The X-factor in identity assurance
A rise in mobile working and the cloudification of enterprise is driving the resurgence of 2FA
Jim Ducharme is a man who knows about identity assurance; he has spent the last seven-and-a-half years carrying out the role of Vice President of Identity and Fraud & Risk Intelligence Products at RSA Security, having previously worked in various high-level identity jobs at Netegrity, Computer Associates and Aveksa.
All of which means Ducharme is well placed to reflect on the trends that have shaped the identity industry. So, when in the midst of a wide-ranging interview with Digital Bulletin, he says that in his two decades working in the sector he has never seen such a resurgence of a product area than he is currently seeing with two factor authentication (2FA), it comes as something of a surprise.
2FA is not a new or especially complex technology, so what exactly is driving such strong interest? Ducharme says that there is a combination of changes taking place within the enterprise that are fueling this growth.
“What we are increasingly seeing is workloads moving from on-premise data centres that had all these layers of protection to the cloud, while at the same time the workforce is becoming more diverse. We’re seeing a shift from just from individual workers at desks or on-site, to a more diverse workforce that is increasingly mobile, which is supplemented by third-party workers,” he comments.
“That’s really increased the number of personal devices that are being used, which has a lot of advantages, but means that enterprise cannot count on them from a security perspective, because the corporate controls aren’t going to be there. What it means is that the way we used to do things with 2FA really needs to evolve.”
What has certainly evolved is the sophistication of cyber attackers; whereas previously the weapons of choice have been Trojans or malware, criminals have pivoted to a simpler strategy, one which Ducharme captures as “walking through the front door”.
“For years as an industry, we have trained enterprise users to use the same password everywhere. We’ve invested in a technology from single sign-on solutions where you have one password to rule them all. You type in one password and it takes you to any corporate asset, and it reminds you to change it every 60 days.” he says.
“The problem with that is people are also likely to use those passwords on their personal or social accounts, so if I’m an attacker and I can grab your credentials from Instagram, where there are fewer security controls, then there’s every chance I have your enterprise information as well. So, what customers now want is a modern approach to make sure people are who they claim to be.”
Central to that effort is mobile, with many in the enterprise having more than one in their possession, with substantial effort and investment being made to leverage the technology we carry around in our pockets to help us prove we are who we say we are.
Key to that has been the leading mobile manufacturers such as Apple and Samsung spending hundreds of millions of pounds to develop integrated authentication solutions such as Touch ID and Face ID.
“These biometrics are giving us some great entropy and proof that somebody is who they claim to be, which is a really important piece of the puzzle,” says Ducharme. “The other piece is that there are new standards that are evolving with things like FIDO, which stands for fast identity online, which is a new open protocol to help with the integration of identity solutions with backend services.
“Yubico is a great example of a company that created new FIDO-based authenticators. It has a hardware device that you can plug into a laptop or phone that helps prove you are who say they are. Companies like RSA are invested on the backend of FIDO, where we can actually be on the backend to integrate that authentication attempt.
“These new protocols are making the integration of this new spectrum of authentication options easier to integrate into the backend solutions.”
“For years as an industry, we have trained enterprise users to use the same password everywhere”
As somebody with a background in fraud detection and risk intelligence, Ducharme has seen how the financial services market has used artificial intelligence (AI) and machine learning (ML) techniques to pinpoint fraudulent credit card transactions.
Fraud departments have long been sold on the capabilities of AI and ML, says Ducharme, but the identity enterprise market has traditionally not been so sure. That is beginning to change.
“One of the things the market is allured to right now is something called conditional access,” he reveals. “If I’m standing here in my office in Bedford, Mass, when I access something, it’s very likely to be Jim Ducharme. If it looks like Jim’s in St. Petersburg, Russia, that’s a little more suspect. In the same way, if I’m using a corporate-owned device then I’m probably okay, but If I’m logging in from a kiosk in Florida then that rings alarm bells.
“Over time we’ll see that maturity evolve to letting the machines detect patterns, but customers still want to know why we allow some users through and not others. We used to deal with these questions over a decade ago in the financial market, about why some transactions were flagged, but others weren’t.
“So, what we have to do is unlock some of the mystery, to provide some visualisation, some insights out of there to help people understand how the black box works, how that AI, ML-based machine is making decisions as well as helping our customers understand how they can improve it.”
Ducharme breaks off mid-stream — “…it’s always great to use a real-life example, right? I always use this example of travel, and this is absolutely a true story,” he says.
“Biometrics are giving us some great entropy and proof that somebody is who they claim to be, which is a really important piece of the puzzle”
“I’m not usually in Chicago, neither is he, which means there is doubt. I said: ‘Zuli, is that you?’ and obviously he said ‘yes!’ But then he looks and me and says ‘Jim?’ So, he’s equally confused. There was a piece of data — the location — that lowered our confidence. Us asking each other raises the confidence.
“AI and ML works the same way. It’s looking at input and the more it has the more it can be sure of what is right. In the airport, I first did a facial recognition of the CTO, then looked at his clothes, his walk and as the more input it takes in, the more can make sense of it if this input is right. My brain had all that information, but that location meant there was some doubt, which is why I had to get more information.”
In the world of identity assurance, great efforts are being made to move towards a passwordless world. Indeed, the addition of face and fingerprint recognition technology to high-end smartphones has been used to suggest we are already living in a post-password world. But while Ducharme says “great advancements” are being made, he says this is not yet the case.
“These techniques are all still rooted in a password, what they are doing is providing a facade over your existing password. For example, when you lose an iPhone you can recover your identity with a simple username and password. So, there’s no reason why, if I knew your Apple ID and password, I couldn’t use my face to establish me as your identity.
“The last mile here that we need to make sure that we’re cognisant of is that these new biometric capabilities, these new authentication schemes, while they provide a passwordless experience, they do not actually get rid of the password yet.
“We’ve got to now focus our attention on all those other ways from credential enrolment and credential recovery to really get rid of the password in all aspects and create a passwordless world.”