Managing access to your applications, infrastructure and data can no longer be done exclusively at the network level. With the adoption of cloud services and remote working, ensuring the right people have access to the right resources at the right time mostly comes down to one thing: securing identity, efficiently and frictionlessly. Today, in honor of Cybersecurity Awareness Month, we will examine how to use identity to address the challenges associated with identity theft and attacks.
While passwords have played a role over the last couple of decades, the modern enterprise ecosystem and the constantly evolving threat environment have made moving to a modern authentication and authorization program a must. However, finding the right balance between securing access and offering a good user experience is essential. Workforce users and consumers are nowadays familiar with 2FA (two-factor authentication) as part of their authentication journey. However, if they are subjected to it too often, the post-adoption user and consumer experience degrades quite rapidly. A modern Access Management and Authentication solution should step up the authentication requirement only when needed, while ingesting as many signals as needed to frictionlessly identify, authenticate and authorize the user. A user connecting to his workplace environment at the coffee shop using his personal device should not be given the same Dynamic Level of Assurance (DLOA) as the same user connecting to the same application with his company workstation at the office. On the other hand, a sales engineer who is always traveling should experience less friction when accessing his applications with a trusted device.
Contextual information such as a user’s geolocation, network reputation, the user-agent’s fingerprint and the device should allow the Access Management and Authentication solution to compile a risk score associated with the access request, so that it can dynamically and continuously secure the business applications. Conditional access models such as attribute-based (ABAC) or role-based (RBAC) access control can then be coupled with the analytics engine to ultimately provide the best of both worlds: ease of use and security.
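The following sketch is an added example, not code from any product mentioned here. It shows how the contextual signals above could be combined into a risk score that decides between allowing access, stepping up authentication, or denying it. The field names, weights and thresholds are hypothetical values chosen for illustration.

```python
from dataclasses import dataclass

# Hypothetical weights and thresholds; a real deployment would tune these.
WEIGHTS = {"unmanaged_device": 35, "unknown_fingerprint": 20,
           "untrusted_network": 25, "unusual_location": 20}
STEP_UP_AT, DENY_AT = 40, 90

@dataclass
class AccessContext:
    device_managed: bool         # company-issued workstation
    device_trusted: bool         # device already bound to this user
    fingerprint_known: bool      # user-agent fingerprint seen before
    network_reputation: float    # 0.0 (bad) to 1.0 (good)
    location_usual: bool         # geolocation matches the user's pattern
    travels_often: bool = False  # user attribute (ABAC), e.g. sales engineer

def risk_score(ctx: AccessContext) -> int:
    score = 0
    if not (ctx.device_managed or ctx.device_trusted):
        score += WEIGHTS["unmanaged_device"]
    if not ctx.fingerprint_known:
        score += WEIGHTS["unknown_fingerprint"]
    score += round(WEIGHTS["untrusted_network"] * (1.0 - ctx.network_reputation))
    if not ctx.location_usual:
        # A frequent traveller on a trusted device is expected to move around,
        # so the location signal counts for less instead of forcing MFA.
        dampened = ctx.travels_often and ctx.device_trusted
        score += WEIGHTS["unusual_location"] // (4 if dampened else 1)
    return score

def decide(ctx: AccessContext) -> str:
    score = risk_score(ctx)
    if score >= DENY_AT:
        return "deny"
    return "step_up" if score >= STEP_UP_AT else "allow"

# Constructed sample requests mirroring the scenarios in the text.
OFFICE = AccessContext(True, True, True, 1.0, True)
COFFEE_SHOP = AccessContext(False, False, False, 0.4, True)
TRAVELLER = AccessContext(True, True, True, 0.6, False, travels_often=True)
UNKNOWN = AccessContext(False, False, False, 0.0, False)

if __name__ == "__main__":
    for name, ctx in [("office", OFFICE), ("coffee shop", COFFEE_SHOP),
                      ("traveller", TRAVELLER), ("unknown", UNKNOWN)]:
        print(f"{name}: score={risk_score(ctx)} decision={decide(ctx)}")
```

Only the coffee-shop request triggers a second factor, which is the point of stepping up on risk rather than on every login.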
Challenges with Modern Authentication
We see users struggling with “MFA fatigue” due to the overuse of multi-factor authentication (MFA). The average user is asked to authenticate over 17 times daily because of stovepiped systems that result in inconsistent processes for the end user. These systems don’t share authentication information among different stovepipes, and timeout periods force the user to authenticate repeatedly. This MFA fatigue means users start taking shortcuts, making them vulnerable to hackers and compromising security.
Another issue is “push fatigue”. From news to social apps, the sheer number of times a user is pinged on their device can inadvertently result in hackers taking advantage of this. Again, user experience suffers and security is negatively impacted. In response, I suggest organizations deploy invisible authentication. By leveraging the power of modern analytics, invisible MFA can provide greater security at authentication. Passwordless and biometric options can be a game changer in this respect: AI/ML can perform thousands of back-end checks in seconds, continuously authenticating through digital fingerprint matching and peer review. This will reduce the significant cost of resets and help desk assistance and, more importantly, avoid the creation of attack vectors, like legacy MFA pushes, that are all too easily exploited by hackers.