Authentication: Next security frontier

Simplify and secure access to your mobile users

Access to information, whether on a tablet in Tallinn, a laptop in Luanda or a smartphone in Shanghai, is now a fact of modern life. Executives need to work on data, on the go and on all devices if they’re to embrace an increasingly connected world.

Yet companies are struggling to offer employees secure access to the systems they need. Stronger authentication models such as multi-factor authentication have been around for some time, but their use is still lagging. This is especially concerning since we are in an era when cloud computing, mobile devices and social networks have radically transformed the way businesses operate.

A myriad of top cyber-security reports released earlier this year from the likes of IBM, Verizon, Dell, Symantec and Cisco all paint a grim picture: an escalation in targeted hacking, cyber attacks and security breaches. Juniper Research estimates this type of crime will cost businesses globally more than $2 trillion by 2019.

“It doesn’t help that the bad guys are getting way more sophisticated in their engineering of attacks,” says Kent Purdy, solutions marketing manager at Micro Focus, a multinational software and information technology company. “So it’s interesting to see where identity management is going to go. It needs to change.”

As we enter what many are calling the fourth industrial revolution, characterised by the digital economy with the intensive digitisation of consumption and production of goods and services, industries globally are seeing a proliferation of risk and the potential for wrongdoing, especially with people’s precious data.

“What is also different today is that billions of us have a mobile phone and increasingly a smart one. Companies want to facilitate anywhere, anytime access to anything from anyone through our devices,” says Mr Purdy. “Yet the adoption of technology has occurred faster than our willingness to secure and authenticate it.”

Our dissatisfaction with the insecurity of usernames and passwords already goes back nearly a decade, as do efforts to replace them. IBM developers discussed ditching them as early as 2008. Biometrics as a way to identify someone has existed for longer and is back in fashion. Now even mobile selfies are emerging as a way to verify people and payments.

“Authentication technology has evolved more in the last few years than it has in the last two decades,” says Mr Purdy, whose company has four decades of experience in enterprise software, including access management. “But less than 10 per cent of companies out there have any form of dynamic authentication.”

This way of verifying people is a lot smarter and more secure. It goes beyond passwords and instead adapts to a user’s situation and risk profile. Many of us have already experienced dynamic authentication if we’ve had to call up our bank to unlock a credit card overseas or answer questions to log in to Facebook abroad.

“Authentication must evolve beyond today’s password-centric framework. Organisations need to start developing a comprehensive risk-based strategy. If someone is trying to access a server remotely via a device in Beijing, the authentication requirements are going to be different from someone accessing them from a secured PC in a local office in Bradford,” says Mr Purdy.

“This new type of authentication can recognise changes in our behaviour, it isn’t static and context is crucial. For instance, is that person using the same device in their usual location? What else have they accessed lately? Does everything look normal?”

Facebook uses a similar type of authentication. Whenever a person logs on, servers look at data such as the network they’re logging on from, what browsers or devices that person typically uses and the third-party apps they have connected to their account. If something is odd, Facebook asks users to verify their identity by sending a code to their phone or by posing questions only that user can answer.

Social media isn’t the only sector using adaptive authentication. Financial services and healthcare providers are leading the way globally when it comes to this advanced form of security because of the potential loss of client data, money and credibility.

“Using adaptive authentication is a way to match user verification to the potential risk of access. It works silently in the background with little impact,” explains Mr Purdy.

“Since much of the analysis is done behind the scenes, the technology makes it easier for you. When the measured risk is low, it can verify who you are easily without the need for re-entering credentials. But when the risk is high, further authentication is needed from the user. Because this dynamic approach to authentication is especially important to users away from the office, it’s important that we are able to deliver this experience on most devices.”

This type of cyber security is also called risk-based authentication because different people need different levels of access to data in relation to their work; while some work on sensitive information, others don’t.

Micro Focus has therefore embedded a so-called risk engine into its Access Manager software. “This gives each user a score depending on the access they need. We can easily set different levels of authentication since it is all about managing the level of risk. It asks questions – do you let them in as is or does he or she need more of a challenge? If a bit of data is so sensitive we might need to restrict access,” says Mr Purdy.

“Protecting sensitive information from outside threats, while keeping access simple for users, can be a complex challenge. Our focus is to use powerful new ways to verify a user’s identity. Businesses want convenience since it enables commerce; they don’t want lock down. So it is about getting the right balance between security and access.”
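The risk-based decision this article describes (compare a login's context with what is usual for the user, score it, then allow, challenge or restrict), as an added example that is not Micro Focus or Facebook code. The signal names, weights, thresholds and sample logins are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Illustrative weights and thresholds (assumptions, not vendor values).
WEIGHTS = {"device": 30, "network": 20, "country": 30, "browser": 10}
SENSITIVITY = {"low": 0, "medium": 15, "high": 30}
CHALLENGE_AT, RESTRICT_AT = 40, 90

@dataclass
class Attempt:
    device: str
    network: str
    country: str
    browser: str
    sensitivity: str = "low"  # sensitivity of the data being requested

@dataclass
class Profile:
    """Context values seen in this user's earlier verified logins."""
    seen: dict = field(default_factory=lambda: {k: set() for k in WEIGHTS})

    def record(self, attempt):
        """Learn from a verified login so the baseline evolves over time."""
        for signal in WEIGHTS:
            self.seen[signal].add(getattr(attempt, signal))

def risk_score(profile, attempt):
    """Return (score, unfamiliar signals) for one access attempt."""
    unusual = [s for s in WEIGHTS if getattr(attempt, s) not in profile.seen[s]]
    score = SENSITIVITY[attempt.sensitivity] + sum(WEIGHTS[s] for s in unusual)
    return score, unusual

def decide(profile, attempt):
    """Map the score to allow / challenge (step-up) / restrict."""
    score, unusual = risk_score(profile, attempt)
    if score >= RESTRICT_AT:
        return "restrict", score, unusual
    if score >= CHALLENGE_AT:
        return "challenge", score, unusual  # e.g. one-time code to the phone
    return "allow", score, unusual

# Constructed sample data: a user who normally works from one office PC.
alice = Profile()
alice.record(Attempt("office-pc", "office-lan", "GB", "firefox"))
usual = Attempt("office-pc", "office-lan", "GB", "firefox", "medium")
travel = Attempt("phone-1", "hotel-wifi", "GB", "firefox", "low")
abroad = Attempt("phone-1", "hotel-wifi", "CN", "chrome", "high")

if __name__ == "__main__":
    for attempt in (usual, travel, abroad):
        print(attempt.device, attempt.country, decide(alice, attempt))
```

Calling `record` only after a challenge has been passed is what lets the same phone and network be treated as familiar on the next login.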

Advances in smartphones are pushing the envelope for authentication. There is now a greater emphasis on location technology as well as behavioural biometrics.

“These are going to be powerful new tools in the industry. You want a dynamic, adaptive intelligence guarding you – one that evolves over time,” Mr Purdy concludes.
