Although vendor-written, this contributed piece does not promote a product or service and has been edited and approved by Network World editors.
Usernames and passwords act as a gateway. Insert another authentication step on top of these credentials and this gateway becomes harder to infiltrate. But once access is gained, how can the device or Web application be certain that the authenticated user is, in fact, the same person throughout the entire session?
For example, you may log in and walk away from your device, creating an opportunity for someone else to take over your session and thus, your identity. Or more commonly, you may hand the device to a colleague – a non-authenticated user – trusting they won’t do anything nonsensical or malicious. In fact, according to a survey by B2B International and Kaspersky Lab, 32% of respondents who share an Internet-enabled device with their relatives, colleagues or friends noted that they do not take any precautions in protecting their information.
The reality is clear: People share devices and web applications with little concern for the potentially detrimental consequences – whether a coworker gains access to proprietary information or an acquaintance accidentally views personal medical records or bank account details. Traditional one-time or two-factor authentication methods are no longer sufficient. Without continually checking you are who you say you are, it’s next to impossible to tell who is actually using the device or web application at any given time.
The future of identity and access management (IAM) must be rooted in continuous authentication. So, where is the industry in developing these tools? And, what needs to occur for continuous authentication to take hold as a reliable, more secure element of IAM?
Tools in development
A promising form of continuous authentication is centered around unique human behaviors. Known as behavioral biometrics, these tools can monitor things like keystroke patterns – which analyze typing rhythm, mouse movement, iris patterns and more. The technology acts in the background, unbeknownst to the user.
By tracking these actions and building a unique behavior-based profile, the technology can automatically and continually check to see if a device switches hands, or a Web application switches users. For example, when tracking keystroke patterns, the tool can determine how quickly you find the right key and how long you hold down certain keys. If the typing pattern becomes abnormal, the non-authenticated user will get locked out of the device or Web application.
Other techniques being developed include behavioral profiling, which uses Webcams to monitor your face and even the color of clothing, as well as micro-movement and orientation dynamics that take into account how you grasp, hold and tap your smartphone.
For continuous authentication tools to take hold in the enterprise, much more research and development is needed to ensure precision. People don’t have the tolerance or patience for inaccuracies. For example, if you are authorized to access a particular Web application and the device continually restricts access, the frustration mounts. You are you but explaining that to the computer requires IT intervention.
Think of it in these terms: You try to enter a bar with a legitimate ID, but the bouncer believes it’s a fake and won’t let you in. You know you have the right to go in, but there’s little you can do. The bouncer has made up his mind. Obviously not being able to get into work devices and Web applications has more severe consequences, as it hinders productivity and your overall livelihood. It leaves you turning to less-secure devices and Web applications, getting less done or potentially compromising confidential information.
It’s unlikely that employees will ever rid themselves of the bad habit of device and password sharing – a recent survey shows 46% of respondents share logins with multiple users. The onus to recognize these challenges and amp up security falls on you.
While continuous authentication is still in its early stages, businesses are adopting technologies like context-based authentication that define trust by contextual elements such as user role, geolocation, device type, device health and network. When you log into a Web application, contextual factors are analyzed and access is granted or denied.
Beyond authentication lies authorization – what you can and can’t do within the application. If you are already logged into a Web application and move from the trusted corporate network to an unknown wireless network, context-based authorization can dynamically re-shape the features, functions and data that you are able to access.
What’s clear is continuous authentication needs to evolve into a more accurate and proven method before enterprise adoption is seen. But once this step is taken, the security and convenience it provides will be an ideal fit for today’s increasingly mobile workforce.
Walters is SVP of security products at Intermedia.