Part one: More than passwords
By François Amigorena, CEO, IS Decisions
It’s a fact: passwords are part of our lives. Most of us use them several times a day to get into our email and computers, at home and at work. Over time, passwords have had to become more complex to keep pace with attacks against them. Long passwords and frequent prompts to re-enter them can be frustrating, but they play an all-important part in security. Nowadays, however, merely having strong passwords is not enough, especially once they fall into the wrong hands.
One way of adding a further layer is multi-factor authentication (MFA), which combines something users have, such as a token, with something they know, the password. But as well as adding steps to an already complicated procedure, some forms of MFA are still not secure enough. For example, the National Institute of Standards and Technology (NIST) recently stated, in its draft SP 800-63B guideline, that organisations should not use SMS for MFA if they are to remain FISMA compliant, because SMS messages can be too easily “intercepted and redirected”.
This may be one of the main reasons organisations are turning to context-aware security: the user is first authenticated with their credentials, and access is then authorised only if the circumstances of the logon also check out. This offers the security benefit of MFA without its drawbacks. Context-aware security uses supplemental information gathered when someone attempts to connect to decide whether the access is genuine. That information includes the device the user is logging on from, the geographical location (usually inferred from the network address they connect from), the time of day, and many other factors that together build a profile of the legitimate user. So if an outsider somehow gets hold of an employee’s credentials and tries to log in at an unusual time from an unauthorised device, they are simply denied access, even though the password was correct.
Ultimately, it does not matter when or how the credentials were compromised, and you may never find out. Context-aware restrictions identify logons that break the rules above and block them automatically, protecting the network. Real-time monitoring additionally raises a red flag when activity is suspicious enough to be a potential security risk without being outright blocked, giving you the opportunity to act quickly. It is a simple way to create a more secure environment without a negative impact on users.
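The two mechanisms above, contextual restrictions that refuse a logon and monitoring that flags an odd-but-permitted one, can be shown side by side with a small policy engine. The following is an added illustration written for this page, not IS Decisions’ product code: the profile fields, the event layout, the rule thresholds and the sample logon events are all assumptions made for the example. It evaluates device, source network, concurrent sessions and time of day after the password check has already succeeded, which is exactly the situation a stolen credential produces.

```python
"""Context-aware logon evaluation over constructed sample events.

Added example, not IS Decisions' code. The profile layout, the rules and
the sample events below are assumptions chosen to illustrate the idea.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class UserProfile:
    """Per-user baseline an administrator would maintain (assumed layout)."""
    username: str
    allowed_devices: frozenset   # workstation names the user may log on from
    allowed_networks: tuple      # ip_network objects the user normally connects from
    work_hours: tuple            # (start, end) as datetime.time, local time
    max_sessions: int = 1        # open sessions allowed before a new logon is refused


@dataclass(frozen=True)
class LogonEvent:
    username: str
    device: str
    source_ip: str
    when: datetime
    password_ok: bool            # outcome of the primary (password) check


def evaluate(event, profiles, active_sessions):
    """Return ("allow" | "deny", [findings]) for a single logon attempt.

    Context rules run only once the password was correct. Hard rules refuse
    the logon outright; the soft time-of-day rule lets it through but raises
    an alert, because legitimate out-of-hours work does happen.
    """
    if not event.password_ok:
        return "deny", ["bad password"]
    profile = profiles.get(event.username)
    if profile is None:
        return "deny", ["unknown user"]

    denies, alerts = [], []
    if event.device not in profile.allowed_devices:
        denies.append(f"device {event.device} not authorised for {event.username}")
    src = ip_address(event.source_ip)
    if not any(src in net for net in profile.allowed_networks):
        denies.append(f"source {event.source_ip} outside the user's usual networks")
    if active_sessions.get(event.username, 0) >= profile.max_sessions:
        denies.append("concurrent session limit reached")
    start, end = profile.work_hours
    if not (start <= event.when.time() <= end):
        alerts.append(f"logon at {event.when:%H:%M} is outside {start:%H:%M}-{end:%H:%M}")

    if denies:
        return "deny", denies
    return "allow", alerts


def monitor(events, profiles):
    """Replay events in order, keeping a session table per user.

    Returns (decisions, alerts): one decision per event, plus every finding a
    real-time console would surface (refused attempts and allowed-but-odd ones).
    """
    active, decisions, alerts = {}, [], []
    for ev in events:
        decision, findings = evaluate(ev, profiles, active)
        decisions.append(decision)
        if decision == "allow":
            active[ev.username] = active.get(ev.username, 0) + 1
        alerts.extend((ev.username, ev.source_ip, decision, f) for f in findings)
    return decisions, alerts


# Constructed sample data: two users with a baseline, then five attempts.
PROFILES = {
    "alice": UserProfile("alice", frozenset({"WS-ALICE"}),
                         (ip_network("10.20.0.0/16"),), (time(8, 0), time(19, 0))),
    "bob": UserProfile("bob", frozenset({"WS-BOB"}),
                       (ip_network("10.20.0.0/16"),), (time(8, 0), time(19, 0))),
}

SAMPLE_EVENTS = [
    # Normal: own workstation, office subnet, office hours -> allow.
    LogonEvent("alice", "WS-ALICE", "10.20.4.17", datetime(2017, 3, 6, 9, 5), True),
    # Same user again while the first session is still open -> deny.
    LogonEvent("alice", "WS-ALICE", "10.20.4.17", datetime(2017, 3, 6, 9, 30), True),
    # Wrong password on her own workstation -> deny before any context check.
    LogonEvent("alice", "WS-ALICE", "10.20.4.17", datetime(2017, 3, 6, 9, 40), False),
    # Correct (stolen) password, unknown host, external address, late evening -> deny.
    LogonEvent("alice", "UNKNOWN-PC", "203.0.113.45", datetime(2017, 3, 6, 20, 30), True),
    # Bob on his own device and network but out of hours -> allow, with a red flag.
    LogonEvent("bob", "WS-BOB", "10.20.7.3", datetime(2017, 3, 6, 21, 0), True),
]

if __name__ == "__main__":
    decisions, alerts = monitor(SAMPLE_EVENTS, PROFILES)
    for ev, d in zip(SAMPLE_EVENTS, decisions):
        print(f"{ev.when:%H:%M} {ev.username:6} {ev.device:11} {ev.source_ip:14} {d}")
    print("\nred flags:")
    for a in alerts:
        print(" ", a)
```

The order of checks matters: the password is verified first so that contextual findings are only ever produced for a correct credential, which keeps the alert stream focused on the compromised-credential case rather than on ordinary typos. The stolen-credential event in the sample trips three hard rules at once; even with the session rule removed it would still be refused on device and network alone.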
In our recent guide, UX versus User Security, we found that many organisations in both the US and the UK guard against compromised credentials with additional measures such as real-time monitoring of accounts, alerts on abnormal logon activity and contextual access restrictions. This strikes the right balance between user experience and security: the protection is there, but it does not impede the user.
Learn more about customising your security by implementing and managing transparent access controls that do not impede user productivity.