This isn't necessarily a bad thing, so long as you don't wait too long to act. For starters, if you've yet to move away from user names and passwords, you have the advantage of studying various multifactor solutions and seeing how well they work in the real world. However, a cursory look at new authentication techniques is often misleading. While consumer-facing authentication gets a lot of ink in the trade press, the real improvement in security happens behind the scenes.
Financial institutions rely on back-end authentication and fraud detection techniques as stronger security layers beyond the point of entry. Secure cookies and IP geo-location help further authenticate you, while things like in-session monitoring and transaction-level fraud detection offer protection even if a crook gets in.
This is all part of what is being dubbed risk-based authentication. If you're simply checking balances and paying the bills you pay at the same time each month, you'll be left alone. If you try to shuffle funds overseas, you'll be asked for much more stringent forms of authentication and, if you can't provide it, your account will be locked down.
Risk-based Authentication for the
Let's apply risk-based authentication to a typical office setting, where most workers are in-house, with a few on the road or working from home, along with some contractors and partners needing access to organizational networks.
Employees who come into the office should encounter fewer layers of authentication. After all, their very presence, especially if they have to show ID to get into the building, is a pretty strong form of authentication. For mobile workers, the bar will be higher with, say, secure cookies adding an extra layer. For contractors and partners, the authentication bar should be higher still.
What happens after this, though? Can you trust employees once they're inside? What about that disgruntled worker passed over for a promotion? What about employees leaving the company? What about contractors who may work for a competitor in the future?
The most important lesson emerging from the financial sector is this: authentication works best when it works with behind-the-scenes complements like transaction monitoring.
Fraud detection today is targeted at banks, but as this sort of security matures, smart enterprises will adopt it too. They'll seek out solutions that allow them to benchmark their employees' online behaviors and then warn them when something is amiss. We're already seeing things like data-leak prevention addressing this concern. It's too soon to tell, but perhaps that technology will turn out to be the fraud detection of the larger enterprise space.
Jeff Vance has been writing about technology trends for more than 10 years. After editing two high-tech insider investment newsletters, Mobile Internet Times and E-Infrastructure Times, Vance founded Sandstorm Media in August 2003.