In our latest posts, we described how context and continuity are essential components of a dynamic authentication platform. In this installment we’ll explain the third key characteristic of dynamic authentication. That is, it must be complementary.
As noted in iovation's latest white paper, “Dynamic Authentication: Aligning the Authentication Experience with Risk, Reputation and Reward,” an important facet of dynamic authentication is the need for disparate authentication technologies to work closely together, as the authentication system makes decisions about which method suits the risk/request scenario currently being faced.
For example, next-generation multi-factor authentication solutions can leverage a common platform, usually a mobile app, to provide multiple authentication methods such as personal identification numbers, graphic pattern codes or biometrics.
There are plenty of other examples, as described in the white paper:
- Device-based authentication leverages data from a user’s device, along with rich contextual data, to provide an additional layer of security while removing friction from the user experience.
- Mobile one-time passwords also leverage the mobile platform, but deliver the code out of band of the primary request.
- Knowledge-based authentication asks for a password, code or secret information that has been previously shared.
Each of these methods has its own pros and cons, and different levels of assurance can be assigned to them. In the dynamic authentication model, they all work together.
There might be enough confidence in a device’s digital fingerprint, and low enough risk in the request, to allow access based on that method alone. If the risk is higher or the integrity of the device is in question, the request could immediately be handed off to the multifactor solution, which might then prompt for the user’s physical fingerprint or another user authentication factor determined by the business.
A system composed of usernames and passwords could, if too much time has elapsed since the last login, leverage SMS or push technology to send a confirmation message to a mobile device, such as an application response or a text message. It’s worth noting, however, that this method is being used less these days due to man-in-the-middle risks (and per recent guidelines provided by the National Institute of Standards and Technology).
As the white paper points out, dynamic authentication requires some form of policy manager or decisioning engine that evaluates the request and its risk, and provides overall situational awareness in order to invoke the appropriate authentication solution.
This can be a static policy based on rules or an automated decision based on machine learning, which compares returning devices with known device profiles and calculates rates of acceptable change.
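The following is an added example of the static, rule-based form of such a policy manager, written for this post and not taken from iovation's product or the white paper. It assumes an illustrative assurance ladder (device fingerprint, password, out-of-band OTP, app-based MFA), assumed risk thresholds, and a constructed `AuthRequest` record carrying the signals the text mentions: request risk, device fingerprint confidence, device integrity, and time since last login. It then picks the least intrusive method the business has configured that still meets the required assurance, stepping up to the next available solution when the preferred one is not offered.

```python
"""Added example: a rule-based decisioning engine for dynamic authentication.

Assurance levels, thresholds and method names are illustrative assumptions,
not any vendor's actual policy logic.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Assumed assurance ladder: higher means more confidence in the user."""
    DEVICE = 1      # passive: device fingerprint plus contextual data
    KNOWLEDGE = 2   # password or previously shared secret
    OOB_OTP = 3     # out-of-band one-time password via SMS or push
    MFA_APP = 4     # app-based MFA: PIN, graphic pattern or biometric


# Assumed mapping from assurance level to the solution that is invoked.
METHOD_FOR_LEVEL = {
    Assurance.DEVICE: "device_fingerprint",
    Assurance.KNOWLEDGE: "password",
    Assurance.OOB_OTP: "push_otp",
    Assurance.MFA_APP: "mfa_app_biometric",
}


@dataclass(frozen=True)
class AuthRequest:
    """Risk signals available at decision time (constructed fields)."""
    request_risk: float            # 0.0 (benign) .. 1.0 (hostile), from context signals
    fingerprint_confidence: float  # 0.0 .. 1.0, how well the device matches its known profile
    device_integrity_ok: bool      # False if tampering, rooting or emulation was detected
    days_since_last_login: int


@dataclass(frozen=True)
class Decision:
    level: Assurance
    method: str
    reason: str


def required_assurance(req: AuthRequest) -> tuple[Assurance, str]:
    """Static rule policy mapping risk signals to the minimum assurance needed.

    Rules run from most to least restrictive, so a single strong risk signal
    forces step-up regardless of how benign the other signals look.
    """
    if not req.device_integrity_ok:
        return Assurance.MFA_APP, "device integrity in question"
    if req.request_risk >= 0.7:                      # assumed high-risk threshold
        return Assurance.MFA_APP, "high request risk"
    if req.days_since_last_login > 30:               # assumed staleness window
        return Assurance.OOB_OTP, "too long since last login; confirm out of band"
    if req.request_risk < 0.2 and req.fingerprint_confidence >= 0.9:
        return Assurance.DEVICE, "trusted device and low risk; passive auth suffices"
    return Assurance.KNOWLEDGE, "moderate risk; password required"


def select_method(req: AuthRequest, available: frozenset[str]) -> Decision:
    """Invoke the lowest-assurance configured method at or above the required level.

    This is where the solutions complement each other: if the preferred
    method is not configured, the engine steps up to the next one rather
    than silently accepting weaker assurance.
    """
    needed, reason = required_assurance(req)
    for level in sorted(Assurance):
        if level < needed:
            continue
        method = METHOD_FOR_LEVEL[level]
        if method in available:
            return Decision(level, method, reason)
    raise LookupError(f"no configured method meets assurance level {needed.name}")


if __name__ == "__main__":
    everything = frozenset(METHOD_FOR_LEVEL.values())
    # Constructed sample requests covering the scenarios described above.
    samples = {
        "returning trusted device": AuthRequest(0.1, 0.95, True, 2),
        "tampered device":          AuthRequest(0.1, 0.95, False, 2),
        "stale login":              AuthRequest(0.1, 0.95, True, 45),
        "unfamiliar device":        AuthRequest(0.4, 0.50, True, 2),
        "high-risk request":        AuthRequest(0.8, 0.99, True, 1),
    }
    for label, req in samples.items():
        d = select_method(req, everything)
        print(f"{label:26} -> {d.method:20} ({d.reason})")
```

The ordering of rules is the security-relevant design choice: integrity and high-risk checks come first so that a well-matched fingerprint or a recent login can never downgrade a request that a stronger signal says deserves step-up.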
So as we’ve seen, a dynamic authentication system is contextual, with a keen awareness of all risk signals surrounding an authentication request; continuous, ignoring the padlocked single-gate paradigm in favor of a model that has many different gates and doors that all require greater or lesser assurance; and complementary, melding together multiple authentication solutions ranging from fully passive to highly interactive, and potentially adding real-time authorization as well.
Want to learn more about why being complementary is such an important part of dynamic authentication? Check out the white paper at: https://www.iovation.com/resources/white-papers/align-authentication-with-risk-reputation-and-reward