1 Introduction
Many organizations across both the public and private sectors are looking for modular authentication services to augment and modernize their existing IAM infrastructures. With the occurrences of data leaks and fraud on the rise, risk-adaptive and multi-factor authentication are capabilities that can help improve security postures on multiple fronts. Authentication is a precursor to enterprise access control: one of many possible inputs to authorization systems. Properly implemented authentication can allow for personalization in consumer and government-to-citizen use cases, while respecting privacy as mandated by regulations via consent management.
Authentication has been one of the areas within IAM that has experienced the most technical advancement. Researchers and vendors have sought to address the inherent weaknesses of password-based authentication and have thus developed many different kinds of authenticators and protocols to increase assurance levels. Biometrics on mobile devices, out-of-band applications, mobile push notifications, and a variety of hardware tokens are visible examples. Authentication processes have also been improved by invisible measures such as the evaluation of user attributes, history, and behavioral analysis; behavioral biometrics; device identity, history, and health; and environmental context, including request types and history, locations, and networks. The unobtrusive means can operate as required in the background, only interrupting users with explicit need for input when deviations from their established baselines occur, leading to continuous, risk-adaptive authentication.
Regulations written with the goal of improving cybersecurity across various industries have taken effect in multiple jurisdictions. In the EU, the European Banking Authority’s (EBA) Revised Payment Security Directive (PSD2) requires Strong Customer Authentication (SCA), which is defined in the common way of two or more factors plus risk evaluation mechanisms. This regulation has been a driver for authentication upgrades at banks, financial institutions, retailers, and other businesses across the continent. In the US, legislation such as the New York SHIELD Act imposes penalties of up to $250,000 per incident for organizations that allow unauthorized access to personal information. Therefore, stronger authentication controls are on the radar for many organizations that hold the personal data of New Yorkers.
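The risk-adaptive evaluation described above (device, location, network and behavioral signals compared against a user's baseline, with the user interrupted only on deviation) combined with the "two or more factors plus risk evaluation" shape of SCA can be sketched as a small policy engine. This is an added illustration, not code from any product discussed here; the signal weights, thresholds, the knowledge/possession/inherence factor categories and all sample data are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Baseline:
    """Per-user baseline; a real service learns this from history (constructed here)."""
    known_devices: frozenset
    usual_countries: frozenset
    usual_networks: frozenset
    cadence_mean_ms: float   # mean inter-keystroke interval (behavioral biometric)
    cadence_std_ms: float

@dataclass
class Request:
    """Signals collected during one authentication attempt."""
    device_id: str
    device_healthy: bool     # assumed output of a device-health/attestation check
    country: str
    network: str             # e.g. an ASN label
    cadence_ms: float        # observed inter-keystroke interval
    request_type: str        # "login" or "payment"
    factors: frozenset       # subset of {"knowledge", "possession", "inherence"}

def risk_score(req: Request, base: Baseline):
    """Additive score over deviations from the baseline; weights are illustrative."""
    checks = [
        (req.device_id not in base.known_devices, 30, "unknown device"),
        (not req.device_healthy, 20, "device health check failed"),
        (req.country not in base.usual_countries, 25, "unusual country"),
        (req.network not in base.usual_networks, 10, "unusual network"),
        (abs(req.cadence_ms - base.cadence_mean_ms) > 2 * base.cadence_std_ms,
         15, "typing cadence off baseline"),
        (req.request_type == "payment", 10, "high-value request type"),
    ]
    fired = [(w, why) for hit, w, why in checks if hit]
    return sum(w for w, _ in fired), [why for _, why in fired]

def decide(req: Request, base: Baseline, step_up_at: int = 30, deny_at: int = 80):
    """Returns (decision, score, reasons). Low risk passes silently; elevated risk
    demands two independent factor categories; extreme risk is refused outright."""
    score, reasons = risk_score(req, base)
    if score >= deny_at:
        return "deny", score, reasons
    if score >= step_up_at and len(req.factors) < 2:
        return "step_up", score, reasons
    return "allow", score, reasons

# Constructed sample baseline for one user
BASE = Baseline(frozenset({"d1"}), frozenset({"DE"}), frozenset({"AS3320"}), 120.0, 20.0)
```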
Organizations with older IAM stack solutions in place sometimes find that they are not equipped to meet these regulatory and security challenges or to take advantage of newer technologies. Modular authentication services, whether deployed on-premises or from the cloud, are increasingly popular alternatives to full IAM stack upgrades or replacements.
Authentication services are important threads in Identity Fabrics, which are gaining traction in industry today. An Identity Fabric is an architecture that can be composed of disparate data sources and capabilities delivered as discrete services. Identity Fabrics permit organizations to add and upgrade segments of their infrastructure or contract with service providers to meet business objectives in a more agile manner. Given the widespread availability and adoption of cloud-hosted services running the gamut from IaaS to PaaS to SaaS, more vendors are packaging their solutions in containers so that they can provide the same types of functions regardless of deployment model. This means that on-premises software ships as images or virtual instances that can be deployed on most of the common operating systems or IaaS/PaaS platforms, or is made available as microservices via the vendor or managed service providers.
Use cases can be grouped into several major categories: Business to Employee (B2E), Business to Business (B2B), Business to Consumer (B2C), and Government to Citizen (G2C). In heavily regulated industries, strong authentication and/or MFA may have been in place for employees, and even contractors and partners, for years already, but generally based on hard or soft tokens. B2C and G2C use cases where MFA is present or planned are more often served by having smartphones act as the MFA facilitator. This has spurred development of mobile app-based authenticators and secure SDKs that allow customers to create their own integrated apps. Authentication solution providers that serve all these market segments must provide a range of options that satisfy customer expectations and improve security.
Consumer IAM (CIAM) use cases are typically solved with a common set of features, including self-registration, the ability to deploy multiple types of passwordless MFA and account recovery mechanisms, analysis of risk factors within authentication contexts, the ability to present a consumer portal for managing consent, and various reporting facilities, including inbound and outbound API access for third-party identity and marketing analytics tools. SaaS delivery of CIAM services is trending upwards and will likely remain the default choice for most organizations.