Abbie Barbir, Aetna Global Security
FIDO Opportunities in Healthcare
May 2017
© 2017 Aetna Inc.
Our Mission
Allow Aetna to establish a digital competitive advantage by equipping Aetna web and mobile applications with an unparalleled set of behavioral and biometric authentication technologies in a manner that empowers a world-class user experience and assures the integrity and confidentiality of member data.
• Improved User Experience
• Reduced Risk
• Reduced Cost
What is Next Generation Authentication?
The Objective: Implement world-class capabilities to reduce risk and enable a frictionless user experience.
Key Features
• Password elimination/reduced reliance
• Multimodal user authentication
• Context aware access control
• Real-time behavior analysis
• Continuous authentication
• Dynamic Authentication Assurance Levels (LOA)
• User recognized across applications and devices
NGA is driving a paradigm shift in mobile & web authentication
Key Drivers: Evolving user experience
Identity & Access Management is Evolving
From: Providing the right access to legitimate users at the right time
To: Providing the best user experience to legitimate users and their things at the right location & time
Binary Authentication Creates a Poor User Experience
• User frustration
• Forgotten passwords interrupt interactions
• Reuse & abandonment
• Difficult to remember
• Provide a conduit to member account compromise
2FA and Other Mechanisms are Imperfect, Provide Poor User Experience and Suffer from Low Consumer Adoption
Key Drivers: Member protection & fraud prevention
Phishing is Incredibly Effective
• Phishing is a component of 95% of incidents involving nation-state threat actors
• 100 million phishing messages distributed every day
• Median time-to-first-click: 1 minute 22 seconds across all campaigns
• $2B in business impact annually
Healthcare Organizations & Consumers are an Increasing Target for Fraud
• Sophisticated & targeted attacks from nation-state & crime syndicates
• Account takeover
• Fraudulent registration
• Payment Account Fraud
• Claims Fraud
PHI & PII Have Value on the Dark Web
• 2016: $0.50 to $1.00 per record
• Readily available records provide a conduit for account takeover
• Increasing market value drives threat actors to target individual accounts for PII/PHI harvesting
*Source: EY
Authentication is no longer an event…it is integrated into the application
In the past, authentication has been a single event, taking place only when an application is launched.
The way you use an application is a better indicator of who you are than knowledge of a password.
Moving forward, authentication is continuous and integrated natively into application interactions:
• Continuous Behavioral Authentication
• Biometric Authentication
• Continuous Contextual Authentication
Aetna NGA's core building blocks
[Diagram: Aetna Authentication Hub at the center, surrounded by Backend Analytics & Risk Engine, LOA, Real-Time (RT) Authorization, Control, Monitor, Prevent @ Inception, Cognitive & Device Biometrics, and Decentralized Authentication]
• Device stores the biometric and validates it locally (no central database)
• Examples: swipe speed, geolocation, typical application usage patterns
• Integrate authentication events into the user experience (not binary)
• Big data analytics create a risk score for that user/device combination
• Adaptive • Continuous • Behavioral • Analytics
NGA: Design principles
• Based on Open Specifications (e.g. FIDO)
• Easy SDK integration for web and mobile
• NGA’s centralized authentication hub provides centralized analysis and decision making across all NGA applications
• API-based architecture
• Lightweight and efficient
• Device and platform portability
• Flows and interactions designed to reduce friction and improve user experience
• Eliminate fraud through increased friction for threat actor interactions
• Support for dynamic authentication through LOA
NGA: Mobile offering
NGA’s mobile integration capabilities provide a mechanism for implementing consumer accepted and expected authentication capabilities in a manner that:
• Transparently and continuously authenticates the device and user
• Improves security and reduces the risk of fraud
• Removes barriers to application access
…while improving the user experience
• Reduced reliance on passwords through enhanced user & device authentication
• Continuous Behavioral Authentication (e.g. swipe attributes)
• Continuous Contextual Authentication (e.g. geolocation)
• Biometric Integration
Designed in alignment with FIDO Standards
NGA: Mobile user experience example
Enrollment, then subsequent app usage:
• Behavioral & contextual attributes collected continuously
• Centralized authentication hub makes ongoing authentication decisions
NGA: Web offering
NGA’s web integration capabilities provide a mechanism for implementing consumer accepted and expected authentication capabilities in a manner that:
• Improves member data security
• Reduces the risk of fraud
…while improving the user experience
• Reduced reliance on passwords through enhanced user & device authentication
• Browser & System Fingerprinting for each session improves security & usability
• Associate members & their devices through Device Binding to improve user experience & security
• Eliminates risk of impersonation, account takeover, and registration fraud
NGA: Web user experience example
Let’s follow Aetna member Pam as she uses an Aetna web application with NGA.
Pam accesses her online Aetna account for the first time. Because she is using this system for the first time, she completes an easy verification process via SMS or email.
Following validation, the NGA Authentication Hub adds her computer to her profile, along with the other devices she uses. She will not be prompted again from this computer.
Hacker Harold later tries to gain access to Pam’s account. Harold is unable to gain access: the NGA Authentication Hub identifies that his system is not part of Pam’s profile, and he does not have access to Pam’s email or cell phone.
Pam is comfortable with this process, as it is similar to what she is used to from the Financial Services organizations she has accounts with, and it aligns with her data protection expectations.
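The device-binding flow in Pam's story, as an added illustration that is not Aetna's code: an unknown browser/system fingerprint triggers an out-of-band one-time code, a correct code binds the device to the member's profile, and later logins from a bound device pass without a prompt. The store names (PROFILES, PENDING, HUB_TTL_SECONDS) and the fingerprint attributes are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set, Tuple

# Constructed in-memory stores standing in for the hub's profile database;
# these names are hypothetical, not Aetna's.
PROFILES: Dict[str, Set[str]] = {}                       # member -> bound device fingerprints
PENDING: Dict[Tuple[str, str], Tuple[str, float]] = {}   # (member, fp) -> (code, expiry)
HUB_TTL_SECONDS = 600                                    # one-time code lifetime


def fingerprint(attrs: Dict[str, str]) -> str:
    """Hash canonicalised browser/system attributes into a stable device identifier."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()


def evaluate_login(member: str, attrs: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Hub decision for one login attempt.

    Returns ('allow', None) when the device is already bound to the member's
    profile, or ('verify', code) when it is not. The code is returned only so
    the caller can hand it to the member's registered SMS/email channel; it is
    never shown to the unverified browser.
    """
    fp = fingerprint(attrs)
    if fp in PROFILES.get(member, set()):
        return "allow", None
    code = f"{secrets.randbelow(10**6):06d}"             # six-digit one-time code
    PENDING[(member, fp)] = (code, time.time() + HUB_TTL_SECONDS)
    return "verify", code


def complete_verification(member: str, attrs: Dict[str, str], code: str) -> bool:
    """Bind the device only if an unexpired challenge exists for this exact
    device and the code matches; each challenge allows a single attempt."""
    key = (member, fingerprint(attrs))
    pending = PENDING.pop(key, None)                     # consume the challenge
    if pending is None:
        return False
    expected, expiry = pending
    if time.time() > expiry or not hmac.compare_digest(code, expected):
        return False
    PROFILES.setdefault(member, set()).add(key[1])
    return True
```

A challenge is keyed by member and device, so a failed guess from a second system cannot invalidate or reuse the challenge issued to the member's own computer.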
FIDO modern authentication
[Diagram: Implicit Authentication vs. Explicit Authentication]
• MUST eliminate symmetric shared secrets
• Address poor user experiences and friction
• FIDO is a building block
  − complements federation solutions
Impact
• Identity binding is essential
• Strong identity proofing a must
Source: FIDO
Federation
[Diagram: First Mile (Complicated Authentication, No Passwords) and Second Mile (Federation: SAML, OAuth, OpenID Connect)]
• Standards are catching up on mile one
• Mile two is getting more mature
• Federation needs improvement
• No prior relationship
• SAML: dynamic AuthN/Z
• OAuth, OIDC: dynamic endpoints
• Blockchain opportunity
• How about identity assurance?
  − Poorly deploying strong authentication is the same as weak authentication
• FIDO solves the password problem but mandates better identity binding at the relying party
• Proper identity vetting/proofing becomes essential
Issues to consider
Identity proofing and account recovery
Account Login Current Pain Points
• I forgot my password
• I cannot find/lost my phone
• I am locked out of my account
Account Recovery Options
• KBA (static and/or dynamic)
• Email account (may itself be compromised)
  − Password reset link
  − Or a new password
  − Enrolling back in FIDO
Identity Proofing
• Binding a FIDO authenticator to a user account on a relying party requires performing an identity vetting step
  − Trust anchor (aka the bootstrapping problem)
• Currently pre-established authenticators are used as anchors of trust (such as passwords)
Online identity proofing is challenging and still relies on something “you know”