Association is the New Authentication

The efforts to increase security and eliminate fraud via stronger, more obtuse and higher friction user-based authentication has not left us more secure – it has just irritated the user. The solution is out there, and that solution is association.

The focus for user security for the last 20 years has been to come up with new forms of:

  • Knowledge: Something user knows (password)
  • Possession: Something user has (tokens)
  • Inherence: Something user is (biometrics) “>

There are big problems with this approach – namely, every new service needs to start from scratch as if this user has never been online before. That is to say, the B2C (Business-to-consumer) application attempts to create a new identity, with as little as just an OAUTH (federated token) for trust.

This process of creating new identities for every app is expensive for the enterprise and a time consuming deterrent for the users, and we haven’t even started on the authentication flaws. Your standard authentication is susceptible to the credentials (passwords, tokens, biometrics) being stolen or replayed.

The last flaw of the standard authentication story – which is the most unacceptable flaw in a world as interconnected as we are today – is that the authentication process itself is “static”.

That is, the authentication is a binary yes/no (usually based on static information the enterprise holds), which leaves NO room for confirmation and status of the identity (stolen, misused – who knows?). Lastly, there is no room for an analogue system of trust of the authentication… are we 100% sure of the user, or just 75% or 30%? (Shouldn’t we adjust the information/resources offered to this user if we are only 50% confident that this is the user?)

The Solution is: Community Authentication

A key “truism” of modern identity is this: the IDENTITY (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Garret Grajek. Read the original post at: Cylance Blog