PREDICTIVE INTELLIGENCE
Simplifying eight key authentication terms
Industry jargon around authentication is practically inescapable. In today’s threat landscape, there’s certainly justification for keeping these topics front-of-mind and sparking conversation. Axel Hauer, Director EMEA Enterprise Sales, IAMS at HID Global, says: “When authentication concepts start to get a little tangled, it can be hard to know if you’re speaking the same language as everyone else. Simplifying key terms is important to understand what they really mean, so you’ll see just how complex the world of authentication can be.”
1. Strong authentication
Strong authentication is one of those industry terms that has been overused in so many contexts that its significance has been blurred.
Many people consider strong authentication to be the same as multi-factor authentication (MFA) or two-factor authentication (2FA), but if you examine the European Central Bank’s standards for strong customer authentication, there are a few more hoops to jump through than just having more than one factor:
• There have to be at least two methods used to authenticate. These two methods should come from these three categories: something only the user knows, something only the user has or something only the user is.
• The methods used have to be independent of one another, meaning if one is breached, the others aren’t automatically compromised. One also has to be non-replicable (unable to be duplicated), unable to be stolen through online means and not reusable.
www.intelligentciso.com | Issue 23
Here’s a caveat, though: this term, like any term based (however loosely) on codified standards, can be a double-edged sword. Just because you’ve complied with standards doesn’t mean you’ve chosen the most secure or appropriate mix of authentication factors for your organisation. Compliance matters, but strategy and thoughtful implementation matter too.
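As an added illustration (not code from the article or from HID Global), here is a small Python checker that applies the criteria listed above to a proposed set of factors. The three categories come from the text; the independence model (factors that share a `depends_on` asset fall together) and the properties given to the sample factors are my assumptions.

```python
from dataclasses import dataclass

# The three factor categories named in the text.
CATEGORIES = {"knows", "has", "is"}

@dataclass(frozen=True)
class Factor:
    name: str
    category: str                   # "knows", "has" or "is"
    # Assumed independence model (my addition): the assets whose compromise
    # breaks this factor; two factors sharing an asset fall together.
    depends_on: frozenset
    replicable: bool = False        # can the factor be duplicated?
    stealable_online: bool = False  # can it be taken remotely?
    reusable: bool = False          # does a captured value work again?

def evaluate(factors):
    """Return the list of criteria the factor set fails (empty = all met)."""
    for f in factors:
        if f.category not in CATEGORIES:
            raise ValueError(f"unknown category {f.category!r} for {f.name}")
    failures = []
    if len(factors) < 2:
        failures.append("fewer than two methods")
    if len({f.category for f in factors}) < 2:
        failures.append("methods do not come from two distinct categories")
    for i, a in enumerate(factors):
        for b in factors[i + 1:]:
            shared = a.depends_on & b.depends_on
            if shared:
                failures.append(f"{a.name} and {b.name} not independent: "
                                f"both rely on {', '.join(sorted(shared))}")
    if not any(not (f.replicable or f.stealable_online or f.reusable)
               for f in factors):
        failures.append("no method is non-replicable, safe from online theft "
                        "and non-reusable")
    return failures

# Constructed sample factors; their properties are illustrative assumptions.
PASSWORD = Factor("password", "knows", frozenset({"credential-store"}),
                  replicable=True, stealable_online=True, reusable=True)
VAULT_PASSWORD = Factor("vault-password", "knows", frozenset({"phone"}),
                        replicable=True, stealable_online=True, reusable=True)
SMS_CODE = Factor("sms-otp", "has", frozenset({"phone"}), stealable_online=True)
FIDO_KEY = Factor("fido2-key", "has", frozenset({"hardware-key"}))

if __name__ == "__main__":
    for combo in ([PASSWORD, VAULT_PASSWORD], [VAULT_PASSWORD, SMS_CODE],
                  [PASSWORD, SMS_CODE], [PASSWORD, FIDO_KEY]):
        print([f.name for f in combo], evaluate(combo) or "meets all criteria")
```

The password-plus-SMS case shows the caveat in practice: it has two factors from two categories, yet still misses the non-replicable, non-reusable requirement.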
2. Authorisation creep
To understand the problem posed by authorisation creep, you first need to understand the difference between authentication and authorisation. Authentication is when a system determines that you are who you say you are. Authorisation is when the system determines what you have the right to do within the given network or application, given your authenticated identity. That’s where things can get tricky.
The problem with authorisation creep, also called privilege creep, is that the threat it poses to your organisation will typically have nothing to do with the strength of your authentication, but instead is all about your policies, oversight and the ease of managing your