Jeff Carpenter – Vertical Market Director, Crossmatch
More and more valuable information becomes digitally warehoused, and at the same time an increasing number of corporations and individuals are being allowed access to systems that contain that valuable information. In other words, a target is painted on that information.
Ease of access – and the size of the potential reward – makes it highly probable that the brightest and best criminal minds and nation states in the world will engage in cybercrime. These “bad actors” are prepared to spend exorbitant sums of money attempting to break into the systems of digital organisations. The value of the bounty available makes it too enticing not to do so.
Consequently, as financial services and corporations drive to implement digital innovation, ramp up data collection, improve analytics processes and offer omnichannel products to clients, it is critically important that cybersecurity figures prominently in those endeavours.
And as so much access is now afforded to digital organisations through connected, open, and accessible systems, cybersecurity needs to be more resilient and cover a wider range of systems entry points than ever before.
Traditional authentication is a flawed model
For all the progress in technology development in the area of cybersecurity, there still remains one inescapable flaw in the system: The element of required human input. The potential anonymity of the digital universe can wreak havoc on a digital system; therefore the ability to accurately ascertain who is attempting to access that system at any point in time is of critical importance.
Traditionally, a password system has been the principle method of confirming the identity of an individual attempting to gain permission to access a system. However, it has been years since this single proof of authentication has been accepted as being of adequate industry standard. An imposter pretending to be a person they are not is virtually impossible to detect with this system. The ease with which passwords can be stolen or shared is obvious.
Conventional wisdom regarding digital authentication in the past few years has extended first to two- factor and subsequently multi-factor authentication, which is currently the industry norm. However these steps, albeit in the right direction, have not moved the authentication far enough away from the legacy password-only model to be truly considered a reliable process.
Even in a “What you know” (password), “What you have” (physical hardware/key), “Who you are” (biometric identification) multi-factor authentication system, passwords are still at the heart of the process and there is no scrutiny of the activity or reasoning behind an access request.
The improvements in the authentication process can be described as incremental at best. Even the least experienced cybercriminals can foresee a method of gaining access to system fraudulently – even without envisioning an all-too-common scenario whereby a disgruntled employee abets a fraudulent authentication.
Human nature – the insurmountable obstacle
Whenever any security system has an overreliance on human participation there is an easily identifiable weak point in the system, and it is always the weakest point in the system that will be subject to the greatest scrutiny from unwanted actors. Removing the authentication dependency from humans in-part (or entirely) will vastly improve the integrity of the system.
Disgruntled employees or those granted access who have malicious intent wield excessive amounts of power in current authentication systems. Honest employees are also a potential weak point in the system, by casually sharing their authentication data they may provide access to identifiable unauthorised individuals.
But this is only one facet of human nature that compromises an authentication system reliant on human interaction. Others include:
- Confusion over what the security policies actually are
- Failure to navigate the authentication process correctly
- Failure to recall passwords designed to be complicated to remember
- Subsequent lockouts from guesswork
Improving the authentication system
Current multi-factor authentication can be expanded upon to create a system that does provide optimal protection of an open system. Adding further authentication data points broadens not only the accuracy, and therefore integrity, of the authentication system, but also expands its reach.
It encompasses users from a greater number of stakeholder groups and across the increased number of digital applications that are connected to modern data systems.
To improve the traditional authentication process, additional factors to mitigate the risks created by operating an increasingly open digital system need to be implemented. This is the cornerstone of composite authentication.
Composite authentication closes the gaps left by traditional multi-factor authentication on an open platform.
In addition to “What you know”, “Who you are”, and “What you have” factors, a further positive action authentication factor, “What you do”, adds yet another layer of process that instantly increases the overall integrity of the system. This action, which could be recorded via mouse-tracking or keystrokes on desktop, or device orientation or swipe patterns on mobile applications, is complementary to existing multi-factor authentication.
Two further passive authentication factors, taking a layer of the authentication process out of the hands of humans, directly combats the expansive and open nature of modern digital systems.
“When you act” authentication tracks access to specific times which can be individually or collectively determined. This authentication gate can therefore open and close when necessary, restricting access at times when the system is less well protected. Adding a time-sensitive authentication requirement will not prevent those with access from using the system appropriately, but may prevent those with access from abusing their access rights in addition to preventing foreign agents from impersonating users during hours they are expected to be away from the system.
“Where you act” authentication offers similar benefits. User access is restricted to particular geolocations and/or IP addresses to ensure that the system is not being inappropriately accessed from rogue locations via fraudulent authentication requests.
The combination of “Where you act/When you act” authentication pinpoints an exact system user in a manner than cannot be done using any other mechanism. This method of controlling where users can access the system from and when they can do so is more critical now than it has ever been previously – as digital systems are now almost uniformly open and accessible 24 hours a day and from locations globally.
Not restricting authorised user accessibility to the system creates a huge target to defend from cybercriminals. A digital system needs to be protected against every environment and the paring down of the contexts in which authentication is accepted is the only way in which to do this safely.
“When you act” and “where you act” authentication factors are particularly pertinent for company employees with access to sensitive or valuable data that is of interest to cybercriminals. Anomalies in accepted log-in time and geolocation/IP when accessing this data simply will not be accepted, making it extremely difficult for cybercriminals to gain access to a corporation’s system. Any attempted bypass to the system via express assistance from an authenticated user is trackable.
Corporations need to take further control over their open digital systems as they become even more critical components of their businesses. Managing user authentication is a key aspect of this. A composite authentication model is the only legitimate method of protecting system integrity.