Consider user experience as well as cost and security levels when designing user authentication systems for online applications.
That was the message of a presentation by Ant Allan of Gartner at the Gartner Security and Risk Management Summit 2015, today in London.
One delegate SC spoke to, an anti-fraud systems architect for an international banking group, said she welcomed Allan's recommendations on the use of push notifications as the most effective way of performing two-factor authentication.
Methods for user authentication range widely, depending on the system owner's risk appetite and budget. They may include two-factor authentication or not, and cover a range of solutions.
When it comes to passwords, Allan said that memorable and unique was more important than complexity, and with that in mind he recommended the use of random collections of words rather than a jumble of upper- and lower-case letters, numbers and symbols.
According to his research, the randomness – or level of entropy – in random groups of words can be as high or higher than traditional passwords. The extra length, he said, makes them particularly effective against rainbow table attacks.
He also urged application designers not to camouflage passwords behind dots or asterisks.
Allan is a big fan of social media-linked logins, where you leverage a user's existing social media credentials to authenticate logins on your own site. He conceded that they weren't appropriate for every application, such as banking and other high-security applications, but for lower level sites and sites that users log into on an infrequent basis, they are a suitable solution. “We put more trust in passwords we manage ourselves than we should,” he said. “Social media is not inherently riskier and it leads to a big increase in user experience.”
He mentioned graphical logins in passing but noted that despite being around for some time and proving popular with users, they had failed to gain traction with application designers.
Mobile phones as a security token are widely used, easily understood by users and inexpensive for application designers to implement and run, but he noted that they are vulnerable to man in the middle attacks especially where tokens are sent via SMS and voice which are open channels.
With the growing popularity of smartphones, a new authentication method is growing in popularity – push notifications. Not dependent on over the air communications, the app is secure and also easy to use. Communicating over data channels means it's less expensive than SMS and voice notifications, and he described it as his favoured solution for secure authentication.
He mentioned biometric solutions, but noted that despite the wide range of biometric systems introduced and mooted over the years, the technology has not really taken off with users or application designers.
One biometric that has come into play recently is the wearable token. One such device measures the electrical signal coming from your heart to identify you and then provides authentication to an application via Bluetooth. Several banks around the world have trialled this including the Halifax in the UK.
The next part of his presentation focused on the use of adaptive security, tailoring security to the risk indicators and the threat level.
Risk indicators can include location information – is the user trying to login from a different geographical location (as indicated by his IP address) than any that he's used before – and the use of unfamiliar devices.
The threat level is indicated by what the user is trying to gain access to. Accessing low risk information from a familiar location would necessitate the lowest level of identity verification but as the user accesses increasingly sensitive information such as payment history and credentials, the security checks would become more strict.
“If we had enough contextual data, we could allow log in without a password,” Allan said. “If the systems were good enough, you could get to the stage where you would never require two-factor authentication at all – but add friction to the system when you don't have the contextual information you were looking for.”
His closing recommendations: consider the user experience as well as trust and cost when selecting new authentication methods, choose the method that maximises user experience wherever possible, and use adaptive approaches to minimise friction.