Authentifusion: Clarifying the Future of User Authentication

WEBINAR
AUTHENTIFUSION: CLARIFYING THE FUTURE OF USER AUTHENTICATION
MARCH 2016
MICHAEL THELANDER, Product Marketing Manager, Authentication

Transcript of Authentifusion: Clarifying the Future of User Authentication


Page 2: Authentifusion: Clarifying the Future of User Authentication


Understand Advanced Authentication as a multilayered approach

Understand the critical relationship between Advanced Authentication and Risk

Understand the role of device recognition in a “passwordless” future

Provide a three-step plan to evaluate device-based authentication for your customers


Page 5: Authentifusion: Clarifying the Future of User Authentication

PASSWORDS HAVE BEEN WITH US A LONG TIME
PASSWORDS IN ROMAN GARRISONS

Page 6: Authentifusion: Clarifying the Future of User Authentication

PASSWORDS HAVE BEEN WITH US A LONG TIME
PASSWORDS IN HAMLET

Page 7: Authentifusion: Clarifying the Future of User Authentication

PASSWORDS HAVE BEEN WITH US A LONG TIME
PASSWORDS IN D-DAY, 1944

Page 8: Authentifusion: Clarifying the Future of User Authentication

The credential market is huge

TARGET: 70M
SONY: 10M
EBAY: 145M
ADOBE: 152M
HOME DEPOT: 56M

2014: 675 MILLION RECORDS EXPOSED

IDENTITY THEFT RESOURCE CENTER

Page 9: Authentifusion: Clarifying the Future of User Authentication

2015 adds to 2014’s record

OPM: 22M
ANTHEM: 80M
Experian/T-Mobile: 15M
PREMERA: 11M
PATREON: Unknown (15GB of passwords)

2015: 169 MILLION MORE RECORDS EXPOSED

IDENTITY THEFT RESOURCE CENTER

Page 10: Authentifusion: Clarifying the Future of User Authentication

2015 adds to the record exposures from 2014

NOW 1.2 BILLION CREDENTIALS AVAILABLE ON BLACK MARKET FROM ONE SELLER*

*An active FBI investigation as reported by SC Magazine, November 2015

Page 11: Authentifusion: Clarifying the Future of User Authentication

PASSWORDS ARE INCREASINGLY UNRELIABLE

Consumers have an average of 24 online accounts.

Protected by only 6 passwords.

21GRBlue14
21GRGreen14
21BlackGR14
14PurpleGR21

Page 12: Authentifusion: Clarifying the Future of User Authentication

“In an era in which passwords are generally considered inadequate, at best, it’s easy to understand why many organizations are turning to advanced authentication”

- PwC’s Global State of Information Security 2016

Page 13: Authentifusion: Clarifying the Future of User Authentication

“ADVANCED” ACCORDING TO PwC
USE ANY OF FOUR METHODS … WITH ONE IMPORTANT ADDITION

Devices & Hardware:
PC fingerprint based on JS
Phones & devices with SDKs
Bluetooth & NFC
Consumer IoT
Contextual data (geo, IP, etc.)

Operating System
Hash of fonts
IP Address
Flash execution
Browser version
Plugin inventory
Language
Flash 4-part vers.
Screen Resolution

Hundreds of attributes

Page 14: Authentifusion: Clarifying the Future of User Authentication


One-Time Passwords:
Valid for a session
SMS Text
Push
Mobile token
Mobile “in-app”
Proprietary token
Smart cards

Page 15: Authentifusion: Clarifying the Future of User Authentication


Biometric / Behavior:
Fingerprint scans
Retinal, facial scans
Voice analysis
Brain/heart signals
Behavior patterns

Page 16: Authentifusion: Clarifying the Future of User Authentication


Knowledge:
Secret questions
Captcha
Passwords
Pattern Matching
Local knowledge
Web pictographic

Page 17: Authentifusion: Clarifying the Future of User Authentication


Context / Risk-Aware:
User’s goal & request
Data sensitivity
Geo location
IP Address (real and implied)
Device reputation
Privileged access
Vector (TOR browsers, anonymizers)

Page 18: Authentifusion: Clarifying the Future of User Authentication


Knowledge:
Secret questions
Captcha
User details
Pattern Matching
Local knowledge
Web pictographic

Risk-Aware:
User’s goal & request
Data sensitivity
Geo location
IP Address (real and implied)
Device reputation
Privileged access
Language
Patterns of usage

Page 19: Authentifusion: Clarifying the Future of User Authentication

“Consumers will adopt solutions that ease the burden of remembering passwords or carrying tokens. Authentication must be frictionless and easy to use.”

