Flexible Authentication: You’ve Got Some Choices to Make

Just because you can offer every type of authentication method under the sun doesn’t mean you should. Here’s how to identify which methods will best meet your organization’s needs.


The great thing about having an authentication solution that offers many different ways to authenticate is that you can pick and choose which ones you want to offer users—and which you don’t. The following information will help you decide what will be most effective for your organization and your users.

What Authentication Methods Should You Make Available?

When choosing authentication methods, it helps to consider both the security requirements of the organization and the circumstances of the users.

  • Security Requirements: Start with the basic concept of an authentication method being something you know, something you have or something you are. First, decide if one of those will suffice (possession of a registered device, for example) or if you’d prefer at least two (such as possession of a registered device, plus a fingerprint). Then consider their relative security. For example, is sending an SMS one-time password (OTP) to a user’s phone less secure than a push notification using a mobile app? The answer may be different for different organizations, but identifying where your organization stands on this type of consideration is important.
  • User Population: Recognize that not all users will benefit from the same options. If IT administrators are already using hardware tokens, for example, do you want them to continue? Do you want to add a second method, such as a type of biometrics, for some? On the other hand, if there are some users who have been authenticating only with passwords, you may want something more mobile-friendly or universally available than a hardware token.

It’s good to provide choices, but it’s also important to have a sense of which methods will provide the right security based on context, risk and the makeup of the user population.

How Can You Maximize Flexibility for Users?

When you give users choices, you also have the opportunity to adapt to the specifics of their situations. Take a user who typically uses a push notification plus a biometric like a fingerprint or eyeprint. What happens when they’re accessing resources from an airplane that has an internet connection for the laptop but no cell phone connection? The user should be able to select a method that will work in that environment, such as OTP protected by a fingerprint.

Think about these four things when considering flexibility for users:

1. Give the user a choice in what methods will be convenient.

2. Offer methods that cover situations where one of the choices may not be available.

3. Remember the favorite method to reduce required user steps for the most common scenarios.

4. Create consistency across methods (for example, push notifications and OTPs delivered from the same mobile application).

Administrators need flexibility in deploying methods, and users need flexibility in utilizing them. By ensuring both, you will keep both groups happy with high levels of security and usability. Watch this demo to see how RSA SecurID® Access delivers flexible mobile authentication options that have identity assurance capabilities built in.
