While contemplating the user access management struggle between easier access and more security my mind goes back to the Tastes Great / Less Filling Miller Lite commercials of my childhood. Miller Lite claimed to be the solution to both great tasting and less filling beer. In access management, users want easier to use applications with easier access. IT security teams need to make things more secure. So how do we get the easy access AND more secure "Miller Lite" solution for access management?
Single sign-on (SSO) solutions primarily provide "easy access". They simplify life by allowing users to remember one password instead of 15 for access to all their applications.
Step-up authentication systems are built for more security. Passwords aren't good enough, so we introduce additional sign-in steps to allow application access. Many single sign-on systems have some basic form of step-up authentication. But what happened to ease of use?
Let's explore how we can have security and convenience. We'll start with the ideal solution. As an end user, you start working on your computer and you don't do anything to authenticate. You have access to everything you need and nothing you shouldn't. IT has visibility to your access and is very confident it's you. It's not single sign-in, it's zero sign-in, with security controls totally out of the view of the end user. The trick is getting that high level of confidence. We need systems that can get to that level of confidence, or at least, compared with today, a level of confidence better than a password.
How close are we to this zero sign-in utopia? Today, we primarily live in a world of usernames, and most often passwords. Today's SSO solutions allow users to use 1 username for accessing corporate assets. Not utopia, but pretty good. Now that I have a username, many attributes about me can be tied to this username. There are also attributes about my session like what device am I coming from, where am I, what time of day is it, and am I acting "normally". Because I know these things about the user, their context and behavior, the administrator and the user can share in determining what's both secure enough and easy to use.
The administrator in this case needs to determine 2 primary things. What is the sensitivity of the data being accessed and how confident am I that this user is who they claim to be? The answers to those 2 questions determine if more assurance is needed to allow the user to access the requested data. If there is already enough assurance for the data being requested, don't ask the user for anything else. If more assurance is needed, step-up methods can be introduced into the flow. If the information looks extremely risky, user access can be blocked and reported.
Step-up authentication is where the user choice comes into focus. The admin should decide how much identity assurance is needed, but the user can choose how they provide that assurance. If an administrator can decide that a FIDO (Fast Identity Online) token and an iPhone fingerprint are of equal identity assurance, let the user decide which is most convenient.
In this world where the most common corporate data breaches originate from stolen credentials, we know passwords aren't providing the security needed. What we can do is give the user the flexibility to keep things as simple as possible. At least until we reach totally seamless identity assurance...and that day will come. It's up to us in the identity technology space to make sure it arrives soon.
By the way, for the Miller Lite tastes great/less filling question; I'll take an Ellie's Brown from Avery Brewing and stay out of that debate.
Author: Jason Oeltjen
Category: RSA Fundamentals, Blog Post
Keywords: Identity Assurance