In security, context matters
November 18, 2013

Boil them down to their essence and passwords are basically keys. They unlock user accounts regardless of who actually enters the login credentials. In some circumstances, this is desirable. A wireless network doesn't care who is accessing it, so long as users provide proper authentication.  

But in many cases, the identity of the individual does matter and passwords alone are not enough. For banking, government services, healthcare and other private issues, access shouldn't be granted to anyone who has the key, because the credentials are supposed to verify a singular user. Context should matter, but all too often, it doesn't. Someone with the right login name and code can get into personal information. There's but a single gateway that's all too easily bypassed by anyone with the know-how. 

Context-aware security
The Guardian recently described this problem as "the security equivalent of putting all your eggs in one basket." Because of this problem, the news provider suggested that online safeguards must be revised to add context to the equation. This means applying multi-factor authentication draws on various sources, like situational information such as the location, time of day or computer used, as a few examples. The password still matters, but the protective measures keeping out intruders care about more than the key. Like a watchman, the technological gatekeeper can see that something's suspicious and either ask for more information or refuse the request for entry. 

Neil MacDonald recently discussed the issue of context-aware security at the Gartner EMEA Security & Risk Management Summit, The Guardian reported. During the event, MacDonald explained that if a bank detects someone logging into an account from thousands of miles away from the user's typical location, at a particularly late hour, on an unfamiliar computer, the system can tell that something might be wrong and block the attempt. 

The advantages to this method are considerable. Easily guessed passwords become less of a liability, because security measures look for more than just the right authentication details. Meanwhile, a data breach at a major company becomes less catastrophic both for the organization and its users. Stolen credentials without the secondary level of identifiers become less useful to cyberthieves. 

Another advantage in these situations is that users are rarely asked for more identification, unless something suspicious occurs. Avoiding complexity is another important consideration for improving security. Automatically detecting contextual clues enables simplicity, and ease-of-use can be particularly important for e-commerce and similar online services. 

As more sophisticated methods for breaking into an account are discovered, organizations will need stronger protections in place. However, The Guardian noted that many companies still use old, relatively unchanged software. Even without more effective means to hack into a system, simply understanding the exploits inherent to legacy technology leaves them vulnerable. Replacing these platforms with modern smart security can minimize the chance of fraud or a breach. 

Improving contextual clues
However, there are some disadvantages to context-aware security. A holiday far from home might look suspicious to the bank or credit card company, and depending on how the institution protects its data, vacationers might find themselves cut off from their accounts and have difficulty restoring their payment cards due to their location. Because of this, authentication that relies on more portable identifiers may be advantageous to both organizations and their members. Smartphones are one of the best personal markers in these circumstances, as they rarely travel far from their owners and they're typically used solely by an individual.