1 Introduction
As the number and severity of data breaches rise, businesses, governments, and other organizations seek to improve the authentication experience and raise assurance levels to mitigate against continuously evolving threats. Cyber-attacks put personal information, state secrets, trade secrets, and other forms of intellectual property at risk. Fraud against consumers and consumer-facing businesses has ramped up significantly. Increasing security and improving usability are the twin goals of modular authentication service upgrade projects. Data owners and IT architects have pushed for better ways to authenticate, based on changing business and security risks as well as the availability of newer technologies. Businesses have lobbied for these security checks to become less obtrusive and provide a better user experience (UX). Legacy IAM systems sometimes struggle not only to meet changing business requirements but also to keep up with the latest authentication technologies. This is especially true regarding legacy IAM solutions used by consumer-facing organizations. Many enterprises are choosing to augment their IAM systems by logically separating authentication from the IAM stack and utilizing discrete services that offer Multi-factor Authentication (MFA) with extensible risk analysis features informed by various types of intelligence. Many organizations are opting to deploy these capabilities in conjunction with their Identity-as-a-Service (IDaaS) solutions or as part of a "cloud-first" strategy.
MFA is the employment of multiple methods of determining that a user is who they are purporting to be in the context of an access request. Risk-adaptive authentication is the process of gathering additional attributes about users and their environments and evaluating those attributes in the context of risk-based policies. The goal of risk-based adaptive authentication is to provide the appropriate risk-mitigating assurance levels for access to sensitive resources by requiring users to further demonstrate that they are who they say they are. This is usually implemented by "step-up" authentication and/or the acquisition of additional attributes about the user, device, environment, and resources requested. Different kinds of authenticators can be used to achieve this, some of which are unobtrusive to the user experience. Examples of step-up authenticators include phone/email/SMS One Time Passwords (OTPs), mobile apps for push notifications, mobile apps with biometrics, Smart Cards or other hardware tokens, and behavioral biometrics.
Behavioral biometrics can provide a framework for login, in-app authorization (e.g. for online payments) and/or continuous authentication, by evaluating user behavior against a baseline set of patterns. Behavioral biometrics usually involves keystroke analysis, mobile "swipe" analysis, and even mobile gyroscopic analysis. These methods generally require the use of client-side agents, either standalone or embedded into applications as SDKs.
Solutions in this space can present multiple authentication schemes, methods, and challenges to a user or service according to defined policies based on any number of factors, for example, the time of day, the attributes of the user, their location, or the device from which a user or service attempts authentication. These factors can be used to define variable authentication policies. User Behavior Analysis (UBA) employs risk-scoring analytics algorithms to first baseline regular access patterns and then identify anomalous behavior, which can trigger additional authentication challenges or attribute collection.
A wide variety of MFA mechanisms and methods exist in the consumer authentication market today. Examples include:
- Strong/Two-Factor or Multi-Factor Authentication devices, such as mobile biometric apps, and/or mobile apps that leverage operating system biometric capabilities,
- One-time passwords (OTP), delivered via phone, email, or SMS,
- Out-of-band (OOB) application confirmation, usually involving push notifications to mobile devices,
- Identity context analytics, including
  - IP address
  - Geo-location and geo-velocity
  - Device ID and device health assessment
  - User Behavioral Analysis (UBA)
Authentication and the related identity and context assurance values, then, can be considered a precursor to authorization. The evaluation of these additional attributes can be programmed to happen in response to business policies, changing risk factors, and regulation.
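The risk-adaptive policy evaluation described above, as an added example that is not from the original report or any vendor's product: the identity-context signals listed (IP address, geo-location and geo-velocity, device ID, and a UBA-style baseline of usual sign-in hours) are scored against a user's baseline and mapped to allow, step-up or deny. The user, IP addresses, coordinates, thresholds and weights are all constructed for illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class LoginContext:
    """Identity-context attributes gathered at authentication time."""
    user: str
    ip: str
    lat: float
    lon: float
    device_id: str
    time: datetime

def utc(iso):
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, used for geo-velocity."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

# Constructed baseline (hypothetical user): last accepted login, enrolled devices,
# and the UTC hours at which this user normally signs in.
BASELINE = {"alice": {
    "last": LoginContext("alice", "203.0.113.5", 51.5, -0.12, "dev-A1", utc("2024-05-01T09:00")),
    "devices": {"dev-A1"},
    "usual_hours": range(7, 20)}}

def risk_score(ctx, baseline):
    """Score the request against the user's baseline; return (score, reasons)."""
    prior, score, reasons = baseline["last"], 0, []
    hours = (ctx.time - prior.time).total_seconds() / 3600
    dist = haversine_km(prior.lat, prior.lon, ctx.lat, ctx.lon)
    if hours > 0 and dist / hours > 900:   # faster than an airliner: impossible travel
        score += 50
        reasons.append("geo-velocity")
    if ctx.device_id not in baseline["devices"]:
        score += 30
        reasons.append("unknown device")
    if ctx.ip != prior.ip:
        score += 10
        reasons.append("new IP")
    if ctx.time.hour not in baseline["usual_hours"]:
        score += 10
        reasons.append("unusual hour")
    return score, reasons

def decide(ctx, baselines=BASELINE):
    """Map the score to a policy outcome: allow, step-up (e.g. push or OTP) or deny."""
    score, reasons = risk_score(ctx, baselines[ctx.user])
    action = "deny" if score >= 60 else "step-up" if score >= 30 else "allow"
    return action, score, reasons
```

Low-scoring signals (a new IP at an unusual hour) still pass without a challenge, which is the unobtrusive happy path; a new device alone triggers step-up, and impossible travel on an unknown device is denied.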
In the case of regulation especially, strong authentication and/or MFA are often required, with some industries more regulated than others – for example, the financial industry. The EU Revised Payment Services Directive (PSD2) dictates that service providers in this sector must use "Strong Customer Authentication" (detailed below). In the US, the New York Department of Financial Services 23 NYCRR 500 has similar provisions for MFA.
Financial institutions are also subject to Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations in various jurisdictions globally. Compliance with these regulations requires collecting personal information about customers.
However, many countries and states within countries have regulations that are designed to protect the privacy of their citizens and residents when acting as consumers. The EU General Data Protection Regulation (GDPR) is one of the best-known privacy regulations, which imposes stiff penalties for non-compliance. In the US, the California Consumer Privacy Act (CCPA) and follow-on California Privacy Rights Act (CPRA) are models that are being enacted and/or explored by other states. Thus, the collection of personal information by consumer IAM and authentication systems must adhere to an expanding number of privacy regulations.
In light of the above, one of the more recent additions to the authentication armory is "Passwordless" authentication. It is a popular term among product and service vendors today. Some passwordless options have been around for a while but are starting to be implemented more at enterprises and consumer-facing businesses. Passwordless options include the aforementioned biometrics and mobile push apps as well as simple possession of registered devices. Passwordless can also mean the evaluation of contextual risk factors without interrupting the user flow (in happy path flows). Passwordless methods provide security advantages and usability benefits. In the consumer-facing market especially, innovation in authenticators that improve user-friendliness can be a competitive advantage.
A final, yet key consideration for authentication solutions is account recovery: when users forget passwords, lose credentials, or change devices, they need ways to get access to their accounts. Account recovery techniques include Knowledge-Based Authentication (KBA; but it is recommended to avoid this method as it is usually even less secure than password authentication), email/phone/SMS OTP, mobile push notifications, and account and device linking. Help desk assistance may also be needed on occasion, but it is a costly measure.