Strong Authentication

We have the concept of strong authentication. A strong authentication involves the use of at least two-factor authentication, so multi-factor authentication in combination with that one-time password. So do bear in mind, two-factor authentication does not necessitate a one-time password. Commonly, you see the one-time password used as part of a multi-factor authentication process, but it’s not mandated. The Fast Identity Online organization formed in 2013, and it has now 260 members. And this includes companies like Google, Microsoft, RSA, very big companies. They work to standardize strong authentication.

And they describe it as a procedure based on two or more of the three authentication factors, and that the factors must be used mutually, independent, and at least one of those factors must be non-reusable and non-replicable. So that last point there, non-reusable and non-replicable, refers to a one-time password. So this group is trying to standardize that use of a one-time password and the multi-factor authentication. And they’ve generated a standard specification for their clients that can be built into operating systems and also for apps as well.

Much newer as an approach is adaptive authentication. It’s new, but it’s spreading very, very quickly. And you may see this in use within some of the accounts, with some of the identities that you have yourselves. So this is a new and developing approach. Adaptive authentication adapts to the risk level relating to the individual authentication process. So this presents the appropriate level of authentication for the given level of risk. Adaptive authentication adapts to that risk level, and it presents the appropriate level of authentication for the given level of risk.

So unlike a standard one-size-fits-all authentication process, it avoids producing overly onerous low risk activity authentication processes but makes sure that for some of those higher risk activities, that those authentication processes are in place. So the high risk activities are made deliberately more difficult or have a more stringent authentication process. But for the lower risk activities, it’s a much easier process for the end user. This reduces the likelihood of people working around processes. It’s more likely to generate support from stakeholders for our processes because the workflows for staff or for citizens or customers isn’t too onerous. It’s not going to act as a detractor for somebody within that process. So this isn’t a one-size-fits-all approach.

This is tailored, which is a very strong approach.

We can look to the type of policies that we require. In fact, we must look at the type of policies we require as part of this adaptive process and the risk levels that we face. So this kind of implies we need to understand the risk we’re facing before we can shape the policies. Where we see this in practice is with companies like Visa, with their 3D Secure platform.

And this uses different types of authentication depending on a number of factors, depending on the value of the transaction, whether or not the transaction is for a new retailer or for a retailer that you’ve had existing transactions with, whether the delivery address is the registered address or a different one, and also the time and the geography of the transaction, where the transaction is being raised from and the time of the transaction. So all these different factors are used to generate a risk profile. And if the risk profile is deemed to be high, the Visa 3D Secure process can use something like an SMS type form of additional factor.

Typically, though, for low value transactions, transactions for retailers that you’ve used before, you’ll see the process just requiring your credit card details, the CVV code from the back of your bank card, and it will be processed in a normal fashion. So this is becoming very popular, because it helps to manage risk appropriately. But again, we see that word risk mentioned, this risk-based approach to security. Very important, therefore, that we are able to understand the risk environment, the level of risk that we face, in order to tailor adaptive authentication. If we don’t understand the risk that we face, how can we adapt authentication appropriately to that risk environment?