It is widely accepted that relying on passwords as the primary mechanism for authentication is no longer fit for purpose. With individuals interacting with so many online services it’s inevitable that the same password will be used in a variety of places regardless of the sensitivity of what it is protecting. But what are the alternatives? In the corporate world, two-factor authentication (2FA) via tokens and other mediums is commonplace, following the maxim of something you know and something you have.
But, how is this model rolled out to an extended enterprise where your users are more likely to be business partners and customers rather than someone on the payroll? The logistics of ensuring these types of users have physical tokens is significant both in time and expense. In reality there only a few organizations that can sustain such an overhead, in short: the banks.
This physical dependency has been broken with the ubiquity of smartphones as these are well suited to playing the role of a physical token, albeit with their own shortcomings. What still remains, however, is the necessity for a user to manage the 2FA process each time they want to log in. Is this actually absolutely necessary and what does it bring to the user experience (UX) agenda? Security trumps UX, but does it have to be one or the other?
Where we want to get to is a place where the security model reflects the sensitivity of the activities taking place and ensures that the user experience has as little friction as possible. How do we achieve this? Firstly, we can implement ‘step up’ authentication. As a user’s transactions and activities become higher value we can enforce a step up in authentication to reflect that. That means that more simple methods of authentication are required initially, only when there is a risk is the user fairly requested to further validate their identity. That constitutes a win for both security and UX.
What else can we adopt to strike the balance between these two conflicting agendas? This is where big data and your digital footprint have roles to play. Your online behaviour is likely to be more routine than you may think – whether it’s the device you use most frequently, from what region you access the web, and what time do you typically access social media sites, amongst other metrics.
By building up a pattern of online behaviour we can make very accurate judgement calls to validate who someone says they are. As a background process, we are providing increased security with no overhead to the end user. If anomalies appear we can react, asking individuals to step up their authentication or limiting their ability to conduct certain transactions. These types of methods allow us to deliver great user experiences, with less friction, without compromising on security.
Returning to the maxim of something you know, something you have and something you are. This also needs to be extended to something you do.