Wednesday, March 10, 2010
Don’t Put the Key Under the Mat – Authentication AND Encryption Working Together
by Anna Slomovic, Anakam CPO
My colleagues and I often have conversations with organizations that deploy consumer-facing portals and are deciding what level of authentication those portals need. They are trying to determine how authentication "speed bumps" in front of consumers would affect adoption, because they want getting to one's own data to be as easy as possible. The problem, of course, is that making it easy for someone to legitimately get to their data also makes it easier for an impersonator to get to that data by guessing or stealing the access credentials. To counter the various attacks against usernames and passwords, organizations have made the login process harder: passwords have become more complex, additional "security questions" have been added to the process, and some organizations have moved to two-factor authentication, either because regulation requires it or because they judge the risk of unauthorized access to be too high for the type of data they hold.
In spite of the increase in publicized attacks on web sites using guessed or stolen credentials, and in spite of multiple surveys showing that consumers remain concerned about security and privacy online, many consumer-facing organizations are still reluctant to move to stronger authentication. The argument we often hear is that the enterprise does not need strong authentication because data is encrypted in transit between the browser and the server, and because the personal data the enterprise keeps is encrypted in its back-end databases. Many enterprises have adopted "defense-in-depth" security strategies to protect themselves from attack, so why do they also need strong authentication for consumers?
The answer is that once the enterprise accepts a set of login credentials, the rights and privileges attached to those credentials let the user see unencrypted data and perform transactions with it. At consumer-facing sites such as web mail, personal health records, or tax services, that data is the user's own. If the portal also serves users with higher privileges, such as healthcare providers, tax preparers, or the enterprise's own employees, the same login grants access to a far broader data set. Hackers may get only encrypted gibberish by eavesdropping on the transmission, and they may get only encrypted gibberish if they break through the enterprise's "back-door" defenses and copy a database, but if they steal or guess a user's credentials they arrive at the front door with the key: the application decrypts the account's contents for whoever is logged in, and it will also carry out transactions for them. In many cases hackers do not really care whose account they hijack, as long as it gets them into the system and gives them a foothold from which to acquire more rights and privileges. The problem is made worse by the fact that many people reuse the same username (often a publicly known or easily guessed e-mail address) and the same password across many sites. That makes the credentials easier for them to remember, and it makes it very easy for someone who compromises one account to compromise many of their other accounts without additional effort.
Encryption and strong authentication address two different attack vectors. Encryption denies data to anyone who does not hold the keys: an eavesdropper on the wire, or an intruder who breaks in and copies the database. It cannot tell a legitimate user from someone presenting that user's stolen credentials, because the application decrypts on behalf of whoever has logged in. Strong authentication, on the other hand, prevents unauthorized access to data and systems through the use of legitimate credentials by people who are not entitled to them; to do that it has to resist credential theft as well as guessing, which is why a second factor that a stolen password alone cannot satisfy matters. In this sense strong authentication protects the investment in encryption and the other security measures behind it. If you are going to put state-of-the-art locks on your doors, don't leave the key under the mat!
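The argument above can be made concrete with a small model. The following Python is an added example written for this page; it is not code from the original post or from Anakam. It builds a toy portal that hashes passwords, encrypts each user's record at rest with a key held only by the application server, and optionally requires a TOTP code (RFC 6238, computed with the standard library), then shows what three attacker positions obtain: a copy of the database, a guessed password, and a guessed password against an account with a second factor. The portal, user names, records and the HMAC-based stream cipher are all constructed for illustration; the cipher is a stand-in for real at-rest encryption and is not meant for production use.

```python
import hashlib
import hmac
import os
import secrets
import struct
import time

# --- At-rest encryption. Toy HMAC-SHA256 counter-mode stream cipher; an
# illustration stand-in for AES-GCM or a vetted library, not for real use. ---
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key, blob):
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# --- Second factor: TOTP per RFC 6238 (HMAC-SHA1, 30 s step, 6 digits). ---
def totp(secret, now=None, step=30, digits=6):
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Portal:
    """Hypothetical consumer portal: hashed passwords, records encrypted at rest,
    optional TOTP. The record key lives on the app server, not in the database."""

    def __init__(self):
        self._record_key = os.urandom(32)
        self._db = {}        # what a "back-door" intruder could copy
        self._sessions = {}

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password, record, totp_secret=None):
        salt = os.urandom(16)
        self._db[username] = {"salt": salt, "pw_hash": self._hash(password, salt),
                              "totp_secret": totp_secret,
                              "record": encrypt(self._record_key, record.encode())}

    def login(self, username, password, otp=None, now=None):
        row = self._db.get(username)
        if row is None or not hmac.compare_digest(self._hash(password, row["salt"]), row["pw_hash"]):
            return None
        if row["totp_secret"] is not None:          # second factor enrolled
            if otp is None or not hmac.compare_digest(otp, totp(row["totp_secret"], now)):
                return None
        token = secrets.token_hex(16)
        self._sessions[token] = username
        return token

    def get_record(self, token):
        """The front door: whoever holds a valid session gets plaintext."""
        username = self._sessions.get(token)
        if username is None:
            return None
        return decrypt(self._record_key, self._db[username]["record"]).decode()

    def dump_database(self):
        """The back door: what an intruder who copies storage sees."""
        return {u: dict(row) for u, row in self._db.items()}

def scenarios(now=1_000_000.0):
    """Constructed users and records; returns what each attacker position obtains."""
    portal = Portal()
    portal.register("alice", "correct horse", "SSN 000-00-0000, balance 12345")
    bob_secret = os.urandom(20)
    portal.register("bob", "tr0ub4dor", "Diagnosis: none of your business", totp_secret=bob_secret)

    stolen_blob = portal.dump_database()["alice"]["record"]   # break-in: ciphertext only
    tok = portal.login("alice", "correct horse")              # guessed/stolen password
    return {
        "db_dump_contains_plaintext": b"SSN" in stolen_blob,
        "wrong_password_logs_in": portal.login("alice", "wrong") is not None,
        "password_alone_yields_plaintext": portal.get_record(tok),
        "password_alone_beats_2fa": portal.login("bob", "tr0ub4dor", now=now) is not None,
        "password_plus_otp_logs_in":
            portal.login("bob", "tr0ub4dor", otp=totp(bob_secret, now), now=now) is not None,
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result!r}")
```

The point of the model is the asymmetry in `scenarios()`: the intruder with a database copy gets ciphertext, while the attacker with nothing more than alice's password gets the same plaintext alice would, because `get_record` decrypts for any valid session. Enrolling a second factor, as bob has, is what turns a guessed password back into a failed login.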