Bring Your Own Authentication is upending online security practices
- 25 April, 2017 00:37
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
Seeing the success of the Bring Your Own Device movement, a cadre of leading companies are starting to explore if a similar approach can be used to address the authentication challenge. If BYOD essentially makes the device a proxy for the work environment, can that same device serve as a proxy for customers online?
This new movement, known as Bring Your Own Authentication (BYOA), holds the same promise of reimagining the way we think of authentication, putting the consumer (and device) front and center in the interaction, and relegating passwords to the background or eliminating them completely. But there are challenges to overcome in order for mass adoption.
Passwords have never been more risky or ineffective, and the traditional strong authentication methods employed by the masses to reinforce this legacy form of authentication are both cumbersome and inadequate.
As their effectiveness continues to wane, multifactor authentication (MFA) continues to rise as the new holy grail of consumer security. MFA is the practice of using multiple types of authentication factors – such as a fingerprint scan (an inherence factor), PIN code (a knowledge factor) or proximity of a specific device (a possession factor) – in conjunction to authenticate the customer.
Fortunately, consumers are already growing accustomed to using multiple methods of authentication with mobile one-time passwords (OTP) commonly employed on top of passwords to access all types of accounts—everything from online banking accounts to mobile wallets to social media profiles.
But while creating a layered defense, MFA can also create friction – after all, multiple methods of authentication can create multiple opportunities for confusion, frustration and administrative headaches.
Enter BYOA, which allows consumers and businesses to employ a variety of authentication methods that are simple to set up and convenient to use. The key is decentralizing the authentication layer onto the device.
How to Bring Your Own Authentication
Much as companies establish BYOD policies around specific devices they will support, in BYOA the business establishes policies dictating the amounts, types and methods of authentication employed by their end users at any specific time – methods such as device signature, fingerprint scan, geofencing or even Bluetooth proximity (e.g. one or more Bluetooth devices like an Apple Watch or a FitBit are in proximity to the consumer).
Consumers link their mobile devices to their account and choose their preferred authentication method(s) for any given transaction. Businesses can also instantaneously push authentication requests to consumers to obtain their authorization for remote login and logout, real-time transaction approval, and on-demand identity verification for websites, mobile apps, kiosks, and other online systems. As warranted, businesses can dynamically adapt the level of authentication required in real time. For instance, a login might require a certain type of authentication (is the device known?), but a transaction might require a more stringent type of authentication (fingerprint scan coupled with geofencing).
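The step-up policy described above, as an added illustration (not iovation's code or product logic): a small policy evaluator that maps each touchpoint to the methods it requires, escalates when the device is not yet linked to the account, and checks that the satisfied methods cover distinct factor types as defined earlier in the article. The policy table, the step-up rule for unlinked devices, and the method-to-factor mapping are all assumptions.

```python
from dataclasses import dataclass

# Factor category of each method, following the article's classification
# (fingerprint = inherence, PIN = knowledge, device/proximity = possession).
# Geofencing is treated as context rather than a factor; this mapping is assumed.
METHOD_TYPES = {
    "pin": "knowledge",
    "fingerprint": "inherence",
    "device_signature": "possession",
    "bluetooth_proximity": "possession",
    "geofence": "context",
}

# Hypothetical policy table: per touchpoint, the methods required and how many
# distinct factor types must be covered (two possession factors are not MFA).
POLICIES = {
    "login":       {"methods": {"device_signature"}, "min_types": 1},
    "transaction": {"methods": {"fingerprint", "geofence"}, "min_types": 2},
}

@dataclass(frozen=True)
class Context:
    device_known: bool      # device signature already linked to the account
    in_geofence: bool       # device location is inside the allowed region
    verified: frozenset     # methods the device has just proven, e.g. {"fingerprint"}

@dataclass
class Decision:
    allowed: bool
    required: set           # everything this touchpoint demands in this context
    missing: set            # what the business would push to the device next
    factor_types: set       # distinct factor categories actually covered

def evaluate(action: str, ctx: Context) -> Decision:
    policy = POLICIES[action]
    required = set(policy["methods"])
    if not ctx.device_known:
        # Step-up rule (assumed): an unlinked device cannot offer a possession
        # factor, so it must prove knowledge and inherence instead.
        required = (required - {"device_signature"}) | {"pin", "fingerprint"}
    satisfied = set(ctx.verified)
    if ctx.device_known:
        satisfied.add("device_signature")
    if ctx.in_geofence:
        satisfied.add("geofence")
    missing = required - satisfied
    types = {METHOD_TYPES[m] for m in satisfied} - {"context"}
    allowed = not missing and len(types) >= policy["min_types"]
    return Decision(allowed, required, missing, types)
```

The `missing` set is what a business would push to the consumer's device as the next authentication request, while `factor_types` makes it auditable that a passing transaction really combined two different kinds of factor.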
By getting consumers involved in how they are authenticated – and making those methods of authentication agnostic to platform and demographic – security is improved while friction is reduced.
Despite the promise of BYOA, there are a number of hurdles to overcome in successfully weaning consumers off passwords. First, BYOA must be frictionless, with the linchpin being that initial setup. Then the solution must authenticate users at all touchpoints along the customer’s online journey, dynamically adjusting authentication requirements at key customer touchpoints to maintain an appropriate level of security, all while enabling a positive experience.
The biggest hurdle may be the context needed to make authentication dynamic: how the business becomes aware of the risks and associations surrounding a customer’s device, including knowledge of each device’s history, usage and relationships to the many devices and networks around the world. This context reveals critical details like a customer’s global location, device anomalies, attributes and more. Context is the foundation of successful mobile MFA.
So, will BYOA be the new BYOD? Given recent trends, it certainly seems to be headed that way.
About iovation: Headquartered in Portland, OR, iovation offers an intuitive and high availability product suite that focuses on authentication and fraud prevention. Iovation identifies trustworthy customers through an advanced combination of device authentication and real-time risk evaluation. The company safeguards tens of millions of transactions against fraudulent activities each day.