Security versus User Convenience
Whether we act as a consumer of a bank, an employee of an enterprise or a citizen, every day we consume a wide range of digital services that are more or less sensitive. Convenience is a key factor in the success of a service, but security matters as well, because no one wants to be impersonated or to suffer a financial loss from fraudulent use of their account. The main problem is that higher security usually comes with a degraded user experience. The challenge is finding the right trade-off between convenience and security.
But why should users spend time managing their digital security? Why should it be up to them to deal with security constraints enforced by service providers? What is the rationale for managing tens or even hundreds of passwords when they could simply use a single authentication method, such as a biometric sensor or a security key, to access all of these services?
From an end-user perspective, what users really care about is accessing services in the most convenient way so that their life is easier. All side actions such as identity verification, authentication and out-of-band confirmations are cumbersome and directly degrade the user experience. This is the challenge that service providers face: how can they provide a smooth user experience while ensuring a high level of trust and security? The ultimate goal would be for people to be continuously and silently authenticated, so that they can focus on using their digital services without the burden of handling security actions.
Optimize for Security Best Practices
A significant amount of effort has been made over the last few years to optimize the authentication experience with risk-evaluation techniques that adapt the level of authentication to the context (user's location, type of device, accessed application, action being performed, and so on). With the rapid growth of cloud services and of cyberattacks against them, risk-based adaptation alone is no longer good enough. Here are some of the security best practices that organizations should now take into consideration:
- User-centric solution design: the security design of a solution should start from user needs, rather than forcing users to cope with the constraints of the solution.
- No compromise on security: a well-designed user experience is an enabler for strong security, not a substitute for it.
- Unified experience across services: the authentication experience should be the same across all digital services, and it should remain under the control of the user.
- Delegated security: authentication should no longer be specific to each service provider. Instead, it should be handled on the client side and delegated to the device or authenticator vendor, enabling one-fits-all authentication methods (biometric sensors, security keys) that can be reused across many digital services.
- Smarter and continuous security: ecosystems are becoming extremely complex, and machine learning is needed to continuously monitor user activity and re-evaluate trust after login (also known as continuous authentication).
So why a Passwordless Experience?
A passwordless experience is not only a matter of getting rid of passwords. Rather, it is a global trend that addresses all of these new digital challenges while allowing users to choose how they authenticate in the most convenient way. Nevertheless, service providers still need some control: the ability to enforce security policies such as requiring a specific type of authenticator (e.g. hardware-backed authenticators using a secure element, or authenticators that perform user verification with a PIN or biometric sensor). In FIDO terms, the relying party expresses this by requesting user verification and by checking the authenticator's attestation and AAGUID at registration time.
Over the last few years, the FIDO Alliance has been promoting these concepts, which resulted in two complementary standards (together referred to as FIDO2) that ensure interoperability between service providers, OEM vendors and cybersecurity solutions. They are:
1. The FIDO Client-To-Authenticator Protocol (CTAP), which specifies the interface between the client platform (browser or operating system) on the user's device and a FIDO-compliant authenticator. Such authenticators may be:
a. roaming authenticators such as security keys, reached over different transports (e.g. USB, NFC, BLE)
b. platform authenticators built into equipment such as smartphones, tablets or laptops (e.g. embedded secure elements or TPMs, fingerprint sensors)
2. The W3C Web Authentication API (WebAuthn), which extends the browser's Credential Management API with navigator.credentials.create() and navigator.credentials.get() so that a web application can trigger registration and authentication against a local or roaming authenticator. OEM vendors provide their own SDKs and APIs to trigger the same ceremonies from native mobile applications. The API only runs the ceremony on the client: the relying party still has to verify the returned response on its server (challenge, origin, RP ID hash, user-presence and user-verification flags, signature counter and signature) before granting access.
Thales as a key contributor to this passwordless journey
At Thales, we play a key role in bringing this passwordless experience to the enterprise, for enhanced protection of data and identities in complex ecosystems.
Not only do we provide hardware tokens (e.g. FIDO devices in different form factors) on the client side, but we also provide the IAM platform as a service (SafeNet Trusted Access) that acts as the relying party, so that end-to-end protection is delivered.
This passwordless journey is part of a broader zero-trust trend, where enterprises need to regain visibility of their sensitive data (cf. Data Discovery & Classification), gain better control of access policies and an audit trail of who accessed what and when, and detect anomalies so that remediation actions (step-up authentication, data protection, and so on) can be enforced.