FINAL WORD
1. Strong authentication
Strong authentication is one of those industry terms that has been overused in so many contexts that its significance has become blurred.
Many people consider strong authentication to be the same as multi-factor authentication (MFA) or two-factor authentication (2FA), but if you examine the European Central Bank's standards for strong customer authentication, there are a few more hoops to jump through than simply having more than one factor:
There have to be at least two methods used to authenticate. These two methods should come from these three categories: something only the user knows, something only the user has or something only the user is.

The methods used have to be independent of one another, meaning that if one is breached, the others aren't automatically compromised. One also has to be non-replicable (unable to be duplicated), unable to be stolen through online means and not reusable.
INTELLIGENT TECH CHANNELS, Issue 27
Here's a caveat, though: this term, like any term based (however loosely) on codified standards, can be a double-edged sword. Just because you've complied with standards doesn't mean you've chosen the most secure or appropriate mix of authentication factors for your organisation. Compliance matters, but strategy and thoughtful implementation matter too.
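The criteria listed above (at least two methods, drawn from distinct categories, independent of one another, with at least one that is non-replicable, not stealable online and not reusable) are mechanical enough to check in code. The following Python script is an added example, not code from the article or from the European Central Bank: it encodes those criteria as a checker and runs it over a few constructed candidate factor sets. The property values attached to each sample method (which channel it travels over, whether it can be replicated, stolen online or reused) are assumptions made for illustration, and independence is modelled by the simplification that two methods sharing a channel are not independent. Note what the output is and is not: it says whether a combination meets the listed criteria, not whether it is the most appropriate mix for a given organisation.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """The three factor categories named in the text."""
    KNOWLEDGE = "something only the user knows"
    POSSESSION = "something only the user has"
    INHERENCE = "something only the user is"


@dataclass(frozen=True)
class Method:
    """One authentication method and the properties the checker needs.

    The property values on the sample methods below are constructed for this
    example; they are assumptions, not values taken from any standard.
    """
    name: str
    category: Category
    channel: str          # device/path the method travels over; shared channel = not independent (assumption)
    non_replicable: bool  # cannot be duplicated
    stealable_online: bool
    reusable: bool


def evaluate_sca(methods: list[Method]) -> tuple[bool, list[str]]:
    """Check a set of methods against the criteria paraphrased in the text.

    Returns (compliant, reasons); reasons is empty when compliant.
    """
    reasons = []
    if len(methods) < 2:
        reasons.append("fewer than two methods")
    if len({m.category for m in methods}) < 2:
        reasons.append("methods are not drawn from two distinct categories")
    # Independence modelled as 'no two methods share a channel' (simplification).
    channels = [m.channel for m in methods]
    shared = sorted({c for c in channels if channels.count(c) > 1})
    if shared:
        reasons.append(f"methods share a channel and are not independent: {', '.join(shared)}")
    if not any(m.non_replicable and not m.stealable_online and not m.reusable for m in methods):
        reasons.append("no method is non-replicable, safe from online theft and non-reusable")
    return (not reasons, reasons)


# Constructed sample methods (attribute values are assumptions for illustration).
PASSWORD = Method("password", Category.KNOWLEDGE, "web-browser", False, True, True)
SECURITY_QUESTION = Method("security question", Category.KNOWLEDGE, "web-browser", False, True, True)
APP_OTP = Method("authenticator app code", Category.POSSESSION, "phone", True, False, False)
PHONE_PASSWORD = Method("password typed on phone", Category.KNOWLEDGE, "phone", False, True, True)

CANDIDATE_SETS = {
    "password only": [PASSWORD],
    "password + security question": [PASSWORD, SECURITY_QUESTION],
    "password on phone + app code on same phone": [PHONE_PASSWORD, APP_OTP],
    "password in browser + app code on phone": [PASSWORD, APP_OTP],
}


def report() -> dict[str, bool]:
    """Evaluate every candidate set, print the reasons, and return name -> compliant."""
    results = {}
    for name, methods in CANDIDATE_SETS.items():
        ok, reasons = evaluate_sca(methods)
        results[name] = ok
        print(f"{name}: {'compliant' if ok else 'NOT compliant'}")
        for r in reasons:
            print(f"  - {r}")
    return results


if __name__ == "__main__":
    report()
```

Only the last candidate set passes: two knowledge factors fail the category rule, and a password and a code generated on the same phone fail the independence rule under this model even though they come from different categories. Swapping in your own methods and your own (honestly assessed) property values is the useful part of the exercise.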
2. Authorisation creep
To understand the problem posed by authorisation creep, you first need to understand the difference between authentication and authorisation. Authentication is when a system determines that you are who you say you are. Authorisation is when the system determines what you have the right to do within the given network or application, given your authenticated identity. That's where things can get tricky.
The problem with authorisation creep, also called privilege creep, is that the threat it poses to your organisation will typically have nothing to do with the strength of your authentication; instead, it is all about your policies, your oversight and how easily your system can be managed. The fanciest, most high-tech authentication protocols won't mean a thing if legitimate users are over-authorised. Pretty creepy, right?
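Authorisation creep is found by comparing what a user can actually do with what their current role justifies, which is an oversight task rather than an authentication one. The Python script below is an added example, not the article's own code: it takes a constructed role-to-entitlement map and a few constructed user records (one of whom changed jobs and kept old rights, one who holds a role that no longer exists) and reports the excess entitlements that should be reviewed or revoked. The role names, entitlement strings and users are all invented for the illustration.

```python
from dataclasses import dataclass, field

# Role -> entitlements the role is supposed to carry (constructed sample data).
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"ledger:read", "ledger:write", "reports:read"},
    "marketing": {"campaigns:read", "campaigns:write", "reports:read"},
    "helpdesk": {"tickets:read", "tickets:write", "users:reset-password"},
}


@dataclass
class User:
    name: str
    roles: set[str]                                        # roles the user currently holds
    entitlements: set[str] = field(default_factory=set)   # what the user can actually do today


def expected_entitlements(user: User, role_map: dict[str, set[str]]) -> set[str]:
    """Union of what the user's current roles justify; an unknown or retired role justifies nothing."""
    expected: set[str] = set()
    for role in user.roles:
        expected |= role_map.get(role, set())
    return expected


def find_authorisation_creep(users: list[User], role_map: dict[str, set[str]]) -> dict[str, set[str]]:
    """Return {user name -> excess entitlements} for users holding more than their roles justify."""
    findings = {}
    for user in users:
        excess = user.entitlements - expected_entitlements(user, role_map)
        if excess:
            findings[user.name] = excess
    return findings


# Constructed sample: alice moved from finance to marketing but kept her ledger rights;
# bob has exactly what the helpdesk role gives him; carol holds a role that no longer exists.
USERS = [
    User("alice", {"marketing"},
         {"ledger:read", "ledger:write", "reports:read", "campaigns:read", "campaigns:write"}),
    User("bob", {"helpdesk"}, {"tickets:read", "tickets:write", "users:reset-password"}),
    User("carol", {"legacy-admin"}, {"users:reset-password"}),
]

if __name__ == "__main__":
    for name, excess in find_authorisation_creep(USERS, ROLE_ENTITLEMENTS).items():
        print(f"{name}: review/revoke {sorted(excess)}")
```

In a real environment the role map and the entitlement snapshot come from your identity provider and the target systems; the comparison itself stays this simple. Running it on a schedule, and treating an unknown role as justifying nothing, is what turns a one-off clean-up into the ongoing oversight the text calls for.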
3. Biometrics
In the authentication framework, biometrics are a factor linked to something you are, and they can be incredibly difficult to steal, spoof or lose. That's what's so strong about them. Typically, people think of biometrics as things linked to physical characteristics, like eyes and fingers. They're something you're born with, right? Not necessarily.

Yes, physical characteristics that you're born with still account for the largest portion of biometric use cases. But there's another category: behavioural biometrics. Your voice, your gait, your way of typing and a whole host of other unique characteristics are all part of this group. These 'life measurements' are acquired over a lifetime and may change subtly, all while remaining as unique as a fingerprint.