
It's Time to Rethink Identity and Authentication

Digital Strategist Chris Hood
Legacy identity and authentication systems are not equipped to handle modern needs. Zero-trust security, compliance, privacy, and ease of access all require a new approach: frictionless, identity-based authentication.
Identity is today’s most-valued digital currency. Once verified, it gives you access to almost everything. Historically, identity has been validated by a birth certificate, government-issued ID, and passwords, and more recently by mobile devices and biometrics.
Amid constant attacks from cybercriminals, we’re seeing a shift in how we define identity and ensure proper authentication. Legacy security methods assume the person logging in is who they say they are, but modern security standards (such as NIST 800-63-3 and FIDO2) explicitly focus on identity assertion and move away from legacy passwords.
This shift in security must incorporate user needs as well. With several accounts and passwords to remember, security is a cumbersome process that still puts users at substantial risk of credential compromise.
Here are four ways we need to think differently about identity and authentication.
There are two major issues with keeping identity information and means of authentication separate, especially when dealing with both employees and customers. First, authentication will never be “frictionless” for your user. They’ll be dealing with multiple passwords and usernames, which is a vulnerability. Second, if your employee uses your platform for personal reasons as a customer (think: bank employees also having checking accounts with you), you’re not able to prove it’s the same person, only that the person has the right customer credentials.
We don’t need usernames and passwords anymore to authenticate individuals. Biometrics, mobile devices, and multifactor authentication are strong tools. Combining these methods with definitive ID proofing at the start reduces user friction and improves overall security.

Given these options, user control of identity and authentication must be a requirement. It’s the obligation of all businesses users interact with to reduce their own risk and that of their employees and customers.

Authentication should support multiple methods; these can include corporate account verification, email address access, and biometrics — in addition to SMS and OTP, as previously mentioned.
Organizations don’t need to implement every factor available to them; instead, they should decide which to use case by case, according to the risk to the organization and its users. Because users want to control their own identity, maintaining a positive experience may also mean letting them decide when to adopt newer authentication methods.
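As an added illustration of the risk-based, per-action factor selection described above (example code, not the author’s or any product’s), the small policy evaluator below picks the strongest methods a user has chosen to adopt and refuses high-risk actions until something stronger is enrolled. The method catalogue, the strength scores and the action tiers are constructed for this example; they are a loose simplification in the spirit of NIST 800-63-3 assurance levels, not that standard’s definitions.

```python
from dataclasses import dataclass

# Constructed catalogue for this example: each method has a strength
# (3 = phishing-resistant and hardware-bound, 2 = app/device-bound,
# 1 = delivered code) and a factor type, so two methods of the same
# type never count as two independent factors.
METHODS = {
    "fido2":              (3, "possession"),
    "platform_biometric": (2, "inherence"),
    "corporate_sso":      (2, "federated"),
    "totp":               (2, "possession"),
    "sms_otp":            (1, "possession"),
    "email_link":         (1, "possession"),
}

# Constructed per-action policy: (distinct factor types required,
# minimum strength of the strongest factor). Tiers are this example's.
POLICY = {
    "view_balance":          (1, 1),
    "transfer_funds":        (2, 2),
    "change_recovery_email": (2, 3),
}


@dataclass
class User:
    enrolled: set  # methods this user has chosen to adopt so far


def decide(user: User, action: str) -> dict:
    """Pick the fewest, strongest enrolled methods that satisfy the action's tier.

    Returns {"allow": bool, "methods": [...], "missing": str or None}.
    """
    need_factors, need_strength = POLICY[action]
    # Strongest first, so a FIDO2 user is never pushed down to SMS.
    ranked = sorted((m for m in user.enrolled if m in METHODS),
                    key=lambda m: METHODS[m][0], reverse=True)
    chosen, types = [], set()
    for m in ranked:
        strength, ftype = METHODS[m]
        if ftype in types:
            continue  # same factor type adds no independent assurance
        chosen.append(m)
        types.add(ftype)
        if len(chosen) == need_factors:
            break
    strongest = max((METHODS[m][0] for m in chosen), default=0)
    if len(chosen) < need_factors:
        return {"allow": False, "methods": chosen, "missing": "second_factor_type"}
    if strongest < need_strength:
        return {"allow": False, "methods": chosen, "missing": f"strength>={need_strength}"}
    return {"allow": True, "methods": chosen, "missing": None}
```

A user who has not yet adopted FIDO2 can still read a balance with a delivered code, but is told exactly what is missing before a recovery-email change is allowed.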

The concept of identity has been around for decades, yet authentication has not caught up to its advanced threats — until now. It’s time to stop hoping for the best with legacy systems and embrace new means of authentication and storing information. This will create better authentication efficacy, user experience, and organizational security.
Copyright © 2021 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.
