“Organizations continue to face challenges with providing consistent, convenient and secure access from different devices to enterprise, third-party applications and cloud-based services,” according to Gregg Kreizman, VP, Research at Gartner.
“Organizations that proceed with disjointed Identity and Access Management and Enterprise Mobility Management may delay or lose opportunities to provide users with consistent convenient access while adequately protecting the enterprise against threats that increasingly overcome traditional access controls.”
In today’s global and connected world, customers, clients and citizens expect immediate, secure and easy access to business services (for example banking, online shopping and e-government) and to their personal data in order to interact with businesses and governments. Employees, contractors and third-party suppliers likewise expect immediate, secure and easy access to the computer infrastructure, applications and data relevant to their jobs, regardless of location and device, in order to remain productive.
The number of human users has also grown exponentially. Smartphones and tablets continue to evolve. IoT devices (watches, fitness devices, cars, etc.) and mobile applications have joined the demand for connectivity and interaction, multiplying the points of exposure even further.
Traditional credentials (username and password) have also proven to be vulnerable.
As a result, the need for additional access and authentication controls has arisen to assist enterprises in reducing risk without compromising the end user experience.
The term “Authentication” refers to the process of verifying a user’s identity when requesting secure access to IT systems.
Digital authentication takes place when someone or something with a particular known identity (e.g. a user name, a digital certificate, etc.) proves that identity to the system to which access is required.
The person or “thing” must prove exclusive ownership of the identity by presenting information only he, she or it possesses. This can be a password, a biometric trait, a token, etc. Successfully submitting the correct credentials and having them verified by an access control system constitutes the process of authentication, whereupon access is initiated.
Traditionally, “One-Factor Authentication” refers to a username-and-password login, while “Two-Factor Authentication” requires an additional, separate credential to complete the login process. This second credential may be a biometric fingerprint, a hard token or an OTP (a one-time PIN that changes every time the user logs in). “Multifactor Authentication” or “Advanced Authentication” refers to a combination of authentication methods, chosen according to the user, the situation, the device, the location, the user’s role, the data sensitivity and the risk of a particular transaction.
For example, a known user accessing an email application from a desktop inside the workplace, having entered the building through a biometric access control system, may only require one-factor authentication, as the risk to the business is relatively low. A customer accessing his or her banking application from outside the country on an unknown device, on the other hand, would require multifactor authentication (e.g. username and password, an OTP, a security question and voice dialing), as the risk is far greater.
By adapting the level of authentication to the situational risk, organisations can tailor the strength of the user’s authentication experience. Solutions such as Micro Focus’s Advanced Authentication Framework and Access Manager allow the administrator to define context-based policies (for example on the user’s location, device and time of access) that assess the risk of the request. The result is a dynamic balance between simplicity and security, which makes it harder for a malicious person to be accepted as someone he or she is not.
Advanced authentication mechanisms help defeat attackers, simply because defeating multifactor authentication is far more time-consuming than stealing or cracking a single password.
Advanced authentication consists of the following three standard authentication factors:
“Something you know” – knowledge committed to memory, such as a password or an answer to a secret question.
“Something you have” – an item that is owned or carried, such as an access card, a smart card or a token. This equates to an identity document or a driver’s license presented at a bank.
“Something you are” – a physical attribute that can be identified, such as a fingerprint or voice.
Authentication is achieved by combining “something you know”, “something you have” and/or “something you are” in various ways.
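The following is an added illustration of the two ideas above: that the required authentication strength should follow the situational risk of a request, and that a “factor” is a distinct category (know / have / are), so two credentials from the same category do not make a second factor. It is example code written for this article, not Micro Focus’s Advanced Authentication Framework or Access Manager code. The context signals, risk weights, thresholds, credential names and the two sample requests (the office email login and the banking login from abroad) are all constructed assumptions; verifying the credential values themselves is assumed to happen elsewhere.

```python
"""Adaptive multi-factor policy check (added example, not vendor code).

Decides how many DISTINCT factor categories a request must present, based on
a constructed risk score, and checks whether the presented credentials cover
that many categories. Credential verification (password hash, OTP value,
voiceprint) is assumed to be done by another component.
"""
from __future__ import annotations

from dataclasses import dataclass

# Map each credential type to its factor category. Two credentials from the
# same category (password + security question) still count as ONE factor.
FACTOR_OF_CREDENTIAL = {
    "password": "knowledge",           # something you know
    "security_question": "knowledge",
    "otp_token": "possession",         # something you have (token / OTP)
    "smart_card": "possession",
    "fingerprint": "inherence",        # something you are
    "voice": "inherence",
}

# Constructed risk weights for context signals that raise the risk of a request.
RISK_WEIGHTS = {
    "unknown_device": 2,
    "outside_home_country": 2,
    "off_premises": 1,
    "outside_business_hours": 1,
    "sensitive_data": 2,
}


@dataclass(frozen=True)
class AccessContext:
    known_device: bool
    in_home_country: bool
    on_premises: bool
    business_hours: bool
    sensitive_data: bool

    def risk_score(self) -> int:
        """Sum the weights of every risk signal present in this request."""
        signals = {
            "unknown_device": not self.known_device,
            "outside_home_country": not self.in_home_country,
            "off_premises": not self.on_premises,
            "outside_business_hours": not self.business_hours,
            "sensitive_data": self.sensitive_data,
        }
        return sum(RISK_WEIGHTS[name] for name, present in signals.items() if present)


def required_factors(ctx: AccessContext) -> int:
    """Translate the risk score into the number of distinct factor categories
    required (constructed thresholds: low risk 1, medium 2, high 3)."""
    score = ctx.risk_score()
    if score <= 1:
        return 1
    if score <= 4:
        return 2
    return 3


def distinct_factors(presented: list[str]) -> set[str]:
    """Return the set of factor categories covered by the presented credentials."""
    unknown = [c for c in presented if c not in FACTOR_OF_CREDENTIAL]
    if unknown:
        raise ValueError(f"unrecognised credential type(s): {unknown}")
    return {FACTOR_OF_CREDENTIAL[c] for c in presented}


def authorize(ctx: AccessContext, presented: list[str]) -> tuple[bool, int, set[str]]:
    """Check the presented credentials against the policy for this context.
    Returns (allowed, factors_required, factor_categories_present)."""
    need = required_factors(ctx)
    have = distinct_factors(presented)
    return len(have) >= need, need, have


# Constructed scenarios mirroring the article's two examples.
OFFICE_EMAIL = AccessContext(known_device=True, in_home_country=True,
                             on_premises=True, business_hours=True,
                             sensitive_data=False)
BANKING_ABROAD = AccessContext(known_device=False, in_home_country=False,
                               on_premises=False, business_hours=True,
                               sensitive_data=True)

if __name__ == "__main__":
    print(authorize(OFFICE_EMAIL, ["password"]))                       # allowed, 1 factor needed
    print(authorize(BANKING_ABROAD, ["password", "security_question"]))  # refused: both "knowledge"
    print(authorize(BANKING_ABROAD, ["password", "otp_token", "voice"]))  # allowed, 3 categories
```

The point the second scenario makes is the one most often missed in practice: a password plus a security question is still single-factor, because both live in the “something you know” category, so the policy refuses the high-risk banking request until a possession or inherence credential is added.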
Effective authentication has gone from a luxury to a necessity. High-profile stories about online attacks, compromised data, data and identity theft and online fraud dominate the news on a daily basis, resulting in reputational damage to the enterprise and the significant loss of trust and business.
In addition, governments are tightening data protection laws that hold company boards legally liable in the event of data breaches. Companies and governments therefore need to ensure that their authentication solutions are not only resistant to attacks, but also easy to use, flexible and cost-effective.