentication techniques according to the risk policies set by the organization. Mobile platforms are also great for strong, transparent authentication: they can combine the contextual information above with embedded security (certificates, OTP generators and more) to authenticate transparently.
Plus, not only can some of the authentication now be made transparent, but we can also use the computing power and connectedness of the device to put the user back in control, with things like confirmations of access, signing of transactions, and much more. And it all works just like the rest of the great applications being delivered to meet user expectations.
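To make the two preceding paragraphs concrete, here is a small risk-based authentication policy written as an added example for this post; it is not code from the original article or from any vendor. It scores the contextual signals the text names (what the user is attempting to do, from what device, from where), maps the score onto an authentication technique (transparent device certificate, one-time code, push confirmation), and always requires transaction signing on the enrolled device for a high-value transfer. Every weight, threshold, action name and the sample user profile is a constructed assumption that a real organization would set from its own risk policies.

```python
"""Context-driven (risk-based) authentication policy: a constructed example.

Signals about the access attempt are scored against organization-defined
weights, and the score selects the authentication technique. All weights,
thresholds, action names and sample data below are illustrative assumptions.
"""
from dataclasses import dataclass, field

# Authentication techniques the policy can select, weakest to strongest.
TRANSPARENT = "device_certificate"  # silent check of the certificate on an enrolled device
OTP = "mobile_otp"                  # one-time code from the enrolled device's OTP generator
CONFIRM = "push_confirmation"       # user explicitly approves the access on the enrolled device
SIGN = "transaction_signing"        # user signs the transaction details on the enrolled device


@dataclass
class UserProfile:
    user_id: str
    enrolled_devices: set  # device ids carrying an embedded certificate / OTP generator
    usual_countries: set   # countries this user normally connects from


@dataclass
class AccessContext:
    user_id: str
    action: str            # what the user is attempting to do
    device_id: str         # from what device
    country: str           # from where
    amount: float = 0.0    # only meaningful for money-moving actions
    new_ip: bool = False   # source address never seen for this user


@dataclass
class Decision:
    score: int
    method: str
    reasons: list = field(default_factory=list)


# Assumed policy values: base risk per action and the high-value transfer limit.
ACTION_RISK = {"view_balance": 0, "update_profile": 20, "transfer_funds": 40}
HIGH_VALUE_TRANSFER = 1000.0
CONFIRM_THRESHOLD = 60
OTP_THRESHOLD = 25


def risk_score(ctx: AccessContext, profile: UserProfile) -> Decision:
    """Accumulate risk from the contextual signals and record each reason."""
    d = Decision(score=0, method=TRANSPARENT)
    d.score += ACTION_RISK.get(ctx.action, 30)  # unknown actions count as moderate risk
    d.reasons.append(f"action={ctx.action}")
    if ctx.device_id not in profile.enrolled_devices:
        d.score += 40
        d.reasons.append("unenrolled device")
    if ctx.country not in profile.usual_countries:
        d.score += 25
        d.reasons.append(f"unusual country {ctx.country}")
    if ctx.new_ip:
        d.score += 10
        d.reasons.append("new ip address")
    return d


def select_authentication(ctx: AccessContext, profile: UserProfile) -> Decision:
    """Map the risk score onto a technique; high-value transfers always need signing."""
    d = risk_score(ctx, profile)
    if ctx.action == "transfer_funds" and ctx.amount >= HIGH_VALUE_TRANSFER:
        d.method = SIGN
        d.reasons.append("high-value transfer: signing required regardless of score")
    elif d.score >= CONFIRM_THRESHOLD:
        d.method = CONFIRM
    elif d.score >= OTP_THRESHOLD:
        d.method = OTP
    else:
        d.method = TRANSPARENT
    return d


# Constructed sample user: one enrolled phone, normally connecting from the US.
ALICE = UserProfile("alice", enrolled_devices={"phone-1"}, usual_countries={"US"})

# Constructed sample access attempts covering the low, medium and high risk bands.
SAMPLE_CONTEXTS = [
    AccessContext("alice", "view_balance", "phone-1", "US"),
    AccessContext("alice", "update_profile", "phone-1", "FR"),
    AccessContext("alice", "transfer_funds", "laptop-9", "FR", amount=50.0, new_ip=True),
    AccessContext("alice", "transfer_funds", "phone-1", "US", amount=5000.0),
]


def decide_all(contexts=SAMPLE_CONTEXTS, profile=ALICE) -> list:
    """Return the selected technique for each sample context, in order."""
    return [select_authentication(c, profile).method for c in contexts]


if __name__ == "__main__":
    for ctx in SAMPLE_CONTEXTS:
        d = select_authentication(ctx, ALICE)
        print(f"{ctx.action:15s} score={d.score:3d} -> {d.method:20s} ({', '.join(d.reasons)})")
```

Reading the balance from the enrolled phone at home stays fully transparent, an unusual country steps the same user up to a one-time code, a transfer attempted from an unenrolled device abroad demands an explicit confirmation on the enrolled phone, and a large transfer requires signing the transaction details even when every other signal looks normal. That last rule is the point of the paragraph above: the device is used to put the user back in control of the risky operation, not merely to prove who they are.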
The key here is to remember that it’s not just about replacing passwords with stronger authentication. It’s about understanding the changing user behavior, the resulting approach organizations will take to meet user expectations, and any change to the risk profiles, and then leveraging the same technology and approaches not just to fit authentication into the environment, but to enable additional applications by reducing risk. If we do this right, then the result is not just stronger authentication, but better authentication.