Forrester: Securing identity and access management for consumers
04 April, 2014
A report from Forrester has examined the importance of identity and access management, and the research firm posits that the real future of the technology will lie in the consumer sector.
For its report, Forrester profiled business-to-consumer security decision makers from the financial services, health care, government and online merchant sectors to evaluate the security of consumer portals. This latest report comes off the back of Forrester’s Security Survey, which found that 56% of IT security officials reported having implemented or planning to implement consumer identity theft/fraud management, 60% of whom have also implemented or plan to implement consumer identity and access management.
The time for change is now, as IT officials still utilize single-factor authentication methods like username and password (83%), challenge questions (62%) or emailed links (58%) to protect their consumer-facing web portals.
Traditionally, the reasoning behind single-factor security has been a simple user experience. However, Forrester states that security specialists are becoming increasingly aware of stronger authentication options to combat ever-present security and fraud risks.
Respondents indicated a significant interest in using one-time password tokens, mobile device generated passwords and certificates stored on a device for two-factor authentication.
Threats to security aren’t going away, and weak authentication, authorization and fraud detection capabilities only add to the growing risk. Clients all too often reuse passwords in an attempt to simulate single sign-on, but this method leaves the client much more vulnerable to attack than true single sign-on.
Consumer sites can be made vulnerable by a number of factors, but Forrester states that its respondents found that privacy issues, loss of consumer trust and regulatory compliance are the top three threats to their consumer portals. Moreover, some 70% of respondents rated their level of concern for each of these threats as a four or five on a five-point scale, while an additional 59% cited concern regarding loss of business due to poor customer experience.
The type of data affected by poor authentication security is also an area of concern. According to Forrester, two of the three most common types of data to be compromised in a breach are personally identifiable information and authentication credentials.
To make matters worse, personal info is frequently used as the basis for security challenge questions. Acquiring personal data when stronger authentication, authorization and contextual fraud detection techniques aren’t present can provide a hacker with everything he needs to gain full access to consumer accounts.
As poor authentication, authorization and fraud detection strategies make the need for more robust identity and access management security a vital concern, Forrester warns that the loss of trust in the business by consumers forced to perform password resets, or a poor transaction experience for the consumer, could greatly affect a business’ bottom line.
A full copy of the Forrester report can be downloaded here.