Posted by Eve Maler on March 24, 2014
Security and risk professionals know what to do with security vulnerabilities: we mitigate the risk directly as best we can, and put in place compensating controls when we can't change the underlying dynamic. But in the age of the customer, upping our game in authentication strategies has forced us to take a harder look at an area that, generally speaking, is not our specialty at all.
Last summer, Forrester published a Customer Authentication Assessment Framework that leveraged some exciting academic research called “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes” out of the University of Cambridge Computer Laboratory. (Gunnar Peterson has a recent post highlighting the arc and nature of these researchers' work, and even has a nice back-and-forth in the comments with contributor Cormac Herley of Microsoft Research.)
What I like about their work is that it walks right up to the "usability versus security" tradeoff -- and keeps going. They developed a 25-point system for understanding the various usability, deployability, and security (UDS) benefits of passwords and other authentication mechanisms, allowing a finer-grained look at what the potential problems are with each choice. Forrester's framework tweaks the criteria, resulting in a total of 26, and provides a way to weight each unique customer authentication scenario's requirements to give a nuanced view of which authentication methods have "soft spots" that deployers must take into account.
More recently, we completed an extensive authentication market overview report (and webinar), looking past the incumbent web password system to really dig into strong auth options for employees and customers alike, across web, mobile, and voice channels. Part 1 examines the seven trends and three generations we're seeing now. Part 2 assesses the inherent "UDS nature" of 40 -- count 'em -- solutions, which got tricky because to really understand how a solution looks, you need to pick a particular server-side and client-side "footprint." This research gives us tools to understand how different solutions fare across the generations (such as hard tokens versus one-time passwords sent by SMS) and types (various mixtures of mobile-fueled, biometric, risk-based, SaaS-backed, knowledge-based, and more). What's cool about the data underlying Part 2 is that you can combine it with the customer authentication model, generating what-if scenarios and heat maps for different customer populations, requirements, and solutions.
What does it all mean for those security pros who know passwords alone aren't going to solve their authentication problems?
What's your take? What solutions have you been considering? And what do you think are the upsides and downsides of our brave new authentication world? Let me know in the comments or on Twitter.