Security Experts:

The More Authentication Methods, the Merrier

An Increasingly Diverse, Dynamic Workforce Is Driving Dramatic Change in How Users Authenticate

Remember when being part of an organization’s workforce meant being an employee of that organization, and being “at work” meant sitting in an office at a desktop? In today’s digital age, the latter hasn’t been the case for many people for quite a long time, and in the growing gig economy, the former is becoming less and less common. The workforce is growing more distributed, diverse and dynamic every day, which is driving dramatic change in who’s working, where they’re working, and how they’re connecting with the resources they need to do their work. And if you’re in the business of enabling those connections, it’s driving dramatic change for you. 

There are not only more users, but also more kinds of users working in more places, all needing to authenticate in a way that keeps resources secure without making access unduly difficult or time-consuming. And there’s the rub: There’s no one way to achieve that. You need an authentication solution that allows you to authenticate users in multiple ways, both to meet different users’ needs for convenient access and to make multi-factor authentication possible for security purposes. I touched on this in an earlier column about how to evaluate and choose authentication methods; now, let’s take a closer look at some examples of diverse users and their needs, and at what an authentication solution must deliver to meet those needs. 

Meet Greg, the Fast-Moving Sales Exec Who’s Never in One Place for Long

We all know this type of user, who is constantly on the go and relies almost entirely on a mobile phone or tablet for access. To make that access easy for him, and secure for the organization, authentication methods that are made for mobility make the most sense. After all, if he has a device in his hand all the time, why not take advantage of it for authentication purposes? Phone-based biometrics, like fingerprint or face recognition, make it easy for this kind of user to quickly authenticate and connect. And on the rare occasions when he needs access through an office workstation or laptop, all he has to do is walk up to it for the device to unlock; as long as he has his authenticating mobile device at hand, proximity authentication does the rest.

Then There’s Judy, Who’s Only in One Place… and Can’t Use a Mobile Device There

Mobile authentication may work perfectly for Greg, but it’s not an option for Judy, a helpdesk representative who works in a call center where mobile devices are prohibited. In this scenario, a physical authenticator like an employer-issued USB security key may be ideal. Hardware-based one-time passcode (OTP) keys may also be great options. There’s also a place for risk-based authentication that takes location into account. Since Judy works in the same building and at the same workstation every day, as long as she logs in from that workstation, she can be quickly authenticated using location services that confirm where she is. This makes authenticating quick and simple, yet secure for the organization. If there’s ever an attempt to log in from a different location using Judy’s credentials, an additional layer of authentication could be required to prove the person attempting to log in is really her. Or the organization could elect to have access automatically denied when a request comes from a different location – which would be reasonable in this case, since Judy only works from one location, without exception.   
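The location rule described for Judy, sketched as an added example (not code from this column or from any RSA product). It assumes the location signal is the building's network range plus an enrolled workstation ID; the class, function names and sample values are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class FixedSitePolicy:
    """Hypothetical policy for a user who always works from one known place."""
    workstation_ids: frozenset         # enrolled workstation identifiers
    site_networks: tuple               # CIDR ranges of the building network
    off_site_action: str = "step_up"   # or "deny" for users who never roam

def on_site(policy, source_ip, workstation_id):
    """True only when both the network and the workstation match the policy."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # unparseable address: treat as an unknown location
    in_building = any(addr in ipaddress.ip_network(n) for n in policy.site_networks)
    return in_building and workstation_id in policy.workstation_ids

def decide(policy, source_ip, workstation_id, primary_factor_ok):
    """Return 'allow', 'step_up' or 'deny' for one login attempt."""
    if not primary_factor_ok:
        return "deny"
    if on_site(policy, source_ip, workstation_id):
        return "allow"      # usual desk: no extra prompt
    if policy.off_site_action not in ("step_up", "deny"):
        return "deny"       # fail closed on a misconfigured policy
    return policy.off_site_action

# Constructed sample values (RFC 1918 and documentation address ranges).
JUDY_STRICT = FixedSitePolicy(frozenset({"CC-WS-0142"}), ("10.20.30.0/24",), "deny")
JUDY_STEP_UP = FixedSitePolicy(frozenset({"CC-WS-0142"}), ("10.20.30.0/24",))

if __name__ == "__main__":
    print(decide(JUDY_STRICT, "10.20.30.17", "CC-WS-0142", True))    # usual desk
    print(decide(JUDY_STEP_UP, "203.0.113.7", "CC-WS-0142", True))   # elsewhere
    print(decide(JUDY_STRICT, "203.0.113.7", "CC-WS-0142", True))    # elsewhere
```

Requiring both signals means a correct workstation ID presented from outside the building network is still treated as a different location.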

And Let’s Not Forget the Contractor Who Relies Entirely on Devices You Don’t Control

What about contractors or gig workers who aren’t traditional employees? How do you provide them with the access they require, absent direct control of the devices they’re using to access your organization’s resources? This is a perfect use case for a hardware or software token. A hardware token-based one-time passcode, or a software app that generates passcodes on a mobile phone, will make it possible for non-employees to prove they are who they say they are, no matter what devices they use for access. 

Hardware- and software-based OTP solutions also work well for all types of users in environments with no network or internet connectivity. They’re ideal replacements for desktop passwords when the work environment provides no easy way for laptop, desktop or infrastructure components to connect to remote authentication services. In fact, I’m writing this on a flight that has limited Wi-Fi capabilities, and I was able to use my trusty software OTP on my iPhone (in airplane mode) to securely log into my laptop. This is especially important at a time when a lot of attention is paid to protecting connections to web-based applications or cloud-based SaaS applications. We all need to remember the critical nature of information that exists on people’s devices, including laptops, and the need to protect that information. 

As the examples above illustrate, diversity in the workforce drives the need for diversity in authentication. As the workforce continues to evolve, a one-size-fits-all approach won’t work for different identity and access management needs across organizations. Managing access in ways that keep diverse users productive and engaged while also keeping your organization’s information secure will continue to be a challenge. Meeting that challenge depends on identity teams understanding the needs of different users and choosing a solution that provides a unified platform for secure enrollment, flexible choices for authentication and identity assurance, and features to reduce the burden on the IT help desk when users lose their credentials or obtain new mobile devices. Keep in mind, too, that adding a layer of risk-based authentication to augment all the options for authentication can further increase security and also reduce user friction.

In my next column, I’ll share ways risk-based authentication can make access experiences better for all the users I’ve described here. As always, awareness is the first step, and I hope the information provided is helpful to you in your journey.

Jim Ducharme is Vice President of Identity Products at RSA. He is responsible for product strategy and leads the associated product management and engineering teams. He has nearly two decades of experience leading product organizations in the Identity marketspace, and has held executive leadership roles at Netegrity, CA, and Aveksa.