The confluence of new technologies is set to help businesses move away from password-based authentication towards a more-secure, less-invasive approach that relies heavily on behavioural monitoring and a range of inputs from smartphones and other devices.
So-called out-of-band (OOB) authentication abstracts the authentication process away from conventional, hardcoded password-based authentication; instead, OOB authentication processes – a core part of, for example, IBM’s Trusteer portfolio of cognitive fraud detection tools – rely on dedicated apps that integrate a range of inputs to make authentication decisions on a regular basis.
Rather than being a one-off challenge-response process, authentication becomes a continuous process of multi-factor authentication (MFA), which uses a range of factors to establish and reconfirm identity, sometimes without the direct involvement of the user.
The platforms consolidate known biometrics, like fingerprint scans from smartphone scanners, with metrics derived from monitoring of mouse movements, details of the operational computing environment, voiceprint analysis, and other distinctive user characteristics.
“If we can start to integrate how a user behaves, we’re getting greater confidence that it is them and not an abnormality,” IBM master inventor and executive IT specialist Chris Hockings told CSO Australia, noting that the technology is designed to support the shift towards a “frictionless experience”.
“Consumers don’t want to have to authenticate all the time, and continuously,” he explained. “They want something that runs seamlessly along while protecting our privacy. This is just a case of, in the short term, enriching those three mechanisms – something you know, something you are, and something you have. Ideally we would want the system to feel its way along like we are – without interrupting the user experience.”
IBM’s efforts to reinvent enterprise authentication draw heavily on R&D work being done by the company’s Australian development teams, which have been contributing to the company’s global efforts around authentication as well as technologies such as machine learning (ML).
ML technology will play a growing role in redefining authentication platforms by facilitating the analysis and matching of user activity based on authenticators that are far from binary. Ongoing analysis of subtle indicators of user behaviour will support the creation and maintenance of models that will be used with increasing accuracy within new authentication platforms.
Last month, IBM took a step towards empowering this shift by launching Watson for Cyber Security, a hosted security-analysis tool that has been trained with massive volumes of security data and will be progressively refined to support a range of security tools. Watson will also play a role in areas like mobile device management and Internet of Things (IoT) security.
The use of these platforms will progressively be broadened over time, both through Watson and comparable offerings from other providers: Unisys, for its part, this month launched a Machine Learning as a Service (MLaaS) offering designed as a general-use platform for intelligent data analytics.
Increasing leveraging of machine learning reflects a growing flexibility in enterprise authentication that could ultimately help reduce companies’ reliance on passwords – or, despite predictions that the number of passwords in use will grow to around 100 billion by 2020 – eliminate them completely.
That day can’t come too soon for Duo Labs senior security researcher Mark Loveless, who told the audience at this week’s CSO Perspectives Road Show 2017 that passwords are “the stupidest things ever”.
“I’m hoping that advances in MFA will kill the password,” Loveless said. “The only reason we have 2-factor authentication is that the first factor [passwords] is a security problem.”
“They are the thing that most users complain about, because they have to remember so many different passwords and add uppercase and lowercase, and symbols. They shouldn’t have to do that – but this is like a solution that some engineer came up with ages ago and we’re still doing it.”
Like Hockings, Loveless sees a strong future in agentless monitoring of user behaviour. “Instead of having 35 things loaded on your computer that have to do with security,” he explained, “we’re approaching the day where you can do this without agents. We’re getting tonnes of data, and you are able to reduce that down with the help of AI – correlating things from different sources and saying ‘this paints a picture’.”
Generating those myriad data streams remains a key focus for IBM as its pushes a hybrid approach that leans heavily on the myriad sensors built into smartphones. This OOB approach allows the addition of new biometric and behavioural identifiers using commonly-available technology rather than proprietary readers as in the past.
Cloud-hosted machine learning platforms will not only facilitate the analysis and correlation of massive volumes of authentication data, but will make these capabilities available to smaller companies that couldn’t normally deploy their own such systems.
Thanks to evolving sets of APIs, companies “can establish identity context in ways that we haven’t been able to do before,” Hockings said.
“Integration of these systems used to be a complex project, but it is now becoming something that you can drop into your environment and enable. I hope something like this will start to be realised in general usage, and we absolutely are investing to try to get that happening.”