General precautionary advice has always focused on user password strength and uniqueness, both of which have largely been resisted by end users. In the Enterprise sector, administrative policy has enforced both password strength and regular password changes on users.
Most major service providers have implemented technology-based solutions such as two-factor authentication to provide defence at the individual user account level. Such solutions have failed the test of user acceptance because of their unfriendly experience. The result has been that these higher levels of security have been offered as user options only, to avoid the negative perceptions that enforcement would bring. Service providers have waited for the big incident that would provide the opportunity to enforce higher levels of user security whilst gaining the PR advantage of responding quickly with constructive help.
Packaging of password replacement access methods has gathered pace, with the formation of the Fast Identity Online (FIDO) Alliance to encourage interoperability between different strong authentication methods. The FIDO consortium includes PayPal, Lenovo and Google, and the first release was Google’s Security Key, a USB U2F key device supported by the Chrome browser and intended to replace the far from reliable and already compromised delivery of one-time passwords (OTPs) to a specified mobile phone. FIDO intends to support a full range of authentication delivery technologies including biometrics, embedded Secure Elements (eSE), Smart Cards, NFC and Trusted Platform Modules.
An alternative is the widespread adoption of a single alternative method, such as low cost integrated fingerprint sensors in terminal equipment. The true performance of these sensors in widespread deployment has still to be fully evaluated, but end user experience issues could arise around the balance achieved between False Accept Rate (FAR) and False Reject Rate (FRR). The coordinate data of a captured fingerprint still has to be compared against a stored reference, and this reference information must be securely stored yet easily and quickly accessed to perform authentication. An additional test for the low cost sensors is that fingerprints are widely available, so their usefulness will be determined by the level of anti-spoofing protection achieved.
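The FAR/FRR balance mentioned above is a threshold trade-off on the matcher's similarity score: raising the threshold rejects more impostors (lower FAR) but also rejects more legitimate users (higher FRR). The following added example, which is not code from the article or from any sensor vendor, computes both rates from constructed matcher scores and locates the threshold where they are closest (the equal error rate point). The score values, the range of 0 to 1 and the function names are all assumptions made for the illustration.

```python
# Added example (not from the article): FAR vs FRR trade-off for a biometric
# matcher, computed from constructed similarity scores in the range [0, 1].
from typing import Sequence, Tuple

# Constructed sample scores. Genuine = a user's finger compared with their own
# stored reference; impostor = a different finger compared with that reference.
# Real deployments would collect many thousands of such comparisons.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.72, 0.83, 0.67, 0.90, 0.79, 0.86, 0.58]
IMPOSTOR_SCORES = [0.12, 0.35, 0.08, 0.41, 0.22, 0.63, 0.17, 0.29, 0.05, 0.48]


def false_accept_rate(impostor: Sequence[float], threshold: float) -> float:
    """Fraction of impostor attempts scoring at or above the threshold (wrongly accepted)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def false_reject_rate(genuine: Sequence[float], threshold: float) -> float:
    """Fraction of genuine attempts scoring below the threshold (wrongly rejected)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def rates_at(genuine: Sequence[float], impostor: Sequence[float],
             threshold: float) -> Tuple[float, float]:
    """Return (FAR, FRR) for a given acceptance threshold."""
    return (false_accept_rate(impostor, threshold),
            false_reject_rate(genuine, threshold))


def equal_error_threshold(genuine: Sequence[float], impostor: Sequence[float],
                          steps: int = 100) -> float:
    """Sweep thresholds over [0, 1] and return the first one minimising |FAR - FRR|.

    This approximates the equal error rate (EER) operating point, a common
    single-number summary of a biometric matcher's accuracy.
    """
    best_t, best_gap = 0.0, float("inf")
    for i in range(steps + 1):
        t = i / steps
        far, frr = rates_at(genuine, impostor, t)
        gap = abs(far - frr)
        if gap < best_gap:
            best_gap, best_t = gap, t
    return best_t


if __name__ == "__main__":
    # Show how moving the threshold trades security (FAR) against usability (FRR).
    for t in (0.5, 0.6, 0.7):
        far, frr = rates_at(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    print(f"approximate EER threshold: {equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES):.2f}")
```

On the constructed data a lenient threshold of 0.5 accepts one impostor in ten while rejecting no genuine users, whereas a strict threshold of 0.7 accepts no impostors but rejects two genuine users in ten; a vendor choosing the operating point is choosing between those two complaints. Note that these rates say nothing about presentation attacks: a spoof made from a lifted print is scored as a "genuine" comparison by the matcher, which is why anti-spoofing has to be evaluated separately.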
The intention is to remove the unrealistic expectation that end users will create and remember a different strong password for every service they use. In reality it is an effort to protect end users from themselves, but how is this likely to play out?
At present end users control their own access through their password management. Replacing the password is likely to require different authentication methods depending on the type of access device used. As an example, the Google Security Key will be fine with my desktop or laptop with USB sockets, but how does this work for my tablet or smartphone? Will I use a mixture of methods, or will I access my laptop, tablet and smartphone using the different fingerprint sensor authentication methods provided by each equipment vendor? If the authentication fails, exactly who do I contact to resolve the issue? Enterprise help desks already know the problem, but anonymous high-volume web sites hiding behind FAQs will experience a backlash if they adopt the wide scale “hands off” approach of password lockout.
Whilst end users generally welcome the concept of third-party security management in return for a simple, stress-free experience, do they really trust the service providers to deliver it?
In the Enterprise controlled environments considerable investments are being made to provide secure IT environments, encompassing physically remote mobile and cloud resources. A vast amount of marketing collateral and resources is focused on communicating different strategies and methods to achieve defence against the continually moving threats.
An increasing number of employees feel that security policies are inhibiting innovation and collaboration and making it harder for them to do their job effectively, to the point where some employees take steps to circumvent the policy by using uncontrolled external resources such as Dropbox. This calls for a new concept of security policy: one that effectively defends the Enterprise from unwanted and damaging security breaches, but can also identify and adapt to different types of employee behaviour, removing the need for employees to adopt creative but unmonitored methods to achieve their work goals. This largely goes against the existing structure of security, which works with predefined environments and behaviours, so that the unknown is by definition the threat.
End users in both Enterprise and Consumer segments are exhibiting security and breach fatigue as yet another incident of compromised security, over which they have no control, is revealed. Often a new security control method is introduced after the event which may have technical virtues but has a poor user experience. This tends to reinforce the perception that security is being managed on a retrospective basis: one or more organisations are hacked, and others then take measures to avoid becoming victims of the same attack.
Ultimately end users want a security environment that is unobtrusive and flexible enough to accommodate their varied needs. They want minimum responsibility for its management, but want it provided by someone they consider trustworthy.
The challenge of providing unobtrusive security needs a solution to the dilemma put forward by Heraclitus (c.535 BC – 475 BC): “If you do not expect the unexpected, you will not find it; for it is hard to be sought out and difficult”. Is this a realistic goal? The financial industry in particular has been motivated by the measurable metric of fraud, and has achieved a reputation for implementing methods so secure that even the owners of the funds could not access them. New entrants have taken a fresh look at the problem and have found ways to actively manage the adoption of new financial methods, along with their unique risk profiles and fraud mitigation steps, whilst achieving good perceived levels of user flexibility.
One entrant was Amazon, adopting the “one click” checkout procedure and rejecting the 3-D Secure experience. In doing this they assumed the liability for fraud losses. Likewise, the online gambling industry has developed sophisticated methods to protect its extensive geographic online presence, accepting a large matrix of different local and international payment methods whilst actively managing fraud and money laundering requirements. These methods are intended to work with a user experience that allows bets to be placed even while the event is in progress. The flip side is that this approach only works where threat management can confine losses to a purely financial level. A certain level of financial loss can be accepted as a cost of doing business, but this is not generally the case with information.
Exactly who is considered trustworthy? Historically, certain categories of organisation have been regarded as inherently trustworthy. Projecting into the future, is this status likely to continue? Human nature tends to regard such a status as a challenge to intelligence, and the status in turn attracts attacks.
In addition there is the need to protect both customers and brand reputations. Increasingly the threat has adopted an indirect approach, gaining access to significant volumes of stored information that lie beyond user-level control. In the case of JPMorgan Chase, their SEC filing revealed that their breach compromised 76 million households and 7 million small business accounts. Suddenly the threat involves the consolidation of user profile information, allowing the possibility of background “identity cloning”. Further headlines have claimed breaches at Apple, Dropbox, eBay, mumsnet and Google, raising the public profile of the problem, with 1,500 confirmed breaches in 2013. LexisNexis, in their 2014 True Cost of Fraud Study, reported that in the USA the link between data breach and fraud victimisation had increased from nearly 1 in 9 consumers in 2010 to nearly 1 in 3 in 2013. Each breach increases the amount of individual information circulating and available to circumvent user profile checks.
This has introduced an additional consumer fear, over information privacy as well as security, resulting in an increased need to account for the information that third parties hold.
What is clear is that security management will need to take some innovative approaches in response to the increased sophistication of threats, which are becoming multi-threaded in their approach. In turn, end users will not accept security restrictions that limit their scope or the range of access devices they can use. Any measures will have to be implemented within an environment of diversity, as increasing use is made of geographically distributed and outsourced cloud solutions. The key will be to build security structures that work proactively against undefined threats, and so are always expecting the unexpected.