Author: Sebastien Pavie, Regional Director for Cloud Protection and Licensing Activities at Thales
The UAE is home to a very technologically advanced population, with the highest mobile penetration rate in the world of 173% according to a Statista report. How does growth like that happen? With government support of course! In March 2019, the UAE allocated a budget of AED 1.5 billion to building next-generation schools in the country. Futuristic schools are teaching students about robotics, artificial intelligence (AI), automation and advanced technologies. Classrooms across the UAE are using AI to create a new learning experience, free of whiteboards and books. This is just a small part of UAE’s Artificial Intelligence Strategy that aims to change the face of services, sectors and infrastructure.
Tech giants from IBM to Google and Amazon are investing heavily in these technologies, in hope that it will help create new ways to conduct business and complete transactions automatically, intelligently and even clairvoyantly. Earlier in the year, 60,000 government employees were provided access to training in emerging technologies, powered by institutions like John Hopkins, Duke and Stanford University. From driverless metro systems to Islamic arts, the UAE is home to some of the world’s most creative uses of AI. The user identity and access management (IAM) industry is vying to ride this wave as well.
Just as investment banks use predictive data models to forecast markets, insurance companies to predict accidents, or retailers to figure out the optimal time to send you a special offer, soon user authentication could rely on similar data analytics. Corporate security teams are using machine learning to collect and find patterns in data related to log-in times, locations and device footprints. The goal is to more efficiently spot normal vs. abnormal user behavior, and to autonomously identify the type of tasks a person is doing and therefore what type of access they should have.
This will be based on the concept of adaptive authentication, which is built around the idea that you can assign a risk score and adjust the level of access a person gets based on the task they are performing and the assurance level of the user’s authentication method. Machine learning is now being used to build more detailed user personas by doing things like picking up on users’ keystroke patterns or remembering the specific Bluetooth devices a user tends to have in the vicinity of the access device. You can see applications of this every day as you unlock your phone. Does your phone refuse to recognize you if you change your look, with a longer beard or shorter hair? Probably not, but give it a go with a fake beard or wig and see what happens. Any deviation from the norm could raise the user’s risk score. The more abnormal the circumstances of a log-in, or the higher level of access a specific task requires, the more authentication factors will be required.
Related: AI in cybersecurity – friend or foe?
This approach can maintain security while greatly reducing the burden on users. Imagine you’re checking your bank account but aren’t executing a transaction. If you’re doing this from a location where you’ve done it in the past, and are using a known device, this could require a single password, or maybe no credentials at all. But, if you are actually moving money, or if you’re doing it from a previously unknown device or location, that may call for the use of a second factor of authentication, such as a one-time password sent over text. The same principles can apply for an IT admin who might have to use multiple factors, such as a hardware token and password, if he or she is looking to make a change in a system, such as adding a user. He or she could just as easily skip that step if all they’re doing is a quick check of the number of users.
These new methods will require a joint effort between machine and human. When automated algorithms provide a risk score, the IT admin can do a check on a case-by-case basis. It’s about finding the right balance, so you don’t end up with too many valid users setting off false negatives because they happen to be attempting a log-in outside of the existing parameters. Ideally, though, machine learning can be used to increase the quality of the risk score and make it easier to log in.
One of the challenges is that most of these methods rely on obtaining more information about users and their surroundings – something that often raises privacy alarms. For example, in Europe, efforts to comply with GDPR could come into conflict with this type of data collection.
As new public concerns over privacy have emerged in recent years, so too has another trend; the tech industry’s focus on usability, sometimes, at the expense of security. This is the latest swing for the security-vs-usability pendulum, which has been going back and forth for decades. The late 1990s and early 2000s were much more heavily oriented around security, with the introduction of things like PKI (public key infrastructure) and smart cards. However, these solutions were cumbersome and saw little widespread adoption outside their niche markets. Now, more convenient options, like cloud-based single-sign-on (SSO), are gaining wider adoption by using somewhat less secure methods, such as SMS and software-based security. The sweet spot is somewhere in the middle.
Finding this middle ground will likely require the reintroduction of hardware tokens, but in a more user-friendly way, by doing things like using smartphones as smart hardware tokens. Password fatigue has been well-documented, and people are more interested now than ever in frictionless authentication concepts like zero log-in and implicit authentication, where a system or device can use sensors and machine learning algorithms to simply recognize you by your behaviours.
The industry has been talking about these concepts for quite some time, but now they are finally beginning to take shape. The next two to three years will define a new frontier of context-based, risk-based, and implicit authentication as well as access management. We will just have to find the right balance of convenience, security and privacy to fully enjoy it.