For years, finding the right balance between security and usability has been one of the biggest challenges for identity and access management (IAM) solution architects and designers. There are ongoing efforts in the industry to replace password-based authentication with something more secure, more convenient, and with minimum investment; such proposed methods seem to fall into one of three categories:
- Secure, but less convenient, such as two-factor and multi-factor authentication (requiring two or more out of three types of factors: "something you know", "something you have", or "something you are")
- Convenient, but less secure, any single factor-based authentication methods, such as user-selected simple passwords, PINs, graphical patterns and biometric methods. This becomes a higher risk especially when used for single-sign-on (SSO) in federated environments where a long-lived token provides access to multiple applications
- Secure, convenient, but less affordable, such as PIN-protected smartcards and biometric-protected hardware authenticators, FIDO and one-time-password tokens included.
The widespread proliferation of connected devices provides promising opportunities to find that balance between convenience and security, with minimum investment. We are surrounded at every moment of our daily lives with a wide variety of network-connected devices, some of which we carry or wear, and some that may be stationary in the premises of our homes and offices. Connected devices can provide rich contextual data that help assert the identity of users in a frictionless and pervasive fashion.
For example, the presence of a known set of mobile devices, wearables, or any other type of sensors and connected devices in proximity to the user's primary device can provide improved assurance about the identity of the user, in other words, a better sense that the user is indeed who he/she claims to be. Consider a user trying to access a service from their laptop. From network-connected devices, one could validate the user's location, estimate the distance of the user from their laptop, determine whether the user is walking up to or walking away from the laptop, and even determine if the user walking up to the laptop is the same user that has been seen before - all based on gait information, the devices they wear or carry with them, and the devices that are located in their various environments.
The possibilities are enormous, and when contextual data is aggregated and combined with more deterministic methods, such as PIN codes or biometric gestures, such information can provide a much higher level of assurance about the user's identity, while significantly reducing the friction associated with authenticating the user. The presence of those known devices in proximity to the user provides continuous authentication of that user, and allows for more secure yet convenient access to multiple applications and resources in federated environments.
Device platform vendors are now embedding these concepts at the operating system-level when users need to unlock their device. Here are a couple of examples:
- In Android Lollipop, Google added functionality to allow users to enable Smart Lock for when the device is on-body, within a certain geo-location, connected to trusted networks, or in proximity of trusted devices. By using such options, users can bypass the device-lock screen.
- Apple recently rolled out macOS Sierra, which includes an auto-unlock feature, in conjunction with using the Apple Watch. Users can pair their Apple Watch with their Mac computer to unlock it, instead of entering passwords.
- Microsoft has taken a more open approach with Windows Hello Companion Device Framework (CDF) for Windows 10, which now allows any compatible IoT device to be used as an authenticator for screen unlock. This can be accomplished using a mobile application running on a Bluetooth-paired smartphone, a USB key fob, a fitness band, or a Near-Field Communication (NFC) tag.
To facilitate the movement towards convenient, continuous authentication, combined with contextual, risk-aware access management, we, at RSA, are exploring using these newly-available tools and frameworks to extend our RSA SecurID® Access identity assurance service offering for SaaS and on-premises application protection to help organizations protect access to corporate and managed devices.
Working with Microsoft, the RSA SecurID Suite team is assessing and developing new user experiences for Windows 10 device unlock, taking into account the device security posture and contextual data. The goal is to make the device unlock experience much more seamless, fast, and secure.
At Microsoft Ignite 2016, our RSA SecurID Access product engineering team, in collaboration with Microsoft team, demonstrated a proof-of-concept for the capability to unlock a Windows 10 machine, by using a mobile device in proximity, with or without user gestures, depending on the collected contextual data, such as the location of the user's mobile or wearable device at the time of the unlock, the distance of the device from the user's Windows 10 machine, and the period of time the machine had been locked. You can see this in action in the most recent RSA SecurID® Access product pre-release preview demos.
Proximity-based authentication helps reduce the need for repeatedly using complex passwords, especially when combined with biometrics or used for continuous authentication. When implemented properly, such a solution can eliminate the need for using passwords altogether. This, in part, minimizes the risk of compromised passwords being a consequential threat. And that's a good thing for both users and organizations.
Many thanks to my colleague Kayvan Alikhani for helping on this article.