Denver-based identity security specialist Ping Identity has identified a key trend: rapidly increasing adoption of Zero Login, a type of end-user authentication that combines trusted devices, biometrics, and behavioural and contextual signals.
According to Ping Identity APAC CTO Mark Perry, the data used in Zero Login – where users swipe and type on their smartphones – will increasingly be processed by Machine Learning platforms which will determine how risky each login attempt is.
“[This data] will feed back into existing access control systems to trigger actions beyond the current allow/deny/ask for additional authentication,” Perry told Telecom Times. “For example, a medium level risk score could place a limit on the amount the user could purchase in the current online session without further authentication.”
“A very high-risk score could push the user, likely to be an attacker who hijacked the identity in question, into a “honeypot” environment which would allow the Machine Learning platform to gather further behavioural data without letting the attacker do any further harm,” Perry added.
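As an added illustration (not Ping Identity's code or any product's logic), the following is a minimal contextual policy engine that turns the signals named above into a risk score and maps that score to graded actions beyond allow/deny: cap the session's purchase amount, demand step-up authentication, or isolate the session. The signal weights, thresholds and purchase cap are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    ALLOW = "allow"                    # low risk: normal session
    LIMIT_PURCHASE = "limit_purchase"  # medium risk: cap spend without step-up
    STEP_UP = "step_up"                # ask for additional authentication
    ISOLATE = "isolate"                # very high risk: route to honeypot environment


@dataclass
class LoginContext:
    """Contextual and behavioural signals gathered at login (constructed fields)."""
    trusted_device: bool      # device previously enrolled by this user
    biometric_match: bool     # on-device biometric succeeded
    behaviour_anomaly: float  # 0.0 = matches swipe/typing profile, 1.0 = fully anomalous
    known_location: bool      # geolocation seen before for this user
    new_network: bool         # first time this network/ASN is seen for the user


@dataclass
class Decision:
    action: Action
    purchase_limit: Optional[float] = None  # set when spend is capped for the session


def risk_score(ctx: LoginContext) -> float:
    """Weighted sum of the signals, clamped to [0, 1]. Weights are assumptions."""
    score = 0.0
    if not ctx.trusted_device:
        score += 0.35
    if not ctx.biometric_match:
        score += 0.25
    score += 0.30 * ctx.behaviour_anomaly
    if not ctx.known_location:
        score += 0.10
    if ctx.new_network:
        score += 0.10
    return min(score, 1.0)


def decide(ctx: LoginContext, requested_amount: float = 0.0) -> Decision:
    """Map the score to an action; thresholds and the 200.0 cap are assumptions."""
    score = risk_score(ctx)
    if score >= 0.8:                       # likely hijacked identity
        return Decision(Action.ISOLATE)
    if score >= 0.5:                       # too risky to act without step-up
        return Decision(Action.STEP_UP)
    if score >= 0.25:                      # medium: allow, but cap spend
        cap = 200.0
        if requested_amount > cap:         # over the cap -> step-up, keep the cap
            return Decision(Action.STEP_UP, cap)
        return Decision(Action.LIMIT_PURCHASE, cap)
    return Decision(Action.ALLOW)
```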
Asked whether, for most organizations, there is a sweet spot among the sometimes conflicting demands of security, cloud and compliance, Perry noted significant tension in many enterprises between cloud initiatives and the challenges of security and compliance.
“These companies are having to contend with “shadow IT”, where departments or work groups sign up for cloud services without going through the usual security and compliance checks of their corporate procurement policy,” he said.
“However, there is a well-defined set of patterns that can be used to mitigate risks in this area, allowing all sides of the equation to be satisfied,” Perry added. Some recommendations, he said, included:
- Use cloud services that do not store passwords in the cloud. Single Sign On using identity federation protocols allows organisations to retain control of cloud accounts and data when users leave the organisation and allows for easier auditing of access.
- Enable Two-Factor Authentication. This step helps prevent phishing attacks and, used in conjunction with a contextual policy engine, can actually improve user experience rather than hinder it. And moving to smartphone-based services, instead of defaulting to one-time codes delivered via SMS, will also improve security.
- Make security controls more granular and user-friendly, such as allowing Bring Your Own Device for some employees, as long as they have a fingerprint reader and enable device locking. For other employees like the C-suite and system administrators, company-supplied devices with Mobile Device Management might be mandated for access into sensitive systems and data.