How Big Data Can Secure User Authentication
Big-data-based authentication is a security method that can verify a user's identity based simply on their usage data.
Password-based as well as two-factor and multi-factor authentication processes have not been able to provide protection to systems and data as well as was expected due to various reasons. Password-based authentication is too weak, and two-factor and multi-factor authentication processes have been rejected by users because of poor user experience.
Big-data-based authentication systems promise to offer both robust authentication and a good user experience. What sets them apart from other authentication systems is that they authenticate a user on the basis of multidimensional, regularly updated information collected about that user, rather than on a single secret. Multiple such products are already available on the market, and they are becoming popular. However, other systems have not been consigned to oblivion just yet, for various reasons. (To learn more about security methods, see What Enterprise Needs to Know About Identity and Access Management (IAM).)
Current Trends in User Authentication
In the user authentication domain today, traditional systems such as password-based systems are still in use, while novel methods such as big-data-based authentication are emerging. Traditional systems, for all their problems, persist because stronger authentication systems have seen lower acceptance and because newer models are hard to integrate with existing infrastructure. Some of the main trends in this domain are described below:
- Many companies offer a combination of password-based and multi-factor authentication systems, but the latter is optional for users because many find it inconvenient.
- Two-factor and multi-factor authentication, though better than a password-based system, have had limited adoption because of poor user experience.
- Many companies are using passive biometrics, in which data such as fingerprints, voice and facial features is collected from the user and used to authenticate them.
- Big data authentication is becoming popular because, much like biometric authentication, it collects data about users and builds a profile of each user without the user being aware of it. The profile is regularly updated and used to authenticate the user.
How the User Authentication Process Works
For all the innovations in this industry, the core principle of authentication systems remains the same: match user inputs with the available data in the system. The different authentication systems are described below:
- In the password-based system, the password provided by the user is matched against the one stored earlier in the database in an encrypted form.
- In the multi-factor system, the system matches multiple passwords — some of which are stored in the database and the remaining dynamically generated — with the inputs provided during the access request.
- In the biometric system, the system collects data from a person's voice, fingerprints or iris and uses that data to authenticate the user.
- In the big-data-based system, the system creates a profile of the user based on the data it regularly collects. It authenticates access requests by matching access inputs with the data in the profile.
Challenges in the Current Process
The main challenges in the current process are described below:
- Organizations have been facing a lot of financial and technical challenges in moving from purely password-based systems to more secure authentication systems. For example, in a huge enterprise with a lot of legacy systems, migrating from one process to another could be a nightmare.
- Multi-factor systems tend to mar the user experience, and users tend to avoid layered authentication if given the option. The challenge is to get users to follow the process while keeping the authentication system robust.
How Big Data Authentication Works
Big-data-based authentication systems create a profile of every valid user of a system from the data collected about that user. The user does not even know that the system has been collecting data. Whenever a request to access the system is sent, the authentication system matches the information collected at the time of the access request against the profile. Any mismatch or deviation from the profile could set off a warning about an unauthorized attempt. (For more on security, see The 7 Basic Principles of IT Security.)
Given the evolving nature of attacks, a big data authentication system has to perform fairly complex analysis. According to Don Gay, the chief security strategist of a user behavior analytics company, “With bad actors increasing the sophistication of their attacks, enterprises are having a difficult time pinpointing the threats and vulnerabilities that pose the largest risk.” The user data such a system collects can be varied, unstructured and complex, such as the following:
- Information-entering behavior: does the user use a physical keyboard or a virtual keyboard provided on the website?
- What level of security permissions does the user have?
- How many attempts does the user normally take to enter the correct password?
- How many times on average does the user access the system in a day?
- How many times in the past has the user reset the password?
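The profile-and-deviation idea described above, as an added example that is not part of the original article: a toy behavioral profile is built from a user's past accesses using some of the signals just listed (input method, password attempts, logins per day, password resets), and a new access request is scored against it. The access history, the z-score scoring and the threshold are all constructed assumptions for illustration, not any vendor's method.

```python
# Added example: a toy behavioral profile and deviation check of the kind a
# big-data-based authentication system builds. All history is constructed.
from statistics import mean, pstdev
from collections import Counter

# Constructed history for one user: one record per past successful access.
HISTORY = [
    {"keyboard": "physical", "attempts": 1, "logins_that_day": 4, "resets_total": 1},
    {"keyboard": "physical", "attempts": 2, "logins_that_day": 5, "resets_total": 1},
    {"keyboard": "physical", "attempts": 1, "logins_that_day": 3, "resets_total": 1},
    {"keyboard": "physical", "attempts": 1, "logins_that_day": 4, "resets_total": 2},
    {"keyboard": "physical", "attempts": 1, "logins_that_day": 5, "resets_total": 2},
]

NUMERIC = ("attempts", "logins_that_day", "resets_total")


def build_profile(events):
    """Summarise a user's history: (mean, stddev) per numeric signal plus the
    user's usual input method. This is the regularly updated profile."""
    profile = {}
    for key in NUMERIC:
        vals = [e[key] for e in events]
        profile[key] = (mean(vals), pstdev(vals))
    profile["keyboard"] = Counter(e["keyboard"] for e in events).most_common(1)[0][0]
    return profile


def deviation_score(profile, request):
    """Score an access request against the profile. Each numeric signal adds
    its absolute z-score (stddev floored at 0.5 so a constant signal does not
    divide by zero); an unfamiliar input method adds a fixed penalty."""
    score = 0.0
    for key in NUMERIC:
        mu, sigma = profile[key]
        score += abs(request[key] - mu) / max(sigma, 0.5)
    if request["keyboard"] != profile["keyboard"]:
        score += 2.0
    return score


def assess(profile, request, threshold=4.0):
    """'allow' for an in-profile request; 'step-up' (warn or demand another
    factor) when the request deviates too far from the profile."""
    return "allow" if deviation_score(profile, request) < threshold else "step-up"


if __name__ == "__main__":
    prof = build_profile(HISTORY)
    normal = {"keyboard": "physical", "attempts": 1, "logins_that_day": 4, "resets_total": 2}
    odd = {"keyboard": "virtual", "attempts": 6, "logins_that_day": 15, "resets_total": 2}
    print(assess(prof, normal), assess(prof, odd))
```

The deviation is never a verdict on its own: a high score triggers a warning or a step-up factor, so a legitimate user on an unfamiliar device is challenged rather than locked out.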
The system simultaneously collects data about the user and monitors his activities too. The system has to adapt to the unique behavior of each user. As Ivan Tendler, the co-founder and CEO of Fortscale, a reputed user behavior analytics company says, “We look at this from the user’s perspective. He has a name, a personality and habits. This user is sloppy or this user is risky or this user tends to have too much permission and so on. You have to look at the user history and profile his behavior. And only in those methods can you spot odd behavior and can pinpoint malicious users or compromised users whose credentials were stolen.”
The authentication system collects large volumes of both structured and unstructured data from a variety of sources, such as network devices, security appliances, hosts, endpoints, applications and databases, and is able to analyze that data to detect patterns of behavior, anomalies and attacks.
Organizations have been reaping the benefits of this approach already. For example, the New Jersey Department of Labor and Workforce Development (NJDLWD) uses a big-data authentication solution to identify fraudulent unemployment benefit claims. The system works in two steps: first, it establishes whether the identity presenting a claim is real, and second, whether that identity belongs to the person making the claim.
The following trends could possibly unfold:
- Password-based systems will be used in conjunction with other, newer authentication systems.
- More investment will be made into making the user experience of two-factor and multi-factor systems better.
- Organizations will invest a lot into making biometric systems more acceptable and robust by addressing the limitations of voice-based authentication systems. It seems that iris-based authentication is going to find many takers.
Big data authentication is still evolving, and it will be a while before more is known about the approach and its acceptability in the industry. Theoretically, it sounds promising, though. For all its fragility, the password-based system will not be junked, but used in conjunction with other authentication systems such as two-factor and multi-factor systems. Another factor to consider is whether organizations are able, and can afford, to migrate from basic authentication systems to more robust and stable ones.
According to Gartner, many organizations have been finding it tough to incorporate advanced authentication systems into their systems. Many organizations will watch the developments on the big data authentication front with both interest and caution. This applies especially in industries that deal with a lot of confidential data such as banking and finance, defense and healthcare.