The task of protecting your company’s data from a breach comes with one very important challenge. Users. If cybersecurity were merely an internal process, it would be easy. But data is useless unless the people who need it are able to access it, and that makes identity access management a human problem.
The Problem With Passwords
For years, most applications have gone with a simple identity access management solution — the password. Back when people only needed password-protected accounts for a few things, this was a somewhat effective solution, although people were still forgetting passwords regularly. In the past ten years, however, the number of login accounts that the average person needs has quadrupled. Furthermore, most users forget a password at least once a month and people rarely change their password unless prompted to.
The result is that systems have become much easier to hack. People reuse the same passwords on multiple sites, if not all their logins, which means uncovering just one password can give a hacker access to countless data streams. They are more likely to choose simpler passwords that are easy to remember and may leave clues to those passwords in places that are easy for hackers to access.
The Problem With People
What all this shows is that the problem in identity access management is not so much with the password system as it is with the people who are using those passwords. You need better ways to manage IAM that are more people-proof.
Social Sign In
One of the types of authentication that people have found extremely useful among single sign-on (SSO) solutions is social sign-in. Social sign-in allows you to link different accounts to a social network like Facebook, allowing you to subsequently log in to those accounts through the social network, eliminating the need to remember more passwords and usernames.
Unfortunately, social sign-in systems are hackable. If a hacker can acquire a user’s email address that has not already been used to sign up with a particular social networking site, they can set up an account for the sole purpose of breaching social sign-in sites.
Federated Identity
A better SSO solution for businesses is Federated single sign-on. The idea of Federated SSO is that you create a system where employees can use their password to access their company’s account but can also access accounts they may have with other companies that your company works with. You can reduce the number of passwords your employees need and eliminate the hassles of constant reauthentication but do it within a closed system that makes breaches less likely.
For this to work, each company within the system needs to be following IAM best practices. The old cliché holds. A chain is only as strong as its weakest link, and every company that subscribes to a federated identity SSO has an obligation to maintain strong security.
Enterprise federated identity systems are based on Secure Assertion Markup Language (SAML), an open-standard data format that allows an easy exchange of authorization and authentication information between user and service provider. A user logs in once and is free to go anywhere within the system they should have access to across domains.
This system separates identity from access and trusts everyone in the system to manage their own house. This results in a great many benefits to all the companies involved, including seamless, faster access to resources, a better user experience, greater productivity and lower costs.
Multi-Factor Authentication
Another process that is at the top of current IAM best practices is Multi-Factor Authentication (MFA). There are three accepted factors that one can use for identification. A system can allow access based on:
- Something you know, like a password
- Something you have, like an access card or a specific phone
- Something biologically distinct to you, like a fingerprint, retinal pattern or voiceprint
Many systems now require that a user attempting to gain access have two of these factors at their disposal before allowing access, rather than just one, like a password. This approach can exponentially increase security, although it is also hackable. For example, unless the data is converted into some other structure for storage, stored fingerprints can be stolen just as easily as passwords.
Modern Methods of Authentication
Those looking for even more secure methods of authentication may want to consider TOTP, or time-based one-time password systems. These systems work by delivering a randomly generated password to a user via a text based on a timestamp and a secret key. Because the password is constantly changing, it cannot be easily hacked, similar to the way rolling codes for garage door openers work. The downside to this approach is that it can be expensive to maintain and difficult to integrate with existing systems.
Another effective IAM method that is becoming extremely popular is push authentication. In push authentication, access is not granted until the user verifies the request on their mobile device.
MFA as a Service
Because multi-factor authentication systems need to be extremely flexible in order to integrate with the cloud, existing networks and other applications, and because they can be complex to maintain internally, many companies are choosing MFA as a service. This allows a third-party with infrastructure already in place to apply their solutions to your company, helping to mitigate the human risk factor and bolster cybersecurity.
Optimal IdM can help you with a suite of award-winning identity and access management products that can function as part of your physical system or via the cloud. Our state-of-the-art solutions are affordable and include such products as authentication as a service and federation and identity services. We have helped enhance the cybersecurity of some of the biggest companies in the world, including Fortune 1000 companies and government agencies.
To see how Optimal IdM can help you overcome the human problem in identification and access management, have a look at our software in action. Contact us today for a demo or a free trial of our software.