For enterprises that haven't revisited their authentication strategies in several years, it may be time to take a fresh look. According to Gartner Inc., a confluence of technology trends affecting enterprises – mobility, social media, cloud computing and big data – are having an effect on virtually every area of IT, including the market for enterprise authentication technology.
In this video interview at the 2012 Gartner Security & Risk Management Summit, Ant Allan, research vice president with Stamford, Conn.-based Gartner, discusses trends in secure authentication, including "cool" next-generation authentication technology, the emergence of cloud biometrics, why password-based authentication may simply be too great of a risk, and much more.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies.
Eric: Hi, I'm Eric Parizo. It's great to have you with us. Joining me today is Ant Allan. Ant is a research vice president with Gartner Inc. Ant, thank you so much for joining us today.
Ant: My pleasure.
Eric: Let's talk about next generation authentication for a few minutes. We'll hit several topics. First off, I know Gartner often likes to update its list of cool vendors or cool technologies. What are you seeing that is cool in the authentication market right now?
Ant: Well, I think that there's a lot of cool stuff going on in the authentication market. I think over the past several years, we've just seen an explosion in the choice of secure authentication methods that are available to organizations. And that's a great thing because organizations are really trying to find, not the strongest authentication method, but the one that provides the best trade-offs in terms of strength, cost and user experience. So this choice makes it more likely that that ideal solution exists. It also makes it harder to find.
I think some of the next generation authentication things that you see that are regarded as particularly cool are around new kinds of biometric authentication methods. Now biometrics has had an uneven track record. People's experience with fingerprint readers on PCs and so on has been patchy. Some people like it, others say, "No, it doesn't work well. It's hard to manage." We have users who can't use it. But now we're seeing quite a few vendors who are coming to market with solutions that are using more passive biometrics, and in particular, which are based on the kind of capture devices that exist on mobile phones. They are using mobile phones as a platform for capturing the biometric information, whether that's through the mic or through the user-facing camera. You could have voice recognition, face recognition, maybe the iris. Some vendors can do typing, whether that's on a mobile phone or a PC.
But using the handset or the capture device for biometrics allows you to use these techniques which can often be fairly transparent to the user. There's not a high degree of interactivity required. If you're using a mobile to access an online system, when you're looking at the phone, the phone is looking at you, so that face recognition could be happening in the background without you even being aware of it. We see quite a bit of interest both from vendors who are coming to market with this kind of solution, but it's not entirely being pushed by them. We are seeing real interest in these solutions from end user organizations, because traditional approaches don't move to mobile very well. People using tokens or smart cards, they just have so many problems using those with mobile devices as well.
I think the other cool thing is the approach that we've seen being used in banking where we have a number of vendors with online fraud detection tools, which are evaluating contextual information about the user to get some measure of confidence of their claimed identity, even if they are authenticating relatively weakly in the first place. And this approach, we see, could grow to become far more significant as you look at a greater breadth of contextual information, and maybe also leveraging increasing use of phones where the phone is a source of more and more information about the individual. And being able to correlate all these pieces of contextual information could give you a higher degree of confidence in their claim of identity. And maybe in the longer term, that in itself could be enough that you don't have to prompt people to authenticate in a traditional way so it can become very transparent.
This is a very 2001-ish thing, you know, HAL recognizing the astronauts on the ship. Okay, so we're 10 years later. At least it's going to be another 5 years maybe before this is mainstream, but it does have an intriguing possibility that a claim of identity is no longer needed, that the computer can just recognize individuals with a high level of confidence.
Eric: Now when it comes to biometrics, it seems there may be a confluence of trends there talking about mobile as well as the cloud perhaps making biometrics a much more viable option than it's been in the past. Is that something you see? What do you see going forward?
Ant: I think it's certainly part of the movement. It's a theme that we're looking at in Gartner Research. Generally we're talking about the nexus of forces, combination of mobile, cloud, social, and information, big data. And we can see elements of all of this in the changes in the user authentication market. We're seeing the emergence of these new biometric methods. We're seeing that the vendors are delivering those as cloud-based services. We're seeing that they're leveraging mobile technologies. That aggregation of contextual information is aggregating big data to provide information that gives us confidence about the individual.
Eric: Now passwords have been much maligned in recent years, but are still in many cases the single authentication factor for access to very important systems in many enterprises. Have we reached, or are we reaching, a tipping point where the risk of password-based systems as a single authentication factor is just too great?
Ant: I think we probably have passed that tipping point. I think most organizations that are relying on passwords for anything but minimal-risk systems are leaving themselves open. One of the challenges being that traditional, strong authentication solutions have been at too high a price point. One of the changes that we're seeing over the past few years is this growth of secure authentication methods. So there's now more of a range of authentication methods where people can find the right point at which they get authentication strength, but I think there's a lot of inertia in the market. Not all of these solutions are proven. Integrating them into corporate environments still remains a challenge.
