
Managing The Risks

Editorial Type: Masterclass     Date: 09-2013

Risk-based authentication is now making its presence felt. Tim Ager of Celestix explains why and what it is all about

One of the key trends in the two-factor authentication market in the last year has been the emergence of risk-based authentication. But what exactly is it and do we need it?

Historically, two-factor authentication has been very clear-cut: allow access only to people we know and trust, and block access to anyone we do not know. That logic is sound enough, but, with the proliferation of mobile devices, there is a new dimension to consider.

Now we may be dealing with a trusted user, who employs multiple devices to gain access to corporate resources.

Two-factor authentication typically works on the basis of 'something you have', such as a token that can generate an OTP, and 'something you know', such as a PIN. So, if the user you trust wants to use their smartphone to generate an OTP, but also wants to use that same device to access the network, there is a risk: the 'something you have' and the session endpoint are now the same object. If the device is lost or stolen, whoever holds it also holds the OTP generator, and only the PIN stands between them and unauthorised network access.

In years past, the message was clear: only use an 'out of band' method for issuing and receiving an OTP, i.e. send the OTP via a separate channel from the one being used to access the network.

From a security perspective, this logic is reasonable, but modern computing methods have become so consumer friendly that organisations now need to consider what is an acceptable level of risk and adapt accordingly.

RISK-BASED APPROACH
This year, industry analysts have softened their stance on the application of two-factor authentication in the real world and are openly promoting the use of a risk-based approach. In effect, the advice is to apply common sense: first determine the level of confidentiality of the various resources that are being accessed remotely, and only then draft an access policy appropriate to each level.

For instance, an employee who only logs on to view email from a corporate mobile device may well be seen as sufficiently low risk that, in this case, the OTP generation could be carried out on the same device. However, when a user is granted access to the full set of network resources, it would be prudent to enforce true out-of-band authentication and limit access only from a specific corporate device, such as a laptop.
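The policy sketched above (classify the resource, then decide whether same-device OTP is acceptable, whether the OTP must be out of band, and which devices may connect) can be written down as a small decision function. The following is an added example for this page, not Celestix code or any product's policy language; the resource names, the three-level sensitivity scale, the device types and the exact rule ordering are illustrative assumptions. It fails closed on unclassified resources and, going slightly beyond the article's two cases, also covers the medium-sensitivity and unmanaged-device cases.

```python
"""Risk-based access policy evaluator (added illustration, not Celestix code).

Assumptions (not from the article): resource names, device types, the
three-level sensitivity scale and the rule ordering are all illustrative.
"""
from dataclasses import dataclass
from enum import Enum


class Sensitivity(Enum):
    LOW = 1     # read-only email
    MEDIUM = 2  # internal file shares
    HIGH = 3    # full network (VPN) access


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_OOB_OTP = "step-up: OTP must come from a separate device"
    DENY = "deny"


# Constructed classification table; a real deployment would load this from policy.
RESOURCE_SENSITIVITY = {
    "mail.example.corp": Sensitivity.LOW,
    "files.example.corp": Sensitivity.MEDIUM,
    "vpn.example.corp": Sensitivity.HIGH,
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    access_device_id: str    # device the session originates from
    access_device_type: str  # "phone" or "laptop" (illustrative)
    corporate_managed: bool  # enrolled/managed by the organisation
    otp_device_id: str       # device that generated (or received) the OTP
    resource: str


def otp_is_out_of_band(req: AccessRequest) -> bool:
    """True when the OTP came from a different device than the session itself."""
    return req.otp_device_id != req.access_device_id


def evaluate(req: AccessRequest) -> Decision:
    """Apply the risk-based policy: resource sensitivity first, then device and OTP channel."""
    sensitivity = RESOURCE_SENSITIVITY.get(req.resource)
    if sensitivity is None:
        return Decision.DENY  # fail closed on anything not yet classified

    if sensitivity is Sensitivity.HIGH:
        # Full network access: only a corporate laptop, and the OTP must be out of band.
        if not (req.corporate_managed and req.access_device_type == "laptop"):
            return Decision.DENY
        return Decision.ALLOW if otp_is_out_of_band(req) else Decision.REQUIRE_OOB_OTP

    if sensitivity is Sensitivity.MEDIUM:
        # Any managed device, but still insist on an out-of-band OTP.
        if not req.corporate_managed:
            return Decision.DENY
        return Decision.ALLOW if otp_is_out_of_band(req) else Decision.REQUIRE_OOB_OTP

    # LOW: a corporate device may generate the OTP on itself (the article's email case);
    # an unmanaged device is accepted only if the OTP comes from somewhere else.
    if req.corporate_managed or otp_is_out_of_band(req):
        return Decision.ALLOW
    return Decision.REQUIRE_OOB_OTP


if __name__ == "__main__":
    # Constructed sample requests matching the two cases discussed in the text.
    samples = [
        AccessRequest("alice", "phone-1", "phone", True, "phone-1", "mail.example.corp"),
        AccessRequest("alice", "lt-1", "laptop", True, "lt-1", "vpn.example.corp"),
        AccessRequest("alice", "lt-1", "laptop", True, "phone-1", "vpn.example.corp"),
    ]
    for r in samples:
        print(f"{r.resource} from {r.access_device_type} -> {evaluate(r).value}")
```

The ordering matters: resource sensitivity is checked before anything about the device, so a stolen corporate phone cannot talk its way into VPN access however it authenticates, and an unclassified resource is treated as the most sensitive rather than the least.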

Risk-based access is something I have dealt with from an access gateway perspective for many years and, with the right profiling and effective policy management, it can be extremely effective. I do not believe that organisations should simply give in to the new consumerised approach to corporate working, but, on the other hand, imposing restrictive access policies can stifle productivity and creativity. Considering a risk-based approach to authentication is certainly something we should all look at to ensure we get the balance right.

In his next Masterclass, Tim Ager will consider the top authentication trends to look out for in 2014.
