Category Archives: Identity & Access

Are Passwords Killing Your Customer Experience? Try Passwordless Authentication

Creating a seamless, secure experience for your legitimate users is a challenge. Most users are good and deserve a frictionless experience, but the less than 0.1 percent of users that are suspected to be rogue actors, according to IBM Trusteer research, spoil the party for everyone. These are the users who commit online fraud, steal data, bypass formal application programming interfaces (APIs) and skew site analytics. The rest of us can thank them for the frustration associated with tedious login rituals.

We’re drowning customers in a sea of passwords and expecting them to stay afloat. Passwords are not only a pain, but also easy to compromise: users reuse them across sites, attackers phish them, and leaked password databases let them be cracked offline. So how is the industry combating these password problems and the usability pains that come with them? Shockingly, many organizations still rely on passwords alone as a form of authentication, and we know they’re failing. According to a Javelin Strategy & Research survey, 1 in 5 customers fails to authenticate. This could be due to multiple factors, one of which is forgetting their own password.

How Can Companies Go Passwordless?

Let’s take a step back and think about it: As a consumer yourself, how many online accounts do you have, and how many different passwords do you need to create to outsmart fraudsters? All these credentials are nearly impossible to manage.

If we know a large percentage of our users are legitimate, then let’s deliver the seamless but secure experience they expect and, in the end, help drive digital sales. So what does going passwordless really mean, and how is it possible?

The passwordless experience is based on identifying unauthorized access to web and mobile applications and sensitive operations. Organizations can identify these issues by using risk-based authentication and continuous trust validation technologies, which provide services such as behavioral analysis, device identification and authenticity, phone number and email intelligence, identity linkages, and session and network attributes to build this trust. These signals are what make passwordless authentication possible: they let the system recognize users for whom it has positive evidence and challenge only the high-risk ones.

Examples of a Passwordless Customer Experience

How does this work in practice? Below are some examples of how passwordless authentication can transform and improve your customer experience.

  • A new customer registers on a site or application by confirming his or her email or phone. The confirmed device is then enrolled as trusted, so subsequent logins from it require no password.
  • A registered user accesses a site seamlessly after the system detects no threats or compromises on the trusted device.
  • A user accesses a service from a new device by confirming the email or phone number associated with the account and entering his or her credentials. After the device is labeled as trusted, it is auto-enrolled for seamless entry.
  • A user accesses a service seamlessly and browses with continuous authentication in the background until he or she reaches sensitive information. At this point, the user is prompted to enter his or her two-factor authentication (2FA) information before accessing this data.
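The four scenarios above can be reduced to a small decision engine. The following is an added example, not code from the original post or from any IBM Trusteer product: it keeps a per-user store of trusted devices that is populated only after an email or phone challenge succeeds, computes a risk score from device, network and behavioral signals for every request, denies when the device itself is compromised, and asks for two-factor authentication only when the risk is high or the operation touches sensitive data. The signal weights, thresholds, field names and the list of sensitive operations are assumptions chosen for illustration.

```python
"""Risk-based, passwordless login decisions (added example, not from the post)."""
import hashlib
import hmac
from dataclasses import dataclass, field

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"
# Assumption: operations that always require 2FA before the data is shown.
SENSITIVE_OPS = {"view_statement", "change_email", "add_payee"}


@dataclass
class Request:
    user: str
    device_fp: str                   # stable fingerprint supplied by the client SDK (assumed)
    ip_country: str
    contact_verified: bool = False   # user just passed an email/phone OTP challenge
    operation: str = "browse"
    behaviour_anomaly: float = 0.0   # 0.0 = typical for this user .. 1.0 = very unlike them
    device_compromised: bool = False # rooted/jailbroken device, overlay or RAT detected


@dataclass
class TrustStore:
    secret: bytes
    trusted: dict = field(default_factory=dict)   # user -> {device token: last seen country}

    def token(self, user, device_fp):
        # Keyed hash instead of the raw fingerprint, so a leaked store cannot
        # be replayed as a device identity against this service.
        msg = f"{user}:{device_fp}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def is_trusted(self, user, device_fp):
        return self.token(user, device_fp) in self.trusted.get(user, {})

    def enroll(self, user, device_fp, country):
        self.trusted.setdefault(user, {})[self.token(user, device_fp)] = country


def score(store, req):
    """Risk score in [0, 1]; higher means the session looks less like the real user."""
    if req.device_compromised:
        return 1.0
    s = 0.0
    if not store.is_trusted(req.user, req.device_fp):
        s += 0.5                                   # unknown device
    elif store.trusted[req.user][store.token(req.user, req.device_fp)] != req.ip_country:
        s += 0.2                                   # trusted device, but a new country
    s += 0.5 * req.behaviour_anomaly               # navigation/typing unlike this user
    return min(s, 1.0)


def decide(store, req):
    """Map the risk score and the requested operation onto allow / step_up / deny."""
    if req.contact_verified and not req.device_compromised:
        # Registration or first login from a new device: the email/phone
        # challenge just succeeded, so enroll the device and let the user in.
        store.enroll(req.user, req.device_fp, req.ip_country)
        return ALLOW
    s = score(store, req)
    if s >= 0.8:
        return DENY
    if req.operation in SENSITIVE_OPS:
        return STEP_UP          # background trust was fine, but sensitive data needs 2FA
    return STEP_UP if s >= 0.5 else ALLOW


if __name__ == "__main__":
    store = TrustStore(secret=b"rotate-me")
    print(decide(store, Request("alice", "fp1", "US", contact_verified=True)))  # enrolls fp1
    print(decide(store, Request("alice", "fp1", "US")))                         # trusted device
    print(decide(store, Request("alice", "fp2", "US")))                         # new device
    print(decide(store, Request("alice", "fp1", "US", operation="add_payee")))  # sensitive op
```

The important design choice is that a device only becomes trusted through a successful out-of-band challenge, never merely by being seen; and the score is recomputed on every request, so a trusted device that starts behaving oddly or appears from a new country is challenged again rather than waved through.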

If you go passwordless, you stand to improve your customer experience significantly. A system free of clunky passwords helps streamline customers’ buying journeys and distinguish between legitimate users and fraudsters. Most importantly, it enables your users to enjoy a seamless experience on any digital platform. So what are you waiting for? Now is the time to give your customers the experience they deserve and the security they demand with passwordless authentication.


The post Are Passwords Killing Your Customer Experience? Try Passwordless Authentication appeared first on Security Intelligence.

Design Your IAM Program With Your Users in Mind

Co-authored by Kevin Pratt

Identity and access management (IAM) should be a seamless part of employees’ day-to-day activities and your organization’s overall security posture. An IAM program controls and administers the access users have to an array of critical systems and data. If your users have difficulty accessing systems and applications with an IAM solution in place, your security posture can suffer. For example, employees may go around established security policies and leverage shadow IT applications to get their jobs done faster.

Many identity programs struggle to gain user acceptance because IAM is a particularly challenging field within security. If you don’t start by following IAM best practices and understanding the business’ goals and users’ needs and requirements, you may find it difficult to gain the levels of user adoption necessary to make an IAM program successful in the long term.

Infuse Empathy Into Your IAM Program Using the Enterprise Design Thinking Framework

Kevin Pratt, senior managing consultant in identity and access management at IBM, has heard countless stories from clients who tried to deploy an IAM tool without first considering users’ needs and their related pain points. I found his advice to be particularly insightful, so I asked him to sit down for an interview to talk about some critical considerations for designing a world-class IAM program.

Question: How would you explain Enterprise Design Thinking to a first-time client?

Pratt: Enterprise Design Thinking is an approach that helps us align IAM projects to the business by focusing on user outcomes. This approach helps us achieve better user experiences, delivers programs at scale and does this in a faster time frame.

With Enterprise Design Thinking for IAM, we first seek to understand what problem we are solving, the different stakeholders that are interacting with and impacted by IAM programs, then identify user needs, pain points and wants. These insights help us to work collaboratively with our clients to identify the right problem to solve, and secondly, correctly design and align user needs to the business. Understanding this convergence of needs across all three dimensions is key to designing a successful IAM program.

Give an example of a time a client used Enterprise Design Thinking to understand what users really want. What was the result, and how did it compare to clients that didn’t focus on IAM best practices?

IAM projects usually fail due to lack of user acceptance. IAM user acceptance can be especially challenging when balancing project and security requirements with the user experience.

So, if you take time, in the beginning, to align IAM work with the needs of your users and the business, you give your users a sense of ownership of the IAM work and build a foundation for a true partnership between the users, the business and IAM practices. As mentioned, these are key to building and executing a successful IAM program.

One client example that comes to mind is a health care organization that was adopting single sign-on (SSO) and wanted to leverage biometrics by using fingerprints. However, many users, like doctors and nurses, have to wear gloves at all times when working with patients and can’t always authenticate their identity with fingerprints.

We quickly identified in a design thinking session that these users needed a different way to authenticate, like a face or iris scan. Rather than deliver an authentication solution that met security requirements but did not meet critical end user requirements, we immediately identified that the end users’ needs did not align. These insights were leveraged to build a set of requirements which would result in seamless user adoption.

Tell me about a time when an organization didn’t obtain stakeholder buy-in.

We hear these stories over and over …

One example in particular comes to mind: A client was building an IAM product that would onboard and offboard users — essentially a robust identity governance and administration solution. A month before the go-live date, a human resources executive went to the C-suite and said that the IAM group forgot to include them at the right level in the conversations around the project requirements. In this situation, HR was particularly concerned about employee transfers, leaves of absence and other temporary leaves because of the access retained by the employees, which puts the business at unacceptable risk. These user requirements weren’t incorporated at the level that HR wanted.

As a result, the project was stopped by the business right before the go-live date, and the project hasn’t moved forward a year later.

Many times, IAM projects do not correctly involve the right stakeholders at the right level. Therefore, it becomes imperative that the right stakeholders are included from the beginning. As an IAM practitioner, it’s your responsibility to walk through the user life cycle process with line-of-business (LOB) executives and other key stakeholders.

All too often, IAM specialists are laser-focused on security requirements and user onboarding. Of course, IAM needs that particular information. However, where you encounter trouble is when IAM experts are not paying attention to what the lines of business are doing with the data.

If you’re only concerned with security, you’re missing an essential component. An Enterprise Design Thinking for IAM session takes you out of the security silo and immerses you, your IAM stakeholders and collaboration teams into the lives and personas of the users that will interact with the new IAM technology. Too many times it is missed during a deployment.

What’s one of your favorite Enterprise Design Thinking exercises? Discuss the approach and why it’s helpful for clients.

One of the most helpful exercises I’ve seen is the empathy map. It enables you and your business to gain a better understanding of the user and their specific needs. It starts with identifying the user that will interact with systems and asks a series of questions.

Ideally, impacted users, or what are referred to as “sponsor users,” are invited to the design thinking sessions, interviewed in advance or the design thinking work is “played back” to them on a regular basis. This results in the user’s voice being present throughout the collaboration process, and the insights which surface as a result of their involvement are continually infused into planning in an iterative manner.

These questions are not just about IAM. The questions get into the user’s life. Sample questions might be:

  • Do employees work remotely?
  • Do employees spend time traveling?
  • Do employees spend time at the office?
  • What is the office environment like?
  • What is your sponsor user thinking, feeling, saying and doing in the context of the problem you’re solving for?

The goal is to develop a robust frame of reference which accurately represents the user.

Then, you put your answers into a grid and identify what your users say, think, feel and do. In the middle of this, we have a picture of this person or user (see image below). The goal is to immerse ourselves into the lives of users.

Empathy Map showcasing what a user thinks, says, does, and feels


More often, it’s fairly easy to fill in the “says” section because we know what they said. But we have to take it further and understand what the users are thinking. This requires getting into the mind of the users and including them as a part of the exercise so that the entire team can understand and verbalize what the users are thinking.

Then you move into how they feel. Users often feel frustrated about security solutions, but nobody on the security side usually explores those frustrations. Lastly, what does the user do? If this solution causes a problem, what will the user actually do? This often includes users finding creative ways to bypass our security controls. You need to understand what the negative consequences are for an IAM program failure. You may be able to identify those risks and stop them before they happen.

Once we have these identified, we then start to cluster, remix and group the needs and pains on the empathy map. By grouping like needs and pain points for numerous personas representing users, you begin to see common issues across different users by what they’re saying, thinking, feeling and doing. This exercise allows you to first identify themes in common, then prioritize the problems and determine which ones to solve first. It helps you answer the question that most often comes up: “How do we best address this?”

In summary, an empathy map is a fantastic way to get a deeper understanding of these users that will interact with your IAM processes and technologies.

After you’ve completed this exercise, one thing that can happen is you can have information overload. There may be so many needs and pains that an organization doesn’t know where to start. That’s where the prioritization grid can come into play.

Essentially, you take all the information gathered from the empathy map and put it into a grid that measures the impact on the user. You want to understand the feasibility of each issue. Only having the information from the empathy map isn’t enough — it is only one piece to ensuring user understanding. You need to be able to prioritize the needs and pains, identify what are the real impacts and what the feasibility is for fixing these.

It is important to note that prioritization grids are not limited to use after an empathy map exercise. They can be leveraged as a next step in many other stages of Design Thinking iteration, such as for prioritizing ideas, identifying and managing risk, and developing initial road maps and action plans.

These two exercises are very effective as part of a wider Enterprise Design Thinking approach that drives the engagements from beginning to end. It’s important to realize that Design Thinking isn’t just a workshop and an exercise or two; rather, it’s a completely different way of working with clients.

Why do you think Enterprise Design Thinking helps to build a more successful IAM program?

Enterprise Design Thinking focuses on user outcomes instead of just security outcomes. IAM tools do not exist in a userless vacuum. So, it’s vital for IAM practitioners to include users in their IAM discussions and programs. There’s not a good track record of this happening to date — we can do better for our clients by leveraging the Design Thinking framework and beginning to practice first with our own teams. Try an empathy map in practice to get a start.

At the 2018 Gartner IAM Summit in Las Vegas, we had a workshop where attendees chose a user (CISO, IAM admin, incident response analyst or customer) framed by a design prompt or common problem experienced by those stakeholders to focus on while putting together an empathy map. We had mostly security practitioners in the room.

Unsurprisingly, the user that was chosen by the least number of attendees was the customer. It can be difficult for IAM practitioners to relate to our customers and users. This we are hoping to change by virtue of exposing our IAM practitioners to the framework and how best to leverage it.

With Enterprise Design Thinking, we don’t have to guess what each user wants. We take the time to get to know the users, and this allows us to identify the right problem to solve, correctly align with the users and business, and identify a solution that meets the security requirements, addresses user needs and the needs of the business.



How ‘Mini CEO’ Laurene Hummer Engineers Better Identity and Access Management

There’s a common expectation that the higher you go in any business, the less you see of your customers. But Laurene Hummer, senior offering manager for identity and access management (IAM) services at IBM Security, makes a point of taking every opportunity offered to speak with end users.

Laurene works by a motto she learned during a course called Pragmatic Marketing: The answers to your questions are not in the building.

“Any time a seller pulls me in or a consultant invites me to a call, any opportunity to have a direct conversation with the customer, I take it,” she said. “And if you’re talking to only existing customers, you’re missing the input from all of the people who aren’t your customers yet, but could be — so it’s also important to talk to users outside of your current base to understand why they’re not your customers yet.”

Setting the Direction

Describing herself as the “mini CEO” for her specific line of business, Laurene said her day-to-day involves looking at the governance and performance of the IAM services business, evaluating the value provided to customers, understanding the market and closely examining how competitors go to market. Then, she develops new offerings to address client pain points and guides their go-to-market and delivery execution. She must consider how to enable all the various IBM functions to effectively deliver those services to clients and help them address their challenges. That’s quite a responsibility.

It’s all about setting the direction for the IBM Security IAM services business as a whole.

“Being an offering manager is making an impact through influence,” said Laurene. “We need to be able to articulate the mission and get people to agree to work together towards a common goal. It’s a lot of relationship building.”

Being at the helm of even a small part of IBM Security might mean lots of meetings, and lots of meetings also mean lots of internal conversations — and you can easily get lost talking to internal stakeholders and making sure you’re aligned, said Laurene.

“The most important thing, our North Star, really is the customer and what the market needs,” she said. “We need to let that guide us and be the reason why we’re having all these internal conversations, and not the other way around. You must keep in mind the true reason you’re doing it, which is solving customer problems.”

Answering the Big Questions

But Laurene is not only part business leader, part politician and part diplomat. She’s also part chemical engineer: After earning a Bachelor of Science in Chemical Engineering, Laurene spent time working in the oil and gas industry, and later in alternative energy, which is all quite far removed from cybersecurity at first glance.

The thing about physical engineering is that everything is quite straightforward — you apply well-established laws of physics and are constrained by them. Laurene looked at the business world and decided that was where she could find more freedom to be creative.

“Of course engineering can be very complex,” she said, “but the cool thing about business is there is more uncertainty, there’s really no right answer to things. I thought it was just a different way to have an impact.”

A guest speaker in one of her business classes introduced her to the world of cybersecurity, and Laurene was sold; it sounded like “a very pressing, important problem” for society.

“I started in energy, and energy is the foundation of our society, so that was a really big, important problem to work on, and I saw cybersecurity as something very similar,” she said. “As our digital lives are growing in importance and interfacing more closely with our physical lives, cybersecurity is starting to become integral to the fabric of society.”

IBMer Laurene Hummer

The Consumerization of IT

So, having made the transition from physical engineering, Laurene now leads the strategy and offering development for identity and access management (IAM) services, the part of IBM that helps organizations tackle their toughest IAM challenges. Most people’s experience with IAM is the interaction with the login screens they see when accessing, say, their work email or apps. But it also encompasses everything behind that login screen that allows each individual to have access to the right resources at the right time. The IBM services organization helps companies deal with consumers’ increasing expectation for things to be easily accessible from anywhere.

Laurene calls it the “consumerization of IT” — those changing expectations that how we log in to our work applications should mirror our personal applications — and businesses can struggle to deal with the change.

“A lot of the time, identity and access management can get in the way of employee productivity,” she said. “A lot of organizations’ security teams will say, ‘No, you can’t access this application from your mobile phone,’ or, ‘You can’t access it when you’re on the road or from your personal device because it’s not secure.’

“Having the right identity and access management policies in place can allow an organization to let their employees have much more flexible access to their assets in order to improve their productivity and make it a better experience. And that’s becoming more and more important as consumers have their own personal experiences with IT.”

Resilience and Strength From Two Cultures

Perhaps Laurene’s drive to answer society’s big questions and to make lives easier comes from her adolescence, when she was uprooted from her native France and brought to the U.S. at the age of 13. She believes her two worlds have helped her to be open to other cultures and to understand things are done differently all over the world — but it’s also made her very resilient, she said.

“When I was in France, I was a pretty bright kid and things came easily, so I didn’t have to work too hard, and I could goof around,” she admitted. “Then I moved to the States and I didn’t speak the language, so I had to work three times as hard to achieve the same outcome.

“That was a really hard adjustment. I had to show I may not speak the language, but I was very capable. That gave me the motivation to work hard, and I think that’s really carried through even today.”

Laurene ensures she speaks French at home to her two boys, aged four and two, to instill some of that multicultural open-mindedness. She then logs in to her work laptop using the very systems she helps clients implement at IBM Security, and goes to work making our digital lives a bit easier and more seamless.



Intelligent Access Certification Improves Decision-Making Around Compliance, Identity Governance and More

Co-authored by Fabrizio Petriconi.

In the ever-expanding digital ecosystem, having secure and efficient access to resources is critical to both using and delivering services. But if you’re a gatekeeper managing a large number of identities and resources, your primary concern is who has access and how that access is being used.

Identity governance is the intelligent management of user identities to support enterprise IT and regulatory compliance. By collecting and analyzing identity data, you can improve visibility into access, prioritize compliance actions with insights based on risks and make better decisions with clear, actionable intelligence.

Certify Access to Reduce Risk

If you use a business-activity-based approach to risk modeling, you’ll make life a bit easier for your auditors, risk compliance managers and, ultimately, yourself. The core aspects of identity management include automatic and manual provisioning, tracking user roles and life cycles, and understanding business workflow.

Most importantly, establishing accurate access certification at the start — and then continuously reviewing it — can help with your risk modeling efforts. You’ll want to prevent users from accumulating unnecessary privileges, so even if you have had an identity management solution in place for years, it’s a good idea to use certification campaigns as a cleaning tool to ensure everyone is only accessing what they need to do their jobs.

How to Avoid Common Access Certification Issues

It takes a certain amount of diligence for access certification to be useful. Approvers are often overwhelmed by too many certification requests, or those certifications are complex and difficult to parse out. It’s easy to see why an approver might simply “select all,” click “approve,” and conclude his or her activity.

Obviously, this approach should be avoided, and in some countries, it is not compliant with regulations. Let’s look at some recommendations for both static, or predefined, cadences and dynamic events, which occur in response to specific activities such as hiring, job shifts and similar user changes.

Recommendations for Static Events

  • Once a year, conduct a complete certification in which each manager certifies all the rights of the members of their team.

  • Group or divide access for certain applications or business areas to simplify and focus the reviewer’s attention.

  • Do not ask reviewers to certify access that was assigned by automatic or default policies. That access is governed by the policy itself (review the policy instead), and including it only adds noise to the campaign.

  • Delegate campaigns with a very technical and complicated access to skilled reviewers with subject-matter expertise.

  • Run targeted campaigns scoped to a homogeneous population of users (for example, users who share the same duties or departmental membership), so that a reviewer compares like with like and outliers stand out.

Recommendations for Dynamic Events

  • Run quarterly delta certifications in which managers certify only the authorizations that have changed since the previous quarter, rather than re-reviewing access they already approved.

  • Trigger event-driven campaigns on specific identity life cycle events, such as a user moving from one department to another or changing business function, so that access inherited from the old role is reviewed before it accumulates.
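The static and dynamic recommendations above are mostly set operations over entitlement snapshots, which is easy to show in code. The following is an added example, not code from the original post or from any IBM identity governance product. On a small constructed data set it builds the yearly full campaign per manager grouped by application, builds the quarterly delta campaign from two snapshots, excludes policy-assigned access from both, and flags reviewers who approved an entire batch at a pace that suggests "select all, approve". The field names, the `source` values and the rubber-stamp thresholds are assumptions.

```python
"""Access certification campaigns and rubber-stamp detection (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    user: str
    manager: str
    app: str
    role: str
    source: str   # assumed values: "manual" (requested/approved) or "policy" (birthright)


# Constructed snapshots: the previous quarter and now.
PREVIOUS = {
    Entitlement("bob", "carol", "erp", "ap_clerk", "manual"),
    Entitlement("bob", "carol", "mail", "mailbox_user", "policy"),
    Entitlement("dan", "carol", "erp", "ap_clerk", "manual"),
}
SNAPSHOT_NOW = {
    Entitlement("bob", "carol", "erp", "ap_clerk", "manual"),
    Entitlement("bob", "carol", "erp", "vendor_master_admin", "manual"),  # newly granted
    Entitlement("bob", "carol", "mail", "mailbox_user", "policy"),
    Entitlement("dan", "carol", "erp", "ap_clerk", "manual"),
    Entitlement("dan", "carol", "hr", "hr_reader", "policy"),             # new, but policy-driven
    Entitlement("eve", "frank", "erp", "ap_clerk", "manual"),
}


def reviewable(entitlements):
    """Drop policy-assigned access: the policy, not the manager, governs it."""
    return {e for e in entitlements if e.source == "manual"}


def full_campaign(current):
    """Yearly campaign: each manager certifies all manual access of their team,
    grouped by application so a reviewer can focus on one system at a time."""
    items = defaultdict(lambda: defaultdict(list))
    for e in sorted(reviewable(current), key=lambda e: (e.manager, e.app, e.user, e.role)):
        items[e.manager][e.app].append(e)
    return items


def delta_campaign(previous, current):
    """Quarterly campaign: only access added since the last snapshot needs a decision.
    Removed access needs no certification, so it is returned separately for the record."""
    added = reviewable(current - previous)
    removed = reviewable(previous - current)
    return added, removed


def rubber_stamp_suspects(decisions, min_items=5, max_seconds_per_item=3.0):
    """decisions: iterable of (reviewer, item_id, decision, unix_time).
    Flag reviewers who approved 100% of a batch faster than anyone could have
    read the role descriptions. Thresholds are assumptions; tune to your tool."""
    by_reviewer = defaultdict(list)
    for reviewer, _item, decision, ts in decisions:
        by_reviewer[reviewer].append((decision, ts))
    suspects = []
    for reviewer, rows in by_reviewer.items():
        if len(rows) < min_items:
            continue
        times = sorted(ts for _, ts in rows)
        all_approved = all(d == "approve" for d, _ in rows)
        pace = (times[-1] - times[0]) / (len(rows) - 1)
        if all_approved and pace <= max_seconds_per_item:
            suspects.append(reviewer)
    return suspects


if __name__ == "__main__":
    for manager, apps in full_campaign(SNAPSHOT_NOW).items():
        for app, items in apps.items():
            print(f"{manager} certifies {len(items)} item(s) in {app}")
    added, removed = delta_campaign(PREVIOUS, SNAPSHOT_NOW)
    print("delta campaign:", sorted((e.user, e.role) for e in added))
    fast = [("carol", f"i{i}", "approve", 1000 + i) for i in range(6)]
    print("rubber-stamp suspects:", rubber_stamp_suspects(fast))
```

Note that `dan`'s new `hr_reader` grant never reaches a reviewer because it came from a policy; if that policy is wrong, the fix is a policy review, not a certification decision. The rubber-stamp check is deliberately conservative (all approvals and a fast pace); a single revoke in the batch is evidence the reviewer actually read it.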

Improve the Content of Your Access Certification Campaigns

When a certification tool does not offer plain-language descriptions that clearly explain the business relevance of the roles, users, access permissions and resources involved, approvers may not know what they are certifying, and rubber-stamping becomes the path of least resistance.

To create quality descriptions, you should:

  • Rely on system owners, since they are the ones who have a thorough understanding of their resources.

  • Define roles with explicit names. For example, if a role is assigned to a manager of engineering, name it “manager_of_engineering” and not simply “mgr” or “L3mgr.” This can be done manually or using role-mining techniques — that is, the tool itself proposes a name based on the attributes of the identity, department, location or similar information.

  • Highlight the business activities to which users are contributing.

Get It Right

In any case, even after taking all the necessary precautions, access certification can be complex and time-consuming. It’s probably clear by now that to be effective in activating certification campaigns, you need to not only activate the technical solution, but also establish a compliance-oriented culture. Educating approvers on the importance of access certification is also critical to maintain regulatory compliance.

When you consider the commitment of stakeholders and adopt and enforce industry best practices, intelligent identity governance enables you to streamline full provisioning and self-service requests, eliminate manual audits, quickly identify compliance violations and risky behavior, and automate the myriad labor-intensive processes associated with managing user identities. With the digital ecosystem expanding every day, business and security leaders need this level of visibility and control to make better decisions about who can access what data and systems on enterprise networks.


AWS Provides Secure Access to Internal Assets With Amazon WorkLink

Amazon Web Services (AWS) on Wednesday announced the launch of Amazon WorkLink, a service that enables organizations to provide employees easy and secure access to internal websites and applications from their mobile devices without the need for a VPN or custom browser.


How Former Bomb Disposal Expert and Lighting Designer Shaked Vax Pivoted Toward a Cybersecurity Career

There’s no doubt that a cybersecurity breach can blow up a business, but it’s still surprising to hear Shaked Vax, worldwide technical sales leader at IBM Security, compare some aspects of his cybersecurity career to his time with the Israeli Army’s bomb disposal unit.

“One of the key things you are taught when approaching an improvised explosive device (IED) to dismantle it is to avoid coming from the obvious direction — the direction the attacker assumed you will come from,” Shaked explained. “Come from the back, from the side, from the top — however you can approach that is unpredictable.”

The same advice applies to cybersecurity, especially when it comes to the ways in which attackers target the users in their sights. The best way to identify them or launch a counterattack is by using the most innovative tools and approaching from the most unpredictable angle. According to Shaked, that’s how we can use attackers’ own methodologies against them.

Walking on Wires — and Cutting Them

Another link between Shaked’s two lives is caution. He believes, and has learned from experience, that being afraid actually helps to protect you because it makes you more alert. When you are bold and overconfident, that’s when mistakes may happen — whether that means using the wrong approach to dismantle a bomb, or being complacent with your company’s cybersecurity protocols.

“Newsflash: Stuff can hurt you, and you should be super alert when handling it,” the former bomb disposal expert advised. “Being cautious, on your toes and thinking of it as a rivalry allows you to be more in tune, and that’s something I took forward into my role in cybersecurity. It’s how I operate and think now. It becomes ingrained in your veins and it really gets to be part of you.”

Shining a Light on Cybersecurity

Despite these strong threads between his past and present lives, a career in cybersecurity was not always in Shaked’s vision. He studied theater design at university and later went on to design lighting for rock concerts, operas, theater productions and TV studios.

While studying for his master’s degree, Shaked was offered a job working in an Israeli technology company that created lighting control boards — similar to the soundboards you see at concerts, but used to control the light show.

It was a great springboard for the budding lighting designer because he was hands-on in quality assurance and involved in new features and designs. A chance promotion saw him move into product and marketing management at the company, where he got even more engaged and started leading new offerings and feature designs.

“It was exciting because going to visit a customer meant I was going to meet lighting designers and lighting operators in a rock concert or an opera house or a disco club, which was awesome,” he recalled. “It was a great way to do market research.”

This area of theater design is “very, very technological,” Shaked explained. “You can imagine how much computing power is required to manage hundreds of lights that move and morph in real time, and how many innovative UI concepts need to go into a system to allow the operator to really interact with the show.”

So while he was working with his first love, he was developing another — technology — and becoming fascinated with how it interacts with our world. The dot-com bubble and the rise of the Israeli startup scene in the 2000s excited Shaked, and he wanted to push his technology career further, outside of lighting design. Colleagues recommended him for a role at cybersecurity firm Check Point, and thus his passion for lighting became just a passion again; his career was now cybersecurity.

Shaked moved up the ladder again at Check Point, where he worked in research and development and helped to innovate new security information and event management (SIEM) and Secure Sockets Layer virtual private network (SSL VPN) products, and later jumped around the tech scene as a product manager. He arrived at Trusteer just a few months before it was acquired by IBM Security in 2013.

“Trusteer got acquired by IBM, which gave me a great career path,” he said. “I got to expand in offering management, learning a lot about how a big business manages products and portfolios, and many more business perspectives.”

Shaked Vax approached his cybersecurity career from an unexpected angle

A Positive Spin on Fraud Prevention

As a product manager, Shaked had always been focused on the technology, the customers and the sellers. At IBM, he got to learn the business perspective of what he was doing.

He moved from Israel to Boston with his family three years ago to take on a strategic role, looking to expand the Trusteer business to new markets and solve new problems with the advanced fraud prevention technology. Although it was traditionally focused on banking and financial fraud, Trusteer’s technology is branching out.

“We call it trusted digital identity instead of fraud prevention,” said Shaked. “We’re looking more positively at how we enable businesses to do digital transformation and engage better with their customers over digital channels.”

Shifting focus from the negative implications of fraud and into more positive trust-based messaging is a market evolution, Shaked explained. Many technologies previously used for fraud detection are becoming increasingly intertwined with identity and access management (IAM) tools because identity fraud prevention centers on transparently ensuring that users are who they say they are.

Taking Identity Trust to New Places

“At the end of the day, authentication solutions were designed to correlate and prove digital identities,” said Shaked. “However, what was initially created as fraud solutions does that transparently. It does this without asking you anything, which is where everyone wants to be — passwordless, frictionless.”

Shaked now leads Trusteer’s technical sellers across the world as part of his mission to take the identity fraud prevention technology to new places. Although it’s a relatively new role, he is building the team and driving improvements in how it operates, ensuring that sellers have the tools and knowledge they need across the entire portfolio.

And if you’re wondering, yes, Shaked still occasionally has his hands in lighting design. The bomb disposal work, though, has stayed firmly in the past. These days, he’s focused on keeping businesses from blowing up.

The post How Former Bomb Disposal Expert and Lighting Designer Shaked Vax Pivoted Toward a Cybersecurity Career appeared first on Security Intelligence.

DHS Warns Federal Agencies of DNS Hijacking Attacks

The U.S. Department of Homeland Security (DHS) on Tuesday issued an emergency directive instructing federal agencies to prevent and respond to DNS hijacking attacks.

Multifactor Authentication Delivers the Convenience and Security Online Shoppers Demand

Another holiday shopping season has ended, and for exhausted online consumers, this alone is good news. The National Retail Federation (NRF), the world’s largest retail trade association, reported that the number of online transactions surpassed that of in-store purchases during Thanksgiving weekend in the U.S. Online shopping is a growing, global trend that is boosted by big retailers and financial institutions.

However, according to a Javelin Strategy & Research study, many consumers remain skeptical about the security of online shopping and mobile banking systems. While 70 percent of those surveyed said they feel secure purchasing items from a physical store, the confidence level dropped to 56 percent for online purchases and 50 percent for mobile banking. How can retailers increase customer trust toward online transactions?

Security Versus Convenience: The Search for Equilibrium Continues

When we register for online services, we implicitly balance security and convenience. When we’re banking and shopping online, the need for security is greater. We are willing to spend more time to complete a transaction — for example, by entering a one-time password (OTP) received via SMS — in exchange for a safer experience. On the other hand, convenience becomes paramount when logging into social networks, often at the expense of security.

Figure: App or account types respondents cared most to protect (Source: IBM Future of Identity Study 2018)

A growing number of users are finding the right balance between convenience and security in biometric authentication capabilities such as fingerprint scanning and facial recognition. Passwords have done the job so far, but they are destined for an inexorable decline because password-only authentication is inherently weak: passwords are reused, phished, guessed and leaked in breaches.

According to the “IBM Future of Identity Study 2018,” a fingerprint scan is perceived as the most secure authentication method, while alphanumeric passwords and digital personal identification numbers (PINs) are decidedly inferior. However, even biometrics have their faults; there are already a number of documented break-ins, data breaches, viable attack schemes and limitations. For instance, how would facial recognition behave in front of twins?

The Future of Identity Verification and Multifactor Authentication

Multifactor authentication (MFA) represents a promising alternative. MFA combines multiple authentication factors so that if one is compromised, the overall system can remain secure. The familiar system already in use for many online services — based on the combination of a password and an SMS code to authorize a login or transaction — is a simple example of two-factor authentication (2FA).

Invisible signals such as device fingerprinting, geolocation, IP reputation, device reputation and mobile network operator (MNO) data can also contribute substantially to identity verification. Some threat intelligence platforms already expose most of this information to third-party applications and solutions. These elements add context about the user and the device used for the online transaction and help quantify the risk level of each operation.

Together, these signals open the way to context-based access, which conditions access on a dynamic assessment of the risk associated with each individual transaction and demands additional verification only when the risk level becomes too great.

Existing technologies for context-based access allow security teams to:

  • Register the user’s device, silently or subject to consent, and promptly identify any device substitution or attempt to impersonate the legitimate device;
  • Associate biometric credentials to registered devices, thus binding the legitimate device, user and online application;
  • Spot known users accessing data from unregistered devices and require additional authentication steps;
  • Move to passwordless login, based on scanning a time-based QR code without typing a password;
  • Verify user presence, limiting the effectiveness of replay attacks and other automated attacks;
  • Use an authenticator app to access online services with 2FA that leverages the biometric device on the smartphone, such as the fingerprint reader, and stores biometric data only on the user’s device;
  • Use advanced authentication mechanisms, such as FIDO2, which standardizes the use of authentication devices for access to online services in mobile and desktop environments; and
  • Calculate the risk value for a transaction based on the user’s behavioral patterns.

Combining all these elements, context-based access solutions conduct a dynamic risk assessment of each transaction. The transaction risk score, compared against predefined policies, can allow or block an operation or request additional authentication elements.
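The decision loop just described, as an added example (not code from the original article or from any IBM product): each transaction arrives with the invisible signals listed above, the signals that fire are weighted into a risk score, and the score is compared against policy thresholds to allow the operation, require an extra factor, or block it. A successful step-up then registers the new device so the next login from it is low-risk, which is the device registration described in the first bullet. The `Context` and `UserProfile` classes, the signal weights, the thresholds and the three sample transactions are all constructed assumptions for this example.

```python
"""Added example: context-based access decision over constructed signals.
Weights and thresholds are illustrative, not taken from any product."""
from dataclasses import dataclass, field


@dataclass
class Context:
    """Signals collected for one login or transaction (constructed)."""
    user: str
    device_id: str
    country: str
    ip_reputation: str            # "clean" | "suspicious" | "malicious"
    behavior_match: float         # 0.0..1.0 similarity to the user's usual behavior
    amount: float = 0.0           # transaction value, 0 for a plain login


@dataclass
class UserProfile:
    """What the service already knows about a returning user."""
    registered_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)


# Illustrative weights: how much each signal adds to the risk score.
WEIGHTS = {
    "unregistered_device": 40,
    "unusual_country": 25,
    "ip_suspicious": 20,
    "ip_malicious": 60,
    "behavior_mismatch": 30,
    "high_value": 15,
}
STEP_UP_THRESHOLD = 40   # score >= this: ask for an additional factor
BLOCK_THRESHOLD = 80     # score >= this: deny without asking


def risk_score(ctx: Context, profile: UserProfile):
    """Return (score, reasons) for one transaction."""
    reasons = []
    if ctx.device_id not in profile.registered_devices:
        reasons.append("unregistered_device")
    if ctx.country not in profile.usual_countries:
        reasons.append("unusual_country")
    if ctx.ip_reputation == "malicious":
        reasons.append("ip_malicious")
    elif ctx.ip_reputation == "suspicious":
        reasons.append("ip_suspicious")
    if ctx.behavior_match < 0.5:
        reasons.append("behavior_mismatch")
    if ctx.amount >= 1000:
        reasons.append("high_value")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(ctx: Context, profile: UserProfile):
    """Policy: compare the score against thresholds -> (action, score, reasons)."""
    score, reasons = risk_score(ctx, profile)
    if score >= BLOCK_THRESHOLD:
        return "block", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score, reasons
    return "allow", score, reasons


def complete_step_up(ctx: Context, profile: UserProfile) -> None:
    """Called only after the extra factor succeeded: register the device
    (with consent) so the same device is no longer an unknown signal."""
    profile.registered_devices.add(ctx.device_id)


# Constructed sample profile and transactions for one user.
PROFILE = UserProfile(registered_devices={"dev-A1"}, usual_countries={"US"})
SAMPLES = {
    "routine":    Context("alice", "dev-A1", "US", "clean", 0.9, 45.0),
    "new_device": Context("alice", "dev-Z9", "US", "clean", 0.8, 45.0),
    "takeover":   Context("alice", "dev-Z9", "RO", "malicious", 0.2, 2500.0),
}


def run_samples(profile: UserProfile = PROFILE) -> dict:
    """Action chosen for each sample transaction."""
    return {name: decide(ctx, profile)[0] for name, ctx in SAMPLES.items()}


if __name__ == "__main__":
    for name, ctx in SAMPLES.items():
        print(name, decide(ctx, PROFILE))
```

The score is additive here so that every reason is visible in the output; real engines typically combine signals with a learned model, but the policy layer (thresholds that map a score to allow, step up or block) looks the same, and logging the reasons alongside the decision is what lets a fraud team tune it.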

Get Your Customers Excited About Security

The aforementioned “IBM Future of Identity Study 2018” revealed clear demographic, geographic and cultural differences regarding the acceptance of authentication methods. No single mechanism will suit every customer, so organizations should actively encourage the adoption of next-generation authentication mechanisms and other emerging alternatives to traditional passwords rather than wait for users to demand them.

Imposing a particular method of identity verification in the name of improved security can lead to user frustration, missed opportunities and even loss of customers. Instead, you should present new authentication mechanisms as more practical and convenient — that way, your customers will perceive it as a step toward innovation and progress rather than an impediment. If your authentication method feels “cool,” your users will be more excited to show it to colleagues and friends and less frustrated with a clunky login experience. You may even want to consider offering a wide range of authentication options and letting your users choose which they prefer.

Multifactor authentication is here to stay as traditional passwords lose favor with both security professionals and increasingly privacy-aware customers. If retailers can frame these new techniques in a way that gets users excited about security, the future of identity verification in the industry looks bright.

The post Multifactor Authentication Delivers the Convenience and Security Online Shoppers Demand appeared first on Security Intelligence.