Imagining frictionless authentication

Passwords are lame. After all, the username/password combination became the industry standard for online user identification more than two decades ago, but it has now become the weakest link in protecting our information.

Stronger authentication? Sure, most people agree that we need it, given the scope of cyber security threats today. The constant threat of compromised credentials and brute force attacks that can lead to devastating security breaches for organizations.

Effectiveness is all about balance

For IT and security decision makers, authentication is always a balancing act. On the one hand, they need to ensure that a given user is really who he says he is before granting access to a network or a system. On the other, they want to reduce friction so that authentication doesn’t negatively impact the user’s experience.

In response, we hear a lot of talk about two-factor authentication (2FA) as a potential solution. This method of confirming a user’s claimed identity uses two different components to increase confidence in the identity of a user. Two-factor authentication technology has provided a useful means of managing network and application access for years, and has its benefits for certain applications.

But 2FA is by no means perfect—from either a security or user experience standpoint. It doesn’t provide enterprises or users with a level of authentication flexibility that they want and need, and anyone who thinks traditional 2FA is a great user experience is kidding themselves.

So where do we go from here? I always say, “The moment you begin to imagine something, it begins to exist.” So, let’s re-imagine authentication.

Advances in authentication technology are enabling the market to move beyond 2FA. This includes the availability of dynamic multifactor authentication (MFA) solutions that enhance security, are risk aware, and at the same time deliver a frictionless customer experience to trusted customers.

Mobile provides an inflection point

A March 2017 report by global research and advisory firm the Aite Group, “Moving Beyond the Password: Consumers’ Views on Authentication,” points out that the increasing prevalence of smartphones and tablets “provides new opportunities to deploy stronger authentication mechanisms in a customer-friendly manner. In addition, inputting usernames and passwords in a mobile device is a clunky user experience, so many consumers willingly embrace biometrics and other technologies that are both easier and more secure.”

This is good news in advancing the state of the art for multi-factor authentication. After all, the username/password combination became the industry standard for online user identification more than two decades ago, but it has now become the weakest link in protecting our information.

Modern authentication solutions are emerging, and they provide the balanced approach we’ve been looking for – robust and context-aware security strong enough to protect a business and its customers, while also delivering an authentication experience that people will actually want to use.

One of the key benefits of these newer authentication approaches is flexibility when it comes to authentication methods used. For example, users of dynamic multi-factor authentication can be authenticated by some combination of fingerprint scanning; graphical combination lock; proximity of a secondary, known device; geolocation; or a personal identification number (PIN). This allows a lot of flexibility and can accommodate “mass market” variety in a user population.

As technology becomes more mainstream, a multi-factor approach can adapt to support new methods. Retinal scanning, facial recognition, heart rate scans, or even ambient noise can be used to authenticate a user.

Free to be yourself

Another interesting thing about this approach is the freedom it provides for users. Imagine a world where individual users can choose the authentication methods they’re most comfortable with without requiring additional hardware or a drastic change in their habits.

This kind of user choice might sound like it abdicates and enterprise’s control over authentication. Not the way I imagine it – in my world, organization can still deploy varying methods of authentication based on perceived levels of risk.

A large banking institution may want to require different levels of multi-factor authentication methods based on the risk of the activity being performed. For example, access to non-sensitive data might require nothing more than a single factor of authentication, or a combination of passive factors.

The cool thing about this dynamic approach to authentication is just that – it’s dynamic! The rigor of authentication needed could be based largely on context, not “one size fits all,” and can automatically adjust based on recognition of the device being used, as well as on available analytical data about past fraudulent or inappropriate behavior.

Are you ready for the future?

Dynamic, end-to-end authentication is the way of the future. Rather than rigid, constrained experiences, this approach provides more freedom.

Organizations will have the ability to easily and automatically adapt to changing threat and risk conditions and provide authentication that achieves the appropriate level of assurance, based on real-time circumstances.

End users will have a say in what’s appropriate, and will feel like they don’t have to jump through hoops to get what they want. This is how we get to that “it just works” feeling for authentication.

Imagine this better world with me. The future is closer than you think, and the future of authentication is frictionless.