The ideal authentication method marries security and usability. Mobile admins who want to strike this balance can look into direct autonomous authentication.
Direct autonomous authentication uses the real-time data signaling from mobile carriers and mobile devices' built-in SIM cards to deliver a new method of authentication that may be faster and more secure than traditional approaches.
Behind the process
The direct autonomous authentication process begins when a user accesses an online application or website hosted by a direct autonomous authentication subscriber. Averon's tool, for example, determines the user's phone number and matches it to an existing account to confirm the user's identity. As a part of this process, the tool traces data from the mobile device as it enters a mobile tower, using the same technologies to identify the mobile device that the carrier uses.
From there, the tool hashes the phone number to protect the user's identity and then adds a subscriber-specific key to create a unique account identifier. The direct autonomous authentication subscriber uses this identifier to verify that the user's account exists. If this process is successful, the tool logs in the user in milliseconds without requiring any user actions.
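The identifier step described above, sketched as an added example (not Averon's code or part of the original article). The article does not name the construction, so SHA-256 followed by HMAC-SHA256 with the subscriber key is an assumption, as are all function names, keys and the sample number.

```python
from __future__ import annotations

import hashlib
import hmac
import re


def normalize_msisdn(raw: str) -> str:
    """Reduce a phone number to digits so formatting never changes the hash."""
    digits = re.sub(r"\D", "", raw)
    if not 8 <= len(digits) <= 15:  # assumed bounds; E.164 allows at most 15 digits
        raise ValueError("not a plausible phone number")
    return digits


def account_identifier(raw_number: str, subscriber_key: bytes) -> str:
    """Assumed construction: hash the number, then key the digest per subscriber.

    Phone numbers are low-entropy, so the per-subscriber key is what keeps the
    identifier from being identical (and therefore linkable) across subscribers.
    """
    number_hash = hashlib.sha256(normalize_msisdn(raw_number).encode()).digest()
    return hmac.new(subscriber_key, number_hash, hashlib.sha256).hexdigest()


def find_account(identifier: str, accounts: dict[str, str]) -> str | None:
    """Subscriber-side lookup; compare_digest avoids timing differences."""
    for stored_id, account in accounts.items():
        if hmac.compare_digest(stored_id, identifier):
            return account
    return None


# Constructed sample data: two hypothetical subscribers and a fictional number.
KEY_SHOP = b"constructed-key-for-subscriber-shop"
KEY_BANK = b"constructed-key-for-subscriber-bank"
NUMBER = "+1 (555) 010-0199"

# The shop enrolled the same number earlier, written in a different format.
SHOP_ACCOUNTS = {account_identifier("15550100199", KEY_SHOP): "shop-account-42"}

if __name__ == "__main__":
    shop_id = account_identifier(NUMBER, KEY_SHOP)
    bank_id = account_identifier(NUMBER, KEY_BANK)
    print("shop lookup:", find_account(shop_id, SHOP_ACCOUNTS))
    print("bank identifier matches shop's:", shop_id == bank_id)
    print("bank identifier found at shop:", find_account(bank_id, SHOP_ACCOUNTS))
```

The subscriber stores only the keyed identifier, never the phone number, and an identifier issued for one subscriber does not resolve to an account at another.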
Integrating the direct autonomous authentication process into an application or website with the necessary APIs is relatively simple. IT pros only need to add a few lines of code to the application or website.
Direct autonomous authentication vs. multifactor authentication
Common authentication approaches include two-factor and multifactor authentication, which require users to take multiple steps to identify themselves or their devices. For example, a website might require users to provide usernames and passwords when they set up their accounts. On top of this, the site might prompt the user to provide a cell number so it can send the user a text message with a temporary access code.
These methods are better than a username and password alone, but multifactor and two-factor authentication methods have their downsides. They can frustrate or confuse users and take up valuable time -- especially as the number of accounts grows. In addition, users commonly forget or lose their passwords, complicating the login process even more.
Two-factor and multifactor authentication can also introduce security risks. For example, it's possible for hackers to intercept the text message that provides users with a temporary passcode. At the same time, such approaches might not be enough to counter the effect of poor user habits, such as reusing passwords, sharing them or writing them down.
The direct autonomous authentication process addresses both the user experience and security risks that come with legacy authentication methods. Users don't need to provide usernames or passwords, manage passwords for multiple sites, click links, wait for texted passcodes or download special apps. The entire authentication process occurs behind the scenes, invisible to the user.
Because authentication happens behind the scenes, the process is less susceptible to the types of risk posed by other authentication methods, such as text or email intercepts. The direct autonomous authentication process is also impervious to social engineering attacks, such as phishing, and other such threats, because the user never handles a password or passcode for those attacks to target.
The user is never required to provide personally identifiable information. The direct autonomous authentication tool neither collects nor stores personal data, making it easier for the subscriber to address the compliance challenges that come with meeting regulatory standards for online services.
Direct autonomous authentication tools could represent a big step forward in identifying and authenticating mobile users, but the technology isn't mature yet. It's not yet clear what risks and challenges the tool might present over the long term.
For example, what happens if hackers compromise a mobile device or infiltrate a mobile carrier's systems? What about organizations looking for a single identity and access management tool that covers all devices, including those not connected to cellular networks?
How will direct autonomous authentication technology affect the use of third-party DevOps tools or management and monitoring tools?