Incidents of call center fraud are on the rise, according to various call center fraud reports. This is partly due to the migration of scammers from online channels, where breaches are becoming more difficult to commit, to the largely unprotected and vulnerable environment of call centers.
The evolution of authentication has been somewhat slow across organizations when compared to the fast changing technology and cybersecurity threat landscape.
The increasing complexity of systems is leading to a need for more secure authentication methods. Although passwords are a ubiquitous form of verification, allowing users to access applications and perform actions within a system, there have always been problems with this method. Creating secure passwords and managing them properly is difficult when users have dozens of different accounts and log in from multiple locations throughout the day.
An answer to the problem may be found in passwordless authentication methods. According to a survey by Wakefield Research, 69 percent of organizations are considering phasing passwords out in the next five years, opting instead to take advantage of passwordless models to increase security and make logins easier for both employees and customers.
Basics of Passwordless Authentication
The idea of a passwordless authentication model is straightforward. Instead of entering credentials consisting of a username or email address and a password, users verify their identities with an alternative method. The change is meant to address the problem of passwords standing in the way of reliable security, workflow efficiency and even customer retention.
Options for passwordless authentication include:
- Biometrics – Already in use in smartphones and other devices, biometric logins consist of a unique biological identifier, such as a fingerprint. However, until biometric technology improves, this may not be the most secure choice unless combined with other options.
- Email – Upon entering his or her email address, an existing user is sent an email with a verification link. Clicking the link completes authentication and allows access.
- Token or one-time code – Instead of a link, users receive a token or code that they then enter into the website or application. This code is attached to every action taken during a session and decrypted as users interact in real time, then destroyed when the session is terminated.
These new authentication options eliminate the need for passwords and the potential security risks associated with poor password management.
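The emailed link and the typed one-time code described above, as an added example that is not part of the original article: it assumes an in-memory dictionary in place of a database, treats the delivery channel (email or SMS) as out of scope, and uses assumed lifetimes of 10 minutes for a link and 5 minutes for a code. The security-relevant details are that only a digest of each secret is stored, a secret is consumed on first use, and the short code, being guessable, gets a bounded number of attempts.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store standing in for a database table (assumption).
# Link tokens are keyed by the SHA-256 of the token; typed codes are keyed by
# user so that wrong guesses against that user can be counted. Only digests of
# secrets are stored, so a leaked table yields nothing that can be redeemed.
_pending = {}

LINK_TTL = 600       # seconds an emailed link stays valid (assumed value)
CODE_TTL = 300       # seconds a typed code stays valid (assumed value)
MAX_ATTEMPTS = 5     # a 6-digit code is guessable, so cap attempts per code


def _digest(secret):
    return hashlib.sha256(secret.encode()).hexdigest()


def issue_link_token(user_id, now=None):
    """Mint a high-entropy token for an emailed verification link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)             # ~256 bits, URL-safe
    _pending[_digest(token)] = {"user": user_id, "expires": now + LINK_TTL}
    return token                                  # caller delivers it out of band


def redeem_link_token(user_id, token, now=None):
    """Valid only once, only for the user it was issued to, and only before expiry."""
    now = time.time() if now is None else now
    entry = _pending.pop(_digest(token), None)    # consumed whatever the outcome
    if entry is None:
        return False
    return entry["user"] == user_id and now <= entry["expires"]


def issue_short_code(user_id, now=None):
    """Mint a 6-digit code the user types in; replaces any earlier code for the user."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"
    _pending[("code", user_id)] = {
        "digest": _digest(code),
        "expires": now + CODE_TTL,
        "attempts_left": MAX_ATTEMPTS,
    }
    return code


def redeem_short_code(user_id, code, now=None):
    """Constant-time compare, bounded attempts, consumed on success or lockout."""
    now = time.time() if now is None else now
    key = ("code", user_id)
    entry = _pending.get(key)
    if entry is None or now > entry["expires"]:
        _pending.pop(key, None)                   # expired codes are dropped
        return False
    entry["attempts_left"] -= 1
    ok = hmac.compare_digest(entry["digest"], _digest(code))
    if ok or entry["attempts_left"] <= 0:
        del _pending[key]                         # single use, or locked out
    return ok


if __name__ == "__main__":
    t = issue_link_token("alice@example.com")
    print("link redeemed:", redeem_link_token("alice@example.com", t))
    print("link replayed:", redeem_link_token("alice@example.com", t))
```

The `now` parameter exists so that expiry can be tested deterministically; in production it is simply omitted. Binding the redemption to the user who requested it stops a code issued for one account from being replayed against another.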
Passwordless Authentication Benefits
Getting rid of a familiar form of identification to increase security may seem counterintuitive, but passwordless authentication has the potential to increase security for both your customers and the users within your organization. Making the switch addresses common problems with password security:
- Weak passwords
- Poor password management
- Accidental use of default settings
- Using the same password for multiple accounts
- Not changing passwords regularly
Many of these issues result from “password fatigue,” which is experienced by users asked to create passwords for every website and application they use and enter these passwords numerous times throughout the day. This often leads to apathy in password creation and can threaten system security.
Passwordless authentication is also more convenient. Customers don’t like juggling logins for dozens of sites and tend to abandon those requesting the creation of yet another account. Employees required to log into multiple applications during the course of standard workflows are less efficient, and tasks slow down even more if a password is forgotten and needs to be reset. When no passwords are required, all users enjoy a more seamless experience.
Passwords Elimination in the Evolution of Authentication
Password fatigue explains the phenomenon of passwords becoming weaker as a user is asked to create more accounts. After a while, users no longer care if the password is secure and will use anything just to be able to gain access. This can create a serious security problem in your system. Weak passwords, use of default login options and stolen credentials account for 63 percent of breaches (Verizon). If even one customer’s account is hacked, all the data stored by your company is at risk. The same is true for employee accounts across critical business applications.
Customer retention rates are also affected by password fatigue. Seventy-five percent of customers stop using a service or website if they need to perform a password reset, and 30 percent abandon their shopping carts if checking out requires account creation. This is of particular concern when it comes to first-time or one-time customers. You could lose out on lucrative sales during popular shopping seasons or drive away customers who may otherwise have become loyal shoppers if you don’t have an alternative way for them to log in.
In addition to these considerations, your organization could benefit from passwordless authentication if:
- Employee password management is poor
- Workflows continue to hit bottlenecks due to excessive login requirements
- Your system network is expanding to include more applications
- A significant number of customers are abandoning carts at checkout
- Password security problems have led to breaches in the past
There may be some situations in which it makes sense to retain the use of passwords or use a method like multi-factor authentication instead. Base your decision on your company’s needs and the unique security requirements of your network.
Passwordless Model in the Evolution of Authentication
If you decide to make passwordless authentication part of your security protocol and authentication evolution, the first step is to research the options to find a reliable provider. Request demos from vendors to see how the authentication process works, and get all the details you can about the security of the process.
Implementation details are specific to providers, but your chosen vendor should work with you to help you set up your passwordless login system. Let all users, both employees and customers, know you’ll be making the switch, and provide clear instructions for use of the new system.
Once passwordless authentication is in place, monitor performance to determine if it delivers the desired results. You should see a drop in shopping cart abandonment on the customer end and an increase in workflow efficiency for your employees.
The rise of passwordless authentication may usher in a time when no system or application requires a password for access in the evolution of authentication. Companies looking to streamline workflows, update security and offer an alternative to customers experiencing password fatigue can benefit from switching to passwordless options. Since changes in technology inevitably bring new security concerns, it’s time for organizations to start adopting alternatives to outdated authentication methods and bring identity management strategies up to date.
The identity and access management (IAM) landscape is always changing, and staying on top of the latest news can help you protect yourself and your business from vulnerabilities. From major market expansion to the latest attack on Facebook, here’s what you should know about IAM this month.
$14.82 Billion IAM Market Share Predicted
By 2021, the global market share for IAM is expected to exceed $14.5 billion in U.S. dollars, representing a compound annual growth rate of 12 percent. This significant jump reflects growing security concerns as companies adopt more cloud-based applications and continue to invest in SaaS solutions. An increasing awareness of compliance requirements is also driving the market as regulations are updated.
Facebook Breach Blamed on Access Token Error
Facebook’s latest breach affected an estimated 30 million users, but it was neither complex nor sophisticated. Personal information, including check-ins, searches, contact information and profile details, was stolen from 14 million accounts, and contact information from an additional 15 million accounts was also compromised.
Hackers gained access to data through a simple flaw involving video previews. When users chose to view a birthday video using Facebook’s “View As” option before posting it to their profiles, right-clicking to obtain the source code for the page revealed an access token for the user from whose perspective they were previewing. Hackers were able to scrape access tokens for millions of users by exploiting this vulnerability.
Facebook says the problem was fixed as of September 27, but as with any breach, users should continue to exercise caution.
Malware Remains Most Popular Attack Method
According to research by Positive Technologies, the frequency of malware attacks dropped from 63 percent to 49 percent between Q1 and Q2 this year. However, attacks involving compromised credentials increased from 7 percent to 19 percent.
Malware is still the most popular form of cyberattack and can be used to steal credentials for use in more sophisticated or extensive breaches. Targeted attacks executed for the purpose of extorting money from companies or stealing valuable data are still common, meaning you need to be diligent across departments in your company. A single phishing email, compromised file or infected employee device can provide an open door for hackers to undermine your IAM framework.
Federated Identities May Give Way to Consolidated Identities
The current trend in using federated identities may need a makeover to keep up with the complex security concerns and requirements of modern businesses. A federated identity allows a user to log into multiple services with one set of credentials, such as when you access a third-party website using your Facebook or Google account. A federated identity supplies a single key for cross-domain interactions and interactions between software platforms from different companies, allowing users to access a variety of services without the need for all providers of these services to use the same kind of authentication technology.
Consolidated identity is being proposed as the next wave of IAM within enterprises. Currently, employees using multiple tools to do their jobs likely have to log into each platform with a separate identity. Doing so creates a distraction, slows down workflows and makes it difficult to work efficiently. A consolidated identity combines access rules and authentication protocols to allow access across siloed services based on a user’s needs and security level. This aggregation of access rights can greatly improve time management and increase productivity.
Google Introduces New IAM Tools
Identity management and security are an increasing concern as the adoption of cloud platforms becomes more widespread and companies begin to rely on a greater number of cloud-based applications for daily business tasks. Google recognizes the complex issues involved in enterprise IAM and has been working on new tools to improve cloud security.
“How do we rethink identity in a cloud-based world?” was the question posed by Karthik Lakshminarayanan, Google’s director of product management. The company is answering the question with:
- Cloud Identity for Customers and Partners (CICP), a tool to add IAM to apps for better security
- Secure LDAP to allow seamless access to both new and legacy applications
- Cloud Identity-Aware Proxy (IAP) for context-aware access, making it possible to control data and application access based not only on credentials but also the context of a request
- Location restrictions for the Google Cloud Platform to prevent the unauthorized creation of resources in specific offsite locations
Some tools are still in development, and others are being finalized to help make IAM easier for businesses working with sensitive data in the cloud.
Continue to monitor the latest IAM news and read new articles to stay on top of industry changes and get alerts regarding security concerns. New product and service releases and innovations from big players in the industry can transform your approach to IAM and ensure better security for the future. And, don’t forget to get certified.
Collect All Company-Owned Devices
Company-issued smartphones, tablets, laptops and other devices should be turned in before an employee leaves for good. These devices not only contain sensitive information but also represent a significant monetary investment. Be sure to collect all other items used for data transfer and storage, such as memory cards and flash drives, to prevent confidential information from leaving the premises.
Retrieve keys and security cards to ensure employees can’t gain physical access to the building once their tenure is over. Being able to get in and out of the office without checking in or making an appointment literally leaves the door open for serious breaches if the conditions of departure are less than cordial.
Terminate Personal Device Access
Revoke Network Access
identity. Don’t be tempted to reuse the account with different login credentials for the next person taking over the position. A new employee may not need the same level of access even if he or she performs similar duties, and rolling accounts over may cause problems with “privilege creep,” in which an employee accumulates more access rights than necessary to perform his or her job.
Access to company applications and third-party cloud-based programs used by your business for communication and collaboration must also be revoked. Change any common passwords for these applications or other system tools, and make sure related apps are wiped from personal devices. If an employee-owned device has its own identity within your system, remove this privilege when the person leaves.
IAM software makes network access management much easier by centralizing all information about each employee’s credentials, level of access and privileges so that you can be sure all points of vulnerability have been addressed and don’t have to search through every application to terminate access.
Remove Employee Data from Systems
Follow a Set Procedure Every Time
Compliance is an important issue for any business handling sensitive information, interacting with clients and customers or conducting transactions. You may be subject to additional compliance rules depending on the industry in which you operate. Proper offboarding is necessary for compliance, especially in cases where the information you store could be stolen, sold or publicly distributed by employees with malicious intentions.
If your IAM solution doesn’t already keep detailed logs, enable the option or upgrade to a system with this capability. Logs can be used in the event of a compliance audit to prove you followed your offboarding procedure correctly and no loose ends were left to create vulnerabilities. Furthermore, logs are necessary for any critical investigation as a result of security policy violations and data breach cases.
Following the same offboarding procedure for every departing employee reduces the risk of accidental or deliberate data theft and eliminates as many points of vulnerability within the system as possible. Make offboarding part of the process of managing the employee lifecycle to avoid the potential for serious security problems down the road.
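One way to run the offboarding steps from this section (disable the account rather than reuse it, revoke every entitlement and credential from one central record, track devices until they are physically returned, and keep an audit log that proves the procedure was followed) as an added example that is not the article's or any IAM product's code. The directory model, the action names in the log and the sample identity `jdoe` are all constructed for the example.

```python
from dataclasses import dataclass, field
import time


@dataclass
class Identity:
    user_id: str
    status: str = "active"
    entitlements: set = field(default_factory=set)   # "application:role"
    credentials: set = field(default_factory=set)    # API keys, SSH keys, VPN certs
    devices: set = field(default_factory=set)        # asset tags still in the person's hands


class Directory:
    """Central record of every identity plus an append-only audit log (assumed model)."""

    def __init__(self):
        self.identities = {}
        self.audit_log = []

    def _log(self, actor, user_id, action, detail, now):
        self.audit_log.append({"ts": now, "actor": actor, "user": user_id,
                               "action": action, "detail": detail})

    def remaining_access(self, user_id):
        """Everything that would still let the person (or whoever holds their gear) in."""
        ident = self.identities[user_id]
        gaps = [] if ident.status == "disabled" else ["account still enabled"]
        gaps += [f"entitlement {e}" for e in sorted(ident.entitlements)]
        gaps += [f"credential {c}" for c in sorted(ident.credentials)]
        gaps += [f"device {d}" for d in sorted(ident.devices)]
        return gaps

    def offboard(self, user_id, actor, now=None):
        """Run every step in a fixed order and return whatever is still outstanding."""
        now = time.time() if now is None else now
        ident = self.identities[user_id]
        # Disable first so no new session can start while the rest is revoked.
        ident.status = "disabled"
        self._log(actor, user_id, "account_disabled", "", now)
        for e in sorted(ident.entitlements):
            self._log(actor, user_id, "entitlement_revoked", e, now)
        ident.entitlements.clear()
        for c in sorted(ident.credentials):
            self._log(actor, user_id, "credential_revoked", c, now)
        ident.credentials.clear()
        for d in sorted(ident.devices):
            self._log(actor, user_id, "device_return_requested", d, now)
        # Physical returns happen outside the system, so verify rather than assume.
        gaps = self.remaining_access(user_id)
        self._log(actor, user_id,
                  "offboard_complete" if not gaps else "offboard_incomplete",
                  "; ".join(gaps), now)
        return gaps

    def collect_device(self, user_id, asset_tag, actor, now=None):
        """Record that a company-owned device came back."""
        now = time.time() if now is None else now
        self.identities[user_id].devices.discard(asset_tag)
        self._log(actor, user_id, "device_returned", asset_tag, now)

    def onboard_replacement(self, new_user_id, role_entitlements, actor, now=None):
        """A successor gets a fresh account with role-based rights, never the old account."""
        now = time.time() if now is None else now
        if new_user_id in self.identities:
            raise ValueError(f"{new_user_id} already exists; accounts are not reused")
        self.identities[new_user_id] = Identity(new_user_id,
                                                entitlements=set(role_entitlements))
        self._log(actor, new_user_id, "account_created",
                  ",".join(sorted(role_entitlements)), now)


def build_sample_directory():
    """Constructed sample data: one employee with rights, a key and a laptop."""
    d = Directory()
    d.identities["jdoe"] = Identity("jdoe",
                                    entitlements={"crm:admin", "wiki:editor"},
                                    credentials={"ssh-key-7f3a"},
                                    devices={"LAPTOP-0042"})
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    print("outstanding after offboarding:", d.offboard("jdoe", actor="iam-admin"))
    d.collect_device("jdoe", "LAPTOP-0042", actor="facilities")
    print("outstanding after laptop returned:", d.remaining_access("jdoe"))
```

`offboard` deliberately reports the uncollected laptop instead of silently marking it handled, and `onboard_replacement` refuses an existing user id, which is the control against rolling the old account over to the next hire and the privilege creep that comes with it.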
In the ever-changing IoT landscape, things now have identities. With the number of connected IoT devices set to reach 75 billion by 2025, having a strong identity and access management (IAM) policy is more important than ever. IoT technology is now an integral part of the business world and may represent as much as 6 percent of the global economy in the near future. Such rapid expansion in the network of devices connected to the systems within your business requires a new approach to access and security.
Identity and Access Management in an IoT World
What once involved keeping track of one identity per user within a network has evolved into a complex web of monitoring and managing the interactions occurring between users and devices both onsite and in remote locations. Further complications can arise from transient access, in which devices connect to the network only part of the time and may or may not be running in privacy mode when they do. Each device is associated with its user’s unique identity, but the device itself is able to communicate with other devices and perform actions such as accessing and transferring data.
This pivotal shift comes at a time when companies are still trying to get a handle on IoT technology and implement identity management protocols capable of handling the unique combination of corporate, employee-owned and remote devices connecting to their networks every day. Each new device creates additional points of vulnerability, and the more complex the web of connectivity, the more robust the related security measures need to be.
Whereas IAM used to require only associating a user with a device, it now must also bridge the gap between devices and networks or systems. This necessitates a fresh approach to identity management to prevent a situation in which device use gets out of control and creates security gaps your current protocols can’t handle.
Say Hello to the Identity of Things
A new concept known as the identity of things (IDoT) has arisen to describe the relationship between IAM and IoT. As the nature of connectivity changes, IDoT offers solutions for handling new types of digital interactions by proposing unique identities for the devices themselves. This essential evolution of IAM makes it possible for your company to handle not only the employee lifecycle but also the lifecycle of every device requiring access to your network.
To properly control access for both users and devices, a modern IAM protocol must take into account the kinds of data each device will access, handle or store as it interacts with other devices and programs in a network. Each device needs to be integrated into the network to facilitate seamless communication regardless of device type, manufacturer or operating system. Requiring device registration and creating specific protocols for transient devices helps to prevent unauthorized data access and makes it possible to monitor for unusual behaviors across the network. When sensitive or proprietary data is involved, you also need to consider what data manufacturers collect when monitoring device performance and put safeguards in place to protect against accidental access to confidential information.
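A minimal device registry of the kind the identity-of-things discussion above calls for, as an added example that is not from the article or any product: each device gets its own identity bound to an owner, a device type and the data classes that type may touch, transient devices carry a registration expiry, and every authorization decision is recorded so that repeated denials (an unregistered device, or a registered one reaching for data outside its role) can be surfaced for investigation. The registry model, the device ids and the data-class names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DeviceRecord:
    device_id: str
    owner: str                               # the person or team the device is bound to
    device_type: str
    allowed_data: frozenset                  # data classes this device may touch
    transient_until: Optional[float] = None  # None = permanent; else registration expiry


class DeviceRegistry:
    """Registration plus per-request authorization and an event trail (assumed model)."""

    def __init__(self):
        self.devices = {}
        self.events = []

    def register(self, device_id, owner, device_type, allowed_data, transient_until=None):
        self.devices[device_id] = DeviceRecord(device_id, owner, device_type,
                                               frozenset(allowed_data), transient_until)

    def authorize(self, device_id, data_class, now):
        """Decide whether this device may touch this data class right now."""
        rec = self.devices.get(device_id)
        if rec is None:
            return self._decide(device_id, data_class, now, False, "unregistered device")
        if rec.transient_until is not None and now > rec.transient_until:
            return self._decide(device_id, data_class, now, False,
                                "transient registration expired")
        if data_class not in rec.allowed_data:
            return self._decide(device_id, data_class, now, False,
                                "data class not permitted for device type")
        return self._decide(device_id, data_class, now, True, "ok")

    def _decide(self, device_id, data_class, now, allowed, reason):
        # Every decision, allowed or not, is kept so behaviour can be reviewed later.
        self.events.append({"ts": now, "device": device_id, "data": data_class,
                            "allowed": allowed, "reason": reason})
        return allowed, reason

    def denials_by_device(self):
        counts = {}
        for e in self.events:
            if not e["allowed"]:
                counts[e["device"]] = counts.get(e["device"], 0) + 1
        return counts

    def flagged_devices(self, threshold):
        """Devices whose denial count reaches the threshold: candidates for investigation."""
        return sorted(d for d, n in self.denials_by_device().items() if n >= threshold)


def build_sample_registry():
    """Constructed sample: a permanent sensor and a contractor's transient tablet."""
    r = DeviceRegistry()
    r.register("sensor-01", "ops-team", "temperature_sensor", {"telemetry"})
    r.register("contractor-tablet", "contractor-17", "tablet",
               {"telemetry", "work_orders"}, transient_until=1000)
    return r


if __name__ == "__main__":
    r = build_sample_registry()
    print(r.authorize("sensor-01", "telemetry", now=100))
    print(r.authorize("sensor-01", "customer_pii", now=100))
    print(r.authorize("rogue-99", "telemetry", now=100))
    print("flagged:", r.flagged_devices(1))
```

The expiry on the contractor's tablet is what turns "transient access" into an enforceable rule rather than a note in a spreadsheet: once the engagement window passes, the device is treated exactly like an unregistered one.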
The Future of the Internet of Identities
The expanding network of connected “things” with their own identities is creating a new landscape for IAM in which users control devices with collections of attributes and the ability to carry out multiple functions within a network. Dubbed the internet of identities (IoI), this matrix of connectivity presents fresh security challenges requiring:
- Employee training and background checks to ensure device security;
- Detailed protocols dictating when and how data can be accessed by specific devices;
- Privacy and security rules to govern inter-device communications and connections;
- Updated security protocols and standards;
- Use of behavioral analytics to detect unauthorized access attempts; and
- Centralized IAM and security procedures to prevent bottlenecks and preserve open communications.
With these changes, identity management will increasingly focus on securing the relationships between connected devices to allow businesses the freedom to take advantage of IoT technology without falling victim to the vulnerabilities inherent in such a system.
As IoT connectivity continues to evolve, businesses without a robust approach to IAM and device security will become more vulnerable to cyber-attacks. Prevention is the best approach, which requires getting a handle on the current state of device use within your company and preparing for a steady increase in the use of IoT technology over time.
Getting ready for changes in IDoT and IoI today will make it easier to comply with new protocols and standards as they’re developed and released. IoT is set to have a $3.9 trillion impact globally by 2025, so implementing smart identity management strategies now has the potential for big payoffs in the future. An updated security policy and a solid training plan for employees prepares your company to step into the future of IAM with the lowest possible level of risk.
Identity Management Institute® (IMI) is the leading global certification organization serving professionals in identity governance, access management, and data protection.
Since 2007, IMI certifications help global members advance in their careers and gain the trust of the business communities they serve with their identity and access management skills.
Identity Management Institute
20555 Devonshire Street, # 366
Chatsworth, CA 91311, USA