Enterprises take aim at the unpopular, hard-to-kill authenticator
11 June, 2014
category: Biometrics, Corporate, Digital ID, Financial, Government, Health, Smart Cards
Recommendations for IAM pros in B2C
Forrester Consulting’s report, “To Increase Security And User Trust, Embrace A Federated Consumer Identity Model,” spells out a series of recommendations for business-to-consumer identity providers.
To begin, recognize the choice you want to make regarding your identity and authentication infrastructure.
The three choices are:
- Stay as you are and manage your own siloed authentication structure, risking serious breakdowns in user engagement and security
- Become a subscriber of a third-party identity provider, outsourcing identity the way many already outsource payment
- Become a cloud identity services provider, making the service more “sticky” and monetizable.
Next, be honest about your security stance around user login and recovery.
The first step to admitting you have a security problem is acknowledging the “security theater” present in your identity and authentication strategy. If the strategy involves only passwords and security challenge questions, don’t be so sure that high security standards are being met.
Users can and do undermine these efforts, both by choosing passwords that meet policy but have little real strength (such as “p@55w0rd”) and by reusing on your site passwords they already use for other accounts. Relying on static secrets is still a single-factor solution, no matter how many “things the user knows” are required.
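As an added example, not code from the article or from Forrester's report, the following Python shows the gap the paragraph describes: a conventional complexity policy accepts “p@55w0rd”, while a second check that undoes common character substitutions and compares the result against a deny-list of well-known base words rejects it. The policy rules, the substitution table and the deny-list are constructed assumptions for illustration; a production deployment would check against a full breached-password corpus instead of a handful of words.

```python
import re

# Constructed deny-list of common base words. A real deployment would use a
# large breached-password corpus; this short set only illustrates the idea.
COMMON_BASE_WORDS = {"password", "letmein", "qwerty", "welcome", "admin", "summer"}

# Constructed table of the "leet" substitutions users apply to satisfy
# a symbol/digit rule without making the password harder to guess.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
    "1": "i", "!": "i", "3": "e", "7": "t",
})


def meets_complexity_policy(pw: str) -> bool:
    """A typical composition policy (assumed): 8+ chars with a letter,
    a digit and a symbol. 'p@55w0rd' satisfies every rule."""
    return (
        len(pw) >= 8
        and re.search(r"[A-Za-z]", pw) is not None
        and re.search(r"\d", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def normalize(pw: str) -> str:
    """Reduce a password to the base word an attacker's wordlist would hold:
    lower-case it, drop leading/trailing digits and punctuation
    (e.g. 'admin123!' -> 'admin'), then undo leet substitutions."""
    lowered = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return core.translate(LEET_MAP)


def is_guessable(pw: str) -> bool:
    """True when the normalized base word is on the deny-list."""
    return normalize(pw) in COMMON_BASE_WORDS


def evaluate(pw: str) -> dict:
    """Report both checks. A password is accepted only if it satisfies the
    composition policy AND is not a disguised common word."""
    policy_ok = meets_complexity_policy(pw)
    guessable = is_guessable(pw)
    return {
        "meets_policy": policy_ok,
        "guessable": guessable,
        "accept": policy_ok and not guessable,
    }


if __name__ == "__main__":
    for candidate in ["p@55w0rd", "!!admin123", "correcthorse", "Vx7#qLm2pR!9"]:
        print(candidate, evaluate(candidate))
```

The point the paragraph makes shows up in the first line of output: the policy-only check returns true for “p@55w0rd”, so a site that stops there believes it is enforcing strong passwords. Screening against a deny-list of known-compromised and common passwords, rather than relying on composition rules alone, is the practice NIST SP 800-63B later recommended for exactly this reason.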
Brainstorm identity providers that address the populations and credential strengths you need.
If your organization outsources other sensitive business functions such as human resources apps for employees or payment systems for customers, it should be able to consider outsourcing authentication and other related aspects of user management. But first you have to find one or more suitable identity providers that are likely to be securely authoritative for what you need to know.
Password managers address pesky problem
Web browser form fills, password-protected documents and the Post-It note are a few common ways people keep track of passwords. Unfortunately, they’re all low-tech and insecure.
Password management software is emerging as a solution for consumers and enterprises to keep track of complicated passwords, and at times, create them. LastPass started off on the consumer side of things but now has an enterprise version for corporate clients, says Amber Gott, marketing manager at the company.
Users download the LastPass software and create an account. The solution integrates with the Web browser and then encrypts and stores the individual’s user names and passwords in the cloud, with the login data only being decrypted locally. LastPass also enables individuals to use the system to create complex passwords. When creating a new account on a site, LastPass will offer the option of creating a complex password and then storing it in the vault too.
LastPass works on all major computing and mobile operating systems as well as the major Web browsers, she says. Users can also add different multi-factor authentication solutions for added security.
The enterprise version integrates with Active Directory and other network solutions. IT administrators can push the solution out to users who then create an account and use it for access. Administrators can provision access, enforce policies and track usage.
Other services encrypt and store the credentials on the user’s devices rather than in the cloud.
The 1Password offering consists of an app and Web browser extension, says David Chartier with AgileBits, creator of 1Password. After a user installs the app and browser extension, 1Password asks to save the credential info for the different sites visited.
When creating a new login for a site, it will offer to generate a new, complex password for the user. When returning to a site 1Password will automatically log the user back in with the stored credential information.
Form fill and new user profile creation can also be done in just a couple of clicks, Chartier says. All the information is securely stored on the consumer’s computer or mobile device. 1Password is available on Windows, Mac, iOS and Android devices.
1Password has an enterprise version as well. Users can create Dropbox accounts that will enable passwords to be shared across users. This same functionality enables users to sync their mobile devices to their computers.
1Password doesn’t store any user data, the consumer is in control, Chartier says. “We don’t have any information on our customers,” he explains. “We don’t even have analytics on what operating systems they are using.”
The failure of IAM: Small and medium-sized enterprises
Identity and access management has focused on large systems and enterprises, leaving small and mid-sized businesses on their own, says Francois Lasnier, senior vice president of identity and access at Gemalto. This means that smaller companies haven’t had the ability to deploy proper systems.
As the benefits provided by these systems have increased, small and medium-sized businesses are finding it necessary to deploy an identity and access management system and are looking to the cloud to do so, Lasnier says.
Cloud-based identity and access management systems are more scalable than their server-based counterparts and enable enterprises to easily integrate server-side apps as well as the increasingly popular cloud-based services.
More enterprises are switching to cloud-based apps that enable access from anywhere an Internet connection can be established. Making sure employees can easily and securely access all the necessary applications can be a challenge, but it’s one that a cloud-based identity system can address, Lasnier explains.
IT administrators can point a cloud-based identity and access management system to an identity directory and then begin to provision access and rights. These systems provide federation and single sign-on for the users as well as the ability for multi-factor authentication, Lasnier says.