For the last two decades, authentication has been limited to the use of static passwords and token/One-Time-Password (OTP)-based solutions.
That limit needs to be lifted in order for businesses to minimize risk; to secure end-users' data, privacy and identity; and to free the mobile computing revolution to meet its lofty expectations. Current authentication techniques can't hit those high-water marks.
In any industry today, enterprise networks are becoming more distributed via the cloud, and the number of users bringing their own devices to work is rapidly increasing. Businesses face a much higher risk of exposure from the dark side of the internet, which is getting more efficient, prevalent and malicious. Stronger authentication is a must.
At the same time, consumers (their customers) are holding their smartphones aloft and taking control of their own IT services. Their expectations for authentication are rising beyond system access. While consumers put convenience first, they also want to protect their privacy, data and identity, and to use their mobile devices to process sensitive transactions such as payments.
Authentication based on inherently insecure user-managed passwords or on tokens/OTPs, which were originally designed for use in an offline world, can no longer deliver on these expectations.
Authentication must move beyond passwords, be smarter than tokens and must protect more than access to services and infrastructure. Because the proliferation of mobile devices has changed the way people connect to services and applications, future authentication services must be mobile-based and implement two key requirements:
Future authentication must smartly cover standard multi-factor authentication (MFA), which is often referred to as out-of-band authentication (i.e. a user requires a second device to authenticate the primary device "out-of-band"). Authentication must be based on the user's context so that it can be relaxed to optimize usability in daily situations (e.g. access via your work laptop from home) or stepped up to limit the user's risk in exceptional situations (e.g. access via an internet cafe from abroad). To achieve this adaptive experience, services must leverage all relevant authentication factors, such as location (where-you-are), devices used (what-you-have), credentials (what-you-know) and man-vs-machine verifications (what-you-are).
More important, future authentication must cover mobile-only transactions. In a mobile world, users accessing a service via a mobile device want to use the same device to authenticate themselves. There is an urgent need for a solution that provides the same high level of security while preserving the flow of the user's interaction with the mobile app. Services must provide virtual out-of-band authentication, validating the same device in different bands. They must break up authentication across several apps to protect against phishing ("two-party-authentication") and enable man-vs-machine authentication ("what-you-are") to ensure trojans cannot take control of the device.
With the acquisition of the Israeli startup accells, Ping has started to deliver on those requirements. Accells has taken a unique approach and was designed around usability, with online and mobile use in mind. Based on patented security and authentication technologies, the accells service is being built on secure smartphone apps and SDKs; a user-centric, reliable and extensible cloud service platform; and service connectors for cloud, VPN, and third-party services. The core accells intellectual property for securing mobile transactions and data access is already patented in the USA, with multiple additional patents pending.