Here is a list of best practices that, if followed, will strike the right balance between security and
usability:

Biometric-grade authentication – Move beyond two-factor. Today's web, mobile and cloud
authentication relies on what the user knows (e.g. a password) or has (e.g. a mobile device).
Add a biometric-grade factor based on who the user is. Unlike a password, it is not a secret the
user can give away, reuse or be phished out of; bear in mind, though, that a stored biometric
template cannot be changed if it is exposed, so the data behind the factor must be protected
with at least the care given to credentials.

Transparent authentication – Make authentication frictionless. The driving force behind a
successful online application is usability; think of Amazon's "1-click buy". Stop piling on
security controls that demand user action. Instead, look for behind-the-scenes authentication
and intruder-detection controls that draw on behavioral, device and network information
collected in the background.

No enrolment – Simplify enrolment. Strong authentication mechanisms burden users with active
enrolment: answering secret questions, setting up SMS two-factor authentication, recording voice
samples. Look into passive biometric controls that build their profile from normal use and
require no enrolment step.

Address consumer concerns about PII breaches – Minimize the personally identifiable
information (PII) you collect. If you consider biometrics, take into account that users may object
to your collecting and storing biometric identifiers such as fingerprints or facial-recognition
data, for fear that the data will be stolen and reused elsewhere. Look at emerging technologies
such as cognitive biometrics, whose profiles are context-specific to your application and cannot
be used outside it.

Continuous risk management – Don't stop at protecting the gateway. Advanced cyber-attacks
wait for the user to authenticate successfully (whatever the number of factors) and then
piggyback on the authenticated session. Using in-session social engineering, cybercriminals get
the user to do virtually anything they need and to pass any challenge. Look at continuous
authentication options that keep evaluating the session after login.

Detect criminal behavior – Defense-in-depth strategies prescribe a layered approach;
authentication cannot be the sole control preventing unauthorized access to online applications.
Past account-takeover attempts show that criminals exhibit behaviors that are uncommon among
genuine users. By analyzing and profiling criminal access patterns, security teams can be alerted
to suspicious activity and mitigate the risk by denying access, limiting functionality or
requiring stronger step-up authentication.
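To make the transparent-authentication, continuous-risk and criminal-behavior points concrete, here is a worked example of a small risk-based, continuous authentication engine. It is an illustration added to this page, not BioCatch's product or code: the profile fields, signal weights, decision thresholds, the user "ALICE", the device identifiers and the three event sequences are all assumptions constructed for the example. It shows background signals (device, country, typing cadence) scoring a login with no user-facing challenge, every later event being re-scored so that a session which moves to another device or network after a genuine login is cut off, and a graduated response (allow, limit, step-up, deny) with the triggering reasons recorded for the security team.

```python
"""Risk-based, continuous session authentication. Illustrative example added to
this article, not BioCatch code; weights, thresholds and events are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass
class UserProfile:
    known_devices: Set[str]
    usual_countries: Set[str]
    typing_ms_mean: float       # usual inter-keystroke interval (passive biometric)
    typing_ms_tolerance: float  # deviation still attributed to the genuine user

@dataclass
class Event:
    device_id: str
    country: str
    typing_ms: float            # inter-keystroke interval observed in this event
    action: str                 # "login", "view", "add_payee" or "transfer"
    amount: float = 0.0

HIGH_RISK_ACTIONS = {"add_payee", "transfer"}

# Illustrative signal weights; a production engine would learn these from data.
W_UNKNOWN_DEVICE, W_UNUSUAL_COUNTRY, W_CADENCE_OFF = 30, 25, 30
W_HIGH_RISK_ACTION, W_LARGE_AMOUNT, W_MID_SESSION_DRIFT = 15, 10, 40

def score_event(profile: UserProfile, ev: Event,
                login: Optional[Event] = None) -> Tuple[int, List[str]]:
    """Score one event against the profile; higher means more suspicious.
    `login` is the event that opened the session, so later events can be compared
    with the context that actually authenticated."""
    cadence_off = abs(ev.typing_ms - profile.typing_ms_mean) > profile.typing_ms_tolerance
    drifted = login is not None and (
        (ev.device_id, ev.country) != (login.device_id, login.country))
    checks = [  # (triggered, weight, reason)
        (ev.device_id not in profile.known_devices, W_UNKNOWN_DEVICE, "unknown device"),
        (ev.country not in profile.usual_countries, W_UNUSUAL_COUNTRY, "unusual country"),
        (cadence_off, W_CADENCE_OFF, "typing cadence off-profile"),
        (ev.action in HIGH_RISK_ACTIONS, W_HIGH_RISK_ACTION, "high-risk action"),
        (ev.action in HIGH_RISK_ACTIONS and ev.amount >= 1000, W_LARGE_AMOUNT, "large amount"),
        # Login was genuine but the session now arrives from another device or
        # network: the piggybacking pattern a login-only check never sees.
        (drifted, W_MID_SESSION_DRIFT, "device/network changed mid-session"),
    ]
    score = sum(weight for hit, weight, _ in checks if hit)
    reasons = [reason for hit, _, reason in checks if hit]
    return score, reasons

def decide(score: int) -> str:
    """Graduated response instead of a single pass/fail gate."""
    if score >= 70:
        return "deny"      # terminate the session
    if score >= 45:
        return "step_up"   # demand an extra factor for this action only
    if score >= 25:
        return "limit"     # read-only use; high-risk actions blocked
    return "allow"

class Session:
    """Re-scores every event after login, not just the login itself."""
    def __init__(self, profile: UserProfile):
        self.profile = profile
        self.login: Optional[Event] = None
        self.terminated = False
        self.trail: List[Tuple[str, int, str, List[str]]] = []  # for the SOC alert

    def handle(self, ev: Event) -> str:
        if self.terminated:
            return "deny"
        score, reasons = score_event(self.profile, ev, self.login)
        decision = decide(score)
        if decision == "deny":
            self.terminated = True
        elif self.login is None:
            self.login = ev            # remember the context that authenticated
        self.trail.append((ev.action, score, decision, reasons))
        return decision

def run_session(profile: UserProfile, events: List[Event]) -> List[str]:
    session = Session(profile)
    return [session.handle(ev) for ev in events]

# Constructed sample data: a hypothetical user and three sessions.
ALICE = UserProfile(known_devices={"dev-A1"}, usual_countries={"US"},
                    typing_ms_mean=180.0, typing_ms_tolerance=40.0)
GENUINE = [Event("dev-A1", "US", 175.0, "login"),
           Event("dev-A1", "US", 183.0, "view"),
           Event("dev-A1", "US", 178.0, "transfer", 200.0)]
NEW_PHONE = [Event("dev-X9", "US", 182.0, "login"),     # genuine user, unknown device
             Event("dev-X9", "US", 179.0, "view"),
             Event("dev-X9", "US", 185.0, "transfer", 200.0)]
PIGGYBACK = [Event("dev-A1", "US", 178.0, "login"),     # real user authenticates ...
             Event("dev-A1", "US", 181.0, "view"),
             Event("dev-Z0", "RO", 95.0, "add_payee"),  # ... then the session moves
             Event("dev-Z0", "RO", 90.0, "transfer", 5000.0)]
```

Calling run_session(ALICE, ...) on each constructed sequence illustrates the three points: the genuine session is allowed throughout with no challenge; the same user on an unknown phone is silently limited to read-only use and is only asked for a step-up factor at the moment they attempt a transfer; and the piggybacked session, which was opened legitimately, is denied as soon as it continues from a different device and country with an off-profile typing cadence, so the follow-on transfer never happens. The trail kept on the Session object carries the score and reasons for each decision, which is what the security team would be alerted on.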



BioCatch is a leading provider of Cognitive Biometrics and Authentication solutions for Mobile
and Web applications. Available as a cloud-based solution, BioCatch proactively collects and
analyzes more than 400 bio-behavioral, cognitive and physiological parameters to generate a
unique user profile. BioCatch authenticates users based on the way they interact with online
and mobile applications. Unlike other biometrics solutions, our disruptive approach is totally

Cyber Warnings E-Magazine – CTIA Special Edition, September 2014
Copyright © Cyber Defense Magazine, All rights reserved worldwide