New Streamlined Ways of Authenticating People Quickly Proving Their Value

Access & Authentication    | May 8, 2020

There is no one-size-fits-all approach to authenticating an individual’s identity. Today, the user is driving what authentication solutions should look like. 

How do you confirm that people requesting access to your system and files are who they say they are? One way is to ask them to confirm their identity multiple times before granting access. Chastised in the past for awkward or clunky user experiences, new streamlined ways of authenticating people are quickly proving their value.

Bad password habits pose vulnerabilities

As the saying goes: A chain is only as strong as its weakest link. The same mantra may be applied to a cybersecurity program, where a single weak lock can pose a critical vulnerability to an entire company’s network. In the case of authentication, internal employee slipups can render even the strongest digital locks obsolete. Passwords were responsible for 80 per cent of breaches in 2020.

From weak or easy-to-guess passwords, like ‘p@ssword,’ to password reuse repeatedly across multiple accounts, people cannot be trusted to create keys granting access to digital assets. But if multiple digital locks are created, each requiring a unique authenticating factor to grant access, it is theoretically harder to force access.

Address inherent vulnerabilities: authenticate beyond username and password

Using multiple methods to authenticate (MFA) helps mitigate the vulnerabilities presented by weak password habits by requiring additional authenticating ‘factors’ before granting access. These factors can vary in terms of complexity but are usually something unique or known only to the individual. This ensures that if a single factor is compromised, guessed or lost, like a password or PIN, other factors, maybe a birth date, remain to accurately verify the identity of who or what is trying to gain access.

“Imagine somebody is trying to hack an account and they correctly guess a user’s password,” says Chris Peel, VP Customer Engineering at Echoworx. “With MFA, they may try to log in, but the owner of the account gets a pop-up on their mobile device notifying them that someone is attempting to login. Access can then be denied by the person – using this second factor of authentication.”

Advocate for user friendly authentication

There is no one-size-fits-all approach to authenticating an individual’s identity. The term is loose and can be applied to a variety of methods – from so-called ‘Strong Authentication,’ a variant of Two-Factor Authentication now a requirement for transactions over €30 in Europe, to hard-token authentication, where a physical token is required to gain access. These systems vary in the amount of security they provide – with some even deliberately hindering user experience to emphasize the importance of the access they provide.

“People won’t accept more security than they think they need.” – Google’s Mark Risher

The use of user names/password logins were created at a point in time when the experience of the user was not a prime concern. Today, the user is driving what authentication solutions should look like. New digital variants help make authentication a relatively frictionless experience – with little to no impact on user experience. A bank portal, for example, might ask a banking customer for a password as one factor, or way, of authenticating their identity. But, if more stringent access controls are required, the bank may also demand a Time-Based One-Time Password (TOTP) – a single-use and time-stamped random code – issued from an app installed on the customer’s mobile phone. This additional verification is completed by the customer without leaving their mobile phone. The key, you must keep it simple. Mark Risher, who manages Google’s identity systems says, “People won’t accept more security than they think they need.”

Authentication is an integral part of digital business

If digital trust is the new currency of customer experience, authentication is one of the locks holding everything in-place. The average user assesses the safety of an email in just 20 seconds before replying with personal information, says Echoworx in a survey they conducted.  Yet, three quarters of the same people will leave a company who mishandles their data. If people cannot be trusted to safeguard access to their own data, organizations need to ensure a single digital slip-up doesn’t enable fraudulent access.

To make sure that right people enter and access the right information, strong authentication assures organizations that their entire network won’t be compromised by a single person – helping prevent breaches and compliance violations.