Singapore (Dec 3): The right choice of authentication methods must be dictated, on one hand, by security concerns, and on the other – by meeting users' expectations. But it’s the latter aspect that has recently started to play a key role.
In recent years, the percentage of people using mobile devices has increased dramatically. Devices that until now were used only for personal purposes are now gaining ground in the professional setting. Under the Bring Your Own Device (BYOD) paradigm, companies have started to accept private mobile devices in the work environment. This gave rise to the challenge of providing secure access to company resources from private devices, over which the company seems to have no control at all.
That's because business devices can be preconfigured, unambiguously identified by their MAC address, and equipped with an antivirus package or PKI-based certificates. Better yet, restrictions can be imposed on installing additional software on them. With private equipment, such a policy seems to be simply unattainable.
Mobility comes first
However, companies more and more often decide to share company resources through private mobile devices of their employees. It has been noticed that an important component of employee satisfaction is the ability to perform high-profile tasks quickly and efficiently. Mobility plays a key role here. According to Forrester, companies have started providing their employees and customers with mobile applications in order to offer a greater number of business functions and improve interaction.
Mobile devices can also be used as the second factor in two-factor authentication (2FA). Solutions based on biometrics, OTP technology and ECC/RSA cryptography add to the security of traditional password-based authentication. Gartner argues that by 2022, 60% of large and 90% of medium enterprises will have implemented passwordless authentication in more than 50% of use cases – an increase from less than 5% today.
Where do we draw the line?
Today, identity and access management is not only focused on a standalone corporate environment, but increasingly also includes private mobile devices. This issue raises many questions: how to properly protect the environment against unauthorized access? Where to set the limit in accessing company data from private devices? Is it necessary to work out a compromise between security and user-friendliness, or is it possible for these values to coincide?
Access from unregistered devices to company resources is often provided in offices via a dedicated WiFi network, and seems to be very limited, e.g. granted only to the Intranet. However, this solution has one basic drawback: it is uncontrolled access to the company's "ecosystem". Such a precedent, combined with a lack of control over who is using the given resources and inadequate protection of other parts of the infrastructure, is nothing less than asking for trouble.
Not completely anonymous
One of the solutions used for reducing anonymity in a corporate network is to assign a specific device to a user (also known as onboarding, enrollment or device pairing). Apart from the psychological aspect, which allows for eliminating anonymity, this means using resources and functions assigned to a specific role in the IAM via a given device. Using IAM, it can be established that if a user logs in from a company device, they have full access to resources (in line with their role and log-in context), and if they log in from a private device, their access to a defined area is limited.
The onboarding process can take place in many ways. One of the most popular methods is sending an encrypted message to the user's account containing a link under which a QR code is located. Once the device scans the code, it is assigned to the client and recognized by the system.
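The pairing flow described above turns on what the scanned code actually carries. The following is an added example, not code from the article or from Comarch's products: it models the enrollment link as a short-lived, single-use token bound to the user and signed by the IAM, and the server-side redeem step that pairs the scanning device with that user. The key, URL, user and device names are constructed for illustration; rendering the link as a QR image is left out.

```python
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed signing key for the example; a real IAM would keep this in an HSM or secret store.
SERVER_KEY = b"example-enrollment-signing-key"
TOKEN_TTL_SECONDS = 15 * 60  # enrollment links are only valid briefly


@dataclass
class EnrollmentService:
    key: bytes = SERVER_KEY
    ttl: int = TOKEN_TTL_SECONDS
    used_nonces: Set[str] = field(default_factory=set)       # replay protection
    paired_devices: Dict[str, str] = field(default_factory=dict)  # device_id -> user

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def issue_link(self, user: str, now: Optional[float] = None) -> str:
        """Build the link that would be encoded into the QR code sent to the user."""
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(16)
        expires_at = int(now) + self.ttl
        payload = f"{user}|{expires_at}|{nonce}".encode()
        body = base64.urlsafe_b64encode(payload).decode()
        # Hypothetical enrollment endpoint; the token is "<payload>.<hmac>".
        return f"https://iam.example.invalid/enroll?t={body}.{self._sign(payload)}"

    def redeem(self, token: str, device_id: str,
               now: Optional[float] = None) -> Tuple[str, str]:
        """Validate a scanned token and pair the device. Returns (status, detail)."""
        now = time.time() if now is None else now
        if "." not in token:
            return ("malformed", "missing signature")
        body, sig = token.rsplit(".", 1)
        try:
            payload = base64.urlsafe_b64decode(body.encode())
            user, exp_text, nonce = payload.decode().split("|", 2)
            expires_at = int(exp_text)
        except (ValueError, UnicodeDecodeError):
            return ("malformed", "undecodable payload")
        # Check the signature first so tampered tokens never reach the other checks.
        if not hmac.compare_digest(sig, self._sign(payload)):
            return ("bad-signature", "token was not issued by this IAM")
        if now > expires_at:
            return ("expired", f"link expired at {expires_at}")
        if nonce in self.used_nonces:
            return ("replayed", "enrollment link already used")
        self.used_nonces.add(nonce)
        self.paired_devices[device_id] = user
        return ("ok", user)


def token_from_link(link: str) -> str:
    """Helper for tests: pull the token out of the enrollment link."""
    return link.split("t=", 1)[1]
```

The three rejections worth noting are the ones a pairing flow most often gets wrong: a link that never expires, a link that can be scanned twice, and a link whose user binding is not authenticated. Here each is a separate, explicit check.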
Selfcare to the rescue
The most complete approach is to onboard users through the Selfcare portal.
By logging in to this portal (e.g. with a login and password, or using PKI), the user can add another device to their profile, define a new token (software or hardware) or change their password. Thanks to such a solution, they can manage their accounts autonomously, while the IAM retains full access control.
The Selfcare portal is increasingly becoming an integral part of every modern solution of the Identity and Access Management class. Currently, it is not enough for the IAM to have such functions as Authentication Server, SSO or PAM. The market expects a product of this class to support user management in the broad sense, based on such modules as Workflow, VPN, or the Selfcare itself.
Bring your own identity
Another issue related to modern and user-friendly identity and access management is the use of an identity source from an external Identity Provider (IdP). This approach, called Bring Your Own Identity (BYOI), is becoming particularly fashionable in the age of ubiquitous social networks and platforms such as Google, Facebook, Twitter, Office365, Amazon and Salesforce. They may be the source of your identity in the company system. However, as yet few organisations agree to this type of authentication.
A more willingly accepted alternative in the traditional model may be a bank or public service offering a trusted profile. Undoubtedly, such an approach is very convenient and expected by the end user. Depending on the type of business and the services provided, the approach may be sufficient (e.g. creating an account and logging in to a private e-mail account using a social networking site) or not (e.g. an employee's access to corporate systems based on certificates from Google or Amazon). 2FA can also be of help here: the IAM can require it, for example, whenever the source of the user's identity is an external service.
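Two rules from the article combine into one access decision: the device-based rule from the onboarding section (company device gives full role access, a paired private device gives access to a defined area only) and the step-up rule here (an external identity source means 2FA is required). The example below is added for illustration and is not the article's or Comarch's code; it evaluates both rules from a login context, taking the device's class from the IAM's own enrollment registry rather than from anything the client reports. Roles, resources, device ids and IdP names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Constructed role definitions: what each role may reach from a fully trusted device.
ROLE_RESOURCES: Dict[str, FrozenSet[str]] = {
    "finance": frozenset({"intranet", "mail", "erp", "payroll"}),
    "sales": frozenset({"intranet", "mail", "crm"}),
}
# The "defined area" a paired private device is limited to, whatever the role.
PRIVATE_DEVICE_AREA: FrozenSet[str] = frozenset({"intranet", "mail"})
# Identity sources the company operates itself; anything else is an external IdP.
INTERNAL_IDPS = frozenset({"corp-ad"})
# Constructed enrollment registry, as populated by onboarding: device_id -> (owner, class).
DEVICE_REGISTRY: Dict[str, Tuple[str, str]] = {
    "lt-0042": ("alice", "corporate"),
    "phone-7": ("alice", "private"),
}


@dataclass(frozen=True)
class LoginContext:
    user: str
    role: str
    device_id: str
    idp: str            # where the identity assertion came from
    mfa_verified: bool  # whether a second factor was completed in this session


@dataclass(frozen=True)
class Decision:
    status: str  # "allow", "deny" or "mfa-required"
    resources: FrozenSet[str] = frozenset()
    reason: str = ""


def evaluate(ctx: LoginContext,
             registry: Dict[str, Tuple[str, str]] = DEVICE_REGISTRY) -> Decision:
    """Decide which resources this login may reach, or what is still missing."""
    # 1. The device must be enrolled, and enrolled to this user, not merely claimed.
    entry = registry.get(ctx.device_id)
    if entry is None or entry[0] != ctx.user:
        return Decision("deny", reason="device not enrolled for this user")
    _, device_class = entry

    role_set = ROLE_RESOURCES.get(ctx.role)
    if role_set is None:
        return Decision("deny", reason=f"unknown role {ctx.role!r}")

    # 2. External identity source: insist on a second factor before granting anything.
    if ctx.idp not in INTERNAL_IDPS and not ctx.mfa_verified:
        return Decision("mfa-required", reason=f"identity asserted by external IdP {ctx.idp!r}")

    # 3. Device class decides the scope: full role access or the defined private-device area.
    if device_class == "corporate":
        return Decision("allow", role_set, "corporate device, full role access")
    if device_class == "private":
        return Decision("allow", role_set & PRIVATE_DEVICE_AREA, "private device, limited area")
    return Decision("deny", reason=f"unsupported device class {device_class!r}")
```

Because the registry, not the request, says whether a device is corporate or private, a client cannot upgrade its own scope by lying about its class; and the 2FA check runs before any scope is computed, so an external identity never yields even the limited area without a second factor.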
Continuous authentication
The use of an external source of identity and of private mobile devices are only selected aspects of managing access to corporate systems. The user authentication process should not be momentary only, but should extend over time to ensure continuous control over corporate resources. This is where a Fraud Detection solution comes in. It enables in-depth analysis of whether a given person is the one they claim to be, and whether a given device (stationary or mobile) is unambiguously connected with a specific person. But this is a story for a completely different article.
Tomasz Grabowski is a product manager at Comarch, a global creator of innovative solutions and information systems.