Authentication: Past, Present, and Future
Identity and access management is one of the most critical areas in today’s risk based security landscape. Adequate security controls, processes and impacts to productivity, transformation goals and user experience all must be taken into account. Credential based security alone is no longer enough to protect against the relentlessness of today’s most common attacks like account take-over (ATO), fraud, synthetic identity fraud, phishing lures and credential stuffing.
When it comes to managing security risk, defending against attacks is only the beginning. Current and emerging compliance mandates, including GDPR and PSD2, are also raising the stakes. And despite large security investments, many “secondary authentication” solutions create more problems than they solve. Attempting to divine authentication’s potential effects on business enablement and organizational security in this environment is hardly easy, but it’s not impossible.
How deep authentication helps enable digital transformation
Every organization is moving toward digitalization in one way or another, whether to increase resource efficiencies, find new revenue verticals, or cut costs, and authentication plays a role. Moving from more traditional channels into the digital cyber world doesn’t remove the security issues that authentication aims to address, in fact it becomes even more complex.
In the early stages of digital transformation, authentication costs were relatively high. Many organizations began using physical security tokens to authorize users. The tokens themselves however represented only a fraction of the overall security spend. Investment in infrastructure, like call centers, was necessary to manage both token allocation and replacement, should they be lost or their batteries run out.
Transparent and frictionless software approaches have a much smaller cost of total ownership than legacy tokens, and better returns. Typically, the more complex the security, the more it may impair the user experience and the less it will be used as a result. As digital transformation puts more of an emphasis on a seamless user experience, removing any barriers to that becomes increasingly important. Suddenly, practitioners must consider things beyond security with an emphasis on digital transformation business success.
Businesses will need to introduce more frictionless authentication to truly achieve success in the next iteration of digital transformation. This means taking the onus of security off the consumer – whether via complex password rules or tokens – and putting it back on the fraud and security specialists where it belongs. Removing the internal and external challenges that prevent users from trusting and using digital applications will be essential to businesses increasing market share and gaining access to new and previously unavailable markets.
The indirect impact of breaches
Breaches and digital transformation seem to go hand in hand. While consumers don’t necessarily hate passwords, they do dislike the management of them. Password policies meant to ensure secure access often have the opposite effect. The more strenuous they are, the more likely users will repeat these passwords across multiple applications and breaches will result. Security practitioners need to work off the assumption that user credentials will be stolen or lost and add extra layers of security – like behavioral biometrics among other two-factor (2FA) and multifactor authentication (MFA) technology – to reduce the overall value of pilfered passwords.
Account take-over (ATO) prevention
Fraudsters have organized and automated the use of breached credentials to attack and gain access to systems quickly with an arsenal of tools and people to use them. While modern networks have a multitude of advantages to those of 20 years ago, they do make it easier to create the infrastructure necessary for this kind of large scale, often successful criminal operations. Still, when the right security procedures and technology are in place, attackers are going to go somewhere else to get the job done.
The most cost effective cyber attacks continue to rely on human weaknesses and social engineering. After all, simply fooling someone is a lot cheaper than building a complex attack infrastructure. On the other hand, the type of lock used should match the value of the data, and passwords are pretty cheap. If we’re going to continue to ask consumers to safeguard their security with easily stolen credentials, we must put extra practical protection mechanisms in place to make them more useful. Ones that detect abnormalities in user behavior (pages not normally visited, transactions not commonly performed) or unusual patterns when compared to the population overall.
PSD2 and strong customer authentication (SCA)
PSD2, the second Payment Services Directive (PSD) will come into full effect throughout the European Union on September 14. PSD2 aims to provide consumers with greater transparency, particularly around data transfer and collection. Among other provisions, demands businesses institute stronger identity checks for online payments.
While still early days, PSD2’s stringent requirements mean it’s likely to become the gold standard for developing frameworks with strong authentication procedures. Companies with large operations overseas and cloud based global infrastructure are likely to prefer a one size fits all approach, quickly driving its adoption outside the EU where it’s currently leading. Many of our own customers have endorsed the benefits of behavioral biometrics toward ensuring they remain compliant with these new payment provisions. As PSD2 standards find their way into the way systems are built and designed throughout the world, behavioral biometrics are likely to follow.
Interested in learning more? Listen to myself and Behaviosec CEO Neil Costigan as we tackle these questions and more in our webinar “The State of Authentication”.
BehavioSec Platform Recognized with 2019 Tech Ascension Award