Legacy identity and authentication systems are not equipped to handle modern needs. Zero-trust security, compliance, privacy, and ease of access all require a new approach: frictionless, identity-based authentication.
Identity is today's most-valued digital currency. Once verified, it gives you access to almost everything. Historically, identity has been validated by a birth certificate, government-issued ID, and passwords, and more recently by mobile devices and biometrics.
Amid constant attacks from cybercriminals, we're seeing a shift in how we define identity and ensure proper authentication. Legacy security methods assume the person logging in is who they say they are, but modern security standards (such as NIST 800-63-3 and FIDO2) imperatively focus on identity assertion and move away from legacy passwords.
This shift in security must incorporate user needs as well. With several accounts and passwords to remember, security is a cumbersome process that still puts users at a substantial risk of credential compromises.
Here are four ways we need to think differently about identity and authentication.
- Identity and Authentication Should Be Consolidated
Typically, security focuses on either identity proofing or passwordless solutions. This separation causes friction for organizations and customers when implementing two potentially incompatible, yet necessary, systems.
There are two major issues with keeping identity information and means of authentication separate, especially when dealing with both employees and customers. First, authentication will never be "frictionless" for your user. They'll be dealing with multiple passwords and usernames, which is a vulnerability. Second, if your employee uses your platform for personal reasons as a customer (think: bank employees also having checking accounts with you), you're not able to prove it's the same person, only that the person has the right customer credentials.
We don't need usernames and passwords anymore to authenticate individuals. Biometrics, mobile devices, and multifactor authentication are strong tools. Combining these methods with definitive ID proofing at the start reduces user friction and improves overall security.
- Users Must Control Their Identities
Individuals are at risk whenever they give out a piece of identifying information. Thus, users want more control over the who, what, and when of giving that information out. Today, there are several ways to put authentication back into users' hands:
- Smartphones validating biometric data
- Availability of one-time password (OTP) apps and devices
- Use of trusted platform module (TPM) chips in computers and mobile devices to store encryption keys and other data
- Use of blockchain to store identifiable information
- Requiring consent from users to provide validating details
Given these options, user control of identity and authentication must be a requirement. It's the obligation of all businesses users interact with to reduce their own risk and that of their employees and customers.
- Authentication Should Correspond to Risk
Despite the promise of the technologies listed above, most businesses do not utilize them. Rather, they continue to invest in archaic forms of authentication that do not correspond to the increasing sophistication of risk. While two-factor authentication helps, this is not a one-size-fits-all solution. Every user has varying degrees of risk, and their authentication must match accordingly.
Authentication should support multiple methods, but it can include corporate account verification, email address access, and biometrics — in addition to SMS and OTP, as previously mentioned.
Organizations don't need to implement all factors available to them but should identify their uses on a case-by-case basis according to the risk of their organization and users. Factoring back in users wanting to control their own identity, to maintain a positive experience, it's also important to realize the need to potentially allow them to decide when to adopt newer authentication methods.
- Both Should Be Manageable to Implement
Transitioning to new solutions is a delicate process. Moving too quickly without identifying the complex needs of your business or preparing your workforce and customers is a set up for failure. Focus first on how best to consolidate identity and authentication and build from there. This framework will provide your employees and customers with reliable, user-friendly authentication.
The concept of identity has been around for decades, yet authentication has not caught up to its advanced threats — until now. It's time to stop hoping for the best with legacy systems and embrace new means of authentication and storing information. This will create better authentication efficacy, user experience, and organizational security.