Published/updated: January 2015
By Tony Lock
We all know that trying to authenticate our users when they access the company's IT systems faces one major challenge that has so far outstripped the ability of nearly all security technologies. That's user acceptance. More accurately it is the refusal of most workers to 'put up with' any security solution they see as getting in their way. This applies no matter how important the system is to your business or how sensitive the data it holds.
If your user thinks the authentication mechanism is clumsy, takes too long or involves them having to do more than type a six-letter password that they don't have to change more than once a month, they complain. Even worse, they look for ways to get around it. This is why, for example, the use of multifactor authentication solutions has not been as rapid as most of us would have liked.
To tackle this problem over the years IT vendors have looked at many different approaches to make signing into systems more secure without raising the hackles of your user community.
Biometrics have been around for some time and, to be fair, the take-up of fingerprint authentication has been growing quite quickly in the consumer space, but for a number of reasons it hasn't really set the business world on fire. So what other options are there?
Well, a few vendors have started to look at the problem a little differently, using identity verification techniques based on looking at user behaviour. An approach that has been developing rapidly in recent years is based on capturing a pattern of how users, or indeed customers, interact with the devices they use. This could include the way they type, the speed they type at, words they typically mistype, how they navigate their desktop, which shortcuts they employ, and so on. The idea is that if an imposter gets past the traditional login process (e.g. with stolen credentials), a pattern mismatch will be detected extremely quickly and appropriate action taken: lock out, admin alerts, etc.
A company I recently met with, BehavioSec, has extended this approach to work not just on traditional PCs with keyboards, but also to take in how a user works on tablets and smartphones where touch technologies are in play. It claims that its solutions have now matured to the degree where you can achieve very, very high rates of authentication accuracy, with remarkably low 'false-negatives'. More importantly, the users are unaware of the added security being employed when they work normally, thus overcoming the user resistance challenge.
BehavioSec tells me that it typically requires monitoring 6 to 10 sessions of a user working with an application to get a good pattern match. This is clearly a non-trivial requirement compared to the traditional creation of an account and password, but the benefits thereafter, in terms of both enhanced security and user satisfaction, could well be valuable enough to justify the up-front time and effort.
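As an added illustration (not BehavioSec's method and not code from the original article), the sketch below applies the behaviour-pattern idea to typing rhythm only: a profile is enrolled from at least six sessions, and a later session is scored against it. The threshold, variance floor, function names and sample timings are all assumptions constructed for the example.

```python
from statistics import mean, pstdev

MIN_SESSIONS = 6     # the article cites 6 to 10 sessions to build a pattern
STD_FLOOR_MS = 5.0   # assumed floor so a very steady typist never yields ~0 spread
THRESHOLD = 2.0      # assumed cut-off on the mean absolute z-score

def session_features(events):
    """events: [(key, press_time_ms), ...] -> {digraph: mean gap in ms}."""
    gaps = {}
    for (k1, t1), (k2, t2) in zip(events, events[1:]):
        gaps.setdefault(k1 + k2, []).append(t2 - t1)
    return {d: mean(v) for d, v in gaps.items()}

def enroll(sessions):
    """Build {digraph: (mean, spread)} from digraphs seen in every session."""
    if len(sessions) < MIN_SESSIONS:
        raise ValueError("need at least %d sessions to enroll" % MIN_SESSIONS)
    feats = [session_features(s) for s in sessions]
    profile = {}
    for d in set.intersection(*(set(f) for f in feats)):
        vals = [f[d] for f in feats]
        profile[d] = (mean(vals), max(pstdev(vals), STD_FLOOR_MS))
    return profile

def score(profile, events):
    """Mean absolute z-score over shared digraphs; None if nothing to compare."""
    feats = session_features(events)
    shared = [d for d in feats if d in profile]
    if not shared:
        return None  # undecided: do not treat missing evidence as a match or mismatch
    return mean(abs(feats[d] - profile[d][0]) / profile[d][1] for d in shared)

def is_mismatch(profile, events):
    s = score(profile, events)
    return s is not None and s > THRESHOLD

def typed(text, gaps, jitter=0):
    """Constructed sample data: key-press times for text with the given gaps."""
    t, out = 0, []
    for ch, g in zip(text, [0] + [x + jitter for x in gaps]):
        t += g
        out.append((ch, t))
    return out

# Constructed timings (ms), not measurements from any real user.
OWNER_GAPS = [110, 95, 140, 120, 100]
PROFILE = enroll([typed("secure", OWNER_GAPS, j) for j in (-12, -6, 0, 3, 8, 13)])
OWNER_LOGIN = typed("secure", OWNER_GAPS, 5)
IMPOSTER_LOGIN = typed("secure", [180, 60, 210, 70, 160])
```

A session that shares no digraphs with the profile returns `None` rather than a verdict, so a caller can fall back to another check instead of locking out or admitting the user on no evidence.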
The password isn't dead yet, alas, but it's encouraging to see new approaches and solutions emerging to help you strike the right balance between security and usability.