Eric: The technical integration could be the real barrier. Yes, we can find something which is better than passwords, but how do we put that in place in our corporate systems where we've got to integrate it with our Windows PC network, log-in with various applications, and so on and so forth?
So I think the barrier is still too big for most organizations, but they do need to do other things to mitigate risk. Now that might not always be putting stronger authentication in place. If you say, "Well, I recognize that passwords do leave me with a significant residual risk, what else can I do to mitigate that?" then we'd say, "A greater emphasis on active monitoring of user activity, using techniques to try to identify fraud and other kinds of misuse, would be an appropriate response." So you don't always have to put the strength at the front end. If you have the right corrective controls, you could still use passwords but mitigate risks a different way.
Eric: It's been over a year now since the SecurID token IP theft. Have there been any lasting effects on token-based authentication in terms of the integrity as an authentication factor?
Ant: There has been some concern, and it's been about RSA in particular and about tokens generally. But I think the consensus still is that they are broadly reliable. We understand that none of these methods are fool-proof, that there are ways of bypassing authentication. That's something we've seen very much in the online banking market. We've seen a shift from phishing kinds of attacks, where strong authentication would mitigate that, to session hijacking attacks, man-in-the-browser kinds of attacks, where it doesn't matter how strongly you authenticate in the first place. That kind of attack can still succeed. And again the monitoring approach is the right way of mitigating the risks.
But generally in the market, tokens, in principle, are still seen as a viable secure authentication method. Although the trend has been away from the purpose-built devices, one of the things that we've seen as a major shift over the past few years is a movement from those hardware tokens to phone-as-a-token authentication methods. Either a one-time password app on a mobile phone, or an out-of-band authentication method that uses SMS or voice telephony to exchange authentication information, a one-time password or something else, perhaps.
And in new and refreshed deployments, we see those are the preferred solutions. There's still a huge installed base of tokens, but the majority of organizations that are putting something in place for the first time or are migrating away from an existing token deployment are choosing these phone-based methods.
Eric: Because that's essentially cheaper and easier to manage, isn't it?
Ant: It is, and there is some penalty in security. These are not as secure, because you're not using a cryptographically secure device; you're using a general-purpose computer. But that's marginal compared to the place you are with passwords alone. They do offer cost advantages. They're lower cost in the first place. The provisioning cost is lower. One of the things we find with a lot of organizations using tokens is that when they're distributing those to their users, the cost of distribution is more than the cost of the tokens themselves. So if you have things in software where people can download them from an app store and initialize them through some internal process, that gives good cost advantages. People tend to look after their phones better than tokens, so you have fewer problems with lost tokens where you need to provide some other means of access. And users like them because they don't have to carry this additional token; they're not caught out when they forget their token. They've typically always got their phone with them.
Eric: Finally, when you have conversations with Gartner clients about what to consider regarding secure authentication technology, especially for organizations that are perhaps revisiting their authentication programs and haven't done so in a few years, what are the key considerations that you cover in those discussions?
Ant: I think the first thing to understand is you have a variety of needs. And for most organizations you will not find a single authentication solution that meets all of your needs. The constraints of supporting remote access for your work force, internal access to the network, customer access, all of those are going to have different demands, different levels of risk, different user factors that you have to take into consideration.
So, the second thing is, given that, how do we assess the needs of each of those use cases? So you need to look at, what is the level of risk? What do you do to mitigate that? How strong a solution do you need? What is the cost going to be? Clearly if you are supporting a few hundred remote access users, cost is a consideration. But when you start looking at tens or hundreds of thousands of external customers, suddenly price becomes very, very sensitive. You also need to think about user experience. And that's important internally, because poor user experience means people try to make things easier for themselves, and that usually undermines security.
But it's interesting. On the consumer-facing side, the user experience is critically important. We found in a survey a few years ago that when the banks had introduced new measures following the FFIEC guidelines, 12% of the banking customers we surveyed had considered changing their banks because they found the new log-in process too complex. And 3% actually had changed their banks. So as you are introducing new secure authentication methods to mitigate risk, to reduce fraud, are you creating a business risk where you lose customers?
Eric: Ant, research vice president with Gartner, thank you so much for joining us today.
Ant: Thank you, Eric. Pleasure talking to you.
Eric: And thank you as well. Remember, for more information security videos you can always visit searchsecurity.com/video. For now, I am Eric Parizo. Stay safe out there.
About the Speaker
Ant Allan, Ph.D., is a Research Vice President in Gartner Research. He is a core member of the identity and access management (IAM) research community and specializes in identity assurance technologies, processes, policies and best practices.