Written by Karson Kwan, Solutions Consultant
When we browse the web, shop online or visit social media, we do so as an online persona or identity, whether we know it or not. Our activities, our behaviour and who we are connected to all feed an identity profile that can be tracked and used to shape our online experience.
Identity is at the core of how users interact with the online world, and any compromise of that identity carries real consequences. A sound identity management (IDM) posture does more than keep your own identity safe; it is also key to protecting your customers’ highly sensitive information.
IDM has come a long way in the last two decades. Here’s a look back at the progress made and what the latest trends might bring.
Late 1990s / Early 2000s
Early on, the Lightweight Directory Access Protocol (LDAP), first specified in 1993 and revised as LDAPv3 in 1997, was established as the open-standard protocol for querying and updating directory data about organizations, people and resources (users, groups, devices, shared folders and so on), whether the directory sits on a public Internet server or a local intranet. Who may read or change that data is governed by the directory’s access controls, not by the protocol itself.
Microsoft’s Active Directory, introduced with Windows 2000 Server (finalized at the end of 1999 and shipped in early 2000) and built on LDAP and Kerberos, kickstarted the age of corporate identity management in the 2000s. More than two decades on, Active Directory still plays an essential role in IDM for many companies worldwide, which also makes its domain controllers one of the most valuable targets for an attacker who gets inside a network.
Active Directory Federation Services (AD FS) followed with Windows Server 2003 R2, released in 2005, extending Active Directory logins into single sign-on across organizational boundaries using the WS-Federation and SAML standards.
In the early 2000s a password was simply the way you logged in. Multi-factor authentication (MFA) existed, but mostly as hardware tokens in a handful of high-security environments, and ordinary applications had no way to require it. Most people kept a notebook of websites, usernames and passwords to keep their logins straight, and access management amounted to seeing who had access to what, typically through Active Directory groups. Outside the corporate workspace, Internet users had far fewer web applications than we do today, so a username and password were considered enough.
Through the late 2000s and into the early 2010s, as single sign-on became more prevalent, a wave of new security technology reached the market, built on improved identity standards: SAML 2.0 (ratified by OASIS in 2005) became the workhorse of enterprise federation, and OpenID Connect (finalized in 2014, layered on OAuth 2.0) brought the same idea to consumer and mobile applications.
Single sign-on in turn drove innovation in application security. Companies such as Okta and Ping Identity let organizations secure their applications from the cloud instead of relying on on-premises hardware. And the launch of the FIDO Alliance in 2013 set out to “develop and promote authentication standards that help reduce the world’s over-reliance on passwords.”
MFA use also grew, though it was far from widespread: mostly simple factors such as a One-Time Password (OTP) sent by SMS, with some consumer applications beginning to enforce it to protect customer accounts.
MFA adds a layer of security, but weak authentication persists, and not all factors are equal. As more business and consumer applications began to require MFA, a wide array of factor types came into play:
- OTP via SMS: easy to roll out, but defeated by SIM swapping and by phishing pages that relay the code in real time; NIST SP 800-63B classes SMS delivery as a restricted authenticator.
- OTP via authenticator apps (TOTP): no carrier dependency, but the six-digit code can still be phished and relayed within its 30-second window.
- Push notifications via mobile apps: convenient, but open to “MFA fatigue” prompt bombing unless the prompt demands an action such as number matching.
- Hardware tokens (for example YubiKey): a possession factor the attacker must physically obtain; phishing-resistant only when used in FIDO mode rather than as an OTP generator.
- FIDO2 / WebAuthn: public-key credentials bound to the site’s origin, unlocked on the device by a PIN or a biometric such as a fingerprint; the one option in this list that resists phishing by design.
- Security questions: a second “something you know” whose answers are often public or guessable, and therefore not a meaningful second factor.
- And more
Passwordless authentication was also starting to gain ground, along with a clearer understanding of the three categories of factor:
- Something you know (a password, PIN or answer to a question)
- Something you have (possession of a device or token)
- Something you are (a biometric such as a fingerprint or face)
Combining factors from different categories is what makes an account materially harder to take over. “Something you know” is the weakest category on its own: passwords and answers can be guessed, reused across sites, phished, or stolen in bulk from a breached database. “Something you are” is strong when the biometric stays on the device and merely unlocks a locally held key, as with Face ID or a fingerprint reader gating a FIDO credential, and weaker when a biometric template is transmitted or stored centrally, because unlike a password a fingerprint cannot be rotated after it leaks. The deciding property today is less which category a factor belongs to than whether it can be phished: a code the user can read out or type into a fake page can be relayed, while a cryptographic credential bound to the real site cannot.
As identity management evolves, passwordless authentication is poised to keep reshaping IDM, with more websites and applications adopting options such as WebAuthn, the W3C standard at the heart of FIDO2. With WebAuthn the authenticator on a device you own generates a unique public/private key pair for each site, keeps the private key on the device, and registers only the public key with the site; at login it signs a server-issued challenge together with the origin the browser actually loaded, so a credential for one site is useless on a look-alike. Because it is an open standard, it works across browsers, operating systems, and both built-in and roaming authenticators.
Apple is one of the leaders in adopting passwordless authentication, specifically with passkeys, introduced in iOS 16 and macOS Ventura in 2022: FIDO credentials that are unlocked with Face ID or Touch ID (or the device passcode) and synced between a user’s devices through iCloud Keychain, so losing one device does not mean losing the credential.
Adaptive (risk-based) authentication is also growing, driven by the need to combine ease of use, accessibility and strong security. It weighs signals such as the device, network, location and behaviour behind a login to judge who the user is and whether they should have access, applies fine-grained access controls, and steps up to a stronger factor only when the risk warrants it, without adding unnecessary friction. This kind of experience is spreading in both corporate and consumer identity management.
Friction from MFA degrades your customers’ experience and, in turn, puts their lifetime value at risk.
Forter reduces that friction by blocking bad actors before they strike. Forter learns users’ behaviour patterns and adds friction only when there is reason to believe they are not who they claim to be; when it determines that the user is not who they claim to be, it blocks the access and keeps the account secure.
Forter’s Trusted Identities works alongside your identity provider and multi-factor authentication systems to protect against account takeover while keeping added friction to a minimum.