User Authentication for the Real World
In mid-2016, according to an article in Fortune Magazine, it was finally revealed that as many as 167 million LinkedIn user names and passwords were available on the dark web. Shortly after the announcement, LinkedIn made 2-factor authentication an option for user accounts. Earlier this year, GoToMyPC asked all their users to reset their passwords stating they suffered a “sophisticated password attack.”
In spite of all the great security efforts that have been implemented to monitor and control access, the simple fact remains that most bad actors simply walk right through the front door and log in with stolen credentials via a browser. According to Verizon's Data Breach Investigations Report, almost two-thirds of confirmed breaches in 2015 involved weak or stolen credentials. That's down from 95% in 2014, but still too high.
Add to this end-user research showing well over half of Internet users re-use the same password and layer in the advances in phishing schemes, and it’s no wonder why hackers are having a field day.
While many well-known sites are offering 2-factor authentication (2FA) using text or a token generator, most are not. Of those sites that do offer this more secure feature, it is optional and well under 10% of users are opting in.
Why is it still so easy for thieves to use stolen credentials?
First, there is very low opt-in on the sites that offer 2FA. Inconvenience is the biggest factor – the user has to turn it on for their account, often download an app to their smartphone, and set it up. I know it sounds easy, but the facts don't lie. Users are either too lazy or unsure how to do it.
Second is the login experience. It’s one thing to have to enter a passcode sent to your phone every login. It’s absolutely unreasonable to expect all customers to download a soft-token generator application.
If you are reading this, you are either nodding in bewildered agreement or stunned by the seeming ignorance of the general population.
Finally, many sites choose to leave their users unprotected, merely encouraging them to choose a strong password and change it often.
Customers are not employees. You cannot require a customer to do anything even if it’s for their own good. They will simply move to another site providing a more frictionless experience.
Because of that, the only reasonable solutions involve adaptive multi-factor authentication (AMFA) technology. This technology works silently in the background, invisibly protects all users, and only asks the user for additional verification when some threshold is met: either the login looks abnormal for that user, or a transaction exceeds a set limit.
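To make the "silent unless a threshold is met" behaviour concrete, here is an added worked example of risk-scored step-up authentication. It is illustrative code written for this article, not aPersona's product or any vendor's API: the signals (new device, new country, unusual hour, implausible travel speed, high-value transaction), the weights, the thresholds and the sample user profile are all constructed assumptions. Each login or transaction is scored against what is known about the user; a score below the threshold passes silently, anything at or above it asks for a second factor.

```python
"""Risk-scored step-up authentication (illustrative example, not vendor code)."""
import math
from dataclasses import dataclass, field

# Constructed example weights and thresholds; a real deployment tunes these from data.
WEIGHTS = {
    "new_device": 30,
    "new_country": 25,
    "unusual_hour": 10,
    "impossible_travel": 40,
    "high_value_txn": 35,
}
STEP_UP_THRESHOLD = 30      # score at or above this asks for a second factor
HIGH_VALUE_TXN = 1000.0     # transaction threshold, in the application's currency
MAX_PLAUSIBLE_KMH = 900.0   # faster than this between two logins is implausible


@dataclass
class UserProfile:
    """What the system has learned about one user from past successful logins."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_hours: set = field(default_factory=set)   # hours of day (UTC) seen before
    last_lat: float = None
    last_lon: float = None
    last_ts: float = None                           # unix seconds of the last login


@dataclass
class LoginContext:
    """Signals collected for the request being evaluated."""
    device_id: str
    country: str
    hour_utc: int
    lat: float
    lon: float
    ts: float
    txn_amount: float = 0.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def risk_score(ctx, profile):
    """Return (score, reasons): the sum of the triggered weights and why."""
    reasons = []
    if ctx.device_id not in profile.known_devices:
        reasons.append("new_device")
    if ctx.country not in profile.usual_countries:
        reasons.append("new_country")
    if profile.usual_hours and ctx.hour_utc not in profile.usual_hours:
        reasons.append("unusual_hour")
    if profile.last_ts is not None:
        hours = max((ctx.ts - profile.last_ts) / 3600.0, 1e-6)
        km = haversine_km(profile.last_lat, profile.last_lon, ctx.lat, ctx.lon)
        if km / hours > MAX_PLAUSIBLE_KMH:
            reasons.append("impossible_travel")
    if ctx.txn_amount >= HIGH_VALUE_TXN:
        reasons.append("high_value_txn")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(ctx, profile):
    """'allow' when nothing unusual was seen, otherwise 'step_up' (ask for a second factor)."""
    score, reasons = risk_score(ctx, profile)
    return ("step_up" if score >= STEP_UP_THRESHOLD else "allow"), score, reasons


def record_success(profile, ctx):
    """After a successful (possibly stepped-up) login, learn from it silently."""
    profile.known_devices.add(ctx.device_id)
    profile.usual_countries.add(ctx.country)
    profile.usual_hours.add(ctx.hour_utc)
    profile.last_lat, profile.last_lon, profile.last_ts = ctx.lat, ctx.lon, ctx.ts


# Constructed sample profile: one laptop, logins from GB during the UTC daytime, last seen in London.
ALICE = UserProfile(known_devices={"laptop-1"}, usual_countries={"GB"},
                    usual_hours=set(range(7, 22)),
                    last_lat=51.5, last_lon=-0.12, last_ts=1_700_000_000.0)

if __name__ == "__main__":
    usual = LoginContext("laptop-1", "GB", 10, 51.5, -0.12, ALICE.last_ts + 3600)
    odd = LoginContext("phone-9", "US", 3, 40.7, -74.0, ALICE.last_ts + 1800)
    print(decide(usual, ALICE))   # silent allow
    print(decide(odd, ALICE))     # step-up: new device, new country, odd hour, implausible travel
```

Note that an empty profile scores a first login as a new device from a new country, so enrolment itself triggers a step-up and `record_success` then seeds the profile; every login after that on the same device passes silently, which is the invisible-to-the-user behaviour the paragraph describes.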
Fantastic, right? Transparent protection for all application users. Just one problem. The available solutions are far too expensive and complicated to protect consumer credentials and transactions…until early last year.
In March 2015, the thought leaders at aPersona released their Adaptive Security Manager (ASM). While security is rightly a very difficult marketplace to crack, aPersona went head to head with the usual suspects in an analysis of software to protect consumer web and mobile applications that was chartered by one of the largest property and casualty insurance providers in North America. aPersona's Adaptive Security Manager was chosen as the winner.
At the same time, IBM’s Sandy Carter announced their partnership with aPersona to provide AMFA protection to applications built on their billion dollar BlueMix platform. Since then, they have done integrations with TransCirrus to provide the only cloud-in-box solution with AMFA included to protect administrative credentials, OpenIAM to provide a single, cost-effective platform for AMFA and identity management, and many other integrations are in process.
aPersona's founder, Kelly Sparks, is no stranger to solving problems. With over a dozen patents to his name, the patent-pending behavioral and multi-factor analysis technology behind ASM allows it to have the lowest total cost of ownership (TCO) of any AMFA solution in the marketplace – and there aren't many. This is very complex stuff.
Designed from the ground up by a team with a background in financial and cloud application software, the ASM platform scales up well for very large user groups, has a very thin IT footprint (a big contributor to the low TCO), and supports passwordless authentication for mobile applications. The ASM is also multi-tenant out of the box, allowing IT service providers to deliver their own Authentication-as-a-Service.
“I’ve been in the cloud provider space since its inception,” said Kelly Sparks, IBM veteran and the founder and CEO of aPersona. “I was not comfortable with only a user name and password protecting administrative access for my customers. When I looked for a cost-effective solution, I couldn’t find one. So, we built the Adaptive Security Manager.”
If you have a large user base to protect or are just tired of the hassle and cost of tokens, aPersona’s ASM should be given serious consideration.