Authentication as risk management

Strong Authentication has become an issue of "risk management." Traditionally, authentication has been a binary problem with a binary answer -- you are or are not authenticated. But recent "guidance" (which is fancy government way of saying, "do it or else") by the FFIEC has changed all of that in the online banking and brokerage space (and I'm sure the ripples will be felt elsewhere).

The guidance made the financial institutions see that strong authentication ("strong auth" for short) was a risk management problem by telling them that they needed to A) perform a risk analysis and then B) arrange for authentication methods that were suited to the risk level of the interaction. In other words, different interactions and transactions could have different authentication mechanisms.

I recently spoke with Corillian (and specifically their Chief Security Executive, Greg Hughes) about all of this.

Corillian is one of those interesting companies that you hardly ever hear about: several hundred financial institutions as customers; running back-end, financial-industry-specific software; aware of all of the stringent requirements of financial institutions. So, it's not like Corillian is just "getting into the game"; it's more like they're adding to an already deep bench. They're adding their Intelligent Authentication product.

The interesting thing about Intelligent Authentication is that it begins by recognizing the risk management approach to strong authentication. Accordingly, it uses a variety of methods to authenticate you based upon the interaction (or transaction) that you're having. These methods include: client OS and browser checks, behavioral pattern analysis, geo-location (via a partnership with Quova), challenge and response questions (chosen by the customer), and my favorite - out-of-band phone authentication (via a partnership with StrikeForce).

Suddenly, strong auth really is a "layering" solution: just coming to the home page, no authentication necessary; logging in to your account for the thirty-third time, welcome Mr. Norlin; logging in from Grandma's house on an old Netscape browser, please verify the last horrible movie you saw in a theater; logged in and wanting to transfer 10,000 dollars from savings to checking, your cellphone rings and asks for PIN verification. The authentication fits the circumstance. The authentication is a function of the risk being taken, and not an on/off switch that is flipped as someone "enters a domain."
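To make the layering concrete, here is a small risk-scored step-up policy written for this post; it is an added example, not Corillian's code or anything from the Intelligent Authentication product. The signal names (`known_device`, `geo_matches_history`, `typical_hour`, `prior_logins`), the score weights and the 5,000-dollar threshold are all assumptions chosen so that the four scenarios above fall into four different tiers.

```python
"""Risk-based step-up authentication: the factors demanded depend on the
interaction and the signals around it, not on a single login gate.
Added illustrative code; every weight and threshold is an assumption."""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    PASSWORD = "password"
    CHALLENGE_QUESTION = "challenge_question"  # customer-chosen question
    OUT_OF_BAND_PHONE = "out_of_band_phone"    # PIN confirmed over a phone call


@dataclass
class Context:
    """Signals available at decision time (field names are assumptions)."""
    action: str                        # "view_home", "login" or "transfer"
    amount: float = 0.0                # transfer amount; 0 for non-transfers
    known_device: bool = True          # OS/browser fingerprint seen before
    geo_matches_history: bool = True   # location consistent with past sessions
    prior_logins: int = 0              # how much behavioural baseline exists
    typical_hour: bool = True          # inside the customer's usual activity window


HIGH_VALUE_TRANSFER = 5000.0           # assumed cut-off for mandatory out-of-band


def risk_score(ctx: Context) -> int:
    """Additive risk score; the weights are illustrative, not tuned."""
    score = 0
    if not ctx.known_device:           # client OS / browser check failed
        score += 30
    if not ctx.geo_matches_history:    # geo-location disagrees with history
        score += 25
    if not ctx.typical_hour:           # behavioural pattern deviation
        score += 10
    if ctx.prior_logins < 3:           # too little history to trust a baseline
        score += 10
    if ctx.action == "transfer":
        score += 20
        if ctx.amount >= HIGH_VALUE_TRANSFER:
            score += 30
    return score


def required_factors(ctx: Context) -> list[Factor]:
    """Map the risk tier to the factors this interaction must satisfy."""
    if ctx.action == "view_home":
        return []                      # public page: no authentication at all
    factors = [Factor.PASSWORD]
    score = risk_score(ctx)
    high_value = ctx.action == "transfer" and ctx.amount >= HIGH_VALUE_TRANSFER
    if score >= 60 or high_value:
        factors.append(Factor.OUT_OF_BAND_PHONE)
    elif score >= 30:
        factors.append(Factor.CHALLENGE_QUESTION)
    return factors


def still_required(ctx: Context, completed: set[Factor]) -> list[Factor]:
    """Step-up: only ask for factors not already satisfied in this session."""
    return [f for f in required_factors(ctx) if f not in completed]


if __name__ == "__main__":
    # Constructed scenarios mirroring the post's four cases.
    scenarios = {
        "home page": Context(action="view_home"),
        "33rd login, usual device": Context(action="login", prior_logins=33),
        "login from Grandma's old browser": Context(
            action="login", known_device=False, geo_matches_history=False,
            prior_logins=33),
        "$10,000 transfer while logged in": Context(
            action="transfer", amount=10000, prior_logins=33),
    }
    for name, ctx in scenarios.items():
        already = {Factor.PASSWORD} if ctx.action == "transfer" else set()
        print(f"{name}: score={risk_score(ctx)}, "
              f"ask for {[f.value for f in still_required(ctx, already)]}")
```

The point of `still_required` is that the phone call for the transfer is a step-up on top of an existing session, not a second login: the password was already supplied, so only the out-of-band factor is requested. In a real deployment the weights would come from the institution's own risk analysis, which is exactly the step the guidance asks for.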

What all of this really speaks to is the fact that metaphors of identity lie at the core of a risk management approach to authentication. In a world where strong auth is simply a binary decision, your only option is to build bigger walls and deeper moats -- i.e., you're living in an outdated, security-driven paradigm. But in a world where I can intelligently make individual decisions according to individual patterns based upon dynamic activities and attributes, now I'm living in a world based on "identity first." The difference is dramatic and necessary. Strong authentication no longer needs to carry the "hurdle" of "user adoption." Rather, all hurdles are now placed back where they should be - on the service provider (as they choose the parameters and mechanisms for risk management).

One last note that's important with regard to Corillian. It's not widely known yet, but Corillian's Intelligent Authentication suite has been outfitted to work with InfoCards -- Microsoft's forthcoming "identity selector," which is based on the work of Kim Cameron. This is (of course) good for Corillian, but I view it as even more important to InfoCards. The more that InfoCards becomes a serious mechanism for all levels of "identity-risk" on the internet, the more important it will become.