Just Enough Authentication
Making the authentication journey frictionless
Diane Joyce
Matakite
A bit about me
Programmer Analyst/Programmer Project Manager System Designer Architect – Integration/Solution/Enterprise
Identity Consultant
Diane Joyce - Matakite 2
Just enough authentication
• With Big Data, smart devices and the rapid evolution of biometrics, the current one-size-fits-all authentication model should be dead.
• In today's digital world the customer has high expectations and low brand loyalty; the winner is always the organisation that makes it easy but retains the security.
• Sometimes referred to as Frictionless or Zero Touch authentication; I think of it as ‘just enough authentication’ to avoid risk whilst retaining the customer. It could also be referred to as Just in Time Authentication.
• Remove or minimise the inputs a customer needs to provide to authenticate themselves
• Apply a risk-based model to determine when to apply additional authentication
• Authentication now becomes a key part of the UX journey and not a bolt-on at the front
Risk Based Authentication Principles
• Aim for as little customer input as possible
• Throw away the concept of one-size-fits-all authentication
• Determine the risk model on a transactional basis
• We own cyber security, not the customer
• Redesign your transactions to be flexible
• Use the same model for internal and external authentications
As little data input as possible
• Aim to have the customer only provide credential information as and when needed
• The less that is provided, the less there is to compromise
• Don’t always use the same credential sets
• Have lots of options and mix them up
• Use point and click as much as possible
Categorise the risk
• Could be data, could be value
• If you steal my name and address from a website, not so great, but this data is pretty freely available
• If you steal my name, address and date of birth, I’m a bit more concerned, but this data is still quite freely available
• If you steal ALL my login credentials and, like 80% of people, I used the same passwords on various sites, then I’m concerned
• If you lock me out of my account when I need it, I’m annoyed
• If you steal my money, now I’m unhappy
Create multifactor authentication tokens at registration
• Don’t restrict this to 2 factor, capture as much as possible
• Some is provided by the customer
  ◦ Password
  ◦ Memorable word/picture
  ◦ Device for OTP or authenticator app
  ◦ Fingerprint
  ◦ Voice
  ◦ Facial recognition
  ◦ Ear print
  ◦ Signature
• Some we can capture with customer consent but without customer input
  ◦ Device information including UID, virus status, security apps
  ◦ Location
  ◦ Typing pattern analysis
  ◦ Pointing device pattern analysis
  ◦ Gait analysis
  ◦ Device location history
  ◦ Device usage history
  ◦ Device proximity
  ◦ Network connectivity
We own cyber security
• We are the experts
• Expecting the customer to be aware of and up to date with cyber security is not feasible
• We can guide them to a more secure experience
• BYOD, Cloud, SaaS and IDaaS change the traditional security perimeter; we need to secure from the endpoint through to the data sources
• Big data offers a valuable resource for identifying threats in both real-time and post-event analysis
• Understanding device vulnerability is critical
Make the transaction digital
• The risk model dictates
  ◦ The authentication required
  ◦ The data shown on the screen
  ◦ The transactions available
  ◦ The action to take
• Risk models change, products change, security models change, and they need to be designed flexibly
• Use rules-based workflow
• Use dynamic screens to show only the data applicable to the risk model AND the authentication level
• It’s not a standalone design; include it in both the UX and security design.
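A rules-based step-up decision of the kind this slide describes, as an added example that is not part of the original deck. The transaction names, rule names, levels, field lists and the sample customer profile are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Customer-provided credentials each transaction needs before it proceeds.
# 0 means silent signals (device, location) suffice. All values are assumed.
BASE_LEVEL = {"view_balance": 0, "pay_existing_payee": 1, "pay_new_payee": 2}
# Validated credentials required before a screen field is rendered (assumed).
FIELD_LEVEL = {"balance": 0, "account_number": 1, "payee_list": 1, "limits": 2}
MAX_LEVEL = 3  # anything above this is handed to the risk process


@dataclass(frozen=True)
class Context:
    transaction: str
    device_id: str
    country: str
    amount: float = 0.0
    known_devices: frozenset = frozenset()
    usual_countries: frozenset = frozenset()
    usual_max_amount: float = 0.0
    enrolled: tuple = ()       # credentials captured at registration
    validated: tuple = ()      # credentials already validated this session
    last_challenge: str = ""   # credential requested last time


# Rule = (name, predicate, extra credentials demanded when it fires).
RULES = [
    ("new_device", lambda c: c.device_id not in c.known_devices, 1),
    ("unusual_location", lambda c: c.country not in c.usual_countries, 1),
    ("unusual_amount", lambda c: c.amount > c.usual_max_amount, 1),
]


@dataclass(frozen=True)
class Decision:
    action: str                # "allow", "step_up" or "refer"
    request: tuple = ()        # credentials to ask for now
    reasons: tuple = ()        # rules that fired, for audit and tuning
    fields: tuple = ()         # data the screen may render


def visible_fields(ctx):
    """Show only the fields the current authentication level permits."""
    have = len(ctx.validated)
    return tuple(f for f, level in FIELD_LEVEL.items() if level <= have)


def decide(ctx):
    if ctx.transaction not in BASE_LEVEL:          # fail closed on unknown input
        return Decision("refer", reasons=("unknown_transaction",))
    fired = [(name, bump) for name, pred, bump in RULES if pred(ctx)]
    reasons = tuple(name for name, _ in fired)
    needed = BASE_LEVEL[ctx.transaction] + sum(bump for _, bump in fired)
    if needed > MAX_LEVEL:
        return Decision("refer", reasons=reasons)
    missing = needed - len(ctx.validated)
    if missing <= 0:
        return Decision("allow", reasons=reasons, fields=visible_fields(ctx))
    # Vary the credential set: the one asked for last time goes to the back.
    unused = [c for c in ctx.enrolled if c not in ctx.validated]
    unused.sort(key=lambda c: c == ctx.last_challenge)
    if len(unused) < missing:
        return Decision("refer", reasons=reasons + ("too_few_credentials",))
    return Decision("step_up", tuple(unused[:missing]), reasons, visible_fields(ctx))


def sample_context(**overrides):
    """Constructed customer profile for the demo; not real data."""
    profile = dict(
        transaction="view_balance", device_id="dev-1", country="NZ",
        known_devices=frozenset({"dev-1"}), usual_countries=frozenset({"NZ"}),
        usual_max_amount=500.0, enrolled=("password", "otp", "fingerprint"),
        last_challenge="password",
    )
    profile.update(overrides)
    return Context(**profile)


if __name__ == "__main__":
    for tx, dev, amt in [("view_balance", "dev-1", 0), ("view_balance", "dev-9", 0),
                         ("pay_existing_payee", "dev-1", 80), ("pay_new_payee", "dev-1", 80)]:
        d = decide(sample_context(transaction=tx, device_id=dev, amount=amt))
        print(f"{tx:20} {dev}: {d.action:8} ask={d.request} why={d.reasons}")
```

Because the levels and rules are plain data, a change in the risk model or product set is a table edit rather than a change to the login flow.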
Let’s step through some examples
Registration
[Flow diagram. Box labels: Enter personal details; Create username; Create password; Create multi-factor; Validate and verify personal details; Validate username; Validate password; Create multi-factor; Create baseline credentials.]
Authentication to view a balance
[Flow diagram. Box labels: Enter username; Validate username; Validate credentials; View balance; Assess risk; Select View Balance; Valid credentials?; Invalid credential process.]
Authentication to view a balance - comparison
[Flow diagram comparing two flows. Box labels of the first flow: Enter username; Validate username; Validate credentials; View balance; Assess risk; Select View Balance; Valid credentials?; Invalid credential process. Box labels of the flow marked "One size fits all": Enter username; Enter password; Enter 2nd factor; Select View Balance.]
Authentication to view a balance – new device
[Flow diagram. Box labels: Enter username; Validate username; Validate credentials; View balance; Request additional credential; Enter additional credential; Valid credential?; Assess risk; Select Balance; Validate credentials.]
Authentication to pay an existing payee
[Flow diagram. Box labels: Enter username; Validate username; Validate credentials; Enter payment details; Request additional credential; Enter additional credential; Valid credential?; Assess risk; Select Payment; Validate credential; Confirm payment; Risk process; Credentials process; Risk acceptable?]
Authentication to pay a new payee
[Flow diagram. Box labels: Enter username; Validate username; Validate credentials; Enter payment details; Request additional credential; Enter additional credential; Valid credential?; Assess risk; Select Payment; Validate credential; Confirm payment; Credentials process; Risk acceptable?; Enter additional credential; Validate credential.]
In summary
• Throw away the one size fits all authentication
• Take the burden from the customer
• Use risk based rules to determine how and when to authenticate
• Authentication can take place anywhere in the customer journey
• Authenticate internal and external users in the same way
• Own the cyber security responsibility
Questions?
Diane.Joyce@matakitegroup.com
@kiwiIDgal