Business must use multi-layer authentication, says Gartner

Most single-layer authentication methods are broken and more are being broken all the time, says Gartner analyst Avivah Litan.

Criminals have demonstrated their ability to bypass authentication methods such as those that use a series of security questions or one-time passcodes, she told the Gartner IAM Summit 2011 in London.

Cybercriminals are using advanced techniques to steal information and cover up their actions, making authentication an increasing challenge, she said, especially in the face of computing paradigms such as virtualisation and cloud computing.

The trend is towards stealthier malware, more identity-related fraud and the increasing use of insiders as a source of sensitive information.

Gartner recommends organisations relying on authenticating users of IT systems build a comprehensive, multi-layer fraud detection and authentication system.

"Organisations need to be able to see activity across all products and channels so that they can identify anomalous or potentially fraudulent behaviour," said Litan.

She says a data warehouse for all identity-related information, combined with data mining tools that look at the relationships between entities, can help organisations identify when, for example, a single phone number is used to set up multiple new accounts.
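The entity-linking check Litan describes can be illustrated in a few dozen lines. The following is an added example, not code from Gartner or from the article: it builds an index from normalised identity attributes (phone number, e-mail address, device identifier) to the accounts that share them, flags any attribute reused across several accounts opened within a short window, and walks the shared-attribute graph to find every account linked to a given one. The account records, field names, thresholds and the seven-day window are all constructed assumptions for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data: new-account applications with identity-related
# attributes. Field names and values are assumptions for this example.
ACCOUNTS = [
    {"account_id": "A1", "phone": "+44 20 7946 0001", "email": "alice@example.com",
     "device": "dev-111", "created": "2011-03-01T09:00:00"},
    {"account_id": "A2", "phone": "+44-20-7946-0001", "email": "bob@example.com",
     "device": "dev-222", "created": "2011-03-02T10:00:00"},
    {"account_id": "A3", "phone": "+44 207946 0001", "email": "carol@example.com",
     "device": "dev-333", "created": "2011-03-03T11:00:00"},
    {"account_id": "A4", "phone": "+44 20 7946 0999", "email": "dave@example.com",
     "device": "dev-333", "created": "2011-03-04T12:00:00"},
    {"account_id": "A5", "phone": "+44 20 7946 0555", "email": "erin@example.com",
     "device": "dev-555", "created": "2011-03-05T08:00:00"},
]


def normalise_phone(phone):
    """Keep digits only so differently formatted copies of one number match."""
    return "".join(ch for ch in phone if ch.isdigit())


def attribute_keys(acct):
    """The (attribute, normalised value) pairs that link this account to others."""
    return [
        ("phone", normalise_phone(acct["phone"])),
        ("email", acct["email"].strip().lower()),
        ("device", acct["device"]),
    ]


def build_entity_index(accounts):
    """Map each (attribute, value) pair to the set of account ids sharing it."""
    index = defaultdict(set)
    for acct in accounts:
        for key in attribute_keys(acct):
            index[key].add(acct["account_id"])
    return index


def find_shared_attributes(accounts, threshold=3, window=timedelta(days=7)):
    """Report attributes reused by at least `threshold` accounts created within `window`.

    Returns a list of {"attribute", "value", "accounts"} dicts, one per flagged value.
    """
    created = {a["account_id"]: datetime.fromisoformat(a["created"]) for a in accounts}
    findings = []
    for (attr, value), ids in build_entity_index(accounts).items():
        if len(ids) < threshold:
            continue
        times = sorted(created[i] for i in ids)
        lo = 0
        for hi in range(len(times)):
            # Sliding window over creation times: shrink from the left until it fits.
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                findings.append({"attribute": attr, "value": value,
                                 "accounts": sorted(ids)})
                break
    return findings


def linked_accounts(accounts, start_id):
    """All accounts reachable from `start_id` through chains of shared attributes."""
    index = build_entity_index(accounts)
    by_id = {a["account_id"]: a for a in accounts}
    seen = {start_id}
    queue = deque([start_id])
    while queue:
        current = queue.popleft()
        for key in attribute_keys(by_id[current]):
            for other in index[key]:
                if other not in seen:
                    seen.add(other)
                    queue.append(other)
    return seen


if __name__ == "__main__":
    for finding in find_shared_attributes(ACCOUNTS):
        print("shared", finding["attribute"], finding["value"], "->", finding["accounts"])
    print("linked to A1:", sorted(linked_accounts(ACCOUNTS, "A1")))
```

In the sample, three accounts reuse one phone number within a week and are flagged, and a fourth is pulled into the same cluster only through a shared device identifier, which is the kind of indirect relationship a warehouse with entity-linking tools surfaces and a per-account check misses. Normalisation before indexing matters: without it, the three spellings of the same number would look like three unrelated applicants.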

According to Litan, the ability to cross-reference identity-related data is achieving returns on investment of up to tenfold for some companies.

Gartner also recommends identifying devices accessing products and services to check whether those devices are linked to any criminal activities.

Added to this, geo-location information, web access behaviour analysis to detect automated sessions, and botnet identification systems can, together with device identification, get rid of a lot of bad traffic before those devices are even allowed access.

Organisations should plan to link to external services, such as credit rating companies and public record aggregators, to support authentication processes and augment identity verification.

This could be done by checking, for example, that identification data matches with address information, that financial details match with demographic information, and that account applicants have a well-established social footprint.

Gartner recommends organisations assess their fraud detection and authentication systems and processes to identify potential gaps and draw up a blueprint of the desired future state.

The next step is to work towards implementing access and behaviour monitoring systems that reference external sources, eventually working towards a layered approach that includes entity-linking analysis.

"It will become increasingly important for organisations to use external data wherever they can to verify identity," says Litan.
