Guest post from IBM Security Systems.
According to the Verizon 2013 Data Breach Investigation Report, roughly 76% of all data breaches were enabled by weak credentialing and user authentication. We can therefore say that most – if not all – of our traditional security measures are doing little to close credentialing vulnerabilities. If that’s the case, then we need to discuss replacing them with something that does work.
Importantly, the location of the authentication transaction affects the risks, liability, convenience and economic feasibility differently for the service provider and the consumer. Consider that there are effectively only two locations where the user-authentication transaction can occur: on the device, and/or in the cloud.
Authentication on the device
Authentication on the device implies just that: processing the authentication of the user on the phone. Many phone manufacturers contemplate including fingerprint sensors on the device to authenticate the phone user – presumably the entitled privilege holder associated with the credentials stored on the phone or in some data repository elsewhere.
Authentication in the cloud
Authenticating in the service provider’s cloud implies capturing the biometric data on the phone and securely retrieving or transmitting it to the service provider’s cloud, where the authentication transaction takes place. In this case, the service provider could reduce risk by comparing user-authentication data, captured during applicant enrolment, to data of existing customers so as to negate dual enrolments and fraud.
To learn more about Threat-aware Identity and Access Management for a multi-parameter world, hear Ravi Srinivasan, Director, Strategy and Product Management, IBM Security Systems, present during the keynote at Ovum Identity & Access Management on 22nd October.
Read the full story: http://securityintelligence.com/passwords-are-dead-we-need-a-better-system-now/