That’s a pretty old saying – Trust, but verify. Depending on your age or your own personal interests, that saying might mean something different to you than it does to somebody else. It has become a staple in any research field, and gets a lot of use in popular media as a way to treat both friends and enemies. The idea is never to be caught with your hand in the cookie jar – never let your guard down. Look at that Atlas Moth up there: it doesn’t look too terrifying to us, but a predator might see what looks like a cobra attacking and decide to leave the moth alone. That is a natural example of the need to verify what looks a certain way on the surface. For the moth, the disguise is there to protect it from predators. For digital authentication, the disguise is used to bypass security, and we cannot be as simple as the predator and take the disguise at face value. In the realm of digital authentication, verification is of huge importance. If it weren’t, we wouldn’t have such issues with data breaches, a huge rush towards two-factor authentication, or a massive countrywide debate over the necessity and usefulness of encryption (remember Snowden?). No matter how trusting you are, it is ingrained in our nature to trust with a small amount of reservation and trepidation. In the digital authentication game, one method of verification that often gets swept under the rug is contextual risk based authentication.
Verification and authentication – Gamertags and Identification
Here’s the way I think about verification and authentication – I love games. I don’t care what kind of game it is; I’ll try it at least once. I’m that kind of person. When it comes to more modern video games, almost every platform comes with an Internet service that requires you to choose a unique username or ‘gamertag.’ Any gamer worth his or her salt will tell you, vehemently, how important that tag is to who they are.
Your gamertag is how you are identified online, and it is extremely personal. Take that image: a person who clings to a gamertag with all the dedication of a miser clutching his last gold coin, and imagine someone trying to act as that digital persona under false pretenses. The server trusts the login due to a matching set of credentials, but does it verify? If not, it could mean the end of the world for the gamer that owns that particular tag.
Photo Courtesy of: newsoflegends.com
But if there was a strong authentication protocol in place, this might not have occurred at all.
I place a heavy amount of emphasis on the word strong here. Typical authentication is limited to a unique username and a password. Today, almost anyone can determine your username, just by interacting with you on the digital plane that you prefer, or by looking you up online. Unique is well and good, but it is almost always public.
As we’ve been shown time and time again, the password is a laughably weak authentication solution. Relying on the password by itself is a mistake that could end up costing a user their entire digital persona – for a gamer that can mean losing hundreds of hours of time and devotion simply because a password wasn’t enough.
That’s where contextual risk based authentication comes in to play.
A New Challenger Approaches – Contextual Risk Based Authentication
Photo Courtesy of: kevster823 at deviantart.com
By now, you are probably wondering what I am talking about when I say contextual risk based authentication, right? You wouldn’t be the first. Secure authentication is such a huge market these days that the terminology and various meanings often get lost among the jumbled mess of information.
So let me clarify as best I can.
Contextual risk based authentication is a series of authentication methods that provide a set of transparent barriers to verify the login alongside the username and password combination. Typical aspects of contextual risk based authentication are as follows:
- Secure vs. unsecured Wi-Fi access
- User Geolocation
- Registered Device
- Typical Business Hours
- Data collection and reporting
It’s really a larger scheme of authentication processes designed to strengthen the login of the end user, without sacrificing convenience, or the stability of the login process. It is the modern invocation of the trust but verify moniker – acknowledge that the user has the appropriate credentials, but double check to make sure you (or your server) are not being fooled. Since we’re talking about advice, here’s another piece to keep in mind:
Better Safe Than Sorry.
The Importance of Verification
Maybe this would work for gamers, but what about your typical work environment? You’ve got a strong password policy in place, and you have every confidence in your end users to keep their strong password confidential. There is no real reason to go much further than that, is there?
Well, take a look at this article on Cyber Security Intelligence (PDF) submitted by IBM Global Technology Services. Via a survey of investigated security incidents, IBM determined that “…over 95 percent of all incidents investigated recognize ‘human error’ as a contributing factor…” Think about how huge that number is for a second.
So really, it doesn’t matter how strong your passwords are, the human element in the equation is always a factor that could lead to a downhill trajectory. There’s nothing worse than building your business up for years, just to have it crumble because the wrong person managed to sneak into your systems and steal your secrets.
Contextual risk based authentication handles this situation with ease, allowing you to show trust in your employees and double down on the security of their login without negatively impacting them at all.
If you have a group of users that always log in from the office computer in the morning during business hours, set up those contextual risk based authentication factors and they will not have any trouble logging in. If any of those accounts become compromised and those credentials are used outside of the office or outside of normal business hours, the intruder is locked out.
What about remote access, I can hear you whispering – well, that’s another beautiful feature of contextual risk based authentication: customization. With an appropriate knowledge of your end users’ access needs, you can provide transparent barriers specific to the user in question, including remote access from home or a foreign office. It is a simple authentication solution that provides significantly increased security at no substantial detriment to your end-users.
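To make the factors listed earlier (network, geolocation, registered device, business hours, logging) and the per-user customization concrete, here is an added example of a minimal risk-scoring login check. It is not code from the original post or from any product; the signal weights, the two thresholds, the `Policy` and `Attempt` types and the sample scenarios are all assumptions chosen for illustration. The one design point worth noting is that a moderately unusual login is answered with a step-up (a second factor) rather than a flat denial, which is how the convenience the post promises is preserved for a remote worker, while a login that fails most checks at once is refused outright.

```python
"""Added example: contextual risk-based login decisions.
All weights, thresholds and sample data below are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Policy:
    """Per-user expectations; every field is an assumed policy knob."""
    registered_devices: set
    allowed_countries: set                  # where this user normally works from
    business_hours: tuple = (8, 18)         # local hours in which logins are expected
    trusted_networks: set = field(default_factory=set)  # e.g. office Wi-Fi, home VPN
    step_up_at: int = 3                     # score at which a second factor is demanded
    deny_at: int = 6                        # score at which the login is refused outright


@dataclass
class Attempt:
    """One login attempt with the context the server can observe."""
    user: str
    password_ok: bool
    device_id: str
    country: str
    network: str
    when: datetime


def score_attempt(attempt, policy):
    """Return (score, reasons). Each contextual check that fails adds its weight."""
    score, reasons = 0, []
    if attempt.network not in policy.trusted_networks:
        score += 2; reasons.append("untrusted network")
    if attempt.country not in policy.allowed_countries:
        score += 3; reasons.append(f"unexpected geolocation {attempt.country}")
    if attempt.device_id not in policy.registered_devices:
        score += 3; reasons.append("unregistered device")
    start, end = policy.business_hours
    if not (start <= attempt.when.hour < end) or attempt.when.weekday() >= 5:
        score += 1; reasons.append("outside business hours")
    return score, reasons


def decide(attempt, policy):
    """Credentials first; then context decides ALLOW, STEP_UP or DENY."""
    if not attempt.password_ok:
        return "DENY", ["bad credentials"]
    score, reasons = score_attempt(attempt, policy)
    if score >= policy.deny_at:
        return "DENY", reasons
    if score >= policy.step_up_at:
        return "STEP_UP", reasons
    return "ALLOW", reasons


def audit_record(attempt, decision, reasons):
    """The 'data collection and reporting' factor: one structured log entry."""
    return {"user": attempt.user, "at": attempt.when.isoformat(),
            "decision": decision, "reasons": reasons}


# Constructed policies: an office worker and a remote worker with a home VPN.
OFFICE = Policy(registered_devices={"laptop-0042"}, allowed_countries={"US"},
                trusted_networks={"corp-wifi"})
REMOTE = Policy(registered_devices={"laptop-0077"}, allowed_countries={"US", "DE"},
                trusted_networks={"corp-wifi", "home-vpn"})

# Constructed scenarios (2024-03-05 is a Tuesday, 2024-03-09 a Saturday).
SCENARIOS = {
    "office_normal": (Attempt("alice", True, "laptop-0042", "US", "corp-wifi",
                              datetime(2024, 3, 5, 9, 15)), OFFICE),
    "stolen_creds":  (Attempt("alice", True, "unknown-dev", "RU", "public-ap",
                              datetime(2024, 3, 5, 3, 0)), OFFICE),
    "remote_home":   (Attempt("bob", True, "laptop-0077", "DE", "home-vpn",
                              datetime(2024, 3, 5, 10, 0)), REMOTE),
    "remote_cafe":   (Attempt("bob", True, "laptop-0077", "DE", "cafe-wifi",
                              datetime(2024, 3, 9, 11, 0)), REMOTE),
}


def run_demo():
    """Evaluate every scenario and return {name: decision} plus audit entries."""
    decisions, log = {}, []
    for name, (attempt, policy) in SCENARIOS.items():
        decision, reasons = decide(attempt, policy)
        decisions[name] = decision
        log.append(audit_record(attempt, decision, reasons))
    return decisions, log


if __name__ == "__main__":
    for entry in run_demo()[1]:
        print(entry)
```

Running it gives ALLOW for the office login and the remote worker on the home VPN, STEP_UP for the weekend coffee-shop login on a registered device (untrusted network plus off-hours), and DENY for the stolen-credential attempt that fails every check at once.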
The best part? End-user adoption rates are typically high due to the minimal impact and convenience provided by properly implemented contextual risk based authentication. Your company gets to keep its secrets in a secure manner, and your end-users don’t have to take on any further frustrations. It’s really a win-win!
That’s the Long and Short
The need to increase security is a given these days – and there are many different ways to accomplish this. Integrity and verification are just as important, however, even if the two topics never seem to make the headlines. Authentication is a multi-tiered process, and becomes increasingly involved when company secrets or personal information are at stake. It is okay, and in fact often even praised, to trust your employees and end-users with the security of their accounts, but in the modern age it is becoming increasingly naïve to do so without proper verification. Contextual risk based authentication provides a method of benefiting both your end user and your business, while simultaneously preventing threats before they even make it through the front door.