October 10, 2013

Practical Methods for Improving Authentication


Organizations need better methods of authentication for their users to access corporate applications, systems and data sources during the normal course of their work, according to a June 2013 Osterman Research report.  This paper provides key takeaways from the research by providing a review of current measures already in place, and making recommendations on how to improve security through risk-based authentication.

  • Download Paper
  • More resources from SecureKey


  • 4 Comments

    What does BYOC (Bring Your Own Credentials) mean in the context of this paper? Are you essentially offering a secure alternative to "Sign in via FaceBook"? (I never use this because of concerns about FB credentials being relatively weak, imho.

    Similar to the BYOD term, but rather the concept of bringing your own identity or credential. Examples could be, your bank account, drivers license, national ID, or a variety of social credentials. One example of this is what we (SecureKey) are doing with the Canadian government, specially how citizens can interact with government services. Canadians can now use their bank credentials to access a variety of government resources, rather than use a username and password that they tend to forget (http://securekeyconcierge.com). All while maintaining their privacy.

    Are you essentially offering a secure alternative to "Sign in via FaceBook"? (I never use this because of concerns about FB credentials being relatively weak, imho.

    It all comes down to trust, and therefore assurance levels. Social accounts typically have a low level of assurance. Other credentials such as your drivers license, passport, or credit card typically have higher assurance levels when compared to social networks (e.g. Facebook). Specifically, the higher assurance credential providers have done some sort of identity proofing or vetting to determine the validity of your identity. Think about what was required to get your passport, or drivers license. Now, compare that to the process of creating a new Facebook account. Big difference, right? So, it is to no surprise then that many organizations trust physical passports more, than Facebook accounts.

    As an FYI, here is a list of the levels of assurance (LOA):
    - Level of Assurance (LOA) 1: Little or no confidence in the asserted identity’s validity.
    - Level of Assurance (LOA) 2: Some confidence in the asserted identity’s validity.
    - Level of Assurance (LOA) 3: High confidence in the asserted identity’s validity.
    - Level of Assurance (LOA) 4: Very high confidence in the asserted identity’s validity

    (source: http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy04/m04-04.pdf)

    Ultimately, it all depends on what you are doing online. If you are dealing with high value transactions, then your best bet is to use a higher level of assurance. For other applications, LOA1 is perfectly fine. The main point being, that with a huge plethora of identities and credentials, why not let users choose what identity to bring? Rather than force a new one on them.

    Thanks for your question!

    Search Webtorials

    Get E-News and Notices via Email


      

     



      

    I accept Webtorials' Terms and Conditions.

    Trending Discussions

    Featured Sponsor Microsites






















    Archives

    Notices

    Please note: By downloading this information, you acknowledge that the sponsor(s) of this information may contact you, providing that they give you the option of opting out of further communications from them concerning this information.  Also, by your downloading this information, you agree that the information is for your personal use only and that this information may not be retransmitted to others or reposted on another web site.  Continuing past this point indicates your acceptance of our terms of use as specified at Terms of Use.

    Webtorial® is a registered servicemark of Distributed Networking Associates. The Webtorial logo is a servicemark of Distributed Networking Associates. Copyright 1999-2018, Distributed Networking Associates, Inc.