Agile authentication: Techie toy or digital business imperative?
- 06 August, 2015 10:20
The move to digital services and the rapid pace of technological change means IT infrastructure decisions have become business decisions, and a new term has entered the lexicon – ‘business agility.’
Organisational requirements are constantly changing, so technology infrastructure must be built so it can accommodate – or better, facilitate – rapid change.
Business agility is not a new concept but with the explosion of the digital economy, we are getting to crunch time. Companies that haven’t created agile processes are now seriously hampered in their efforts to compete with innovative digital services being offered by their competitors.
They may experience a gradual reduction in competitiveness, or they may be unable to adapt to rapid changes brought on by disruptive technologies or services like Uber or Airbnb.
I’d like to give an example of some technology infrastructure we all use every day which typifies the challenges organisations face in being agile and competitive. It’s an example which shows how the business has to take responsibility for technology infrastructure and not just leave the choice up to its technical people.
Right now most of us log into various systems and services using usernames and passwords – a process known as authentication. This basically matches digital identity information stored by the organisation to a person or, in some cases, a service.
The authentication options available to us are rapidly changing. A username and password may not be enough to do a bank transfer, for example – we may be prompted for a 6-digit code sent by SMS.
In the past, it was common to issue special tokens to be able to access various high value services, and these are being replaced in some cases with device-specific services. We may be able to log into our Internet banking on an iPhone by using our thumbprint alone, with no username and password required.
There are at least three good reasons for organisations to embrace new authentication methods, which are:
1. Security. The issues associated with usernames and passwords are well known (and frequently exploited). Every authentication method has a certain risk profile, however, that may make it more or less appropriate depending on the situation.
If an authentication method is compromised for some reason, it needs to be replaced. And that replacement process needs to occur quickly and painlessly to minimise disruption to the business and its customers.
2. Convenience. You may be happy enough to log into a service using a username and password but what if the provider offered to authenticate you using a voiceprint instead?
That would be one less username and password to remember and you might only have to say ‘hello’ to get access. Ease of use and quality of customer experience are important differentiators between digital services, so convenience is also a competitive advantage.
3. Meeting customer expectations. If you are the last organisation left in your sector that doesn’t offer two-factor authentication for high value transactions, your customers will perceive your services as less secure.
Service providers that rapidly embrace new authentication methods, on the other hand, will be perceived as more innovative and secure. Customers may also want to bring their own authentication, for example a FIDO Alliance smart card or device, and be highly motivated to replace all their usernames and passwords.
These reasons are essentially business demand driven. But the process of embracing new authentication methods depends on the underlying security infrastructure. Unless your digital infrastructure has been built to accommodate changing authentication methods, it may be cumbersome and slow to implement them.
What we are seeing now with changing authentication methods is only the tip of the iceberg. Like everything else in the cyber security world, there is an arms race going on between the people who want to compromise systems and the people who want to protect them.
As the risk profile of any given authentication method changes – generally for the worse – it will eventually become unsuitable for certain transactions. This has already happened to usernames and passwords when it comes to high value financial transactions.
As a result, new authentication methods are coming out continuously, and different authentication methods are supported by different devices. The iPhone supports Touch ID, a fingerprint identity sensor. Android phones, on the other hand, can identify their owners by scanning an image of their face.
Then there is the FIDO (Fast IDentity Online) Alliance, an organisation formed to address the lack of interoperability among authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords.
Its new standard will allow any website or cloud application to interface with a variety of FIDO-enabled devices – such as smartcards – that the user has for online security.
As usernames and passwords give way to more secure authentication methods the landscape will become increasingly fragmented. To keep pace, organisations need to think about building the appropriate infrastructure.
If your organisation hasn’t yet evolved beyond usernames and passwords, there’s a danger that your technical people will resist new authentication methods rather than enable them.
Usernames and passwords may be hardwired into back-end IT infrastructure such as business applications. There may be some work required to break down the dependencies that exist between your digital identities and the authentication of users.
Ideally, you want a pluggable authentication service that is agile and extensible. Then you will be in a position to adopt new authentication methods quickly and easily to address changes in risk or customer expectations.
A term I heard recently was ‘lick to authenticate’. In other words, regardless of what authentication method you support now, you should be able to swap it out and replace it with whatever is trending or appropriate in the future.
Your pluggable authentication service should also support ‘authentication workflow’, which handles the interactions with customers around their authentication.
Most of you will be familiar with the concept through services like Google which warn you about potentially suspicious access, such as when someone logs in from a new device for the first time. This might trigger the need to answer a secret question, for example.
These interactions both aid security and build trust with customers, which ultimately deepens the relationship. They also serve to educate customers about security and reduce any pain they experience – and reputational damage to the organisation – when a change in their behaviour is required.
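The pluggable service and authentication workflow described above, as an added example that is not from the article or from KPMG First Point Global. It is assumed, illustrative code: authenticators are swappable plug-ins identified by name and by the factor they prove (knowledge, possession), a policy decides how many distinct factors a request needs, and a login from a new device or for a high-value amount triggers a step-up response listing the methods that could satisfy it. Retiring a compromised method means proofs for it simply stop counting. The class names, the 1000.0 threshold and the SMS-code flow are assumptions for the example; a real deployment would hand the code to an SMS gateway rather than return it.

```python
"""Added example, not from the article: a minimal pluggable authentication
service with swappable authenticators and a risk-based step-up workflow.
All names, thresholds and the one-time-code handling are assumptions."""
import hashlib
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass


class PasswordAuthenticator:
    """Knowledge factor: salted PBKDF2 hash, constant-time comparison."""
    name, factor = "password", "knowledge"

    def __init__(self):
        self._store = {}  # user -> (salt, derived key)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enrol(self, user, password):
        salt = secrets.token_bytes(16)
        self._store[user] = (salt, self._derive(password, salt))

    def verify(self, user, proof):
        record = self._store.get(user)
        if record is None:
            return False
        salt, key = record
        return hmac.compare_digest(key, self._derive(proof, salt))


class SmsCodeAuthenticator:
    """Possession factor: six-digit one-time code, single use (assumed design)."""
    name, factor = "sms_code", "possession"

    def __init__(self):
        self._pending = {}  # user -> code awaiting verification

    def challenge(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = code
        return code  # returned only for this example; production sends it via SMS

    def verify(self, user, proof):
        expected = self._pending.pop(user, None)  # one use only
        return expected is not None and hmac.compare_digest(expected, proof)


@dataclass
class Policy:
    """Assumed rule: a second factor for high-value or new-device logins."""
    high_value_threshold: float = 1000.0

    def required_factors(self, amount, new_device):
        return 2 if amount >= self.high_value_threshold or new_device else 1


class AuthService:
    def __init__(self, policy):
        self.policy = policy
        self._methods = {}  # name -> authenticator plug-in
        self._known_devices = defaultdict(set)  # user -> device ids seen before

    def register(self, authenticator):
        self._methods[authenticator.name] = authenticator

    def retire(self, name):
        """Swap a compromised method out; proofs for it stop counting."""
        self._methods.pop(name, None)

    def authenticate(self, user, device_id, proofs, amount=0.0):
        new_device = device_id not in self._known_devices[user]
        required = self.policy.required_factors(amount, new_device)
        satisfied = set()
        for name, proof in proofs.items():
            method = self._methods.get(name)
            if method is None:
                continue  # retired or unknown method: ignored, never trusted
            if not method.verify(user, proof):
                return {"ok": False, "reason": "authentication failed"}
            satisfied.add(method.factor)
        if len(satisfied) < required:
            # Workflow step: tell the client which registered methods would add a factor.
            missing = [m.name for m in self._methods.values() if m.factor not in satisfied]
            return {"ok": False, "step_up": missing, "required_factors": required}
        self._known_devices[user].add(device_id)  # device is trusted only after success
        return {"ok": True, "factors": sorted(satisfied)}


if __name__ == "__main__":
    svc = AuthService(Policy())
    pw, sms = PasswordAuthenticator(), SmsCodeAuthenticator()
    svc.register(pw)
    svc.register(sms)
    pw.enrol("alice", "correct horse")  # constructed sample user
    print(svc.authenticate("alice", "phone-1", {"password": "correct horse"}))
    code = sms.challenge("alice")
    print(svc.authenticate("alice", "phone-1", {"password": "correct horse", "sms_code": code}))
```

The point to notice is that the policy and the authenticators never reference each other: adding a FIDO device or a voiceprint is a new class with a `name`, a `factor` and a `verify` method, and changing the risk rule touches only `Policy`. A failed proof short-circuits with a generic reason so the response does not reveal which factor was wrong, and a device is only remembered after a fully successful login.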
To a technical person, a pluggable authentication service is a great toy to play around with. Not every techie will see it that way, however, as some will be wedded to their existing systems. But the decision to implement agile authentication is one that the business needs to drive, and not leave to the technologists, if your organisation wants to compete in the digital economy.
Jan Zeilinga is a director of KPMG First Point Global with a leadership role within the KPMG Cyber Security team and responsibility for the company’s identity and access management technology strategy.