Published/updated: January 2015
By Tony Lock
We all know that trying to authenticate our users when they access the company's IT systems faces one major challenge that has so far outstripped the ability of nearly all security technologies. That's user acceptance. More accurately it is the refusal of most workers to 'put up with' any security solution they see as getting in their way. This applies no matter how important the system is to your business or how sensitive the data it holds.
If your user thinks the authentication mechanism is clumsy, takes too long or involves them having to do more than type a six-letter password that they don't have to change more than once a month, they complain. Even worse, they look for ways to get around it. This is why, for example, the use of multifactor authentication solutions has not been as rapid as most of us would have liked.
To tackle this problem, IT vendors have over the years looked at many different approaches to make signing into systems more secure without raising the hackles of your user community.
Biometrics have been around for some time and, to be fair, the take-up of fingerprint authentication has been growing quite quickly in the consumer space, but for a number of reasons it hasn't really set the business world on fire. So what other options are there?
Well, a few vendors have started to look at the problem a little differently, using identity verification techniques based on looking at user behaviour. An approach that has been developing rapidly in recent years is based on capturing a pattern of how users, or indeed customers, interact with the devices they use. This could include the way they type, the speed they type at, words they typically mistype, how they navigate their desktop, which shortcuts they employ, and so on. The idea is that if an imposter gets past the traditional login process (e.g. with stolen credentials), a pattern mismatch will be detected extremely quickly and appropriate action taken: lock out, admin alerts, etc.
A company I recently met with, BehavioSec, has extended this approach to work not just on traditional PCs with keyboards, but also to take in how a user works on tablets and smartphones where touch technologies are in play. It claims that its solutions have now matured to the degree where you can achieve very, very high rates of authentication accuracy, with remarkably low 'false-negatives'. More importantly, the users are unaware of the added security being employed when they work normally, thus overcoming the user resistance challenge.
BehavioSec tells me that it typically requires monitoring 6 to 10 sessions of a user working with an application to get a good pattern match. This is clearly a non-trivial requirement compared to the traditional creation of an account and password, but the benefits thereafter, in terms of both enhanced security and user satisfaction, could well be valuable enough to justify the up-front time and effort.
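To make the enrolment and pattern-mismatch idea described above concrete, here is an added example (not from the original article and not BehavioSec's algorithm) that builds a typing-rhythm profile from six sessions and scores a later session against it. The digraph-latency feature, the z-score threshold, the standard-deviation floor and all sample timings are assumptions chosen for illustration.

```python
import statistics
from collections import defaultdict
from itertools import accumulate

MIN_SESSIONS = 6     # lower bound of the 6 to 10 sessions quoted in the article
THRESHOLD = 3.0      # assumed cut-off on the mean z-score, not a vendor value
MIN_STDEV_MS = 5.0   # assumed floor so a very steady typist does not inflate z-scores

def digraph_latencies(events):
    """events: [(key, press_time_ms), ...] -> {(key_a, key_b): [latency_ms, ...]}"""
    out = defaultdict(list)
    for (k1, t1), (k2, t2) in zip(events, events[1:]):
        out[(k1, k2)].append(t2 - t1)
    return out

def enroll(sessions):
    """Build a per-digraph (mean, stdev) profile from the enrolment sessions."""
    if len(sessions) < MIN_SESSIONS:
        raise ValueError(f"need at least {MIN_SESSIONS} sessions, got {len(sessions)}")
    pooled = defaultdict(list)
    for events in sessions:
        for pair, vals in digraph_latencies(events).items():
            pooled[pair].append(statistics.mean(vals))
    return {pair: (statistics.mean(v), max(statistics.stdev(v), MIN_STDEV_MS))
            for pair, v in pooled.items() if len(v) >= 2}

def score(profile, events):
    """Mean absolute z-score over digraphs seen in both the profile and the session."""
    zs = [abs(statistics.mean(vals) - profile[pair][0]) / profile[pair][1]
          for pair, vals in digraph_latencies(events).items() if pair in profile]
    return sum(zs) / len(zs) if zs else None

def verdict(profile, events):
    s = score(profile, events)
    if s is None:
        return "insufficient-data"   # nothing comparable: rely on other controls
    return "mismatch" if s > THRESHOLD else "match"

def typed(word, gaps_ms):
    """Constructed helper: a word plus inter-key gaps -> timestamped key events."""
    return list(zip(word, accumulate([0] + gaps_ms)))

# Constructed sample data: six enrolment sessions of one user typing "secure".
BASE = [110, 95, 140, 120, 100]
ENROLMENT = [typed("secure", [g + d for g in BASE]) for d in (-6, -3, 0, 2, 4, 7)]
PROFILE = enroll(ENROLMENT)
SAME_USER = typed("secure", [g + 3 for g in BASE])        # same rhythm, small drift
OTHER_USER = typed("secure", [210, 60, 260, 70, 190])     # same text, different rhythm
```

In this sketch a "mismatch" verdict is the point at which the lock-out or admin alert mentioned above would be triggered, and "insufficient-data" covers sessions too short to compare.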
The password isn't dead yet, alas, but it's encouraging to see new approaches and solutions emerging to help you strike the right balance between security and usability.