Using only a password for authentication is fraught with problems. Even supposedly strong passwords used on a “3-strikes and you are suspended” login are fundamentally flawed, and must be considered insecure and a very long way from best-practice as far as authentication is concerned.
The gold standard for authentication has long been the use of multiple factors. Something you know (password), you have (token), you are (fingerprint).
Adoption of multiple factors has been slow. For one thing it costs money to distribute tokens or similar and integrate these into the login process, let alone making biometric scanners available to reliably read a fingerprint or iris.
With the widespread adoption of smartphones, some of these issues are being reduced. Still, the overall integration of all of these individual factors into multiple application servers’ login procedures remains expensive, and in many instances an outright intractable proposition. 3rd party applications can often not be modified for love or money.
Mercifully the bulk of these issues can be resolved by cloud-based IDaaS solutions. These provide a single, feature rich point of authentication while the targeted applications can remain completely unchanged. Being cloud-based they also resolve a range of Internet related attack vectors that ordinarily would make it expensive and risky to make applications internet accessible. Being able to access business applications from anywhere at any time is a major driver of productivity. Reducing the time and cost of enabling secure universal access to everything makes IDaaS such a hot topic.
Cost is not the only concern however. Users do not like having to spend an extra 10-20 seconds typing in some one-time-passcode when they wish to gain access to a tool they need to get their work done. Particularly when they are on the road, stressed and perhaps in a middle of a customer demonstration or other high-pressure activity. Combine that with having to repeat it over and over, possibly dozens of times or more a day, and it creates a real problem. Google “repeated password prompts” and consider the lengths people apparently go to.
The tipping point for such things to become a chore, with impact on morale and productivity, is surprisingly low and often underestimated by management and IT. The reason for this is that while doing a “of course it takes extra time but think of the added security” task once is fine, doing it many times a day is not.
This needs to be considered in designing stronger authentication into an enterprise, or such a project will fail.
In taking human factors into consideration there is a trade-off to be made. The number of times users need to “do security stuff” needs to be limited to “a reasonable amount per day”.
The simplest approach is to limit the number of applications that require extra authentication. That reduces the number of times users will have to expend additional effort – problem solved. However this also reduces the overall security posture because the bulk of the applications now are not well protected. This is trading off security vs. sanity.
Are there other ways to reduce user effort then? Is it possible to make the process simpler and control its frequency irrespective of the number of applications that are protected? The answer is a resounding YES – and this is where IDaaS again shines, because it provides the single point of control that is required to make this happen.
The first step is to make one-time passwords easier to use. When sending an SMS, don’t just send a 6-digit code, also send a URL that users can simply click on. An IDaaS identity provider can then accept the code being typed in on the one hand, but also be in waiting for the URL to be accessed, and complete the process that way. Its not only much quicker, its difficult to make a mistake, as there is no typing involved.
Even simpler usage can be achieved on Mobile phones via notifications that allow users to “Accept or Decline” instead of having to type a code. A simple swipe and click is all that is required in most cases. Similar can be achieved when using emails or other ways to gain out-of-band verification of a login.
It is important to note that the ease-of-use does not detract from the security of the one-time password. Nothing is lost in making this nice, we are merely leveraging our ability (courtesy of unified cloud-based IDaaS) to rendezvous the Application security MFA query with the user response in the Cloud.
This significantly lowers the burden on the user and thus increases the number of times users can be “made to jump through a hoop” – because it’s a bigger, lower hanging hoop and more a largish step rather than a jump.
But wait, there is more! An IDaaS solution can know a great deal of information about the current users disposition, as it sees everything the user does application- and authentication-wise. How long since they last authenticated, what device are they using to authenticate right now, which network are they doing this from and also how recently they have completed a multi-factor authentication step.
This makes it possible for applications to take a measured approach to multi-factor enforcement. Most applications would probably be sufficiently well served if a user had completed strong authentication in the last few hours – there is no need to insist on doing MFA every time an app is opened. This creates a situation where every application could require strong authentication, but it only results in users having to actually click “accept” two to three times a day, as applications leverage authentication complexity from one another.
There would still likely be a few applications considered special and always require more – but that is ok – there will be fewer users needing to access them typically and the importance of those applications is appreciated by staff. If there is negative feedback the policies can be fine tuned to provide highly visible relief to staff until everybody is happy.
It is clear that a cloud-based IDaaS solution is the only way to tick all the boxes to provide secure universal access from anywhere to all applications in an enterprise. No other combination of access control, VPN or similar provides that single point of control where all the parts in the equation can leverage information to the same extent as IDaaS can in order to provide an easy to use multi factor authentication, access and authorization solution.
That is why easy to use multi-factor authentication based on an IDaaS platform will make a big difference to security.