Without context, how can you be sure of your users’ identities?
Continuous identity assurance improves security posture and user experience, but it’s only possible when the identity proofing and user authentication teams incorporate signals from their colleagues in online fraud detection.
So far, we’ve explored the converging nature of identity assurance across three business functions that have, historically, been isolated from each other: identity proofing, user authentication, and online fraud detection.
Once a linear process, identity assurance now demands continuity. The three teams will have to collaborate as one, not as discrete points in a one-way sequence.
Continuity implies the passage of time and changes in circumstance: users move across cities and continents, acquire new devices and give up old ones, grow their social-media footprints, and otherwise go about their digital lives.
In the linear model of identity assurance, the identity proofing and user authentication teams haven’t had to account for this change. Their roles were executed with finite snapshots of the user. That’s incompatible with the nature of continuous identity assurance and its driving imperatives.
Now, to determine if an identity can be trusted with some account privileges, identity proofing and user authentication leaders need context.
What context means to identity assurance
According to Gartner’s new report on establishing and sustaining trust in digital identities, context brings two benefits to the enterprise. First, it helps establish an appropriate level of trust in the user’s identity, as defined by the use case and the enterprise's risk appetite. Second, context removes the "burden of proof" from the user by taking an adaptive approach that minimizes the use of intrusive authentication methods. (We call this dynamic authentication.)
If you’re responsible for identity and access management, fraud prevention, or identity proofing in your organization, this report is a must-read. Get your free copy here.
Gartner clarifies the composition of context in their Trusted Identity Capabilities Model. They describe four types of ‘signals’ as contributing to the context necessary to maintain trust in an identity:
|Attack signals||Familiarity signals||Risk signals||Anomalies|
|Device, location spoofing||Trusted device, location||Malware/Jailbreak detection||Other deviations from normal behaviors|
|Nonhuman behavior||Entity link analysis||Short phone/email lifetime|
|Human-farm behavior||Social footprint (“Internet life”)||Anonymity|
|Attacker-like behavior||Normal behaviors||Location mismatch|
|Probing||Passive biometric modes|
In the linear model of identity assurance, these signals haven’t been useful to the identity proofing and user authentication teams. A binary worldview was sufficient:
Can the user provide valid credentials? If so, create an account and assign privileges.
Can the user provide the correct username and password? If so, grant access to the account.
In that model, the enterprise just needed a hard perimeter and an ability to identify and repair damage to that perimeter quickly.
But the world isn’t binary. Users are tired of this treatment. Fraudsters have shown they can pass through the hard perimeter. It doesn’t make sense to challenge all users with the same authentication methods for all tasks.
The risk is relative and slippery. How do you assess and address the risk of the transaction, user and device in real-time? With flexibility rooted in context.
The fraud team has all the context you could want
Identity proofing and user authentication don’t have to look far for the context they need. For years now, the online fraud detection team has been monitoring in real time for anomalies and various elements of attack-, familiar-, and risk-signals to reach an informed decision about suspicious users, transactions and accounts.
If you can combine continuous identity assurance at any point in the user journey with context, you're on your way to dynamic authentication. That enables you to calibrate the level of authentication to the circumstances. Using risk-appropriate authentication only when it’s needed allows you to preserve a smooth user experience for longer periods, which improves brand image and results in greater user acceptance. It also yields a superior position to prevent fraud and maintain information security.
For more on this, and what it means for you and your organization, get your copy of Gartner’s new report and watch for our upcoming webinars, where we’ll continue this conversation.