An absolute nightmare for an IT security professional is when protected data is accessed by unauthorized personnel. While passwords, firewalls and other basic protection methods are becoming easily ‘hackable’, organizations are seen shifting towards Multi-Factor Authentication (MFA), which includes voice callbacks, SMS’s and OTPs, to combat the issue.
Although, MFA has been able to minimize the risk to certain extent and has become a necessity, it seems the way ahead for enterprises to protect their large data is by implementing adaptive authentication.
Here’s why:
MFA is the present, adaptive authentication is the future: While MFA could help in tackling the security issue in the present scenario, enterprises looking at a long-term perspective need to focus on integrating adaptive authentication. For instance, establishing the identity of a user through a step-up OTP might not be the most ideal solution, as it is device-dependent and anyone may access someone’s mobile phone or hack into the email id to get the authentication data.
However, adaptive authentication takes user and behavior context a lot more closely compared to multi factor, which is just another factor in authentication process. It is based on a matrix of variables that provides a risk profile of a user, and based on this risk profile the system generates additional authentication process before the user is allowed access. While MFA could be a part of the adaptive authentication process, it is much more intuitive and real-time, with factors such as knowledge-based questions, geo-location, and identity assurance making the authentication system robust.
Simple MFA is now moving away, and giving path to adaptive authentication.
Dynamic/real-time security: While MFA follows a set-pattern and has certain processes to be followed, with regards to adaptive authentication, the end-user is an integral part of the security process. Elements such as out-of-band (OOB) authentication through SMS or email, and knowledge-based authentication help in creating a dynamic security system, which is difficult to hack.
For giving an example, one of the sales partners from our client companies was visiting our office in Cranbury, New Jersey. While on his way from the JFK airport, he was trying to log-into the system, but as the system recognized some erratic behavior based on his geo-location, it denied access. The real-time security protocol required him to provide responses to questions based on client’s recent activities, and thus, after successful answering, it allowed him to access the system.
In large enterprises as well, similar integration of adaptive authentication is being adopted. For controlling access of the employees to their floors or designated areas, staff is provided with badges or biometric that has only conditional access. Such accesses might be very intuitive in nature and may deny entry to anyone based on the frequency of their visit to a particular place or area.
It has been seen that organizations are not even letting members or employees enter OTP or passwords for executing simple tasks such as renewing memberships. Sample this, a prominent retail shop introduced membership renewal process which is based on adaptive authentication – the system validates a customer through certain checks and balances – which is based on user’s shopping behavior in the past, along with other details.
The move is towards behavioral aspects of users rather than device-based simple passwords and OTPs.
Stringent identity verification: Adaptive authentication helps in setting up additional identity verification through various channels, including integrating hardware solutions such as biometrics. Although, integrating biometrics would mean additional budgeting, it is worth the investment.
As passwords are seen as the weakest link in any security system, backing it up with additional authentication, especially biometrics ensure that only the authorized person is able to access the system. Further, biometrics also protects or minimizes risks against data breaches, cyber attacks and fraud.
Companies are often seen to shy away from integrating adaptive authentication due to the perception of budget hike, there are companies that are providing these products at an economical cost, with even the implementation pricing at a lower spectrum. Further, given the number of breaches that are happening, safeguarding assets from theft should be the prime prerogative of organizations rather than cost-saving.
It is better to invest in stringent verification methods than face possible data breach issues.
Adaptive authentication adds a layer of security, helping companies protect their data from unauthorized access, while allowing users to access the system without frustrating them. However, adaptive authentication is still at a nascent stage and there is still a lot to be done.