The identity and access management (IAM) market continues to grow significantly, with research bodies predicting an annual growth rate somewhere between 13 per cent and 26 per cent.
It has never been more important for IT leaders from organisations of all shapes and sizes to protect the data they hold, and yet many employees are still able to reach sensitive data with nothing more than a password.
As the data that companies hold grows exponentially, along with the places we work from and devices we as employees use, it is critical that organisations have the solutions in place to ensure that the right people have access to the right data.
But we use passwords for everything. We’re protected, right?
Passwords, and even one-time passwords (OTPs), are weak methods of authentication. Cybercriminals and nation-state attackers have numerous phishing, social engineering and brute-force techniques for turning weak employee authentication into stolen organisational data.
As an organisation, we champion strong authentication as standard. But many are still convinced that strong authentication is reserved for big business and big budgets.
That is not the case, and we are working to raise awareness that strong authentication is achievable for organisations of all sizes.
You can think of digital identity and access management hierarchies rather like a pyramid – though more like Maslow’s hierarchy of needs, than Khufu and Giza.
This pyramid provides a simple way of visualising how the authentication slice of the IAM landscape breaks down and categorises the technologies that are currently available on the market.
There are countless multi-factor authentication vendors out there but knowing where they all fit and the advantages and disadvantages of their technology is no mean feat.
At the base of the pyramid sits the lowest-security method of authentication: the password. Passwords are routinely cited as a factor in more than 80 per cent of hacking-related breaches; they are inherently insecure, a pain for end users and equally frustrating for IT teams.
Next up we have one-time passwords (OTPs). OTPs offer better protection than passwords alone but are still weak in comparison to the stronger methods further up the pyramid. Take an OTP delivered by SMS: the authentication server generates a short code, sends it to the user's mobile number, and the user types it back to prove possession of the phone. The weakness stems from the fact that SMS is not a secure channel: a rogue app on the handset can read and forward the message, the number itself can be hijacked by SIM-swap fraud, there is no direct binding of the credential to the user's identity, and the user experience is poor. Hardware and app-based OTP tokens are more robust, typically computing the code with a keyed hash (HMAC) over a counter or the current time, but the token and the server must hold the same seed. Whoever obtains that shared secret, for instance through a breach of the server-side seed store, can generate valid codes for every affected user without ever touching a token, and any OTP can also be phished in real time simply by asking the user to type it into a look-alike site.
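To make the shared-secret point concrete, here is an added Go example (not code from the article or from any vendor) that implements HOTP and TOTP as specified in RFC 4226 and RFC 6238 using only the Go standard library. The seed is the RFC test-vector seed, the 30-second step and six-digit length are the common defaults, and the attacker's "stolen" copy of the seed is constructed for the demonstration; the point it shows is that the server's verification routine cannot tell the legitimate token from anyone else who holds the same seed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to 31 bits, then reduction modulo 10^digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP implements RFC 6238: HOTP with the counter taken from the clock.
func TOTP(secret []byte, unixSeconds, stepSeconds int64, digits int) string {
	return HOTP(secret, uint64(unixSeconds/stepSeconds), digits)
}

// VerifyTOTP is the server-side check: it tolerates one step of clock drift
// either way and compares in constant time.
func VerifyTOTP(secret []byte, candidate string, unixSeconds, stepSeconds int64, digits int) bool {
	for skew := int64(-1); skew <= 1; skew++ {
		expected := TOTP(secret, unixSeconds+skew*stepSeconds, stepSeconds, digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(candidate)) == 1 {
			return true
		}
	}
	return false
}

// LeakedSeedPasses models the shared-secret weakness: an attacker holding a
// copy of the seed (from a breached server seed store, a provisioning QR code
// or an exported authenticator backup) computes a code the server accepts,
// without ever touching the legitimate user's token.
func LeakedSeedPasses(serverSeed []byte, unixSeconds int64) bool {
	stolen := append([]byte(nil), serverSeed...) // the attacker's copy (constructed)
	attackerCode := TOTP(stolen, unixSeconds, 30, 6)
	return VerifyTOTP(serverSeed, attackerCode, unixSeconds, 30, 6)
}

func main() {
	// Constructed demo seed (it is also the RFC 4226/6238 test-vector seed).
	seed := []byte("12345678901234567890")
	now := time.Now().Unix()
	userCode := TOTP(seed, now, 30, 6)
	fmt.Println("user code", userCode, "accepted:", VerifyTOTP(seed, userCode, now, 30, 6))
	fmt.Println("attacker with leaked seed accepted:", LeakedSeedPasses(seed, now))
}
```

Nothing in VerifyTOTP distinguishes the user from the attacker, because the only thing being proven is knowledge of the seed; contrast this with the public-key methods higher up the pyramid, where the server holds nothing that would let it generate a valid response itself.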
Progressing further up the pyramid we have biometrics. There is a perception that if only I can access this data with my thumbprint, it’s got to be secure, right? Not quite.
Whilst biometrics are supported across a huge range of devices and provide a good user experience, a centralised store of biometric templates is a high-value target, and unlike a password a compromised fingerprint cannot be changed. There is a risk of false matches, depending on the hardware and software used, and a biometric on its own is still a single factor of authentication. For IT policies that demand high-security environments, the platform security of the device doing the matching is often not of the required strength.
Push notifications offer a higher level of authentication security: unlike SMS, the push channel is typically encrypted, so the message itself resists interception. This does require some investment, typically in an authentication server, and it is important to consider what the push actually triggers. A secure channel delivering a bare "Approve/Deny" prompt can still be defeated by an attacker who initiates the login themselves and sends prompts until a tired user taps approve, so the action behind the push, and whether it makes the user confirm something specific about that login, matters as much as the channel.
Fast IDentity Online, better known as FIDO, is almost at the top of the authentication pyramid. Standards-based and built on public/private key cryptography, it is a growing method of authentication: the authenticator keeps a private key that never leaves the device and signs a fresh challenge from the server at each login, so there is no shared secret for an attacker to steal. User verification by PIN, fingerprint or face is all supported, so the user experience is good. The limitation of FIDO is that it provides a secure digital identity but not a person-bound one: the server stores the public key against its own account record, and no trusted authority certifies that the key belongs to a named individual, so a third party cannot independently prove who signed and non-repudiation is hard to establish. This means the authentication element is limited to login; a user cannot securely sign documents or encrypt without additional solutions. Investment in an authentication server is also required for FIDO.
At the very top of the authentication pyramid sits public key infrastructure (PKI). PKI combines a private key with a public key and a certificate issued by a trusted authority. Built on asymmetric cryptography, once a user is enrolled a certificate binds a key to that individual and to the device(s) from which they authenticate using multi-factor authentication: something they have (the credentialed device(s)) plus something they know (a PIN) and/or something they are (a biometric).
This method of multi-factor authentication (MFA) is driven by an organisation's own security policies, so PKI supports PIN, fingerprint and face ID. Because the certificate binds the key to a user identity, PKI enables non-repudiation: the same credential supports authentication and authorisation via digital signature, and lets users encrypt. In addition, a signed transaction can be verified by any system that trusts the issuing authority, as the public key is contained in the certificate, and PKI integrates into Microsoft environments using built-in Windows features such as smart card logon.
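The contrast drawn in the FIDO and PKI paragraphs above, as an added Go example that is not code from the article or from Intercede's products. Both halves use the same ECDSA P-256 key pair, standing in for a key generated on an authenticator or smart card. The FIDO half stores the public key under an opaque credential ID in the relying party's own table and can only answer "is this the key registered as cred-42?". The PKI half has an issuing CA (a stand-in for an enterprise certificate authority such as Active Directory Certificate Services) sign a certificate naming the user, after which a verifier holding nothing but the CA root can check a signed document and read the signer's name from the certificate. The CA name, credential ID, user name, validity period and message strings are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewUserKey stands in for a key pair generated inside an authenticator or smart card.
func NewUserKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

// Sign is ECDSA P-256 over SHA-256, the primitive both models share.
func Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}

// FIDORelyingParty models a FIDO2/WebAuthn server's credential table: public
// keys filed under opaque credential IDs. No authority signs these records,
// so only this server can say which account a key belongs to.
type FIDORelyingParty map[string]*ecdsa.PublicKey

func (rp FIDORelyingParty) Register(credID string, pub *ecdsa.PublicKey) { rp[credID] = pub }

// Login accepts a valid signature over the server's fresh challenge by the
// key registered under credID. Proving that is all the credential does.
func (rp FIDORelyingParty) Login(credID string, challenge, sig []byte) bool {
	pub, ok := rp[credID]
	d := sha256.Sum256(challenge)
	return ok && ecdsa.VerifyASN1(pub, d[:], sig)
}

func certify(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA is a self-signed issuing CA, standing in for the enterprise
// certificate authority (e.g. Active Directory Certificate Services).
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key := NewUserKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := certify(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueUserCert is enrolment: the CA signs a certificate that binds the
// user's public key (held on a smart card or USB token) to a named identity.
func IssueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: user},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return certify(tmpl, ca, pub, caKey)
}

// VerifySigned is what any third-party system can do holding only the CA
// root: validate the chain, check the signature with the key carried in the
// certificate, and read the signer's name from the certificate itself.
func VerifySigned(root, cert *x509.Certificate, msg, sig []byte) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err // untrusted issuer, expired, or wrong key usage
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	userKey := NewUserKey()
	rp := FIDORelyingParty{}
	rp.Register("cred-42", &userKey.PublicKey) // "cred-42" is only a label in this server's table
	challenge := []byte("constructed login challenge")
	sig, _ := Sign(userKey, challenge)
	fmt.Println("FIDO login ok:", rp.Login("cred-42", challenge, sig))
	ca, caKey, _ := NewCA("Example Corp Issuing CA") // constructed names
	cert, _ := IssueUserCert(ca, caKey, "alice@example.com", &userKey.PublicKey)
	doc := []byte("constructed purchase order")
	docSig, _ := Sign(userKey, doc)
	who, err := VerifySigned(ca, cert, doc, docSig) // a system that has never seen alice
	fmt.Println("PKI signer:", who, "error:", err)
}
```

The same private key does the signing in both halves; what changes is what a verifier can conclude. The relying party's answer is a boolean about a credential ID it assigned itself, while VerifySigned returns a name that was asserted by the CA and can be checked by anyone who trusts that CA, which is the property the article means by person-bound identity and non-repudiation. A certificate for the same key issued by a CA the verifier does not trust is rejected at the chain-validation step.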
Whilst PKI presents the strongest security, its perception amongst IT leaders has long been that it is a complex solution. As a result, enterprises often look further down the pyramid and opt for less secure but easier-to-implement solutions. Through improved end-user technologies, such as smartphones and USB tokens like the YubiKey, and pre-installed technology like Microsoft's Windows Hello for Business, certificate-based protection has become far more accessible for organisations of all sizes.
Organisations like Intercede are front and centre in the crypto revolution, and have responded by developing a credential management software platform to enable more businesses to adopt strong authentication security.
By combining the Microsoft Active Directory and Certificate Services technology that many organisations already have embedded within their IT infrastructure with predefined business processes based on best practice, we have developed credential management that is simple and affordable for a whole new range of businesses to reach the top of the authentication pyramid.
Without credential management software, managing smart cards and USB tokens at volumes of anything above 500 employees becomes complex and hugely time consuming for IT teams.
However, this new ability to remove the complexities of managing PKI credentials makes the strongest form of user authentication so much more accessible for enterprises who don’t want to compromise on data security.
With solutions integrating into their IT infrastructure, organisations are able to start issuing certificates to employee smart cards from a variety of manufacturers and USB tokens, such as the YubiKey. They can also centrally control lifecycle management of employee credentials for re-issuance, revocation, unlocking, renewing, removing and updating.
Whether it’s to provide secure Windows and network logon, VPN and remote access, signing and encrypting emails or protecting access to cloud resources, these newly available solutions make it easy for enterprises of any size and structure to step up to the most secure method of two-factor authentication across their workforce.
As a result, the market is seeing a significant growth in demand from organisations that want a better way to protect the data they’re responsible for. This is an encouraging sign – not just for cybersecurity solutions vendors, but for employees, citizens, consumers and wider society.
Allen Storey is Chief Product Officer, Intercede