As do other companies in the anti-fraud space, Cydelity considers geo-location and atypical behavior, such as changing or disabling e-mail notification in conjunction with money transfer requests and attempts to access from suspicious locations.
Increasingly, customers are combining this kind of analytics-based risk detection with soft, two-factor alternatives to tokens and smart cards that are easier to deploy and support. For example, Diversinet’s soft tokens offer strong authentication akin to traditional tokens but can be delivered over a wireless network and stored on a PDA or mobile phone. Bharosa, meanwhile, offers a choice of form factors for its Authenticator soft two-factor authentication application, while on the back end its Tracker application monitors the origin of log-ins to avoid fraud. Metrics used include the computer or mobile device used to log in, geo-location, and behavioral profiles, says Bharosa CEO Jon Fisher.
A wide-open future
According to guidance from the Federal Financial Institutions Examination Council (FFIEC) in 2005, “Single-factor authentication, as the only control mechanism, is inadequate for high-risk transactions” such as money transfers.
In June, the White House’s Office of Management and Budget seconded that, directing federal agencies to comply with NIST security standards, including encryption of data on mobile devices and two-factor authentication for remote access to data.
These advisories have sent financial institutions and government agencies scrambling to shore up user authentication with additional factors. But that’s not necessarily a good thing for enterprises. With vendors focused on consumer fraud protection for the government and financial verticals, enterprise-targeted products are being put on hold.
“The market opportunity is such on FFIEC that right now we’re 99 percent on that,” VeriSign’s Popp says. “Between fraud, identity theft, and regulations, vendors are all-hands-on-deck.” But when the flood of FFIEC-compliance money dwindles, he says, companies will begin looking to tap the even larger enterprise authentication market.
Like Popp, IBM’s Blakley sees a role for risk-based analysis as part of the ordinary authentication process at organizations of all stripes. “Right now people mostly do risk analysis up front. It’s plausible that in the future you’re going to have more dynamic assessments of risk factors, so if a system becomes aware that something squirrelly is going on, you’re asked to pass an additional authentication test to increase confidence in the strength of the authentication,” he says.
Customers can already combine identity analytics with business rule checks to spot relationships within enterprise user populations. Adding more authentication data into that mix will lead to even more focused offerings, Blakley says.
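The risk signals described above (geo-location, the device used to log in, and atypical behavior such as changing e-mail notifications right before a money transfer) and the dynamic step-up idea Blakley describes can be combined into a small scoring engine. The following is an added example written for this page; it is not code from Cydelity, Bharosa, VeriSign, IBM, or any other vendor named here. The weights, the 24-hour notification window, the large-transfer threshold, and the sample profile and sessions are all assumptions constructed for illustration.

```python
"""Risk-based step-up authentication: score a session on the signals the
article describes and return the authentication level to demand.

Added example, not vendor code. All weights and thresholds are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative weights (assumptions, not a tuned model).
RISK_GEO_ANOMALY = 40           # login from a country the account never uses
RISK_UNKNOWN_DEVICE = 25        # device fingerprint not seen on this account before
RISK_NOTIFY_THEN_TRANSFER = 50  # e-mail notification changed shortly before a transfer
RISK_LARGE_TRANSFER = 20        # transfer at or above the account's large-amount threshold

NOTIFY_WINDOW = timedelta(hours=24)  # assumed lookback for notification changes


@dataclass
class Profile:
    """What the back end already knows about the account."""
    usual_countries: frozenset
    known_devices: frozenset
    large_amount: float = 5000.0


@dataclass
class Event:
    """One observed action in a session."""
    kind: str           # "login", "notify_change" or "transfer"
    at: datetime
    country: str = ""   # only meaningful for logins
    device: str = ""    # only meaningful for logins
    amount: float = 0.0 # only meaningful for transfers


def score_session(profile, events):
    """Return (risk score, list of human-readable reasons)."""
    score = 0
    reasons = []
    for login in (e for e in events if e.kind == "login"):
        if login.country not in profile.usual_countries:
            score += RISK_GEO_ANOMALY
            reasons.append(f"login from unusual country {login.country}")
        if login.device not in profile.known_devices:
            score += RISK_UNKNOWN_DEVICE
            reasons.append(f"login from unknown device {login.device}")
    notify_times = [e.at for e in events if e.kind == "notify_change"]
    for transfer in (e for e in events if e.kind == "transfer"):
        # A notification change followed within the window by a transfer is the
        # "disable the alert, then move the money" pattern the article mentions.
        if any(timedelta(0) <= transfer.at - t <= NOTIFY_WINDOW for t in notify_times):
            score += RISK_NOTIFY_THEN_TRANSFER
            reasons.append("notification settings changed shortly before transfer")
        if transfer.amount >= profile.large_amount:
            score += RISK_LARGE_TRANSFER
            reasons.append(f"large transfer of {transfer.amount:.2f}")
    return score, reasons


def required_auth(score):
    """Map a score to the authentication the user must pass (assumed cut-offs)."""
    if score < 30:
        return "password"        # ordinary single-factor login is enough
    if score < 70:
        return "second_factor"   # step up: OTP, soft token, etc.
    return "manual_review"       # hold the transaction for a human


def assess(profile, events):
    score, reasons = score_session(profile, events)
    return {"score": score, "auth": required_auth(score), "reasons": reasons}


# Constructed sample data.
PROFILE = Profile(usual_countries=frozenset({"US"}),
                  known_devices=frozenset({"laptop-a1"}))
T = datetime(2006, 6, 1, 9, 0)

NORMAL_SESSION = [
    Event("login", T, country="US", device="laptop-a1"),
    Event("transfer", T + timedelta(minutes=5), amount=200.0),
]
TRAVEL_SESSION = [
    Event("login", T, country="FR", device="laptop-a1"),
    Event("transfer", T + timedelta(minutes=5), amount=200.0),
]
SUSPICIOUS_SESSION = [
    Event("login", T, country="ZZ", device="unknown-7f"),
    Event("notify_change", T + timedelta(hours=1)),
    Event("transfer", T + timedelta(hours=1, minutes=30), amount=6000.0),
]

if __name__ == "__main__":
    for name, session in [("normal", NORMAL_SESSION), ("travel", TRAVEL_SESSION),
                          ("suspicious", SUSPICIOUS_SESSION)]:
        print(name, assess(PROFILE, session))
```

The score is additive so that several weak signals (a new device plus an unfamiliar country) can trigger a step-up on their own, while the notification-change-then-transfer pattern is weighted heavily enough to push a session into review even from a known device. In a real deployment the weights would be tuned against labelled fraud data and the reasons logged alongside the decision so analysts can see why a challenge was issued.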
But the future of strong authentication may lie outside the hands of any one vendor. The open source Initiative for Open AuTHentication (OATH) now boasts more than 66 members, including smart-card vendor Axalto, BMC, IBM, USB-token maker SanDisk, and VeriSign, among others. The idea is to create an ecosystem of authentication hardware and software that is based on open source components, encouraging creativity in a market that has long been dominated by a handful of large companies.
“One thing we’ve pushed with OATH is an open approach to fraud detection. Proprietary networks will never succeed, if each vendor says, ‘This is my fraud data, and I’m not going to share it.’ That just helps the bad guys,” VeriSign’s Popp says.