The inherent challenges of confirming a person’s identity remotely are nothing new. From the days of letter writing, businesses have struggled to find sure-fire methods for ensuring that the person they are working with is, in fact, who they claim to be. At one time, signatures, notaries, and phone calls all worked to verify identities to prevent fraud. For the most important transactions, this process was managed in person. Technology has changed all of that.
Today, 26% of all business in the U.S. is transacted online and more than 28 million people are working remotely. This makes Identity and Access Management (IAM), and strong authentication in particular, essential to the operations of any organization. Ensuring that the right people are accessing the right data at the right time builds the confidence companies need to feel secure. When an organization can't tell who is accessing its networks, data, or systems, it leaves itself open to fraud, data leaks, and attacks such as ransomware, phishing, and account takeovers.
How can enterprises truly know who is behind the screen?
First Piece: Adding Layers of Security
Multi-factor authentication (MFA) has become a standard practice for most organizations looking to secure their data and applications against cyber-attacks. By requiring more than a single authentication method, MFA prevents approximately 90% of breaches.
When implementing a strong MFA strategy, it's important to have all the right layers in place. Authentication methods fall into three main categories — something you know, something you have, and something you are. Passwords are the prime example of something you know: a secret the user shares with the organization to prove their identity. But passwords are weak. The next layer of authentication needs to be more stringent, something that can't be hacked or phished as easily.
Something you have is the second category. These methods require that a particular device, like a smartphone, be present in order to authenticate a user. Most users will be familiar with one-time passwords (OTPs): codes sent directly to a user's device to prove that the device's owner is the person being authenticated. Something you have adds a stronger factor to a password-based system, but ultimately it confirms the presence of a device rather than the identity of an individual.
And this leads us to something you are. A biometric like a palm scan or fingerprint authenticates with something that can't be phished, stolen, or handed over. When enrollment and matching are centralized, as in Identity-Bound Biometrics (IBB), organizations can bind the template on file directly to something unique to that individual. This visibility into "something you are" gives a company a key piece of information — they know beyond doubt which person is performing which action and when.
Second Piece: Context is King
The next step in piecing together a robust authentication strategy is to go beyond traditional MFA and look at the context of an authentication attempt. Adaptive authentication is a risk-based approach to verifying a user's identity. For example, if a user is authenticating from their own device, on their home network, during business hours, that is likely a legitimate attempt by an employee to access the company's network. The same cannot be said if the same login method is used at midnight, halfway around the world, on an unknown device.
There is a litany of metrics to measure when assessing risk. Geolocation allows organizations to filter authentications by location, and device data can keep unknown devices from gaining access. One of the most advanced methods available is behavioral biometrics. Rather than measuring something like a fingerprint, these track behaviors such as keystroke dynamics, mouse-use characteristics, and screen pressure to detect whether the person being authenticated is acting like themselves. By weighing all of these factors when assessing an authentication attempt, it becomes clear when something out of the ordinary is happening, and the system can prompt more rigorous methods to verify that the attempt is legitimate. This also relieves the authentication methods themselves from being the only layer of risk reduction.
Third Piece: Continuous Authentication
The final piece of the puzzle is how often a user is authenticated after their initial login. Using contextual methods, organizations can continuously watch for anomalous behaviors that warrant rechecking a person's identity after that first login. This gives organizations dynamic authentication driven by the person's actions and by the varying level of risk those actions create.
If a person logs in at their office in Chicago and then suddenly completes an action from San Diego, the system can prompt another authentication. If a user is checking their bank account balance after logging in with a password and OTP, that's sufficient. However, if they decide to start transferring funds, a method like using Identity-Bound Biometrics to scan their fingerprint, which ties the act directly to the person's identity rather than just their device and password, may be more appropriate.
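The adaptive and continuous checks described in the last two sections, as an added illustration that is not code from the original post or from any IBB product: a small policy engine where each action has a baseline assurance level, contextual signals (impossible travel, unknown device, off-hours) can only raise that level, and a session that does not meet it is told which step-up to complete. The level names, the action table, the 900 km/h travel threshold, and the Chicago and San Diego coordinates are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Assurance levels a session can hold, ordered by strength (names are assumptions).
PASSWORD, OTP, BIOMETRIC = 1, 2, 3
LEVEL_NAMES = {PASSWORD: "password", OTP: "otp", BIOMETRIC: "biometric"}

# Baseline level each action demands (constructed policy table mirroring the text:
# reading a balance is fine on password+OTP, moving money wants a biometric).
ACTION_RISK = {"view_balance": OTP, "transfer_funds": BIOMETRIC}

@dataclass
class Session:
    user: str
    level: int            # strongest assurance level proven so far in this session
    last_loc: tuple       # (lat, lon) of the last accepted event
    last_time: datetime   # time of the last accepted event
    known_device: bool    # device fingerprint matched an enrolled device at login

def distance_km(a, b):
    """Great-circle distance in km between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def required_level(session, action, loc, when, known_device, max_kmh=900):
    """Assurance level the policy demands for this event: the action's baseline,
    raised (never lowered) by contextual risk signals."""
    need = ACTION_RISK.get(action, OTP)
    hours = max((when - session.last_time).total_seconds() / 3600, 1 / 60)
    if distance_km(session.last_loc, loc) / hours > max_kmh:
        need = max(need, BIOMETRIC)   # faster than a plane: impossible travel
    if not known_device:
        need = max(need, OTP)         # unknown device: prove possession at least
    if not 8 <= when.hour < 18:
        need = max(need, OTP)         # outside business hours
    return need

def authorize(session, action, loc, when, known_device=True):
    """Return 'allow', or the step-up the caller must complete before retrying.
    A successful step-up should raise session.level, after which the same call passes."""
    need = required_level(session, action, loc, when, known_device)
    if session.level >= need:
        session.last_loc, session.last_time = loc, when   # accept and move the baseline
        return "allow"
    return "step_up:" + LEVEL_NAMES[need]
```

Note that a denied event does not move the session's location baseline, so an attacker who fails the step-up cannot "teach" the session a new location.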
As organizations piece together authentication strategies, they need to match the risk of an action with the rigor of the method used to verify the person's identity. This means having a number of different authentication methods ready to use, understanding the context of the attempt, and having a landscape of data to paint a picture of safe behaviors and red flags. Technology has opened up a plethora of methods to assess what makes a person unique — and to tie those unique qualities to their digital identity. Put all of these pieces together and a picture forms of a user that is immutably them.