Surprisingly, a majority of enterprises still use IDs and passwords as their only standard authentication criteria. This is true among many industries and companies of all sizes. Unfortunately, there are many reasons why this is no longer adequate in an enterprise environment.
Many enterprises, recognising the limitations of today's ID/password solution, have implemented "strong password" rules as a quick and cost-effective attempt to solve the issue. These measures, however, don't really strengthen authentication or security: since most people are unlikely to remember complex passwords permanently, they write them down or save them on soft media. Instead of improving security, so-called "strong passwords" impose the hurdle of remembering complex passwords, and in doing so promote bad password management practices.
What is also true, but rarely addressed, is the fact that individuals often maintain the same passwords for multiple accounts. Such scenarios can lead to fraudsters gaining access to user IDs and passwords through stolen devices and other means.
A user ID and password-based authentication solution takes just a single factor into consideration when granting access to an individual. For example, let's say I successfully logged into my enterprise application using my user ID and password from my home office around 5pm. Later that day, say 8pm, there is an attempt to log in to my account using my credentials, only this time the request is coming from a location in Asia. Most systems do not take into account that it is impossible for a non-astronaut to reach Asia in less than three hours and log in from the Asian IP location. Systems that rely only on user ID and password grant access anyway.
Simply stated, authentication solutions must become intelligent, so they can validate the user, not just the machine. To do this, they must assess multiple identity factors to authenticate a user, and take into account the likes of keystroke dynamics, cognitive science, system parameters and geospatial parameters. This can enable the system to better understand the profile of users requesting access to a network or application and grant or deny access accordingly.
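The 5pm/8pm login scenario above can be checked with a simple geospatial velocity rule. The following Python sketch is an added example, not code from the author or any product: the coordinates, the user name, the 1000 km/h ceiling, the 50 km noise floor and the "allow"/"challenge" outcomes are all assumptions, and the latitude/longitude values are assumed to come from an IP-geolocation lookup done elsewhere.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 1000.0          # assumed ceiling: roughly airliner cruise speed
EARTH_RADIUS_KM = 6371.0

@dataclass(frozen=True)
class Login:
    user: str
    when: datetime        # all timestamps assumed to be in the same time zone (UTC)
    lat: float            # assumed output of an IP-geolocation lookup
    lon: float

def distance_km(a, b):
    """Great-circle (haversine) distance between two login locations."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))

def required_speed_kmh(prev, cur):
    """Speed a person would need to get from prev to cur in the elapsed time."""
    hours = abs((cur.when - prev.when).total_seconds()) / 3600
    km = distance_km(prev, cur)
    if hours == 0:
        # Simultaneous logins: impossible if the locations differ at all
        return float("inf") if km > 0 else 0.0
    return km / hours

def decide(prev, cur, min_km=50.0):
    """Return 'allow' or 'challenge' for cur, given the user's previous login."""
    if prev is None or prev.user != cur.user:
        return "allow"    # no history to compare against
    if distance_km(prev, cur) < min_km:
        return "allow"    # IP geolocation is coarse; ignore short hops
    return "challenge" if required_speed_kmh(prev, cur) > MAX_KMH else "allow"

# Constructed sample events: home office at 5pm, then Asia at 8pm the same day
HOME = Login("alice", datetime(2024, 1, 15, 17, 0), 42.36, -71.06)
ASIA = Login("alice", datetime(2024, 1, 15, 20, 0), 1.35, 103.82)
NEARBY = Login("alice", datetime(2024, 1, 15, 20, 0), 42.37, -71.11)

if __name__ == "__main__":
    for cur in (ASIA, NEARBY):
        print(cur.lat, cur.lon, round(required_speed_kmh(HOME, cur)), decide(HOME, cur))
```

A rule like this is one signal among the several factors the article lists; VPN egress points and mobile carrier routing can shift an IP's apparent location, which is why the sketch asks for a further challenge rather than refusing outright.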
How should an enterprise deploy intelligent authentication? First, IT should take several key capabilities into consideration. The intelligent authentication platform must be easy to use and should require no end user training. That is paramount, because one of the biggest challenges -- and time drains -- IT departments face is managing myriad help desk requests. The authentication solution must be easy to integrate with the existing IT infrastructure, and cost must be top of mind. Enterprises must look for solutions that fit within their budgets and are easily configured, deployed and managed.
The switch from a user ID and password authentication solution to an intelligent one will not happen overnight. But with the right amount of planning and strategy, enterprises can be well on their way to having a solution in place that reduces fraud, helps ensure regulatory compliance, and prevents identity theft before it happens. In the meantime, do you know where your user IDs and passwords are?
Bharat Nai is the vice-president of Delfigo Security.