So far, we've discussed the first five keys to successful identity assurance: business context, anomaly detection, machine learning, broader ecosystem, and consistent experience. Let's close the series with a topic that matters to both end users and administrators: flexible authentication.
When we think of providing flexibility for administrators, we focus on the authentication methods made available based on data sensitivity, user context, and the associated risk, as discussed in earlier blogs. The question administrators should be asking is: "What authentication methods should I make available?" The considerations include both the specifics of the security requirements and the user population.
- Security requirements: Let's start with the basic concept of an authentication method being something you know, something you have, or something you are. In determining what methods to make available for a user, first decide whether you want at least two of those (possession of a registered phone plus a fingerprint) or whether one is enough (possession of a registered device, i.e., a phone or token). There are other topics to consider related to the relative security of each method. Is an SMS one-time password (OTP) sent to a user's cell phone less secure than a push notification using a mobile app? The industry has differing opinions on these questions, but identifying where your organization stands on them is an important consideration. The US National Institute of Standards and Technology (NIST) has a broad set of identity guidelines that make for a good reference.
- User population: Your IT administrators may already have hardware tokens, and you want them to keep that option while also adding a biometric method for some of them. For users who have been authenticating with only passwords until now, you may not want to deliver hardware tokens. You may want something mobile-friendly or more universally available, such as a voice-delivered or SMS-delivered OTP.
An administrator should strive to give users choice, but within guard rails that define which methods provide the required security for the context, the risk, and the user population.
End User Authentication Choice
When the administrator does their part by offering the user a range of secure authentication options, flexibility for end users becomes a reality. Is an SMS-delivered token better for you, or would you prefer a simple push to approve using a mobile authentication app like RSA SecurID Authenticate? By giving users a choice, you can also adapt to the specifics of their situation. Take the example of a user who typically uses a push notification that also requires a biometric, e.g., a fingerprint or eyeprint. What if they are accessing resources from an airplane? Their laptop may be connected to the internet, but the phone may not be. The user should be able to select a method that works in this environment, such as an OTP protected by a fingerprint.
There are four things to consider when planning flexibility for end users.
- Give the user a choice in what method(s) are most convenient
- Offer methods that cover situations where an option may not be available (consider no cell phone service, for example)
- Remember the favorite method to reduce required user steps for their most common scenarios
- Create usability consistency, when possible, across methods (for example, push notifications and OTPs delivered from the same mobile application)
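The administrator's guard rails described above (which methods satisfy the factor requirement for a given population) and the end-user choice and fallback described in this list can be modeled as one small policy. The following is an added example, not code from the original post or from RSA; the method catalog, the group allow lists, the risk threshold, and all function names are constructed assumptions for illustration.

```python
"""Toy policy for choosing which authentication methods to offer a user.

Constructed example: the catalog, groups and thresholds are illustrative,
not any product's configuration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


@dataclass(frozen=True)
class Method:
    name: str
    factors: frozenset            # factor categories one use of the method proves
    needs_phone_network: bool     # push and SMS need the phone to reach the network
    needs_hardware_token: bool = False


# Constructed catalog: which methods exist and what each one proves.
CATALOG = {
    "sms_otp": Method("sms_otp", frozenset({Factor.POSSESSION}), True),
    "push": Method("push", frozenset({Factor.POSSESSION}), True),
    "push_biometric": Method("push_biometric",
                             frozenset({Factor.POSSESSION, Factor.INHERENCE}), True),
    # App-generated OTP unlocked by fingerprint: works with the phone offline.
    "app_otp_biometric": Method("app_otp_biometric",
                                frozenset({Factor.POSSESSION, Factor.INHERENCE}), False),
    "hardware_token_otp": Method("hardware_token_otp",
                                 frozenset({Factor.POSSESSION}), False,
                                 needs_hardware_token=True),
}

# Constructed per-population allow lists: the administrator's guard rails.
GROUP_METHODS = {
    "it_admins": ["hardware_token_otp", "push_biometric", "app_otp_biometric"],
    "general": ["sms_otp", "push", "push_biometric", "app_otp_biometric"],
}


def required_factor_count(sensitivity: str, risk_score: float) -> int:
    """How many distinct factor categories the step-up must prove (assumed rule)."""
    return 2 if sensitivity == "high" or risk_score >= 0.7 else 1


def allowed_methods(group: str, required: int) -> list:
    """Methods the administrator permits for this population that meet the bar."""
    return [name for name in GROUP_METHODS.get(group, [])
            if len(CATALOG[name].factors) >= required]


def usable_now(method: Method, phone_online: bool, has_hardware_token: bool) -> bool:
    """Can this method actually complete in the user's current situation?"""
    if method.needs_phone_network and not phone_online:
        return False
    if method.needs_hardware_token and not has_hardware_token:
        return False
    return True


def choose_method(group: str, required: int, preferred: str,
                  phone_online: bool, has_hardware_token: bool = False) -> Optional[str]:
    """Honour the user's remembered favourite when policy and situation allow;
    otherwise fall back to the first permitted method that works right now."""
    candidates = [n for n in allowed_methods(group, required)
                  if usable_now(CATALOG[n], phone_online, has_hardware_token)]
    if preferred in candidates:
        return preferred
    return candidates[0] if candidates else None


if __name__ == "__main__":
    needed = required_factor_count("high", 0.2)
    # Airplane scenario: laptop online, phone offline, favourite is push + biometric.
    print(choose_method("general", needed, "push_biometric", phone_online=False))
```

The policy keeps the two decisions separate: `allowed_methods` is the administrator's call (population and factor count), while `choose_method` is the user's call within that list, with the remembered favourite honoured whenever it is both permitted and workable. Running the script prints `app_otp_biometric`, the offline fallback for the airplane case.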
Putting It All Together
Administrators need flexibility in deploying methods, and users need flexibility in using them. By ensuring both, you will keep both groups happy with a high level of security and usability in your identity assurance system. Through this series of blogs, we have unpacked a lot to consider when thinking about your identity assurance strategy. If you consider business context, anomaly detection, machine learning, your broader ecosystem, a consistent experience, and flexible authentication when developing an identity assurance strategy, you are well on your way to making it successful. Watch this demo to see how RSA delivers flexible mobile authentication options that have identity assurance capabilities built in.