What is Authentication?
Authentication is the process of verifying a user’s identity before providing access to information or permission to operate accounts. This verification can be done based on digital or physical credentials that the user provides upon request. These credentials can then be compared to the existing database or user profile to ensure that the user is who they claim to be.
Why is it necessary?
Conventionally, if you walked into a store or your local bank, chances were that someone would recognize you, ask for identification and verify credentials. Since the storekeeper/teller knew their customers, and most interactions took place in person, verification was sometimes not even necessary. The personal relationship between employee and customer, based largely on trust, would be extended to the workplace.
However, when the world shifted away from paper money to plastic money, new security measures had to be structured and adopted. While such advancements aim at making life easier for humans, they also open up new avenues for misuse and deceitfulness.
Moving closer to the present, the emergence of the world-wide web and e-commerce portals has made digital transactions commonplace. Digital transactions, which eliminate both paper and plastic money, are even more complex in terms of security. In a digital transaction, the user cannot be verified physically. Hence, a need has emerged to validate user identity.
Over the years, many cases of people gaining access to sensitive information to commit financial crimes have taken the world by storm. For instance, a Russian hacker by the name of Roman Seleznev hacked into credit-card servers between 2008 and 2010, and is estimated to have caused upwards of $169 million in damages. Another cyber-criminal, Michael Calce, attacked tech giants like Dell and Amazon at the mere age of 15, causing damages equaling 1.2 billion CAD.
At the very core, these criminals are able to trick the system into believing they have been granted permission/access to critical information. They do this by feigning their identity. Therefore, authentication becomes increasingly important.
While cyber-crime is not limited to financial fraud, the monetary impact of such crimes has provided an incentive to make identification and authentication measures reliable and fail-safe.
Types of Authentication
Over the years, authentication methods have progressed from some basic measures to more complex ones that we use in our daily lives in present times. These measures are so much a part of our routine, that we fail to recognize them as new or different. Nonetheless, much effort goes into ensuring that sensitive data is secure and only authorized users are provided access to it.
Some of these measures, in order of commonality, are –
One of the most basic thresholds created for identity verification, password-based authentication depends on the possession of a unique string of characters. The user has to provide this string in order to access their account, give commands, or edit any details in the database. This unique string for each user/account holder is stored in a separate database in a hashed/encrypted form. (‘Hashing’ is a technical process used to ensure that sensitive data cannot be tampered with.)
Even though there is an innumerable number of unique combinations that can form the password of an individual user, hackers have tried multiple combinations and managed to breach this method when they guessed the right string.
In order to ensure that the strength (or predictability) of a password is not the sole factor in providing access to a user, a second layer of authentication is added. Two-factor Authentication (2FA) bases its verification standard on the provision of a password as well as a unique verification code sent via text. More recently, push notifications have also been used to enable 2FA.
For a long time before the emergence of 2FA, One-time Passwords (OTPs) were the norm. Especially for financial transactions, an OTP, which is a system-generated, random string of characters, was used as an authentication factor. While they are still commonly used today, they are now layered with other forms of verification to ensure complete security. The OTP, as its name suggests, is valid only for one login session/transaction and can only be used one time.
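An added example (not from the original article) of the verification code used in 2FA and the one-time password described above: a system-generated random code that is valid for one session, expires, and is consumed on first use. The class name, the 5-minute validity window and the 3-attempt limit are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300  # assumed validity window
MAX_ATTEMPTS = 3       # assumed guess limit per issued code


class OtpStore:
    """In-memory store of pending one-time passwords, keyed by session id."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # session_id -> [digest, expires_at, attempts_left]

    @staticmethod
    def _digest(session_id, code):
        # Bind the code to its session so it cannot be replayed in another one.
        return hashlib.sha256(f"{session_id}:{code}".encode()).digest()

    def issue(self, session_id):
        # secrets draws from the OS CSPRNG; the random module is predictable.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[session_id] = [
            self._digest(session_id, code),
            self._clock() + OTP_TTL_SECONDS,
            MAX_ATTEMPTS,
        ]
        return code  # delivered out of band (text message or push)

    def verify(self, session_id, submitted):
        entry = self._pending.get(session_id)
        if entry is None:
            return False  # never issued, already used, or burned
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[session_id]
            return False
        ok = hmac.compare_digest(digest, self._digest(session_id, submitted))
        if ok or attempts_left <= 1:
            # Single use: consumed on success, burned after too many misses.
            del self._pending[session_id]
        else:
            entry[2] = attempts_left - 1
        return ok
```

The attempt limit matters because a 6-digit code has only a million possible values; without it, the code could be guessed within its validity window.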
The term “biometric” has been defined as ‘a physical or behavioral characteristic that is unique to an individual and can be used to digitally identify a user’s identity’. While behavioral characteristics can be mimicked, fingerprints, facial features, retina scans and voice are harder to replicate. Despite the uniqueness of these physical characteristics, biometric identification is rarely used as the only factor for authentication. It is generally used for quick-access services, and passwords/OTPs are still necessary for critical services.
Every device has a unique identity attached to it. This ID can be utilized to ensure that the device being used to log in is one that is controlled by the user. However, if a single user has multiple devices, this authentication factor becomes redundant. In another extreme case, if the user has lost a device, or there has been a robbery, this type of authentication can even prove extremely dangerous. This is why 2FA and MFA come into play.
Multi-factor Authentication (MFA) resorts to using more than one credential to verify a user. These factors may include passwords, biometric ID, OTP and/or device identity, or additional possession-based factors like a unique ID/key. While device identity is always one of the factors included, to ensure that the loss of a device doesn’t cause problems, the biometric ID or unique key provides an extra layer of protection.
To override MFA, scammers would not only have to get hold of the device, but also guess passwords and mimic unique factors.
Completely Automated Public Turing test to tell Computers and Humans Apart, or CAPTCHA, is an authentication method that emerged when bots began being used to create click farms. It aims at distinguishing between humans and computers and uses visual distortion to do so. Humans can generally pass the visual challenges while bots cannot.
The role of RPA in Authentication Management
There is no doubt that the digital world has brought with it the need for air-tight security solutions. However, rolling these security measures out introduces a whole wave of challenges.
To elaborate, the quantity of users, devices and accounts continues to expand rapidly. Maintaining a record of every single user, their devices, passwords, and IDs is by no means a small task. Additionally, fetching this information every time a sign-in is attempted, cross-checking it and deciding whether or not access is to be granted is not humanly possible. There are more active users at any given time than there are employees. Even in a situation where there was enough workforce to handle the flow of customers, their responsibility would remain extremely repetitive and non-gratifying.
The current solution to these challenges is Robotic Process Automation. The back-end tasks mentioned above are simple enough to be automated. There is a systematic way in which a digital workforce can manage the maintenance of user profiles, retrieve information, handle triggered messaging and even generate OTPs.
Tasks that can be automated using RPA are –
- User data collection, customer profile formation and addition to centralized database.
- Maintenance of access data and user profiles.
- Merging duplicate profiles, overwriting contradictory information, and flagging discrepancies.
- Periodic update of user information and password/ID related information.
- Generation of randomized unique log-in keys/one-time passwords.
- Periodic reminders for password update.
- Maintenance of data catalogs, password hashes and access certifications.
- Monitoring account usage and activities.
- Expansion of databases with growing users.
Intelligent data catalogs, comprehensive customer profiles and the addition of AI capabilities to RPA simplify these tasks. While some human intervention is required for information-centric decisions, most data-centric tasks can be handed over to bots. Robotic Authentication Management or Robotic Identity and Access Management (IAM) has made user authentication a simpler, more streamlined and less daunting initiative, which is easier to deploy, maintain and run over prolonged periods of time.
Enhanced security is related to better customer experience, extended customer loyalty and better service reputation. Businesses are, therefore, mobilizing intensive cyber-security measures and automating them in order not only to create good customer relationships, but also to save employees from the clutches of a mundane, unsatisfying professional life.