4 Tips To Make Passwordless More Secure Than Risk Based Authentication

IBM Security

Everyone hates passwords. In today’s world of digital transformation, users are demanding more seamless experiences. But how can you make the digital experience more user-centric without sacrificing security? The answer lies in building digital trust between the organization and the user. Rather than relying on passwords, which are both inefficient and ineffective, modern authentication strategies must rely on an analysis of the holistic context behind the user, their device, and their network.

Yet too many security leaders are equating passwordless authentication with older risk-based authentication (RBA) strategies. RBA typically builds a risk profile of a user from context such as IP address and geolocation. This profile or score can then become the basis for static rules around access to an account or to data. The reasoning is that a low-risk user is likely to be who they claim to be.

It is in this capacity that you can use RBA to power a passwordless authentication strategy. (If a user is low risk, why ask them for a password?) But, in this era of digital trust, passwordless solutions give organizations the opportunity to enhance their authentication, delivering an adaptive access experience that is both more secure and more user-centric. Here are four proven tips for optimizing your passwordless strategy:

Tip #1: Make authentication silent

In the not-too-distant future, the idea of stopping to authenticate will be a relic of the past. The best passwordless authentication strategies work silently in the background, analyzing factors like behavioral biometrics, which don’t create friction for the user. This type of analysis can be put to work looking for more than just risk factors. It can move towards analyzing positive identifying factors as well.

As users become recognizable to the organization, there is less need for a login at all. Organizations can use mobile threat defense (MTD), identity and access management (IAM) and user trust scoring together to build a secure and frictionless experience for trusted users. Listen to this podcast from Forrester and IBM to learn more.

Tip #2: Don’t stop authenticating after login

The fraud landscape is constantly changing and many of today’s attacks may not be apparent at login. Consider a social engineering case where the malicious actor is on the phone with the victim, coaching them into taking action. There is nothing anomalous about the login – it’s the right device, the right geolocation, even the right keystrokes or mouse movements. It isn’t until the user starts navigating the site that anything appears amiss. Other attacks, including remote overlays and session hijacking, can similarly pass login authentication.

When authentication can happen silently in the background, it no longer needs to be tied to that one moment of login. Rather, organizations can use continuous authentication to bring the power and security of passwordless to the entire digital experience. When authentication happens in real time, all the time, you can catch the more sophisticated attacks that outdated RBA strategies would otherwise miss.
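As an added illustration (not IBM's or Trusteer's code) of the coached-victim case above: a static login-time score passes because device, geolocation and network all match the user's baseline, while continuous scoring of the post-login actions flags the session. The baseline, the 203.0.113.x address and the event stream are all constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Login:
    device_id: str
    geo: str
    ip: str

@dataclass(frozen=True)
class Event:
    t: float      # seconds since login
    action: str

# Constructed baseline for one user (hypothetical values): what "normal" looks like.
BASELINE = {
    "device_id": "dev-A1",
    "geo": "US-NY",
    "ip_prefix": "203.0.113.",           # documentation address range, constructed
    "usual_actions": {"view_balance", "view_statement", "pay_bill"},
    "min_secs_before_transfer": 120.0,   # this user never transfers within 2 minutes
}

def login_risk(login: Login, baseline: dict = BASELINE) -> int:
    """Static RBA at login: one point per context attribute that mismatches."""
    return sum([
        login.device_id != baseline["device_id"],
        login.geo != baseline["geo"],
        not login.ip.startswith(baseline["ip_prefix"]),
    ])

def session_risk(events: list, baseline: dict = BASELINE) -> int:
    """Continuous scoring: re-evaluated after every post-login action."""
    score = 0
    for e in events:
        if e.action not in baseline["usual_actions"]:
            score += 1                    # action this user has never taken before
        if e.action == "add_payee":
            score += 1                    # new destination for funds
        if e.action == "transfer" and e.t < baseline["min_secs_before_transfer"]:
            score += 2                    # rushed transfer, typical of a coached victim
    return score

def needs_step_up(login: Login, events: list, threshold: int = 2) -> tuple:
    """(at_login, during_session): would static RBA vs continuous auth challenge?"""
    return login_risk(login) >= threshold, session_risk(events) >= threshold

# Constructed coached-victim session: the login context matches the baseline exactly.
COACHED_LOGIN = Login("dev-A1", "US-NY", "203.0.113.7")
COACHED_EVENTS = [Event(12.0, "view_balance"), Event(40.0, "add_payee"), Event(75.0, "transfer")]
```

`needs_step_up(COACHED_LOGIN, COACHED_EVENTS)` returns `(False, True)`: login-only RBA lets the session through, continuous scoring challenges it before the transfer completes.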

Tip #3: Start predicting the future

Older risk-based authentication policies rely on static rules to determine the level of access a user can have, or whether to require step-up authentication. But modern passwordless authentication strategies can rely on advanced AI and machine learning to draw inferences from relevant data and build more dynamic access rules. Intelligent risk simulation technology, when built into a passwordless authentication solution, can make predictive access decisions, assessing whether current rules are effective and suggesting new rules as needed.

Tip #4: Build out your authentication ecosystem

Finally, make your passwordless authentication strategy part of a larger connected ecosystem of data and user insights. Using API integrations, organizations can overcome information silos to build a complete picture of their users, the level of risk, and the level of digital identity trust that should be afforded to each.

When it comes to understanding your users, whether they are customers or employees, context is key. Today’s users demand a seamless and secure experience, and by delivering that experience through passwordless authentication, organizations can optimize the user experience while also increasing security. That’s a win-win for the business.

For more tips on passwordless authentication, read this Guide to Passwordless Authentication from IBM Security Trusteer.