The expectations of B2B platforms have changed radically over the last ten years. Users have become accustomed to the sophisticated user experience of Amazon, Netflix, and the like in their private lives and expect similarly convenient operation in a professional environment. At the same time, web applications – whether it’s the ERP system of an industrial company, the ordering system of a supplier or the billing software of a healthcare provider – are subject to the highest possible security requirements: if a website grants access to sensitive data, it’s vital to ensure that only clearly identified, authorised persons can log in. At the same time, the stored digital identities of employees and customers also need to be optimally protected against cyberattacks. With the latter in particular, it is not only vital to shield sites against hacking attempts, but also to take into account the human vulnerability component that criminals try to exploit via phishing or social engineering.
One of the most powerful solutions for providing this kind of protection is software-based identity and access management (IAM) systems. They enable companies to centrally and securely manage verified digital identities and their various access authorisations. As the name suggests, IAM consists of two central components: identity management and access management.
Identity management serves to enrich and manage user identities with the corresponding user rights and attributes. Access management secures access to the approved resources; generally, users are not allowed to view and edit all of the information within a system without restrictions. For this reason, identity management matches the defined identities with user rights – also called roles – and thus controls access. In parallel, access management grants or revokes users’ access to digital data, services, and applications in conjunction with identity management.
Identity put to the test
Any IAM system has to be able to check who it has in front of it. The basis for this is the “digital identity” of the user. A person’s identity is unique and unmistakable and is defined by characteristic qualities – the so-called identity attributes. These include physical characteristics such as facial image and fingerprint, but also personal data such as the user’s name, address and date of birth. For example, anyone can verify their identity by presenting an ID card, in order to clearly identify themselves to an organisation such as a public authority.
This principle works the same way with a digital identity, because a “virtual ID card” can be created. Electronic data that characterise a person, such as a user name and password, smart cards, tokens or biometric data, serve as identity attributes. If users want to log into their employer’s ERP system, for example, they need to authenticate themselves using various procedures.
Authentication and authorisation
The first step towards authentication is identification. This means that the user presents proof of a particular identity, which the system must then verify and confirm. The simplest, but unfortunately not the most secure authentication method is the combination of a user ID and password. Modern procedures which use unique biometric features such as fingerprints or facial features (face ID) for authentication are far more secure.
Authentication is followed by authorisation – this means adding authorisation attributes to the identity and the evaluation of these attributes when accessing the service. This step is equally important, enabling functions such as compliance requirements and data protection guidelines to be met at all times. This ensures that users only have access to the specific data they need for their work.
Step-up: an extra step for security
The procedures used for authentication guarantee the highest possible security, but do not do so at the expense of user-friendliness. IAM systems provide a wide range of different login options and use them in a context-based manner. For example, a login via password may be sufficient for an uncritical query. As soon as the security requirements of the service being accessed are higher, an IAM system is able to intervene adaptively and evaluate additional identity attributes – such as the IP address or device location, which should not deviate from the expected values – or guide the user through a step-up process.
This kind of step-up allows users to register a smartphone, for example, and to agree to the evaluation of further characteristics for security purposes. After registering the smartphone, the login can then be carried out simply via an authentication app using face ID or a fingerprint. With this convenient security measure, the need to assign long and complicated passwords is also a thing of the past.
The advantages of modern authentication are also significant in the B2B sector: it not only facilitates access to the company’s site for all user groups, but also greatly increases IT security – for example, by protecting particularly sensitive transactions with additional authentication measures. Passwordless procedures make logging in more convenient than with any other method.
For more information on passwordless authentication using the Nevis Authentication Cloud, see our solution paper.