The strong authentication market has been growing fast for several years now, and all the experts agree that this growth looks set to continue over the coming years. Authentication methods of all kinds are being developed all the time: mobile authentication, multi-factor authentication, etc. Authentication is no longer a complex technology reserved solely for technophiles. Today, it is widely used, and not just in the business world. Authentication now has a place in households… As consumers, for instance, we have all used our smartphones to confirm our identity, approve a payment, or log in to our customer account.
Why is the market enjoying such sustained growth? What are the different authentication methods available today? What about the much-vaunted passwordless authentication? This article attempts to answer all these questions.
Why is authentication experiencing such a boom?
The current buoyancy of the strong authentication market can be explained by a combination of several factors: security, compliance and digital transformation.
Companies’ IT departments are coming under unprecedented pressure from cyberattacks and have had to make major changes to their information systems in recent years to strengthen security and, in particular to protect remote access. One issue is the spread of remote working, which has exacerbated threats and created a risky situation to which companies have had to adapt in quick time. It is easy to understand the renewed interest in strong, two-factor or multi-factor authentication technology, which offers immediate security guarantees.
Reinforcing user access to the IS is a key point of regulatory compliance in many business sectors where data is sensitive. One example is the banking sector, which this year saw the PSD 2 Directive enter into force. This Directive makes two-factor authentication mandatory to secure online payments. The strong authentication market has thrived as a result, with a proliferation of market players offering new authentication technology to meet stringent compliance requirements.
The Covid crisis has accelerated the digital transformation of businesses. Conscious of the sizeable benefits of digital technology for their business, organisations have striven to offer their employees and customers new online services and applications. The key requirement? To provide fluid, simple navigation for users without sacrificing their company’s security. This is where authentication technology comes in. It offers users secure and seamless access paths perfectly suited to their various usage practices.
Overview of authentication methods
There are so many software vendors and manufacturers offering authentication solutions that it is difficult to know where to start!
It is worth remembering that authentication must be based on:
- Something the user knows;
- Something the user has;
- Something the user is.
The various authentication methods all work using:
- The knowledge factor: password, PIN, etc.
- The possession factor: contact or contactless chip cards, USB security keys (Yubico, Fido, Neowave, etc.), smartphones, OTP, TOTP, etc.
- The inherence factor: biometric technology (fingerprint or retinal scan, facial or voice recognition, behavioural biometrics, etc.).
In order for strong authentication to take place, two of the three above-mentioned authentication factors must be combined. The more factors used, the more secure the access, with the risk of identity theft reduced considerably.
For a full explanation of authentication (primary authentication, MFA, etc.), I recommend you read our special report #BackToBasics: from identification to strong, multi-factor and adaptive authentication.
Things to bear in mind when choosing your authentication technology
- There is no way of achieving universal authentication within an organisation. Before equipping your users, you need to take various parameters into account: their working environment, their job, the sensitivity of applications, the context in which they are used, the desired level of user-friendliness, etc. Take the time to consult the various target audiences within your organisation, gauge their needs and identify the various IS access scenarios (mobile, badge, USB security key, biometrics, etc.).
- Remember to consider all the possible fail-safes: what happens, for instance, when a user loses or forgets their identification token or when internet access is not available?
- Opt for open authentication methods, based on standards.
- Make sure you choose methods that are compliant with the legislation in force in your geographical area.
- Do not force your users to use a method that is not suited to their needs, or they may seek to circumvent it! When it comes to authentication, it is all about striking a balance between security and user experience. The aim is to improve users’ everyday experience while ensuring conformity with the organisation’s security policies.
- Use an authentication “hub”, such as our Sign&go Global SSO solution, which will allow you to centrally manage and deploy all the authentication methods available within your organisation. You will then have a 360° view of access to your information system.
Are we heading for a passwordless world?
“Passwordless” authentication has been big news in the IT world for some time now. The issues stemming from passwords are prompting companies to seek other solutions to bolster security. According to the Verizon 2020 Data Breach Investigations Report (DBIR), more than 80% of data breaches through hacking involve the use of lost or stolen login details, or “brute force”, where hackers try different combinations of login details until one of them works.
Passwordless authentication aims to move away from passwords, pass phrases and other secret authentication details, which are the easiest to steal. It is based on the FIDO2 standard, the latest specification of the FIDO Alliance (Fast Identity Online). This non-profit alliance aims to develop global standards for secure authentication. The FIDO2 standard, promoted by authentication players such as the GAFAs and digital protection providers, facilitates the transition to Passwordless authentication.
It is important to understand, however, that Passwordless authentication is not necessarily multi-factor authentication. The mere fact that no password has been used does not necessarily mean the authentication factor used in its place is any stronger. It should be remembered that each type of authentication has its strengths and weaknesses.
With over 300 clients, we at Ilex International have observed that companies’ maturity levels in access management and authentication vary greatly. Some sectors are more dynamic than others when it comes to technological innovation, not least the banking and fintechs sector. Whether it be Natixis, Crédit Agricole or CASDEN Banque Populaire (webinar in French), banks and fintechs have rolled out ambitious access control and advanced authentication projects.
However, it must be acknowledged that few organisations have reached a sufficient level of maturity to move towards 100% Passwordless authentication. We will see how things develop in the years ahead, but for the moment, the password is in no danger of disappearing completely… However, there are solutions to avoid some of the constraints password use entails, offer users frictionless navigation and strengthen IT security: SSO, or Single Sign-On. For further details, I recommend the article Expanding your vision of an SSO project: objectives and good practices to maximise the benefits.
Focus on our technology partnerships
In order to offer an extensive catalogue of native authentication methods compatible with our Ilex Access Management range, we work hand in hand with many tech partners.
Whether it be authentication methods based on behavioural biometrics, facial or voice recognition, ultrasound or mobile apps, we regularly try out new technology and are always on the lookout for the latest market innovations.
By allying our know-how with that of our partners, we are able to offer secure solutions perfectly suited to the varied operational needs of our clients.