Contextual authentication – coming soon to a portal near you
The struggle to balance security and convenience is getting easier
If we’ve learned anything from the mega-breaches reported over the past five years, it’s that passwords are not the best means of security. But for now, passwords are a necessary evil. They are too embedded in legacy systems and ingrained in our Internet experience to eliminate overnight. But that could be changing, and sooner than you think.
According to Statista, approximately 64 percent of users will access online content through their mobile phones, and in a recent report by Ericsson, almost 70 percent of the world’s population will have smartphones by 2020.
Given this growing proliferation, many are now looking at using mobile devices to enhance or replace passwords as the primary authentication mechanism for consumer portals and mobile apps, leveraging out-of-band one-time passwords (OTP), push notifications, device fingerprinting, and biometrics.
Balancing security with user convenience
Each authentication mechanism has advantages and disadvantages, and each organization will need to weigh these to determine which works best for their users. In some cases, the answer may be a combination of authentication for different use cases – for example, out-of-band OTP for password reset and push notification for step-up authentication.
The trick will be to adopt a holistic approach that supports multiple authentication credential types, which can be deployed on a case-by-case basis. In addition, the challenge is not only where or when to implement these alternative forms of authentication, but how often you can use them without burdening your users.
A perfect example is Apple. While I love its products, its new security measures drove me crazy. Why did I need to authenticate every time I downloaded a new app? I could understand the authentication when there was a cost to the app, but why the need to authenticate me for a free app?
To make matters worse, once you authenticated, it kept your “authorization” open for a while. I cannot tell you how many coins or points my son, who at the time was three years old, accidentally bought after I purchased a new app for him.
Apple has since changed this, but for the consumer it was frustrating. Apple was lucky in that many consumers were not going to switch over to Android just because of the authentication process. But can you say the same for your users? Will they remain loyal and continue to use your site or mobile app if you make the authentication process cumbersome?
User behavior and context take center stage
This is why it’s time for contextual authentication to have a seat at the table. I was dismayed to see that the Forrester global password survey did not include risk-based analysis and user behavioral profiling as potential options for enhancing or replacing passwords.
The value of any type of stronger login credential is exponentially increased when it is front-ended with some intelligence. Understanding legitimate users’ usage and behaviors means that when they are acting within known and expected patterns, we can allow them to access applications and data unimpeded; when they are not, we can then challenge them with the credential or technology of our choice.
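As an added illustration of the decision logic described above (not code from the original post or from any product), the following scores a login attempt against a constructed profile of a user’s known devices, countries and hours, and maps the score to allow, step-up challenge, or deny. The weights, thresholds and the sample user are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed profile of "known and expected" behavior for one user.
# Weights and thresholds below are illustrative assumptions, not a standard.

@dataclass(frozen=True)
class UserProfile:
    known_devices: frozenset     # device fingerprints seen on earlier logins
    usual_countries: frozenset   # countries the user normally logs in from
    usual_hours: range           # local hours during which logins are typical

@dataclass(frozen=True)
class LoginContext:
    device_id: str
    country: str
    hour: int                    # 0-23, local time of this attempt
    failed_attempts_last_hour: int

def risk_score(profile: UserProfile, ctx: LoginContext) -> tuple:
    """Score how far this attempt deviates from the user's known patterns."""
    score, reasons = 0, []
    if ctx.device_id not in profile.known_devices:
        score += 40
        reasons.append("unknown device")
    if ctx.country not in profile.usual_countries:
        score += 30
        reasons.append("unusual country")
    if ctx.hour not in profile.usual_hours:
        score += 10
        reasons.append("unusual hour")
    if ctx.failed_attempts_last_hour >= 3:
        score += 30
        reasons.append("recent failed attempts")
    return score, reasons

def decide(profile: UserProfile, ctx: LoginContext) -> str:
    """Allow unimpeded when in-pattern; otherwise step up or deny."""
    score, _ = risk_score(profile, ctx)
    if score < 20:
        return "allow"        # expected behavior: no extra friction
    if score < 70:
        return "challenge"    # step-up, e.g. push notification to the enrolled phone
    return "deny"             # too far off-pattern to trust any single credential

# Constructed sample user (assumption): one known device, logs in from the US, 07:00-22:59.
ALICE = UserProfile(frozenset({"dev-a1"}), frozenset({"US"}), range(7, 23))

if __name__ == "__main__":
    print(decide(ALICE, LoginContext("dev-a1", "US", 9, 0)))   # allow
    print(decide(ALICE, LoginContext("dev-zz", "US", 9, 0)))   # challenge
    print(decide(ALICE, LoginContext("dev-zz", "DE", 3, 4)))   # deny
```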
Rating your authentication views
I worked with a great sales manager who used to say that some things are interesting and some are important. How do you view contextual authentication for your organization? Is it interesting or important? To help you answer this question, ask yourself:
User login credentials are being compromised every day. The Verizon 2015 Data Breach Investigations report showed that 95 percent of Web incidents were the result of a hacker harvesting authentication credentials and then using them to log into web apps.
If the risk of compromised credentials for your organization is minimal, then maybe simple passwords are fine. But if the risk is high, then the time is right for contextual authentication.
Find out more about how contextual authentication can help verify a user’s identity without getting in the way in this new YouTube video. And stop by booth #3109 at the RSA Conference next week to see a demo.