Authentication and Encryption Working Together
As online traffic increases, organizations are making decisions about appropriate levels of authentication for their consumer-facing portals. These organizations are determining how authentication “speed bumps” in front of consumers affect adoption and use because they want to make it easy for a consumer to get to his data. The problem, of course, is that making it easy for someone to legitimately get to their data also makes it potentially easier for an impersonator to get to that data by guessing or stealing access credentials. In order to prevent different types of attacks against usernames and passwords, organizations have made the login process more difficult–passwords have become more complex, additional “security questions” have become part of the process, and organizations are increasingly moving toward two-factor authentication because they find the risk of unauthorized access to be too high for the type of data they house.
In spite of the increase in publicized attacks against web sites with guessed or stolen credentials, and in spite of multiple surveys showing that consumers continue to be concerned about security and privacy in the online channel, many consumer-facing organizations are still reluctant to move toward stronger authentication. The argument we often hear is that enterprise does not need strong authentication because the data is encrypted in transit between the browser and the server and because personal data kept by the enterprise is encrypted in back-end databases. Many enterprises have adopted “defense-in-depth” security strategies to protect themselves from attack, so why do they also need strong authentication for consumers?
The answer is that once the enterprise accepts login credentials, the rights and privileges associated with those credentials allow the user to see unencrypted data and to perform various transactions with that data. This data may include their own personal data at consumer facing sites like personal health records or tax data. If the remote access afforded through the portal is for those with higher level privileges like healthcare providers, tax preparers, or employees within the enterprise, that access could be afforded to an even broader data set.
Hackers may get only encrypted gibberish by eavesdropping on the transmission, and they may only get encrypted gibberish if they manage to get through enterprise “back-door” defenses, but if they steal or guess user credentials, they arrive at the front door with the key that allows them enter an account, view its unencrypted contents and perform transactions with the data. In many cases, hackers do not really care whose account they hijack as long as they can get into a system and then use that entry to give themselves more rights and privileges. The problem is made worse by the fact that many people use the same username and password over and over, making it easier for themselves to remember their login credentials and making is very easy for someone to compromise many of their accounts without additional effort.
Encryption and strong authentication address two different attack vectors. Encryption prevents unauthorized access to data through eavesdropping or “break-in.” Strong authentication, on the other hand, prevents unauthorized access to data and systems through the use of legitimate credentials by people who are not entitled to those credentials. In fact, strong authentication protects investments in encryption and other security measures. If you are going to put state-of-the-art locks on your doors, don’t leave the key under the mat!
Recommended For You
Technology Provides Faster, More Accurate Claim of Benefits The current benefit eligibility verification process is a daily burden for case […]
You have a lot of customer data — housed in a lot of different locations. You’re working hard to make […]
Government agencies face two key challenges: budgets under pressure and programs have to be streamlined to fight off fraud, waste, and […]
The CERCA Spring Conference, held on May 16, capped a broadly successful 2018 filing season that saw tax identity theft reduced by […]