Page 37 - GCN, Jun/July 2016

rics, the security process should not end when an employee logs in.
“The third piece is behavior analytics,” said Mike Wyatt, leader of the identity access management practice at Deloitte Advisory.
Agencies can use pattern analysis to look for atypical interactions, he said. If something unusual is detected, the system can require a higher level of authentication. For example, if an employee suddenly accesses a database he’s never used before, he could be asked for additional identity confirmation — or an alert could be sent to his manager.
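The step-up decision described above, as an added example (not from the article or from any product it mentions). The thresholds, the user and resource names, and the choice to alert the manager only for never-seen resources are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

class AccessBaseline:
    """Per-user record of which resources have been used, and when."""

    def __init__(self, min_events=3, stale_after=timedelta(days=90)):
        self.last_seen = defaultdict(dict)   # user -> {resource: datetime}
        self.events = defaultdict(int)       # user -> number of learned events
        self.min_events = min_events         # assumed cold-start threshold
        self.stale_after = stale_after       # assumed staleness window

    def learn(self, user, resource, ts):
        self.last_seen[user][resource] = ts
        self.events[user] += 1

    def assess(self, user, resource, ts):
        """Return a reason string if the access is atypical, else None."""
        if self.events[user] < self.min_events:
            return "no_baseline"
        seen = self.last_seen[user].get(resource)
        if seen is None:
            return "new_resource"
        if ts - seen > self.stale_after:
            return "stale_resource"
        return None

def authorize(baseline, user, resource, ts, step_up_passed=False):
    """Decide allow or step_up, and whether to alert the user's manager."""
    reason = baseline.assess(user, resource, ts)
    if reason is None or step_up_passed:
        # Learn only from accesses that were actually granted, so repeated
        # unverified attempts cannot teach the baseline a new resource.
        baseline.learn(user, resource, ts)
        return {"action": "allow", "reason": reason, "alert_manager": False}
    return {"action": "step_up", "reason": reason,
            "alert_manager": reason == "new_resource"}

def demo():
    # Constructed history: hypothetical user "jdoe" and resource names.
    b = AccessBaseline()
    t0 = datetime(2016, 6, 1, 9, 0)
    for day in range(5):
        b.learn("jdoe", "hr-portal", t0 + timedelta(days=day))
    b.learn("jdoe", "old-archive", t0 - timedelta(days=200))
    return b, t0 + timedelta(days=6)
```

Because the baseline is updated only on granted access, a resource stays "new" until the user has actually passed the stronger check.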
ACCESS POINTS
Another advantage of mobile-based authentication is that today’s smartphones don’t require any specialized readers or other technology.
Most modern phones, for example, come with several types of wireless connectivity. In addition to voice and data connections to cellular carriers, phones can also connect to local Wi-Fi networks, Bluetooth devices and touch-and-go near-field communication (NFC) readers at point-of-sale terminals for mobile payments. Any one of those channels could also be used to authenticate an employee walking into a building.
For example, in addition to transmitting identity confirmation, an app could use a cellular or Wi-Fi network to send location information that confirms the employee’s GPS coordinates. And Bluetooth and NFC signals could be used to authenticate employees walking through particular doors or accessing individual desktop PCs, servers or other equipment.
“The general trend that we see... is toward more passive, contextual authentication.” — PAUL MADSEN, PING IDENTITY
Mobile authentication could also be used to allow employees to access websites. Today, that is usually done by sending a one-time password to a mobile device, but there are other options. For example, MorphoTrust, which makes 80 percent of the driver’s licenses in the United States, is in the process of launching an eID service that allows users to authenticate themselves to any website by using a credentialed app on their phones to scan a QR code shown on the screen.
Web application developers could have their users download the app to do the phone-based authentication or include the eID technology in their own mobile apps.
MorphoTrust officials are hoping to get enough traction with the system that the eID becomes a ubiquitous form of alternative authentication, just as “sign in with Facebook” and “sign in with LinkedIn” have become.
reported lost or stolen before confirming the user’s identity. MorphoTrust’s eID system also uses driver’s licenses when authenticating users for the first time but without the benefit of an EMV chip. Mark DiFraia, senior director of market development at MorphoTrust USA, said the mobile app works by first having the user scan the bar code on his or her driver’s license. Then the user is asked to flip the license over so the app can see the front. Finally, the user takes a selfie. That picture is compared to the photo on the driver’s license before final approval is granted.
Once the app has authenticated the driver’s licenses, whenever users want to log into a secure government website, they use their smartphones to scan a QR code shown on the computer screen rather than entering a username and password.
The system is currently being tested by the North Carolina Department of Health and Human Services and Department of Transportation and by the departments of revenue in North Carolina and Georgia. The pilots are funded by the National Strategy for Trusted Identities in Cyberspace, a project of the National Institute of Standards and Technology.
— MARIA KOROLOV