In the past few years, the approach of risk-based authentication has gained in importance, particularly in banking. The goal is to anticipate possible attacks on the basis of information obtained from the fraud detection solutions used during authentication and, in those cases, to decline the authentication.
Another trend focuses on the convergence of physical and logical access control systems, as realized by Imprivata as part of its Single Sign-On solution. Here, too, the user context is the decisive factor, in this case the user location.
Expanding on the topic, we should also see user identity as part of the user context: for example, the user's identity as a private person or as an employee. Further factors are the device he uses, the location from which he uses that device, the strength of the authentication and many others.
On the other side, we have the systems that are accessed. In every application, a large number of different tasks can be permitted to users, depending on the context. This calls for a sound risk assessment across the different scenarios: what size of business transaction is reasonable from a mobile telephone with weak authentication, and what size from an internal client computer with two-factor authentication that is additionally linked to the physical access control system?
And how is this controlled? To what extent does the context, in which actions are carried out, need to be considered?
These questions lead us to the field of context-based authentication and authorization. The topic will be covered in the relevant track of the European Identity Conference 2008, where Dave Kearns will discuss it from different angles.
KCP believes that this is an extremely important approach (http://blogs.kuppingercole.de/kuppinger/). Today's most common but rather vague approach to authentication, which either ignores the context or, at best, adds supplementary measures for VPN access, will be insufficient for addressing the growing GRC requirements and the many other problems still unsolved in this area, as the Société Générale affair has shown.
In our opinion, a series of important fields of further development should be addressed:
- Authentication systems built on a flexible, modular concept that can take various context information into account in their decisions and that deliver a standardized assessment of the risk involved in an authentication.
- Applications that take such information into account in their authorization decisions.
- A user-defined Identity Management that allows the user to provide context information easily and flexibly and that enables him to present his own view of his context.
- Auditing approaches that take this into consideration.
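To make the scenario above concrete (the mobile-telephone-with-weak-authentication versus internal-client-with-two-factor-and-physical-access question, and the standardized risk assessment that the first point in the list calls for), here is an added illustration. It is not code from KuppingerCole or from any product mentioned on this page; the context attributes, the risk weights, the transaction limits and the two sample contexts are all constructed for the example. It shows how an authentication system could hand a standardized risk score to an application, how the application could derive a context-dependent transaction limit from it, and how the audit record would carry the context that produced the decision.

```python
"""Context-based authorization illustration.

Added example, not KuppingerCole's code. Every weight, limit and attribute
below is a constructed assumption; a real deployment takes them from the
authentication system's risk assessment and the application's own policy.
"""
from dataclasses import dataclass, asdict
from enum import Enum


class AuthStrength(Enum):
    PASSWORD = 1              # single factor
    TWO_FACTOR = 2            # e.g. password plus one-time token
    TWO_FACTOR_PHYSICAL = 3   # two factors plus a confirmed badge-in at physical access control


@dataclass(frozen=True)
class AccessContext:
    auth_strength: AuthStrength
    managed_device: bool      # company-managed client, as opposed to a private phone
    internal_network: bool    # request originates from the internal network
    fraud_signal: bool        # the fraud detection solution flagged this session


# Constructed weights: how much each contextual factor lowers the risk.
AUTH_WEIGHT = {
    AuthStrength.PASSWORD: 10,
    AuthStrength.TWO_FACTOR: 40,
    AuthStrength.TWO_FACTOR_PHYSICAL: 60,
}

# Constructed policy: (highest risk score admitted, maximum amount in EUR).
TRANSACTION_LIMITS = [
    (10, 1_000_000),
    (30, 100_000),
    (60, 10_000),
    (90, 1_000),
]


def risk_score(ctx: AccessContext) -> int:
    """Standardized risk score from 0 (lowest risk) to 100 (highest risk)."""
    if ctx.fraud_signal:
        return 100  # a fraud detection hit overrides every other factor
    score = 100 - AUTH_WEIGHT[ctx.auth_strength]
    if ctx.managed_device:
        score -= 20
    if ctx.internal_network:
        score -= 15
    return max(0, min(100, score))


def transaction_limit(score: int) -> int:
    """Largest transaction the policy permits at the given risk score."""
    for max_score, limit in TRANSACTION_LIMITS:
        if score <= max_score:
            return limit
    return 0  # nothing is permitted above the last tier


@dataclass(frozen=True)
class Decision:
    allowed: bool
    risk: int
    limit: int
    reason: str


def authorize_transaction(ctx: AccessContext, amount: int) -> Decision:
    """Application-side authorization that consumes the standardized score."""
    score = risk_score(ctx)
    limit = transaction_limit(score)
    if ctx.fraud_signal:
        return Decision(False, score, limit, "session flagged by fraud detection")
    if amount <= limit:
        return Decision(True, score, limit, "amount within limit for this context")
    return Decision(False, score, limit,
                    f"amount {amount} exceeds limit {limit} at risk {score}; stronger authentication needed")


def audit_record(ctx: AccessContext, amount: int, decision: Decision) -> dict:
    """Audit entry that records the context alongside the decision."""
    record = asdict(ctx)
    record["auth_strength"] = ctx.auth_strength.name
    record.update(amount=amount, **asdict(decision))
    return record


# Constructed sample contexts for the two scenarios discussed in the text.
MOBILE_WEAK = AccessContext(AuthStrength.PASSWORD, managed_device=False,
                            internal_network=False, fraud_signal=False)
INTERNAL_STRONG = AccessContext(AuthStrength.TWO_FACTOR_PHYSICAL, managed_device=True,
                                internal_network=True, fraud_signal=False)

if __name__ == "__main__":
    for ctx, amount in [(MOBILE_WEAK, 500), (MOBILE_WEAK, 5_000), (INTERNAL_STRONG, 500_000)]:
        print(audit_record(ctx, amount, authorize_transaction(ctx, amount)))
```

The separation matters: `risk_score` belongs to the authentication system and knows nothing about business transactions, while `authorize_transaction` belongs to the application and only consumes the standardized score. A fraud-detection flag short-circuits to the highest score, which mirrors the refusal described at the beginning of the post, and the audit record keeps the full context so that a later review can reconstruct why a transaction was permitted.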
For enterprises, this is a challenge not only in the field of e-commerce and the protection of intellectual property and other sensitive data, but also with respect to adhering to compliance rules, such as those controlling access to financial data.
We are convinced that the consistent realization of these concepts, put into practice with reasonable effort, will help to solve many of today's IT challenges more easily and more fruitfully. The discussion will continue at the European Identity Conference.