The threats to organizations from data theft, ransomware and other forms of crime continue to increase. Organizations need to be vigilant and take appropriate precautions to reduce the risk of both physical and cyber-attacks succeeding. One critical area that needs to be addressed is how individuals and devices prove that they are who they claim to be; this is authentication.
Identity and access management encompasses a range of processes and technologies that are intended to ensure that only authorized people and devices can access the physical and logical infrastructure to which they are entitled. The processes include the vetting of individuals, issuing of credentials, authentication, authorization and monitoring as part of a complete lifecycle management process. One area that needs careful attention is authentication.
Approaches and technologies for authentication have evolved considerably in recent years; however, the use of usernames and passwords, while known to be weak, is still common. Authentication methods fall into three categories of factor:
- Something you know – a password or PIN.
- Something you have – a token, smart card or, increasingly, a mobile device.
- Something you are – a biometric such as a fingerprint.
Mutual authentication extends the process so that the user (or client) also gains confidence that the system they are connecting to is genuine, so their credentials are not handed to a fraudulent or spoofed site. It is typically a challenge-response exchange: each side sends the other a random number (a nonce) and proves possession of its own private key by signing or decrypting the challenge, which the peer checks against a trusted public key. Where both sides hold PKI-issued X.509 certificates, as in mutually authenticated TLS, this is built into the handshake; note that the common TLS configuration in which only the server presents a certificate authenticates the server alone, and the user is still authenticated by whatever happens inside the tunnel.
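The exchange described above, written out as an added example (not code from the original article) in Go using the standard library's Ed25519: each side issues a nonce, the server signs first, and the client signs only after the server's proof verifies, so a spoofed server never receives a client signature. Signatures are used in place of the "random number encrypted with public and private keys" wording; the signed transcript binds both names, both nonces and a role tag so a proof cannot be replayed in another session or reflected back at its author. Peer public keys are pinned directly here rather than taken from an X.509 certificate chain, and the party names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// party is one side of the exchange: its own long-term Ed25519 key pair and
// the public key it trusts for the peer. With PKI, peerPub would be taken from
// an X.509 certificate validated back to a trusted CA; here it is pinned.
type party struct {
	name    string
	priv    ed25519.PrivateKey
	pub     ed25519.PublicKey
	peerPub ed25519.PublicKey
}

func newParty(name string) *party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &party{name: name, priv: priv, pub: pub}
}

// nonce returns 32 random bytes; the freshness of the challenge is what
// prevents a recorded proof from being replayed.
func nonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// transcript is the message each side signs: a version string, the signer's
// role, both identities and both nonces. The role tag stops a server proof
// being reflected back as a client proof and vice versa.
func transcript(role, clientName, serverName string, cn, sn []byte) []byte {
	msg := []byte("mutual-auth-v1|" + role + "|" + clientName + "|" + serverName + "|")
	msg = append(msg, cn...)
	return append(msg, sn...)
}

// mutualAuth runs the challenge-response exchange and reports whether each
// side accepted the other. Order matters: the server proves itself first.
func mutualAuth(client, server *party) (serverOK, clientOK bool, err error) {
	// 1. client -> server: client name and client nonce (the client's challenge).
	cn := nonce()

	// 2. server -> client: server nonce plus a signature over the transcript.
	sn := nonce()
	serverProof := ed25519.Sign(server.priv, transcript("server", client.name, server.name, cn, sn))

	// 3. client verifies the server's proof against the pinned server key.
	//    On failure it stops here and never signs anything for the peer.
	if !ed25519.Verify(client.peerPub, transcript("server", client.name, server.name, cn, sn), serverProof) {
		return false, false, errors.New("client: server proof rejected, credentials withheld")
	}
	serverOK = true

	// 4. client -> server: the client's own signature; server verifies it.
	clientProof := ed25519.Sign(client.priv, transcript("client", client.name, server.name, cn, sn))
	if !ed25519.Verify(server.peerPub, transcript("client", client.name, server.name, cn, sn), clientProof) {
		return serverOK, false, errors.New("server: client proof rejected")
	}
	return true, true, nil
}

func main() {
	c, s := newParty("alice"), newParty("api.example.test")
	c.peerPub, s.peerPub = s.pub, c.pub
	fmt.Println(mutualAuth(c, s)) // true true <nil>

	// A spoofed server using the genuine name but its own key pair fails step 3.
	spoof := newParty("api.example.test")
	spoof.peerPub = c.pub
	fmt.Println(mutualAuth(c, spoof)) // false false client: server proof rejected, ...
}
```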
The latest mobile devices include a TEE (Trusted Execution Environment) or a separate secure element. These can generate and hold private keys in hardware so that the keys cannot be exported by the operating system or by applications, which lets the device take on the role a smart card plays for authentication. FIDO (Fast Identity Online) builds on this: a hardware-backed private key signs a challenge from the relying party, and the key never leaves the device. Fingerprint readers on such devices are typically used to unlock that key locally, so the biometric itself is never transmitted to the server; they add confidence that the person holding the device is its owner.
MFA (Multi-Factor Authentication) increases assurance by combining two or more methods from different categories (a password plus a second password is not MFA). Adaptive, or risk-based, authentication goes further by adjusting the level of assurance demanded to the risk of the particular transaction. Signals such as the physical location, time of day and device being used are not authentication factors in themselves, but they are evidence used to decide whether the current session needs a further step-up. NIST SP 800-63B defines the Authenticator Assurance Levels (AAL1 to AAL3) provided by different forms of authentication.
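An added example, not from the original article, of how such a risk-based policy can be expressed: the Go program below scores a login attempt from the contextual signals the paragraph names (device, location, time of day, transaction value) and decides whether a password alone is acceptable, whether MFA is required, or whether a phishing-resistant hardware authenticator must be demanded. The weights, thresholds, user profile and login attempts are constructed for illustration; a real deployment tunes them from its own incident data.

```go
package main

import "fmt"

// LoginContext holds the signals observed for one authentication attempt.
type LoginContext struct {
	User           string
	DeviceID       string
	Country        string
	HourLocal      int // 0-23 in the user's local time zone
	TransactionUSD int // value of the transaction this session will perform; 0 for plain login
}

// UserProfile is what the platform already knows about the user.
type UserProfile struct {
	KnownDevices   map[string]bool
	UsualCountries map[string]bool
}

// Decision is the policy output: a risk score, the minimum authentication the
// platform must obtain before granting access, and the reasons for the audit log.
type Decision struct {
	Score           int
	RequireMFA      bool     // password alone is not enough
	RequireHardware bool     // demand a phishing-resistant authenticator (FIDO, smart card)
	Reasons         []string
}

// assess turns contextual evidence into a step-up decision. Weights and
// thresholds are illustrative assumptions made for this example.
func assess(ctx LoginContext, p UserProfile) Decision {
	var d Decision
	add := func(points int, why string) {
		d.Score += points
		d.Reasons = append(d.Reasons, why)
	}
	if !p.KnownDevices[ctx.DeviceID] {
		add(40, "unrecognised device")
	}
	if !p.UsualCountries[ctx.Country] {
		add(30, "login from unusual country")
	}
	if ctx.HourLocal < 6 || ctx.HourLocal > 22 {
		add(10, "outside usual hours")
	}
	if ctx.TransactionUSD >= 10000 {
		add(50, "high-value transaction")
	}
	// Password only (the lowest assurance) is tolerated for low-risk sessions;
	// anything above the first threshold requires a second factor, and a high
	// score requires an authenticator that cannot be phished.
	d.RequireMFA = d.Score >= 30
	d.RequireHardware = d.Score >= 70
	return d
}

func main() {
	// Constructed profile and attempts for demonstration.
	profile := UserProfile{
		KnownDevices:   map[string]bool{"laptop-7f3a": true},
		UsualCountries: map[string]bool{"GB": true},
	}
	attempts := []LoginContext{
		{User: "alice", DeviceID: "laptop-7f3a", Country: "GB", HourLocal: 10},
		{User: "alice", DeviceID: "phone-new-01", Country: "GB", HourLocal: 10},
		{User: "alice", DeviceID: "phone-new-01", Country: "RO", HourLocal: 3, TransactionUSD: 25000},
	}
	for _, a := range attempts {
		d := assess(a, profile)
		fmt.Printf("%-13s score=%3d mfa=%-5v hardware=%-5v %v\n",
			a.DeviceID, d.Score, d.RequireMFA, d.RequireHardware, d.Reasons)
	}
}
```

The decision and its reasons should be logged with the session so that an analyst can later see why a step-up was or was not demanded.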
Many organizations allow partners and suppliers to access their systems, relying on the partner to authenticate its own employees. This is achieved securely by using identity federation standards such as SAML 2.0 (Microsoft's ADFS is one widely deployed implementation, not a standard in itself). Federation does not remove the need for authentication; it transfers the responsibility to the partner or identity provider, and the receiving organization must still validate the signature, issuer, audience and validity period of every assertion it accepts.
Other standards have been developed for consumer access, including OAuth 2.0 and OpenID. OAuth 2.0 is an open standard for access delegation, not authentication: it lets Internet users grant a website or application limited access to their information held on another site without sharing their password with it. This mechanism is used by companies such as Google, Facebook, Microsoft and Twitter to let users share information about their accounts with third-party applications or websites.
OpenID allows users to be authenticated by co-operating sites using a third-party service. This eliminates the need for each service to provide its own ad hoc login system, and allows users to log into multiple unrelated websites without having a separate identity and password for each. The current version, OpenID Connect, is an authentication layer built on top of OAuth 2.0 and supersedes the original OpenID.
In today's world, where users are highly mobile and transactions are conducted on the move from a variety of locations, it is no longer appropriate to use a single authentication method based on a fixed view of risk. Usernames and passwords provide only the lowest level of assurance in the identity of the user. Furthermore, they are very easily compromised and, because of this, have become the target of choice for cyber-criminals seeking a foothold in organizational systems. Providing individuals with multiple authentication methods and devices for use under different circumstances can increase assurance, but it poses management and usability challenges. Organizations can benefit from a single authentication platform that supports a range of authentication methods for physical, logical and mobile access throughout the enterprise.