Online security in the 21st Century: Thinking beyond the password

John Barco, VP global product marketing at ForgeRock

John Barco, VP global product marketing at ForgeRock discusses how online security is increasingly moving away from password-based security towards more progressive identity-centric solutions fit for the 21st century.

Every internet user is familiar with the traditional username and password approach to online security, but for some time it has been apparent that it’s no longer enough to keep sensitive information safe. The growing prevalence of sophisticated phishing attacks makes it all too easy for criminals to acquire and abuse user login details, putting the internet at their mercy if a new security approach isn’t adopted. For businesses everywhere, this threat has forced them to rethink how they protect user information without compromising on usability or the overall customer experience.

Does mobile hold the key?

The mass adoption of mobile around the world presents one of the best opportunities to raise the online security game. By harnessing this existing installed base, businesses can adopt two-factor or multi-factor authentication systems without having to provide the secondary devices at their own expense.

Under these systems, traditional usernames and passwords remain the first line of authentication, but a second factor (typically a unique code sent to a mobile device) is also needed to gain access to the accounts. Multi-factor authentication can also be used to add a further biometric layer if needed.

Fortunately for consumers, all signs indicate that the days of simple username and password-based security are numbered. Mobile-based two-factor authentication is taking over as the new normal in areas such as online banking and shopping. However, even this approach is not completely without risk.

With a growing volume of malware specifically targeting smartphones, criminals are clearly adapting their approach in response to the adoption of more robust security. Such malware can be used to scrape verification codes directly from the device if they are sent over a data network. User experience is also a concern, as many consumers do not like having to enter multiple passwords each time they want to access online accounts.

One solution is to adapt the two-factor process to use push authentication, increasing security without impacting the customer experience as heavily. The first time a consumer signs into a website, they are asked to scan an on-screen QR code with their mobile device. This creates an ID tether between the user and the device.

With the tether created, the next time the user logs in a push notification is sent to their device and all they have to do is tap ‘approve’ in order to proceed. Importantly, these messages are usually sent using a different network, the cellular network most often, making interception by malware or other criminal monitoring of data activity more difficult.

The next evolution: behaviour-based monitoring

As robust as multifactor authentication is becoming, it is still fundamentally a lock-and-key approach. This means that once someone is through the front door (i.e. they have gained access to the account), there are few obstacles between them and the data. By contrast, adaptive risk authentication and continuous security approaches take a more ongoing view of online security, meaning the front door is not the only line of defence.

What does this mean in practice? Adaptive risk authentication creates a score of user behaviour based on key criteria such as IP address, device ID, number of failed login attempts etc., in order to establish if it is consistent with established ‘normal’ behaviour patterns.

Any deviations result in a higher risk score, which triggers further security questions, re-authentication, or if necessary, the removal of the token assigned to the online session. Importantly from a user experience perspective, the algorithms responsible for scoring each session run silently in the background, meaning the user is only made aware of them if their behaviour is deemed to be suspicious.
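As an added illustration of the scoring loop described above (this is example code, not ForgeRock's product logic), the following scores a login attempt against a per-user baseline on the criteria the article names and maps the score to the three outcomes it lists; the weights, thresholds and sample baseline are assumed values.

```python
# Added example (not ForgeRock's code): a minimal adaptive risk scorer.
# It compares a login attempt against a per-user baseline of 'normal' behaviour
# on the criteria the article names (IP address, device ID, failed attempts)
# and maps the resulting score to an action. Weights and thresholds are assumed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

WEIGHTS = {"unknown_device": 40, "unknown_network": 25, "failed_attempt": 10}
STEP_UP_THRESHOLD = 40  # at or above: ask further questions / re-authenticate
REVOKE_THRESHOLD = 70   # at or above: remove the token assigned to the session

@dataclass
class Baseline:
    """What 'normal' looks like for one user, learned from past sessions."""
    known_devices: set = field(default_factory=set)
    known_networks: list = field(default_factory=list)  # ip_network objects

@dataclass
class Attempt:
    ip: str
    device_id: str
    failed_attempts: int  # failed logins already seen in this session

def risk_score(baseline: Baseline, attempt: Attempt) -> int:
    """Return a 0-100 score; each deviation from the baseline adds weight."""
    score = 0
    if attempt.device_id not in baseline.known_devices:
        score += WEIGHTS["unknown_device"]
    addr = ip_address(attempt.ip)
    if not any(addr in net for net in baseline.known_networks):
        score += WEIGHTS["unknown_network"]
    # Cap the failed-attempt contribution so brute force cannot swamp the scale.
    score += min(attempt.failed_attempts, 3) * WEIGHTS["failed_attempt"]
    return min(score, 100)

def decide(score: int) -> str:
    """Map the score to the three outcomes the article describes."""
    if score >= REVOKE_THRESHOLD:
        return "revoke_session"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"

def evaluate(baseline: Baseline, attempt: Attempt) -> tuple[int, str]:
    """Score one attempt and return (score, action) for the session handler."""
    score = risk_score(baseline, attempt)
    return score, decide(score)

# Constructed sample baseline: one known device on a documentation-range home network.
HOME = Baseline(known_devices={"dev-A"}, known_networks=[ip_network("192.0.2.0/24")])
```

A known device on a known network scores 0 and is allowed silently; a new device alone reaches the step-up threshold, and a new device from an unknown network with a prior failure crosses the revoke threshold.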

Usernames and passwords still have a place online but they are no longer enough when used in isolation. Adding advanced security – such as multifactor authentication, adaptive risk and continuous security – is becoming table stakes for business today. Ultimately, even the most robust lock-and-key solutions will give way to more progressive behaviour-based monitoring, as businesses use the technology at their disposal to stay one step ahead of online criminals.

The author of this blog is John Barco, VP Global Product Marketing at ForgeRock.
