The demands on enterprise IT and security departments have never been more precariously balanced. Employees and employers today want increased mobility, enhanced productivity and foolproof security all at the same time. But for IT and security, providing all three is a perilous task, with one factor often undermining the other.
But it’s an unavoidable discomfort. This yearning for greater productivity and mobility comes from the highest levels of the business, and brings with it an inherent need for improved security of the enterprises’ data – a need which if disregarded will significantly undermine the entire premise of enterprise mobility as we know it today.
The issue is that the need for security is made all the more difficult by the traditional solution - authentication methods which are so obstructive that they no longer marry with the ethos of productivity.
It is too often the case that users’ productivity is prohibited by their mobile devices’ security processes. They are typically cumbersome and degrade ease of use, upsetting the balance between usability and security. Moreover, as end-users become increasingly frustrated due to a need to move faster than the device will allow, workarounds will be sought as a way to minimize this ongoing friction, such as simpler but insecure passwords. As a result, enterprises’ data is left more vulnerable.
But this growing trend of undermining of security falls in perfect parallel with the growth of enterprise mobility. As such, enterprise IT and security teams must realize the importance of fixing the former to realize the success of the latter. Ensuring device security is of primary importance for enterprises especially in a time where concerns around data breaches are increasing.
While the traditional security response to these concerns has been to strengthen the authentication process by implementing more and more factors into the security process, this only leads to further friction for the end-user, reduced productivity and ultimately, mobility uptake. Moreover, as each factor becomes increasingly permeable, it becomes evident that a single, unobstructive, secure authentication step is better than five, unsecure, unproductive steps.
Machine learning and authentication
Rather than adding more layers to authentication, the solution lies in contextual analytics. Contextual authentication works by recording the way in which an individual interacts with a device – usage patterns, locations, times of day, most frequently used apps, wifi networks connected to, proximity to other mobile devices etc. From this, a personal pattern is built, as unique as the user’s fingerprint.
Organizations are then able to compare current activity against the usage profile and create a risk profile. If the usage is within the bounds of user’s usage pattern, then a single factor authentication is sufficient. If not, then the device simply requests a secondary input, such as a password or biometric, just to recognize the unusual usage and verify the user’s identity. Importantly, the algorithm that sits behind the analysis will then learn the user’s new behaviors and incorporate them into the usage pattern.
By using contextual authentication to replace the manual input of various factors, end-user friction can be significantly reduced. While multi-factor authentication is still part of the identification process, its use will become a reassurance rather than an annoyance as it is requested only when a threat or risk has been detected.
Aside from seriously decreasing user friction, contextual authentication actually improves security. The granularity of the usage patterns that are analyzed allows for as much or as little tolerance for deviation as the enterprise’s own security policies require. Such an approach also removes the threat of oversimplified, shared and lost passwords and entrusts security to the dispassionate and mathematical algorithm. Additionally, because the machine learning algorithm will constantly learn and feed back to the respective organization, enterprises are actually able to discover new threats as they emerge, and rather than watch them penetrate the network, they will be identified as anomalies and trigger human intervention.
The future: analytics for security
Authentication has been little more than a necessary evil for some time. There’s no argument over whether data security is required, but users also don’t want to feel burdened by the identification processes imposed on them. As end-users, we don’t want to have to remember 10-character, multi-format passwords, along with two security questions and then use our fingerprint to log into our device. We simply want in, quickly and intuitively.
The reality is that authentication measures have had to become understandably more robust. The fault has been in the way in which this has been achieved. We have gone from single-factor to multi-factor very quickly, layering more and more verification input requirements on top, and unsurprisingly, we have seen a significant increase in user friction.
An impasse has now been reached. Traditional authentication methods no longer fit our move towards enterprise mobility and improving productivity.
The only solution to this challenge: contextual authentication. Analytics and machine learning technologies are increasingly dominating more industries. It’s only a matter of time until it takes over security, too.