This isn’t necessarily a bad thing, so long as you don’t wait too long to act. For starters, if you’ve yet to move away from user names and passwords, you have the advantage of studying various multifactor solutions and seeing how well they work in the real world. However, a cursory look at new authentication techniques is often misleading. While consumer-facing authentication gets a lot of ink in the trade press, the real improvement in security happens behind the scenes.
Financial institutions rely on back-end authentication and fraud detection techniques as stronger security layers beyond the point of entry. Secure cookies and IP geo-location help further authenticate you, while things like in-session monitoring and transaction-level fraud detection offer protection even if a crook gets in.
This is all part of what is being dubbed “risk-based authentication.” If you’re simply checking balances and paying the bills you pay at the same time each month, you’ll be left alone. If you try to shuffle funds overseas, you’ll be asked for much more stringent forms of authentication and, if you can’t provide it, your account will be locked down.
Risk-based Authentication for the
Let’s apply risk-based authentication to a typical office setting, where most workers are in house, with a few on the road or working from home, along with some contractors and partners needing access to organizational networks.
Employees who come into the office should encounter fewer layers of authentication. After all, their very presence, especially if they have to show ID to get into the building, is a pretty strong form of authentication. For mobile workers, the bar will be higher with, say, secure cookies adding an extra layer. For contractors and partners, the authentication bar should be higher still.
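The policy described above (routine activity left alone, riskier activity challenged, failed challenges locked out, with a higher bar for mobile workers and contractors) can be sketched as a per-request decision function. This is an added example, not code from the article; the population names, signal names, weights and threshold are all illustrative assumptions.

```python
from dataclasses import dataclass

# Illustrative assumptions: none of these weights or thresholds come from the article.
BASE_RISK = {"office_employee": 0, "mobile_worker": 2, "contractor": 4}
STEP_UP_AT = 5  # score at which stronger authentication is demanded


@dataclass
class Request:
    population: str       # key of BASE_RISK
    known_device: bool    # secure cookie from an enrolled device is present
    geo_expected: bool    # IP geolocation matches the user's usual locations
    routine_action: bool  # action fits the user's benchmarked behaviour
    high_value: bool      # e.g. an overseas transfer or a bulk data export


def risk_score(req: Request) -> int:
    """Add up the risk contributed by who is asking and what they are doing."""
    score = BASE_RISK[req.population]
    if not req.known_device:
        score += 3
    if not req.geo_expected:
        score += 2
    if not req.routine_action:
        score += 2
    if req.high_value:
        score += 5  # always enough on its own to trigger a challenge
    return score


def decide(req: Request, step_up_passed=None) -> str:
    """Return 'allow', 'step_up' or 'lock'.

    Call this for every sensitive action, not only at login, so the check
    keeps working after the user is inside. step_up_passed stays None until
    the user has been challenged; then it is True or False.
    """
    if risk_score(req) < STEP_UP_AT:
        return "allow"
    if step_up_passed is None:
        return "step_up"
    return "allow" if step_up_passed else "lock"
```

Because the decision is evaluated per action, an in-office employee who passes login untouched is still challenged when a later request is high value, which is the behind-the-scenes layer the article argues matters most.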
What happens after this, though? Can you trust employees once they’re inside? What about that disgruntled worker passed over for a promotion? What about employees leaving the company? What about contractors who may work for a competitor in the future?
The most important lesson emerging from the financial sector is this: authentication works best when it works with behind-the-scenes complements like transaction monitoring.
Fraud detection today is targeted at banks, but as this sort of security matures, smart enterprises will adopt it too. They’ll seek out solutions that allow them to benchmark their employees’ online behaviors and then warn them when something is amiss. We’re already seeing things like data-leak prevention addressing this concern. It’s too soon to tell, but perhaps that technology will turn out to be the fraud detection of the larger enterprise space.
Jeff Vance has been writing about technology trends for more than 10 years. After editing two high-tech insider investment newsletters, Mobile Internet Times and E-Infrastructure Times, Vance founded Sandstorm Media in August 2003.