Access control and identity management have become more important as end users place a stronger focus on security amid crime and data theft. While traditional authentication factors, for example passwords and keycards, are still in use, they are proving increasingly insufficient. That’s why more advanced authentication factors are needed.
That was the point raised by Crossmatch, which offers solutions that go beyond conventional two-factor or multifactor authentication.
In physical and logical access control, several authentication factors have been used for quite some time. These include what you have – namely employee cards and tokens; what you know – namely passwords or passcodes; and what you are – namely biometrics. However, over time these have proven insufficient in protecting users as attack methods become more complex and sophisticated.
Passwords are an example. Users leaving a device’s default password setting in place was largely responsible for the DDoS attacks in 2016. Changing to complex passwords, however, also has its problems. “When required to use complex passwords with upper and lower case letters, numbers and special characters, users resort to structures and patterns that are predictable and guessable,” the paper said. “Humans are conditioned to share with and cooperate with others in their social circle as well as those in positions of authority. In the former case, employees compromise security by freely sharing passwords with their coworkers. In the latter case, cybercriminals posing as IT administrators or upper management — via emails or phone calls — intimidate users into giving up their credentials.”
Drawbacks of MFA
Against this backdrop, two-factor and multifactor authentication have been adopted. However, they have their drawbacks as well, primarily in the form of cost and poor user experience.
“The primary reason multi-factor authentication has not been widely embraced is its user experience. Users have many devices and applications, each one with a logon interface. It’s a huge inconvenience to enable and then authenticate with multiple factors on every device and application,” the paper said. “The cost and complexity of deploying multi-factor authentication is a major barrier and most available solutions do not deliver a seamless and user-friendly experience. This is especially true for small-to-medium businesses where the old mantra ‘If it isn’t broken, don’t fix it’ is alive and well.”
The paper adds that two-factor authentication does not strengthen security that much anyway. “Given the insecurity of passwords, the inconvenience they cause for end users and the cost of resetting them, authentication solutions still incorporating them have only taken a small step forward. Indeed, combining a weak factor with a stronger factor does not add much to the security provided,” it said.
Given this, the paper argues that authentication beyond two-factor or multifactor is important and increasingly needed. The additional factors can include: “what you do” through keystroke, mouse tracking and device orientation; “where you are” through GPS location, IP address and geofencing; and “when you act” through time frame and geo velocity.
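The “where you are” and “when you act” factors can be evaluated as contextual signals at login time. The following is an added example, not code from the paper or from Crossmatch; the geofence centre, radius, working hours, speed limit and the allow/step-up/deny policy are all assumed values chosen for illustration.

```python
import math
from datetime import datetime, timezone

# Assumed policy values for illustration; none come from the article.
MAX_SPEED_KMH = 900.0            # roughly airliner cruising speed
OFFICE = (51.5074, -0.1278)      # constructed geofence centre (London)
FENCE_RADIUS_KM = 50.0
WORK_HOURS_UTC = range(7, 20)    # 07:00-19:59 UTC

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def context_signals(prev, curr):
    """Return the contextual risk signals raised by login `curr`.

    Each login is a dict with 'time' (aware datetime) and 'pos' (lat, lon).
    `prev` is the user's last successful login, or None.
    """
    signals = []
    if haversine_km(curr["pos"], OFFICE) > FENCE_RADIUS_KM:
        signals.append("outside_geofence")      # "where you are"
    if curr["time"].astimezone(timezone.utc).hour not in WORK_HOURS_UTC:
        signals.append("outside_time_frame")    # "when you act"
    if prev is not None:
        hours = (curr["time"] - prev["time"]).total_seconds() / 3600
        dist = haversine_km(prev["pos"], curr["pos"])
        # Real movement in zero or negative elapsed time is also impossible.
        if dist > 1.0 and (hours <= 0 or dist / hours > MAX_SPEED_KMH):
            signals.append("geo_velocity")
    return signals

def decide(signals):
    """Assumed policy: deny impossible travel, step up on any other signal."""
    if "geo_velocity" in signals:
        return "deny"
    return "step_up" if signals else "allow"

# Constructed sample logins (not real data).
t0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
london = {"time": t0, "pos": (51.5074, -0.1278)}
nyc_1h = {"time": t0.replace(hour=10), "pos": (40.7128, -74.0060)}
london_late = {"time": t0.replace(hour=23), "pos": (51.51, -0.12)}
```

In practice the position would come from GPS or IP geolocation, both of which can be spoofed or imprecise, so these signals are better used to trigger a stronger factor than as a factor on their own.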
Crossmatch’s solutions support a range of authentication factors. Keystroke biometrics are an example. “This technology uses continuous machine learning to authenticate users based not on what they type, but on how they type. The algorithm can verify who someone is based on how they naturally interact with their device and deliver instant identity verification, along with continuous authentication,” the paper said. “If we are to finally address the security needs of the modern organization, it is clear that we must remove the human element as a barrier to strong security. And we need solutions that provide universal, integrated access security coverage to the extended enterprise. Otherwise we will continue to play security whack-a-mole at great expense and for little return.”