Suzanne Hall, Managing Director, from PwC’s Global State of Information Security 2016

Page 20: Authentifusion: Clarifying the Future of User Authentication

iovation’s milestones on the road to passwordless

1. IMPROVEMENT: Use device recognition to augment passwords and reduce friction

2. AVOIDANCE: Limit the use of passwords to high-risk transactions and requests only

3. REPLACEMENT: Device-based authentication with context-aware risk assessment becomes the norm

Page 21: Authentifusion: Clarifying the Future of User Authentication

ADVANCED AUTHENTICATION REQUIRES 2 FACTORS
WHY “DEVICE ID” IS THE FOUNDATION OF A PASSWORDLESS FUTURE

Something you KNOW

Something you HAVE

Something you ARE

Page 22: Authentifusion: Clarifying the Future of User Authentication

ADVANCED AUTHENTICATION INCLUDES RISK CONTEXT
WHERE DO WE EXPERIENCE THE GREATEST RISK?

WEBSITE

Page 23: Authentifusion: Clarifying the Future of User Authentication

RISK IN CONTEXT
WITH DIFFERENT AUTHENTICATION METHODS

Page 24: Authentifusion: Clarifying the Future of User Authentication

DEVICE AUTHENTICATION WORKFLOW

DEVICE ID

GEO LOCATION

DEVICE INTEGRITY

ADDITIONAL DEVICE CONTEXT

ASSOCIATIONS & REPUTATION

USER ACCESS

Page 25: Authentifusion: Clarifying the Future of User Authentication


+10 SCORE

LOW RISK = Frictionless Consumer Experience

SHOPPING, RESOURCES, NEWS

Page 26: Authentifusion: Clarifying the Future of User Authentication


0 SCORE

MEDIUM RISK = Moderate Friction

USERNAME & PASSWORD

Page 27: Authentifusion: Clarifying the Future of User Authentication


-10 SCORE

HIGH RISK = Step-Up Authentication

FRAUD TEAM

Page 28: Authentifusion: Clarifying the Future of User Authentication


+10 SCORE: LOW RISK = Frictionless Consumer Experience
0 SCORE: MEDIUM RISK = Moderate Friction
-10 SCORE: HIGH RISK = Step-Up Authentication

CREDENTIAL INPUT

SHOPPING, RESOURCES, NEWS

USERNAME & PASSWORD

Page 29: Authentifusion: Clarifying the Future of User Authentication

DEVICE CHANGE TOLERANCE
WHAT ABOUT NATURAL DAY-TO-DAY CHANGES?

FONTS, BROWSER, LOCATION

EXPECTED

NOT EXPECTED

UPDATED BROWSER

-12 BROWSER REGRESSION

+1 LIMITED TRAVEL

MULTIPLE TIME ZONES IN 1 HOUR

Page 30: Authentifusion: Clarifying the Future of User Authentication

ELASTIC DEVICE MATCHING

MINIMUM THRESHOLD

MAXIMUM THRESHOLD

PRECISE MATCH
Device Type: MACBOOK PRO
Operating System: OS X Yosemite
IP Address: 22.231.113.64
Browser: Safari 8.0.2
Language: English
Screen Resolution: 2880 x 1800

FUZZY MATCH
Device Type: MACBOOK PRO
Operating System: OS X Yosemite or later
IP Address: Similar Location
Browser: Safari 8.0.2 or later
Language: English
Screen Resolution: 2880 x 1800

Page 31: Authentifusion: Clarifying the Future of User Authentication

HISTORICAL REPUTATION

SECURITY RISK INDICATORS

LINKS AND ASSOCIATIONS

ANOMALOUS BEHAVIOR

AUTHORIZED FOR ACCOUNT


Page 35: Authentifusion: Clarifying the Future of User Authentication

A Three-step Plan to evaluate iovation’s Customer Authentication for your sites

1. For brand managers, product owners, or web experience managers, understand where the greatest risk is in your site

2. Understand what benefits would be realized if your customers experienced less friction

3. Assess the impact of a device-based alternative to your current methods of authentication

Page 36: Authentifusion: Clarifying the Future of User Authentication

iovation’s Customer Authentication service wins “Best Multi-factor Authentication Solution” in Cyber Defense Magazine’s 2016 Editor’s Choice Awards

Page 37: Authentifusion: Clarifying the Future of User Authentication

CONTACT US

Michael Thelander, Product Marketing Manager, Authentication

www.iovation.com
twitter.com/iovation

[email protected]
+1 503-224-6010