The More Authentication Methods, the Merrier

An Increasingly Diverse, Dynamic Workforce Is Driving Dramatic Change in How Users Authenticate

Remember when being part of an organization’s workforce meant being an employee of that organization, and being “at work” meant sitting in an office at a desktop? In today’s digital age, the latter hasn’t been the case for many people for quite a long time, and in the growing gig economy, the former is becoming less and less common. The workforce is growing more distributed, diverse and dynamic every day, which is driving dramatic change in who’s working, where they’re working, and how they’re connecting with the resources they need to do their work. And if you’re in the business of enabling those connections, it’s driving dramatic change for you. 

There are not only more users, but also more kinds of users working in more places, all needing to authenticate in a way that keeps resources secure without making access unduly difficult or time-consuming. And there’s the rub: There’s no one way to achieve that. You need an authentication solution that allows you to authenticate users in multiple ways, both to meet different users’ needs for convenient access and to make multi-factor authentication possible for security purposes. I touched on this in an earlier column about how to evaluate and choose authentication methods; now, let’s take a closer look at some examples of diverse users and their needs, and at what an authentication solution must deliver to meet those needs. 

Meet Greg, the Fast-Moving Sales Exec Who’s Never in One Place for Long

We all know this type of user, who is constantly on the go and relies almost entirely on a mobile phone or tablet for access. To make that access easy for him, and secure for the organization, authentication methods that are made for mobility make the most sense. After all, if he has a device in his hand all the time, why not take advantage of it for authentication purposes? Phone-based biometrics, like fingerprint or face recognition, make it easy for this kind of user to quickly authenticate and connect. And on the rare occasions when he needs access through an office workstation or laptop, all he has to do is walk up to it for the device to unlock; as long as he has his authenticating mobile device at hand, proximity authentication does the rest.

Then There’s Judy, Who’s Only in One Place… and Can’t Use a Mobile Device There

Mobile authentication may work perfectly for Greg, but it’s not an option for Judy, a helpdesk representative who works in a call center where mobile devices are prohibited. In this scenario, a physical authenticator like an employer-issued USB security key may be ideal. Hardware-based one-time passcode (OTP) keys may also be great options. There’s also a place for risk-based authentication that takes location into account. Since Judy works in the same building and at the same workstation every day, as long as she logs in from that workstation, she can be quickly authenticated using location services that confirm where she is. This makes authenticating quick and simple, yet secure for the organization. If there’s ever an attempt to log in from a different location using Judy’s credentials, an additional layer of authentication could be required to prove the person attempting to log in is really her. Or the organization could elect to have access automatically denied when a request comes from a different location – which would be reasonable in this case, since Judy only works from one location, without exception.   

And Let’s Not Forget the Contractor Who Relies Entirely on Devices You Don’t Control

What about contractors or gig workers who aren’t traditional employees? How do you provide them with the access they require, absent direct control of the devices they’re using to access your organization’s resources? This is a perfect use case for a hardware or software token. A hardware token-based one-time passcode, or a software app that generates passcodes on a mobile phone, will make it possible for non-employees to prove they are who they say they are, no matter what devices they use for access. 

Hardware- and software-based OTP solutions also work well for all types of users in environments with no network or internet connectivity. They’re ideal replacements for desktop passwords when the work environment provides no easy way for laptop, desktop or infrastructure components to connect to remote authentication services. In fact, I’m writing this on a flight that has limited Wi-Fi capabilities, and I was able to use my trusty software OTP on my iPhone (in airplane mode) to securely log into my laptop. This is especially important at a time when a lot of attention is paid to protecting connections to web-based applications or cloud-based SaaS applications. We all need to remember the critical nature of information that exists on people’s devices, including laptops, and the need to protect that information. 

As the examples above illustrate, diversity in the workforce drives the need for diversity in authentication. As the workforce continues to evolve, a one-size-fits-all approach won’t work for different identity and access management needs across organizations. Managing access in ways that keep diverse users productive and engaged while also keeping your organization’s information secure will continue to be a challenge. Meeting that challenge depends on identity teams understanding the needs of different users and choosing a solution that provides a unified platform for secure enrollment, flexible choices for authentication and identity assurance, and features to reduce the burden on the IT help desk when users lose their credentials or obtain new mobile devices. Keep in mind, too, that adding a layer of risk-based authentication to augment all the options for authentication can further increase security and also reduce user friction.

In my next column, I’ll share ways risk-based authentication can make access experiences better for all the users I’ve described here. As always, awareness is the first step, and I hope the information provided is helpful to you in your journey.
