Sadly, most of us still authenticate to on-line banking and retail services using passwords. This is not surprising, given the resilience of passwords, their high level of interoperability, and their low cost. But recent advances in the accuracy and dependability of biometrics, combined with improvements in their underlying infrastructure support, make biometrics a viable option for many new and existing authentication needs. Programmable biometric authentication, in particular, offers a glimpse into a future where adaptive, contextual security validates our identities in a snap. I had the great pleasure to spend time with Rakesh Loonkar, Co-Founder and President of Transmit Security, in advance of the 2017 TAG Cyber Security Annual. I asked Rakesh to share his expert views on this important aspect of cyber security and modern authentication. Here is a digest of our conversation:
EA: Rakesh, should enterprise security teams start the process of getting rid of passwords from their applications and systems?
RL: I think that total removal of passwords from an enterprise may be an unrealistic goal, but everyone knows that biometrics can be more secure and a better option for many types of business and security requirements. At Transmit Security, we’ve tried to make this transition simple and easy for technologies such as eye recognition, voice recognition, facial recognition, fingerprint, and all different flavors of one-time passwords. Years ago, these seemed like technologies appropriate for use as NASA or a high-security government agency. But today they can be integrated into virtually any IT environment – and that is exciting.
EA: Have biometric factors gotten to the point where they are sufficiently accurate to serve as truly trusted means for accessing bank accounts and other important assets?
RL: The biometric accuracy is not the issue – this technology works in a dependable and secure manner. The problem is that when passwords and other weaker forms of authentication are used to enroll fingerprint users. This enables the convenience of using biometrics, and that might be just fine for some applications. But in places where the security is paramount, Transmit’s solution helps ensure end-to-end secure authentication for users, and that includes registration.
EA: How does adaptive authentication work?
RL: First, adaptive authentication is a generic term that historically has been applied to the combination of an authenticator with a device ID. Enterprises have an issue implementing truly adaptive authentication for two reasons. First, it’s very difficult for enterprises to hard-code every exception and orchestration use-case into their applications, and second, as new modalities of context become available on the market, the internal costs to acquire, integrate, and orchestrate the output of these tools are very high – typically in the millions of dollars for a large enterprise. When enterprises consider adaptive authentication, they should be thinking about how to eliminate most of the internal software development steps, to add new context, and to change an authentication process in any live application, for any reason, in a matter of minutes or hours. That would be truly changing the game.
EA: What does it mean for an authentication system to be programmable?
RL: Programmable implies that you can go from requirements to implementation in minutes without re-coding applications. That means that you can go from delivery times of months or years for identity related projects, to just a matter of minutes. Programmable authentication, as we have implemented at Transmit Security, allows for an enterprise to build and adjust the logic of biometrics, device level authenticators, context, and anti-fraud indicators. Programmability allows security and IT teams to basically off-load the work of embedding authenticators into every application, which can be a monumental task. Instead, all this logic can be abstracted out of the application and can make use of a common API for authentication and provisioning tasks. Furthermore, programmability supports selection of authenticators and anti-fraud tools based on the needs of users and the business. This allows for application owners to literally select their desired approach, whether it be facial, voice, eye, OTP, push notification, or some other means. Adaptive context can then be added and combined with behavioral profiling to create a super-secure environment with an awesome user experience.
EA: How does the analytic process integrate with authentication? Does this require connectors between tools like the SIEM and the authentication platform?
RL: You certainly could connect these different platforms, and we have many customers that do. But the Transmit Platform includes native support for behavioral learning. Users simply provide information about profile targets, and the solution automatically combines information about devices, access times, location, transactions, and other factors. The idea is that each user would be associated with a profile based on their behavior, and this would allow business owners to keep thing secure, and to also keep users happy. The alternative for the enterprise would be to procure multiple systems, and to perform the integration themselves. This typically leads to several multiples of higher costs and horrible delivery times of even basic functionality.
EA: If a company already has an authentication solution in place, do they generally have to toss the whole thing to make improvements? Or can they do something incrementally to increase strength and options for users?
RL: That’s a good question, but in general, enterprise security and IT teams rarely must toss entire systems to support better authentication. The Transmit platform is designed with a simple interface that works with new and existing systems to avoid precisely that situation. No team likes to remove systems that have been invested in and nurtured. The better option is to integrate, and we can do this for new and existing identity and access management, applications, systems, and network infrastructure. And this also goes for security analysis solutions and processes. Everything should work together. However, we are finding that over time, enterprises want to consolidate their many systems, because they are priced at a premium. So, we see customers implement our platform for one function, but then use more of the platform functionality as they see the value.
EA: You referred to your solution as being omni-channel in certain marketing literature. What do you mean by that?
RL: We’re supporting all the mobile device level authenticators that everyone is thinking about and we allow any enterprise to connect them with risk processing in the middle to their channel applications. Examples of these applications could be the call center (such as IVR), the branch or store, an ATM or Kiosk, and of course the web and mobile applications they own. Enterprises want to be able to offer their users a unified user experience for identity across all these channels. The Transmit platform, after a relatively easy one-time integration, allows any enterprise to implement thousands of use cases in any specific channel and across many channels. For example, if you want to use iBeacon in a branch, then no problem. If you want to use eye recognition to verify a user for call center verification, then no problem. I can get more sophisticated here, but you get the point. All these use cases can be engineered and implemented in a matter of minutes.