You’ve probably heard the terms identification, authentication, and authorization used interchangeably over the years. While they seem like very similar concepts, there are clear distinctions.
- Identification: Presenting a set of credentials that are supposed to represent the user you are interacting with. At this stage of the process, the information presented by the consumer can be validated, ensuring that the name, address and phone number are all legitimate and belong to the same individual (clearing checks for potential identity theft or synthetic identity creation). But just because someone claims to be Jane Doe, and the details they present are all connected to Jane Doe, doesn’t mean that the user is Jane Doe.
- Authentication: Validating that the person is who they claim to be. If all the identification checks out, you still need some method to validate the individual. Typically, this is managed by multi-factor authentication, evaluating two or more methods to confirm the user is who they claim. These methods usually fall into the buckets of “Something the user knows” (e.g., shared secrets like a password), “Something the user has” (e.g., receiving a one-time passcode on a device), and “Something the user is” (e.g., a biometric fingerprint, behavioral analysis).
- Authorization: Once you are confident you are dealing with the person they claim to be, authorization is how you determine what access privileges that person has to resources. Access management ensures the consumer has the right level of authority or access to approved systems or data. This stage typically assumes the first two stages mentioned above have been met.
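The three stages as three separate decisions, written as an added illustration (not code from the original article): identification checks that the presented details belong to one known record, authentication checks two factors, and authorization checks a permission. The user, salt, password, OTP secret and permission set are constructed sample data, and the OTP routine is a simplified HOTP-style stand-in rather than a production library.

```python
import hashlib
import hmac
import os

# Constructed stores for one hypothetical user; a real deployment would back these
# with a vetted registry, a credential store and an IdP.
IDENTITY_RECORDS = {"jane.doe": {"name": "Jane Doe", "address": "1 Main St", "phone": "555-0100"}}
_SALT = os.urandom(16)
CREDENTIALS = {"jane.doe": {
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
    "otp_secret": b"constructed-device-secret",  # provisioned on the user's device
}}
PERMISSIONS = {"jane.doe": {"payroll:read"}}


def identify(username, presented):
    """Stage 1: do the presented details all belong to one known identity?
    Passing this only rules out mismatched or synthetic details; it says nothing
    about who is actually at the keyboard."""
    record = IDENTITY_RECORDS.get(username)
    return bool(presented) and record is not None and all(
        record.get(k) == v for k, v in presented.items())


def expected_otp(secret, counter):
    """HOTP-style code: HMAC over a counter, truncated to six digits (simplified)."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), "sha256").digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def authenticate(username, password, otp, counter):
    """Stage 2: something known (password) plus something held (OTP device).
    Both checks always run and both must pass, so the caller learns only pass/fail."""
    cred = CREDENTIALS.get(username)
    if cred is None:
        return False
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000), cred["pw_hash"])
    otp_ok = hmac.compare_digest(expected_otp(cred["otp_secret"], counter), otp)
    return pw_ok and otp_ok


def authorize(username, permission):
    """Stage 3: least privilege; call only after authenticate() returned True."""
    return permission in PERMISSIONS.get(username, set())
```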
Identity Access Management (IAM) can improve user experience by reducing the need for credentials
Over the last two decades, organizations have been shifting to software as a service (SaaS) solutions. These third-party solutions, hosted in the cloud, have helped companies save money and take advantage of cutting-edge technologies while giving them flexibility and the ability to quickly and nimbly augment their workforce and scale their businesses. Examples supporting an increasingly mobile workforce range from HR functions like payroll, benefits, performance management and recruiting; productivity tools like project management and communication; customer support tools like call center outsourcing; sales tools like customer relationship management systems; and more.
One big challenge of this nimble structure is that every tool or service requires its own set of credentials. This results in a proliferation of usernames and passwords. According to a 2017 Dashlane report [1], the average person has more than 150 online accounts protected by passwords. Our brains can only retain so many username-password combinations, so it is very common for people to reuse the same password or use easy-to-guess passwords (according to an April 2019 CNN report [2], the top 5 most commonly used passwords were: 123456, 123456789, qwerty, password, 111111). Bad actors know this and are ready to take advantage of these weaknesses.
Identity Access Management (also known as federated identity management, because the identity is federated across many systems) was created out of the need to reduce the number of credentials individuals need to keep track of and, by extension, to improve the security of the credentials being used. An independent Identity Provider (IdP) acts as a single point of entry to these systems and applications by managing access and relationships on a user’s behalf. This assumes a level of trust between all the parties involved, and agreement on what data is to be shared, the level of access a user will have to each system, and which data takes precedence if there is a conflict. Fraud and risk exposure are limited, as the end user has only one set of credentials to remember to access the services and applications they need to do their job.
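The IdP-to-application trust relationship described above, as an added example (not code from the original article): the IdP issues a signed assertion naming the user and carrying only the attributes the parties agreed to share, and the application verifies the signature, audience and expiry before trusting any claim, then resolves attribute conflicts by the agreed precedence. The shared HMAC key stands in for the public-key signatures real SAML/OIDC federations use; the key, audience and precedence rule are constructed assumptions.

```python
import hmac
import json
import time

# Constructed federation settings: a key the IdP and the application share in advance,
# the application's own audience name, and the agreed conflict rule.
IDP_APP_KEY = b"constructed-shared-key"
APP_AUDIENCE = "payroll-app"
IDP_WINS = {"email", "department"}   # for these fields the IdP's value takes precedence


def idp_issue(key, subject, attributes, audience, ttl=300):
    """IdP side: sign an assertion that carries only the agreed attributes."""
    claims = {"sub": subject, "aud": audience, "exp": int(time.time()) + ttl, "attrs": attributes}
    body = json.dumps(claims, sort_keys=True).encode()
    return body, hmac.new(key, body, "sha256").hexdigest()


def app_accept(key, body, sig, now=None):
    """Application side: verify signature, audience and expiry; return claims or None."""
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), sig):
        return None                       # forged or tampered assertion
    claims = json.loads(body)
    if claims.get("aud") != APP_AUDIENCE:
        return None                       # assertion meant for a different application
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None                       # expired; replaying old assertions fails here
    return claims


def merge_profile(local, idp_attrs):
    """Resolve conflicts per the federation agreement: IdP wins only for IDP_WINS fields."""
    merged = dict(local)
    for k, v in idp_attrs.items():
        if k not in merged or k in IDP_WINS:
            merged[k] = v
    return merged
```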
Use cases for Identity Access Management expand beyond the workplace. Governments, educational institutions and other organizations can leverage these services.
- Government: A federated identity management system can give businesses and citizens access to hundreds of government services, including the ability to pay taxes, claim unemployment insurance, manage pensions, handle customs, and much more. Finnish citizens and businesses access more than 100 government services with one credential [3].
- Research Institutions: Universities, governments and other institutions that collaborate across the world can use their own institution’s credentials to share data, apps, reference materials and other collaborative tools [4, 5].
- Retail: With a single point of access, consumers can shift seamlessly across devices for payments, cross-channel price comparisons, product reviews, coupons, accessing loyalty rewards, reviewing purchase history and even taking out loans.
- Internet of Things: Access for automation continues to expand as Smart Home systems manage doors, lighting, thermostats, entertainment systems, security alarms, surveillance cameras and other connected appliances.
When relying on a single provider, ensure the entry point is secure
The core capability of an Identity Access Management system is getting the user to the right resource, with the right level of authority, at the right time. Often these providers won’t vet the end users themselves, but rather rely on the originating organization to perform the initial registration and authentication of the end user.
These IAM providers often partner with online fraud detection tool providers to extend their platforms with risk-based analysis and adaptive authentication, customizing the user experience and staying ahead of cyberattacks. These tools range from device analysis (e.g., understanding whether the device is intact or has been tampered with, and the device’s location relative to where you expect the user to be), digital network analysis (suspicious patterns of behavior by this user across a global contributory network), behavioral analysis (e.g., the user’s interaction with the device, bot activity, remote access), and contact name, address and detail analysis (i.e., is the information presented legitimate, and does it belong together). Through an IAM platform it is possible to stitch these solutions together behind a single platform. Detecting risk is all about layering solutions.
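How the layered signals above feed one adaptive-authentication decision, as an added example (not code from the original article or from any IAM vendor): each signal category contributes to a risk score, and the score selects allow, step-up (ask for another factor) or deny. The signal names follow the categories in the text; the weights and thresholds are illustrative assumptions.

```python
from dataclasses import dataclass


@dataclass
class Signals:
    """One login attempt's risk signals, grouped as in the text (constructed example)."""
    device_tampered: bool    # device analysis: integrity check failed
    distance_km: float       # device analysis: location vs. where the user is expected
    network_flagged: bool    # digital network analysis: suspicious pattern across the network
    bot_like: bool           # behavioral analysis: non-human interaction with the device
    remote_access: bool      # behavioral analysis: remote-control tooling present
    contact_mismatch: bool   # contact analysis: name/address/phone do not belong together


# Illustrative weights: no single weak signal reaches the deny threshold on its own,
# but layered signals do.
WEIGHTS = {"device_tampered": 50, "network_flagged": 35, "bot_like": 40,
           "remote_access": 30, "contact_mismatch": 30}
STEP_UP_THRESHOLD = 40   # require an additional authentication factor
DENY_THRESHOLD = 80      # refuse and route to manual review


def risk_score(s):
    """Sum the boolean signals' weights plus a distance penalty, capped at 100."""
    score = sum(w for name, w in WEIGHTS.items() if getattr(s, name))
    # No penalty within 100 km; scales linearly to 25 points at 1000 km and beyond.
    score += int(25 * min(max(s.distance_km - 100, 0) / 900, 1))
    return min(score, 100)


def decide(s):
    """Adaptive authentication: friction only where the layered risk warrants it."""
    score = risk_score(s)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"
```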
For the best security and user experience, check your IAM provider’s marketplace to find those fraud and identity providers that can offer that seamless integration experience. Consider working with partners that offer the full suite of solutions with a single engagement. This can help ensure that your solution is taking a holistic approach, reducing your fraud exposure while also reducing friction for your end user, which typically results in a better end user experience.
1. Dashlane. (2018, May 11). World Password Day: How to Improve Your Passwords. Retrieved from Dashlane: https://blog.dashlane.com/world-password-day/
2. Picheta, R. (2019, April 22). How hackable is your password? Retrieved from CNN Business: https://www.cnn.com/2019/04/22/uk/most-common-passwords-scli-gbr-intl/index.html
3. Ubisecure. (2019, May). Creating a nationwide infrastructure for authentication & delegation of authority. Retrieved from Ubisecure: https://www.ubisecure.com/wp-content/uploads/2019/05/Katso-Case-Study.pdf
4. Educause. (2019). 7 Things You Should Know About … Federated Identity. Retrieved from Educause: https://library.educause.edu/-/media/files/library/2019/1/est1901.pdf
5. Educause. (2013). Help Your Research Faculty Collaborate More Efficiently with COmanage. Retrieved from Educause.