ForgeRock Says IoT is Pushing Security To Become ‘Password-Less’ and More Friction-Free

ForgeRock says it’s finally time to push ‘password-less’ security.  The company is adding push authentication to its identity platform to enable password-less login and frictionless second factor authentication – for devices and human users.

Tags: authentication, ForgeRock, IAM, identity, IoT, login, OAuth, password, push, security, TouchID, wifi,

With billions of Internet of Things (IoT) devices and services coming online, the conventional login-and-password approach to authenticating users and authorizing access to data and services is increasingly becoming impractical, according to one security provider.


ForgeRock, a provider of identity management solutions, is adding push authentication to its identity platform that will support password-less login and frictionless second factor authentication. This will bring a new level of automation to security, and will especially benefit IoT devices as well as millions of conventional ‘human’ end users of web, mobile and cloud apps, according to ForgeRock CEO Mike Ellis.


“With password-less authentication available in the ForgeRock Identity Platform, customers can create highly secure, frictionless user experiences that will delight and engage end users, while keeping the growing number of IoT devices and data out of the wrong hands,” Ellis said.


Ellis also highlighted the need for applying smarter technologies to security. User frustration is a real concern with two-factor authentication. This is a significant barrier for organizations working to create the kind of secure, seamless online experience that users have all come to expect, he elaborated.


ForgeRock is taking a different approach. 


Rather than offer password-less login at the beginning of a session, the approach of some identity management platforms, the ForgeRock Identity Platform invokes password-less, second factor authentication any time during a session should an anomaly occur, Ellis said.


“For instance, if your laptop switches from a secure company wifi network to an unsecure network in a coffee shop, re-authentication would be invoked via a required response to a push notification sent to your phone – through a biometric TouchID, a swipe or other action – in order to maintain access to an online service,” Ellis noted.


This kind of continuous security without passwords delivers a friction-free security experience. It will also prove especially useful beyond end user security encompassing the new demands of securing the Internet of Things business cases, Ellis said. Among them: smart cars, smart home applications, wearables, mobile banking and devices for healthcare and other industries.


ForgeRock’s ‘Password-less’ Authentication is More Secure, Better for Users

ForgeRock’s website provided a technical description of implementation for password-less authentication, and what benefits it offers.

The first authentication step happens via the Internet. The second method is ideally completed over a separate network (out of band), which is what happens with push notifications that travel over the Apple (APNs) or Google (GCM) dedicated notification networks. These steps make it more difficult for potential cybercriminals, who would need to hack into both an individual’s laptop and mobile device to gain access to user data.


Additionally, using push notifications provided through an authenticated mobile app is often dramatically less expensive than conventional token-based approaches, which are notorious for hidden costs associated with deploying hardware and software, token licenses, maintenance and help desk costs.

ForgeRock’s latest update to its identity platform sports other security enhancements:

* Stateless OAuth Token Support - Reduces the complexity of securing hundreds or thousands of microservices and API endpoints using industry standards OAuth2 and OIDC.


* Common Audit Event Handlers for Elasticsearch and JMS - Simplifies the audit and analysis of complex identity activity across all applications and devices, while enabling real-time monitoring of identity activity for better security insight.


* Identity Relationship Visualization - ForgeRock Identity Management users can now visually display all relationships to any given identity through the management console and will be represented in a graph database-style display.


* API Protection (Rate Limiting) - A new Request Throttling filter capability in ForgeRock Identity Gateway regulates traffic volume to ensure consistent levels of service, and reduces the risk of malicious attackers attempting to disrupt a service using DoS-style attacks.


* Encrypted Database Entries - Encrypting data while at rest protects sensitive customer information like account numbers from accidental exposure by administrators and unauthorized users. Distribution of data virtually across public, private and hybrid environments is becoming commonplace, and requires an additional level of data security.

The ForgeRock updates come as more enterprise stakeholders begin to assess how they can employ identity technologies to meet new needs of multiple aspects of the digital business.


Ashley Stevenson, Identity Technology Director in ForgeRock’s office of the CTO, remarked on the scope of identity management during a Federal Executive Forum radio show:

Identity moves from being compliance-driven to driving the key values of the mission - simply because the scope of identity is broad and it’s continuing to get even larger with connected devices. And there is value to be presented around identity to all the different executive audiences. A CFO cares from a financial perspective, from auditability and traceability. A citizen, a customer, care about making their experience and consuming a digital service easier and more transparent, but yet still more secure, but that security being transparent. And of course there’s the value that identity brings from adding security to the internal enterprise and helping to mitigate insider threat, whether intentional or unintentional.