1 Executive Summary
Enterprises of all sizes and types experience cyber-attacks daily. Financial information, PII, patient health information, government data, and intellectual property all are targets of these attacks. If digital identity is the new perimeter, then authentication is the gateway. Password-based authentication is still pervasive but grossly inadequate to mitigate contemporary cybersecurity risks.
Data owners and security administrators have differing needs for securing the resources under their watch. Practitioners must consider a variety of regulatory regimes, including GDPR and PSD2 in the EU, HIPAA and SOX in the US, and industry mandates such as PCI DSS that apply wherever payment card data is handled. Enterprise policies also drive data protection; for example, organizations must protect their intellectual property. In today's global marketplace, however, companies, non-profits, and other institutions must secure data inside their own networks while also collaborating safely with other enterprises across security domain borders and embracing SaaS and IaaS. Organizations also need to integrate mobile devices with client-server, web, and cloud-based infrastructures, because users want to fully employ their mobile devices for everyday work.
In most cases, authorization and access control are predicated upon authentication, i.e. determining if the subject is who/what it purports to be. Regulations and policies often stipulate the level of authentication assurance that is necessary for certain types of actions to be performed on systems and data.
The problems with username/password authentication are well-known. Both usernames and passwords are easily and often forgotten. Password resets are expensive, in terms of both help desk costs and lost productivity. Passwords are routinely guessed, phished, or cracked from stolen hash databases. Even a password that is long and random provides no protection once it has been phished, reused on a compromised site, or exposed by a breach of the service that stores it. Telling users to choose complex passwords and to use a different password for every site has proven futile in practice. Many of the cyber-attacks and data breaches that have made the news in recent years involved the perpetrator(s) gaining access to systems and data by compromising usernames and passwords.
Higher assurance authentication is fundamental to reducing risk of fraud and data loss. Stronger authentication techniques also enable greater compliance with policies and regulations.
Fortunately, better alternatives to passwords exist. Many enterprises have deployed smart cards and USB tokens for the highest levels of assurance. Biometric solutions, which use something you are, such as a fingerprint or iris pattern, as the authenticator, are proliferating due to their popularity among users. Out-of-band and step-up authentication and authorization options via mobile devices are becoming more common and are increasingly accepted by users. Thus, the focus of this paper is on the use of biometrics and mobile authentication technologies.