No such thing as a universal authentication method?

For a variety of reasons including regulations, security and ease of use, IT managers face a complex challenge: protecting access to their information system while at the same time delivering a quality user experience.

Strong authentication or multi-factor authentication (MFA) is an excellent solution to this problem, as it reconciles issues of ease of use, security and compliance with various regulations. It is therefore proving to be an increasingly essential way of authenticating users in an information system, regardless of their job role or working practices, or the services they access.

It is no coincidence that the authentication market has been very dynamic for the last few years – and will probably remain so for a few more yet. There are a host of solutions offering an alternative to the age-old username / password combinations, which have been the bane of many of our lives as users: complicated to remember when we have a large number to manage, fairly easy to hack, not always very user-friendly or well-suited to the mobile world, etc.

But make no mistake: although many vendors and manufacturers offer authentication technologies, each more innovative than the next, based on physical resources (card, USB token, etc.), biometrics (facial, iris, fingerprints, voice, etc.), or a one-time code sent via smartphone notification, it is fanciful and unrealistic to suppose that any one single means of authentication could be suited to the needs of all users within the same organisation!

After all, access to the information system is a complex subject involving different user groups, a wide and varied range of connection situations, a vast pool of applications, etc.

As many working environments as there are business practices?

Let’s first consider a user’s work environment and the initial authentication performed by that user to access it. Apart from the traditional PC, the environment in question may also include a web browser, a mobile device or a thin client.

In all these cases, it may either be devoted to one user, or shared between several users. It may be controlled by the company, or alternatively – in the case of a personal mobile device or computer – unknown to the IT department.

There are therefore many possible scenarios, and although use cases vary from one organisation to another, they can also differ from one business unit to another within the same organisation. Let’s take a look at a few business practices that are representative of certain industries:

#Health

In a healthcare establishment, users of the hospital’s information system or administrative services generally have a dedicated workstation, while others access their applications from shared equipment, including mobile workstations on trolleys, or devices “at the patient’s feet”. In terms of authentication, French healthcare professionals use a smart card specific to their profession – the “CPS” card – to access medical applications and data. Non-medical personnel do not carry the CPS card, and use other methods to access their applications.

#Finance

For many financial organisations, biometric authentication is often used by traders to open a session simultaneously on several workstations – this is generally referred to as a “cluster” configuration – and this allows them very quick access to their multiple working environments. For other non-trading users, this use case does not apply, and they use other means of authentication.

#Public administration

City councils and local authorities are increasingly required to open their information systems to external partners, such as companies managing public services for the local community, or service providers who manage some of the authority’s applications on an outsourced basis via third-party applications maintenance contracts.
Although they can require their partners to use strong authentication to access their information system, they are not able to impose a specific solution on them, unless they provide and finance it themselves. This means that it will then have to integrate several different technologies.

#Distribution

In the distribution indutry, practices vary significantly between users working at the company’s head office and users working in stores. The latter work increasingly in shared environments and are increasingly mobile. They therefore require an authentication method suited to this way of working.
The same is true for organisations with a large number of branches as a result of a B2C economic model: telecommunications operators, banks, luxury and clothing brands, etc.

These examples make it clear that you will most likely be having to deal with several different authentication methods within your organisation.

Assessing the sensitivity of applications

Next, in addition to logging into their working environment, users need to log into a large number of applications every day. However, these applications are not all equally sensitive, and as a result, do not all require the same level of authentication. In theory, the more critical an application is in terms of corporate security, the higher its level of authentication needs to be.

This must also be combined with an essential parameter: the context of use. Are we on a trusted network within a controlled environment? Or is this area considered to be higher-risk, in an uncontrolled environment?

Consequently, for a given application, and depending on the circumstances under which it is accessed, it may be necessary to tailor the level of authentication, which will require users to adopt a different method.

Likewise, there will always be a need to provide alternative methods to the primary authentication method, in the event that it fails or cannot be used.

Multiple authentication methods per user and per application

Imagine, for example, that we wish to use an authentication technology based on a mobile application, which sends users a notification requiring them to provide their fingerprint to confirm their identity. Although this scenario is a secure (and increasingly common) one, what happens if the phone is switched off? Or the battery is flat? Or the phone is broken? Or stolen?
And in any case, before we mandate this method for accessing an application, are we completely sure that all users have such a device? If the device is their personal mobile phone, have they all agreed to use it? What happens to users whose fingerprints are not recognised, are damaged, or even missing?

Likewise, in an organisation that requires its users to hold a smart card for accessing their computer and applications, what about authentication methods for environments that are uncontrolled or have no card readers? How do you grant users who have forgotten or lost their cards access to their workstations? And how is this card used by staff working in a mobile environment?

In all these cases, either we provide users with (an)other method(s) of authentication, whether temporary or permanent, to enable them to access some or all of their work environment or applications, or we accept that they cannot access them, and will therefore not be able to work.

What to remember

There is probably no such thing as a single universal authentication method within a given organisation. When applying the security policies for their information systems, IT managers must support their users and provide secure working practices for them, and not restrict or modify these practices by forcing users to adopt unsuitable authentication methods.

A wide range of factors need to be considered (work environment, application sensitivity, the context of use, the user’s job, the expected ergonomics) and you must accept to manage a variety of different technologies.

Although best practice involves streamlining the means of authentication and the usage scenarios in every possible way, it relies above all on an authentication “hub”. This allows the different methods used to be taken into account, and the level of security and authentication adapted to the context, whilst guaranteeing access control and traceability of all operations performed.

Such a security base  must also be compatible with an increasingly open and evolving information system. With a centralised administration system, it will ensure that security for the IS is implemented in an iterative and scalable manner.