Thursday 26 September 2013

The Changing Face of User Authentication and the Road to Bring Your Own Identity

I recently presented on an Infosecurity Magazine webinar entitled “How to Make Access to your Sensitive Data More Secure - The Easy Way”.  During my presentation I explored how user authentication is adapting to meet the changes created by a number of linked transformational trends that include cloud computing, mobility and the Consumerisation of IT.

The presentation focused on one of Goode Intelligence’s specialist areas, mobile-based authentication (both the phone as an authenticator and mobile authentication when an IT service is accessed from the mobile device). It also touched on other areas of Identity and Access Management (IAM) and the development of these corresponding areas is vital to the successful transformation of user authentication services (both mobile and non-mobile). It is imperative that we meet the security challenges of the next generation of IT services – to defend the borderless enterprise.

We are increasingly accessing a huge wealth of digital information, both inside and outside of the enterprise network, from a myriad of devices. In this new world of IT, traditional authentication solutions, both single-factor (passwords) and two-factor (smart cards and OTP tokens), have become clumsy, inconvenient and less secure. Password management is a headache: in the main we either write down strong passcodes or re-use passwords that we can easily remember (password management tools do exist). Where traditional two-factor authentication is used, it is often not designed for cloud, mobile or BYOD. Authentication solutions designed for traditional, behind-the-firewall enterprise systems are increasingly ineffective for new, agile IT services.

So what are the alternatives? How do we match convenience and security and ensure identity is successfully proven across a wide variety of different devices (enterprise-issued and employee-owned) accessing many services located on-premise, hybrid and wholly in the cloud?

I believe that we are close to achieving the goal of supporting a much more agile and mobile world of IT service provision with strong, convenient authentication. We know what the problem is and we have many of the building blocks to make this a reality. These building blocks include risk-based authentication (RBA), federated identity, multi-factor authentication and user choice.

Match risk with appropriate security – combining user intelligence with business context
At Goode Intelligence, we are seeing increasing demand for more intelligent forms of authentication, where the choice of authentication method is driven by risk assessed in real time. The financial services sector has been an early adopter of RBA technology, as it has a long history of measuring and managing risk.

RBA matches the most appropriate authentication method to the assessed risk. To be successful in this you must first know who the user is and what they plan to do.

User intelligence can be gathered from a number of inputs, and the mobile device can play an important part in this process. Combined with more active forms of authentication, the device can learn the unique characteristics of its owner: where they are usually located (geo-location), the days and times at which they are normally active, and even how they hold and touch the device (behavioural analysis).

An accurate risk score can be calculated by combining user intelligence with business context. What is the user trying to achieve? Is it a high-value financial transaction to an unknown recipient, or an attempt to access the latest sales data? Based on this risk score, the authentication engine can then choose the most appropriate authentication method to prove identity. A one-time password (OTP) generated by the authentication engine and sent to the user’s registered mobile device via SMS may be sufficient; alternatively, the authentication level may be ‘stepped up’ to a stronger factor – a biometric or even a separate hardware device.

Federated Identity – the road to single sign on and a more frictionless experience
For both enterprise and consumer users the prospect of having to uniquely identify themselves to multiple applications and web services is an onerous task. This is probably why for mobile devices the auto-authenticate option is widely deployed – thumbs up for convenience, thumbs down for security.

Organisations are increasingly turning their attention to identity federation, sometimes referred to as Single Sign-On (SSO), as one way to solve this problem. Identity federation provides a standards-based way to share identity among multiple organisations and applications. Standards include the Security Assertion Markup Language (SAML), the OpenID protocol and WS-Federation.

The benefit to the user is that they only need to authenticate once to access a number of different organisations and applications. Using techniques such as SAML assertions, identity is then shared transparently with other applications. The user is authenticated once, and other application providers can then verify the authenticity of the federated identity presented to them.

Multi-Factor Authentication/Identity Verification and context
Two-factor authentication (2FA) is so last year!

Over the last 24 months we have seen virtually all of the major internet players – Google, Twitter, LinkedIn, Microsoft and Facebook – deploy some form of 2FA (mainly mobile OTP-based). Microsoft was so enamoured of mobile phone-based 2FA that it acquired a vendor, PhoneFactor. 2FA on these networks is usually optional, so it is difficult to gauge how popular these services are outside the InfoSec geek community.

In terms of trends in the authentication market, there is a definite movement towards supporting multiple factors (MFA), sometimes referred to as ‘infinite factors’. This is not necessarily the third factor, often associated with what you are (biometrics). MFA is about allowing a choice of factors and then matching them against context.

I feel that the combination of MFA and contextual awareness is one of the most exciting areas of authentication at the moment, and we expect it to become a standard feature of premium authentication solutions. Many of the authentication vendors, including RSA, Entrust and SecurEnvoy, have already increased the portfolio of factors that can be deployed with their authentication engines, and I believe that the number of factors, and user choice, will increase in the next 12 months. Factors include both traditional – hardware/software tokens and smart cards – and emerging – mobile, biometrics, image-based and behavioural.

The power of having multiple factors at your disposal is multiplied when you add contextual analysis. This is where mobile devices really come into their own as authenticators. Smart mobile devices have many in-built sensors capable of capturing important information about the context of how and where the device is being used: geo-location through a combination of GPS and cellular-network positioning (even more accurate with LTE/4G services), ambient noise levels captured through the microphone (important in voice biometrics), and user identification through the camera and embedded fingerprint sensors (even before Apple’s iPhone 5S and Touch ID, over 20 million smartphones had shipped with fingerprint sensors). All of this contextual information can be captured and then passed on to services that support risk-based and intelligence-based authentication. A relatively accurate identity score can be calculated on a continuous basis and fed into the authentication service. This provides a way of judging whether the authorised owner of the device is the one initiating a service, and of deciding whether additional authentication is required. This is sometimes referred to as step-up verification (although step-up verification is also a part of non-mobile authentication and RBA services).
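The following is an added example, not Goode Intelligence code or any vendor’s product: a small risk-based authentication engine that combines the user-intelligence signals of the RBA section (usual location, active hours, known devices) with business context (what the user is trying to do) and then picks a rung on the step-up ladder described above. The signal weights, score thresholds, action names and the sample profile are illustrative assumptions.

```python
from dataclasses import dataclass

# Business context: base risk of what the user is trying to do (assumed weights).
ACTION_RISK = {"balance_enquiry": 10, "view_sales_data": 30, "funds_transfer": 50}

@dataclass(frozen=True)
class UserProfile:
    """User intelligence learned over time: location, active hours, devices."""
    usual_countries: frozenset
    active_hours: range          # local hours in which the user is normally active
    known_devices: frozenset     # device identifiers the user has enrolled

@dataclass(frozen=True)
class Request:
    country: str
    hour: int
    device_id: str
    action: str
    recipient_known: bool = True  # only meaningful for funds_transfer
    amount: float = 0.0

def risk_score(profile: UserProfile, req: Request) -> int:
    """Combine user intelligence with business context into a 0-100 score."""
    score = ACTION_RISK.get(req.action, 40)   # unknown actions get a medium base
    if req.country not in profile.usual_countries:
        score += 30                            # geo-location anomaly
    if req.hour not in profile.active_hours:
        score += 10                            # unusual time of day
    if req.device_id not in profile.known_devices:
        score += 20                            # unrecognised device
    if req.action == "funds_transfer":
        if not req.recipient_known:
            score += 20                        # payment to an unknown recipient
        if req.amount >= 1000:
            score += 10                        # high-value transaction
    return min(score, 100)

def choose_method(score: int) -> str:
    """Map the score to the step-up ladder the post describes, weakest first."""
    if score < 25:
        return "session"         # existing session suffices, no step-up
    if score < 55:
        return "sms_otp"         # OTP sent to the registered mobile device
    if score < 80:
        return "biometric"       # stepped up to a biometric factor
    return "hardware_token"      # stepped up to a separate hardware device

def decide(profile: UserProfile, req: Request) -> tuple:
    score = risk_score(profile, req)
    return score, choose_method(score)
```

In a real deployment the profile would be learned continuously from the device signals listed above rather than hard-coded, and the weights tuned against observed fraud.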

User choice – The road to Bring Your Own Identity (BYOI)?
We have bring your own device/platform/software... Is it time for bring your own identity? Let the user choose the most convenient and secure way to protect their digital assets. People decide how best to protect their property and their cars, so why not let them choose how to protect their digital lives?

I feel that we are already seeing evidence of this with internet passports, e.g. Facebook ID and Google Authenticator, that allow registered users to authenticate to other services which accept authentication from the passport provider. For instance, if I choose to, I can use my Facebook ID to authenticate to my Spotify streaming music service.

The big question is whether this will expand to services that are more sensitive, i.e. that carry more risk. Will my bank allow me to use my Google Authenticator to log in to its internet banking service and then transfer funds out of the account? Does the bank trust credentials issued by a social network? Possibly not for funds transfer, but what about a balance enquiry? Step-up verification could be used when I want to transact or to request an increase to my overdraft limit.


Alternatively, what if a universal digital ID were issued by a government and managed by a trusted authentication service provider? I wouldn’t discount it, but we are at the early stages of BYOI, and perhaps initiatives such as the FIDO Alliance, Open Identity and the GSMA’s Mobile Identity Programme may help provide the plumbing to support it.

Alan Goode September 2013 
