FIDO Authentication Opportunities in Healthcare


Transcript of FIDO Authentication Opportunities in Healthcare

Quality health plans & benefits | Healthier living | Financial well-being | Intelligent solutions

Abbie Barbir, Aetna Global Security

FIDO Opportunities in Healthcare

May 2017

© 2017 Aetna Inc.

Our Mission

Allow Aetna to establish a digital competitive advantage by equipping Aetna web and mobile applications with an unparalleled set of behavioral and biometric authentication technologies in a manner that empowers a world-class user experience and assures the integrity and confidentiality of member data.

• Improved User Experience

• Reduced Risk

• Reduced Cost

2


What is Next Generation Authentication?

3

The Objective: Implement world-class capabilities to reduce risk and enable a frictionless user experience.

Key Features

• Password elimination/reduced reliance

• Multimodal user authentication

• Context aware access control

• Real-time behavior analysis

• Continuous authentication

• Dynamic Authentication Assurance Levels (LOA)

• Use across applications and devices

NGA is driving a paradigm shift in mobile & web authentication


Key Drivers: Evolving user experience

4

Identity & Access Management is Evolving

From: Providing the right access to legitimate users at the right time

To: Providing the best user experience to legitimate users and their things at the right location & time

Binary Authentication Creates a Poor User Experience

• User frustration

• Forgotten passwords interrupt interactions

• Reuse & abandonment

• Difficult to remember

• Provide a conduit to member account compromise

2FA and Other Mechanisms are Imperfect, Provide Poor User Experience and Suffer from Low Consumer Adoption


Key Drivers: Member protection & fraud prevention

5

Phishing is Incredibly Effective

• Phishing is a component of 95% of incidents involving nation-state threat actors

• 100 million phishing messages distributed every day

• Median time-to-first-click: 1 minute 22 seconds across all campaigns

• $2B in business impact annually

Healthcare Organizations & Consumers are an Increasing Target for Fraud

• Sophisticated & targeted attacks from nation-state & crime syndicates

• Account takeover

• Fraudulent registration

• Payment Account Fraud

• Claims Fraud

PHI & PII Have Value on the Dark Web

• 2016 – $0.50 to $1.00 per record

• Readily available records provide a conduit for account takeover

• Increasing market value drives threat actors to target individual accounts for PII/PHI harvesting

*Source: EY


Authentication is no longer an event…it is integrated into the application

6

The way you use an application is a better indicator of who you are than knowledge of a password

In the past, authentication has been a single event, taking place only when an application is launched. Moving forward, authentication is continuous and integrated natively into application interactions:

• Continuous Behavioral Authentication

• Biometric Authentication

• Continuous Contextual Authentication


Breaches that made the headlines

7


Aetna NGA’s core building blocks

11

Diagram labels: Backend Analytics & Risk Engine; LOA; Real-Time (RT) Authorization; Control / Monitor; Prevent @ Inception; Cognitive & Device Biometrics; Decentralized Authentication

Aetna Authentication Hub

Device stores biometric and validates it locally (no central database)

Examples: swipe speed, geolocation, typical application usage patterns

Integrate authentication events into the user experience (not binary)

Big data analytics create a risk score for that user/device combination

• Adaptive

• Continuous

• Behavioral

• Analytics


NGA: Design principles

9

• Based on Open Specifications (e.g. FIDO)

• Easy SDK integration for web and mobile

• NGA’s centralized authentication hub provides centralized analysis and decision making across all NGA applications

• API-based architecture

• Lightweight and efficient

• Device and platform portability

• Flows and interactions designed to reduce friction and improve user experience

• Eliminate fraud through increased friction for threat actor interactions

• Support for dynamic authentication through LOA


NGA: Mobile offering

10

NGA’s mobile integration capabilities provide a mechanism for implementing consumer accepted and expected authentication capabilities in a manner that:

• Transparently and continuously authenticates the device and user

• Improves security and reduces the risk of fraud

• Removes barriers to application access

…while improving the user experience

Reduced reliance on passwords through enhanced user & device authentication

Continuous Behavioral Authentication (e.g. swipe attributes)

Continuous Contextual Authentication (e.g. geolocation)

Biometric Integration

Designed in alignment with FIDO Standards


NGA: Mobile user experience example

11

Enrollment

Subsequent App Usage

• Behavioral & contextual attributes collected continuously

• Centralized authentication hub makes ongoing authentication decisions


NGA: Web offering

12

Reduced reliance on passwords through enhanced user & device authentication

Browser & System Fingerprinting for each session improves security & usability

Associate members & their devices through Device Binding to improve user experience & security

Eliminates risk of impersonation, account takeover, and registration fraud

NGA’s web integration capabilities provide a mechanism for implementing consumer accepted and expected authentication capabilities in a manner that:

• Improves member data security

• Reduces the risk of fraud

…while improving the user experience


NGA: Web user experience example

13

Let’s follow Aetna Member Pam as she uses an Aetna web application with NGA

Pam accesses her online Aetna account for the first time. Because she is using this system for the first time, she completes an easy verification process via SMS or email.

Following validation, the NGA Authentication Hub adds her computer to her profile, along with the other devices she uses. She will not be prompted again from this computer.

Hacker Harold later tries to gain access to Pam’s account.

Hacker Harold is unable to gain access to the account: the NGA Authentication Hub identified that his system is not part of Pam’s profile, and he does not have access to Pam’s email or cell phone.

Pam is comfortable with this process, as it is similar to what she is used to for the Financial Services organizations she has accounts with, and aligns with her data protection expectations.
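The device-binding decision in Pam’s story (known device passes, unknown device triggers an out-of-band confirmation, a device is bound only after that confirmation succeeds) can be sketched as a small state machine. The following Go program is an added example written for this transcript; it is not Aetna’s NGA Authentication Hub code, and the `Hub`, `Access` and `Verify` names, the six-digit confirmation code and the device fingerprints are all constructed assumptions. Delivery of the code by SMS or email is outside the program: `Access` returns the code only so a caller can route it to the member’s phone or mailbox.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"math/big"
)

// Decision is the hub's answer for one access attempt.
type Decision int

const (
	Allow  Decision = iota // device already bound to the member's profile
	StepUp                 // unknown device: member must confirm via an out-of-band code
	Deny                   // confirmation failed or was never completed
)

func (d Decision) String() string {
	switch d {
	case Allow:
		return "Allow"
	case StepUp:
		return "StepUp"
	}
	return "Deny"
}

// Profile holds the devices bound to a member (as fingerprint hashes, so the raw fingerprint
// is not retained) and the out-of-band code pending for the current attempt.
type Profile struct {
	devices map[string]bool
	pending string // assumption: sent to the member by SMS or email, never shown on the page
}

// Hub is a hypothetical stand-in for the authentication hub's device-binding logic.
type Hub struct{ profiles map[string]*Profile }

func NewHub() *Hub { return &Hub{profiles: map[string]*Profile{}} }

func (h *Hub) profile(member string) *Profile {
	p, ok := h.profiles[member]
	if !ok {
		p = &Profile{devices: map[string]bool{}}
		h.profiles[member] = p
	}
	return p
}

func fingerprintHash(fp string) string {
	sum := sha256.Sum256([]byte(fp))
	return hex.EncodeToString(sum[:])
}

// newCode returns a random six-digit confirmation code from the OS CSPRNG.
func newCode() string {
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000))
	if err != nil {
		panic(err) // no usable entropy: fail closed rather than issue a guessable code
	}
	return fmt.Sprintf("%06d", n.Int64())
}

// Access is called when a session starts. A bound device is allowed straight through; an
// unknown device gets a StepUp and a fresh code for the caller to deliver out of band.
func (h *Hub) Access(member, fingerprint string) (Decision, string) {
	p := h.profile(member)
	if p.devices[fingerprintHash(fingerprint)] {
		return Allow, ""
	}
	p.pending = newCode()
	return StepUp, p.pending
}

// Verify checks the code the member typed. A correct code binds the device so the member is
// not prompted from it again; a wrong or missing code denies and discards the pending code,
// so every issued code gets exactly one guess.
func (h *Hub) Verify(member, fingerprint, code string) Decision {
	p := h.profile(member)
	expected := p.pending
	p.pending = "" // single use, whatever the outcome
	if expected == "" || subtle.ConstantTimeCompare([]byte(expected), []byte(code)) != 1 {
		return Deny
	}
	p.devices[fingerprintHash(fingerprint)] = true
	return Allow
}

func main() {
	h := NewHub()
	d, code := h.Access("pam", "pam-home-laptop") // constructed fingerprint values
	fmt.Println("Pam, first visit:", d)
	fmt.Println("Pam enters the code:", h.Verify("pam", "pam-home-laptop", code))
	d, _ = h.Access("pam", "pam-home-laptop")
	fmt.Println("Pam, later visit:", d)
	d, _ = h.Access("pam", "harold-machine")
	fmt.Println("Unknown device:", d)
	fmt.Println("Unknown device, wrong code:", h.Verify("pam", "harold-machine", "000000"))
}
```

The design point is that the fingerprint is only a lookup key, never the gate: a browser or system fingerprint can be copied, so a device is trusted solely because a code that went to the member’s own phone or mailbox came back. The pending code is cleared on any outcome, which keeps one issued code from being guessed repeatedly.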


FIDO modern authentication

14

Diagram labels: IMPLICIT AUTHENTICATION; EXPLICIT AUTHENTICATION

• MUST eliminate symmetric shared secrets

• Address poor user experiences and friction

• FIDO is a building block

− complements federation solutions

Impact

• Identity binding is essential

• Strong identity proofing a must

Source: FIDO
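“Eliminate symmetric shared secrets” is the concrete property that separates FIDO from passwords and OTP seeds: the relying party stores only a public key, and each login is a signature over a fresh challenge plus the origin the client was actually talking to. The Go program below is an added example for this transcript, not code from Aetna or the FIDO Alliance; it is a simplified model of a FIDO2/WebAuthn registration and assertion (no authenticator data, signature counter or attestation, and `ClientData` is a stand-in for clientDataJSON). The `RelyingParty`, `Authenticator`, `Register`, `BeginLogin`, `Assert` and `FinishLogin` names and the `https://member.example` origin are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Credential is all the relying party stores per user: a public key, which cannot be used to log in if stolen.
type Credential struct{ pub *ecdsa.PublicKey }

// RelyingParty is a hypothetical server; Origin is the HTTPS origin it expects clients to use.
type RelyingParty struct {
	Origin     string
	creds      map[string]Credential // user -> registered public key
	challenges map[string][]byte     // user -> outstanding single-use challenge
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, creds: map[string]Credential{}, challenges: map[string][]byte{}}
}

// Authenticator models the device-side key holder; its private key never leaves the device.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// ClientData stands in for WebAuthn's clientDataJSON; Assertion is the authenticator's signed reply.
type ClientData struct{ Challenge []byte; Origin string }
type Assertion struct{ Client ClientData; Sig []byte }

// digest is what the authenticator signs: origin, a separator byte, then the challenge.
func digest(cd ClientData) []byte {
	h := sha256.New()
	h.Write([]byte(cd.Origin))
	h.Write([]byte{0})
	h.Write(cd.Challenge)
	return h.Sum(nil)
}

// Register generates a keypair on the authenticator; the relying party keeps only the public half.
func Register(rp *RelyingParty, user string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.creds[user] = Credential{pub: &priv.PublicKey}
	return &Authenticator{priv: priv}, nil
}

// BeginLogin issues a fresh random challenge and remembers it for the user.
func (rp *RelyingParty) BeginLogin(user string) ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.challenges[user] = ch
	return ch, nil
}

// Assert signs the challenge together with the origin the client actually observed.
func (a *Authenticator) Assert(challenge []byte, observedOrigin string) (Assertion, error) {
	cd := ClientData{Challenge: challenge, Origin: observedOrigin}
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest(cd))
	return Assertion{Client: cd, Sig: sig}, err
}

// FinishLogin accepts an assertion only if the challenge is the one outstanding for the user
// (consumed here, so it cannot be replayed), the origin is the relying party's own, and the signature verifies.
func (rp *RelyingParty) FinishLogin(user string, as Assertion) error {
	cred, ok := rp.creds[user]
	if !ok {
		return fmt.Errorf("unknown user %q", user)
	}
	expected, ok := rp.challenges[user]
	delete(rp.challenges, user)
	if !ok || subtle.ConstantTimeCompare(expected, as.Client.Challenge) != 1 {
		return fmt.Errorf("challenge missing, stale or mismatched")
	}
	if as.Client.Origin != rp.Origin {
		return fmt.Errorf("origin %q is not %q", as.Client.Origin, rp.Origin)
	}
	if !ecdsa.VerifyASN1(cred.pub, digest(as.Client), as.Sig) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

func main() {
	rp := NewRelyingParty("https://member.example") // constructed origin
	auth, _ := Register(rp, "pam")
	ch, _ := rp.BeginLogin("pam")
	as, _ := auth.Assert(ch, "https://member-example.invalid") // client was on a lookalike origin
	fmt.Println("assertion relayed from another origin:", rp.FinishLogin("pam", as))
}
```

Two checks in `FinishLogin` carry the phishing resistance the deck asks for: the signed origin must equal the relying party’s own, so a challenge relayed through a lookalike site produces an assertion the real site rejects, and the challenge is deleted before verification, so a captured assertion is worthless a second time. What the model does not solve is the deck’s next point: nothing here proves that the person registering the key is the member, which is why identity binding and proofing remain essential.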


Federation

15

Diagram labels: First Mile (NO PASSWORDS; Complicated Authentication); Second Mile (FEDERATION: SAML, OAuth, OpenID Connect)

• Standards are catching up on mile one

• Mile two is getting more mature

• Federation needs improvement

• No prior relationship

• SAML: Dynamic AuthN/Z

• OAuth, OIDC dynamic endpoint

• Blockchain opportunity

• How about identity assurance?

− Poorly deploying strong authentication is the same as weak authentication

• FIDO solves the PW problem but mandates better identity binding at the relying party

• Proper identity vetting/proofing becomes essential


Issue to consider

16

Identity proofing and account recovery

Account Login Current Pain Points

• I forgot my password

• I cannot find/lost my phone

• I am locked out of my account

Account Recovery Options

• KBA (static and/or dynamic)

• Email account (compromised)

− Password reset link

− Or a new password

− Enrolling back in FIDO

Identity Proofing

• Binding a FIDO authenticator to a user account on a relying party requires performing an identity vetting step

− Trust anchor (aka bootstrapping problem)

• Currently pre-established authenticators are used as anchors of trust (such as passwords)

Online identity proofing is challenging and still relies on something “you know”


Questions

Thank you