Eliminating or reducing the number of passwords in the enterprise remains a top focus of management and security professionals alike. While single sign-on technologies, such as password managers, identity federation, and operating system-based technologies, that reduce and simplify the number of passwords have been in use for years, the number of passwords and emerging technologies to address the problem has also increased.
Many enterprises have deployed strong authentication technology to strengthen, reduce, and even bypass the use of traditional passwords, but in many cases, the user’s password still exists, and the strong authentication technology is only useful in certain authentication scenarios. This creates a weakest link scenario whereby hackers simply focus on alternative points of access.
The Business Landscape Has Evolved
In the past, anything other than or in addition to a password was generally considered to be “good-enough” for most enterprises, with the main staple for two-factor authentication being the tried and true one-time password (OTP) token. Organizations could get away with focusing on strengthening authentication only for user accounts that had remote access privileges or access to the most privileged information.
However, today’s business landscape has evolved, leaving organizations to face the reality of an increasing number of cyber-attacks, stricter regulatory requirements, and growing end-user demand for simplicity. One basic form of authentication is simply no longer enough in the enterprise.
For instance, doctors in a hospital may require logon to twenty or more kiosk systems during the course of their rounds. Additionally, they may login to numerous applications following every operating system logon and may be required to provide additional authentication to order controlled substances. Requiring doctors to use an OTP token in this scenario would not be convenient.
Enter Risk-Appropriate Authentication
To effectively protect against attacks, all points of access must be strengthened with stronger forms of authentication; however, one form of strong authentication is likely not convenient or enough to address all authentication scenarios within the enterprise. Simply put, you need risk-appropriate authentication that strikes a balance between risk and convenience.
So, what is risk-appropriate authentication? According to Gartner, risk-appropriate authentication calls for an organization to consider multiple use cases and evaluate minimum levels of assurance and accountability, commensurate with the level of risk. Additionally, other constraints must be factored in, such as lowest acceptable ease of use and the justifiable total cost of ownership.
The first step on the road to risk appropriate authentication is to identify all the points of access. This may include remote access by employees or vendors, local and network account access to corporate owned computers, local network access to a corporate network from personally owned computers, shared (kiosk) systems, employee portals, remote desktops, or cloud services provided by third-party providers.
Once all points of access have been identified, analysis must be performed to determine the acceptable level of risk associated with each access scenario and the appropriate level of authentication that is associated with each access.
A user accessing a company owned computer, on a closed network, in a secured facility, for example, may be allowed to use a username and password to authenticate, whereas a user accessing a company owned computer off the network may need to authenticate with something stronger than username and password, such as a fingerprint, in addition to their username and password.
The Solution: The Authentication Platform
A common challenge has historically been managing authentication technologies for remote and on-premises users simultaneously. This was primarily due to the fact that remote access users typically used OTP tokens, which either didn’t support operating system logon or provided a poor user experience. Therefore, enterprises typically deployed smart card technology, fingerprint technology, or something else to address authentication to operating systems and specific applications. However, this required the deployment of different systems and processes.
Advancements in the management of authentication technology have made it possible to manage multiple forms of authentication from a single platform. Gone are the days where enterprises needed to procure, deploy, and manage multiple authentication technologies from multiple vendors.
Today, these technologies can all be managed by a single solution. Authentication platforms can manage multiple forms of authentication simultaneously and multiple forms of authentication can be assigned to end users for different access scenarios. This solves a number of problems for both enterprise security personnel and end users.
With an authentication platform, enterprises can deploy stronger forms of authentication that meet the needs of all use case scenarios. This enables organizations to successfully address the concerns of security personnel, ensure compliance, and simplify the user’s experience.
While passwords may have a continued place in the enterprise for years to come, it is important to understand when it’s appropriate to use passwords and when stronger forms of authentication are required.
Through the deployment of an authentication platform, the enterprise can decide where and when it’s best to strengthen authentication, while providing end users with a more seamless authentication experience. And, risk-appropriate authentication ensures that the appropriate level of security is being applied, without interfering with the user experience.