- TYPE: Combined Session
- DATE: Wednesday, May 10, 2017
- TIME: 14:30-15:30
- LOCATION: AMMERSEE II
Identity and Access Management (IAM) systems have continued to evolve significantly over the last two decades. Increasing security and improving usability have both been contributing factors to this evolution. Data owners and IT architects have pushed for better ways to authenticate and authorize users, based on changing risks and newer technologies. Businesses have lobbied for these security checks to become less obtrusive and provide a better user experience (UX). One such enhancement is Adaptive Authentication.
Adaptive Authentication (AA) is the process of gathering additional attributes about users and their environments and evaluating those attributes in the context of risk-based policies. The goal of AA is to provide the appropriate risk-mitigating assurance levels for access to sensitive resources by requiring users to further demonstrate that they are who they say they are. This is usually implemented by “step-up” authentication. Different kinds of authenticators can be used to achieve this, some of which are unobtrusive to the user experience. Examples of step-up authenticators include phone/email/SMS One Time Passwords (OTPs), mobile apps for push notifications, mobile apps with native biometrics, FIDO U2F or UAF transactions, SmartCards, and behavioral biometrics. Behavioral biometrics can provide a framework for continuous authentication by constantly evaluating user behavior against a baseline set of patterns. Behavioral biometrics usually involve collecting environment data (such as IP addresses, geo-location, and nearby WiFi SSIDs), keystroke analysis, mobile “swipe” analysis, and even mobile gyroscopic analysis.
The Leadership Compass presented in this session provides an overview and analysis of the Adaptive Authentication solutions within the IAM market. These solutions are sometimes referred to as Contextual Authentication, or just Step-Up Authentication. All registered EIC delegates have access to this Leadership Compass and the complete KuppingerCole Research until the end of May 2017.
With all the attempts to kill the password over the past years, the question remains: Will it ever happen? Passwords and other weak means of authentication such as PINs are still by far the most widely used way to authenticate. On the other hand, we observe an uptake of strong(er) authentication, be it the built-in biometrics in mobile devices, cloud-based MFA, or easy-to-use and rather cheap tokens. Thus, the question is: Are we already reaching the "break-even" for strong authentication, the point where strong authentication finally starts displacing passwords as the main way to authenticate? If not, when will we reach that point, if ever? What will it take to get there? Is it having cheaper, easier-to-use, more flexible authenticators? Is it thinking about authentication from the customer's perspective, making it adaptive to all devices and use cases, instead of dictating a certain means of strong authentication? Who will be the providers that benefit? Will it be the technology suppliers to banks, mobile phone manufacturers, or governments? Will it be independent sellers of strong authentication tokens? Will it be cloud-based services?
There are many open questions – the experts in the panel will provide their view on this already "classical" topic. Maybe we are finally approaching the "password dawn".
- May 09 - 12, 2017 Munich, Germany