In January, PwC’s The Global State of Information Security declared its top 8 goals for 2016. Among these it asserted CISOs need to focus on “Replacing passwords with advanced authentication.” With terms like advanced authentication being thrown into a mix that already includes adaptive, contextual, behavioral, risk-based, multifactor and dozens more, it’s easy to give up and let confusion reign over the authentication space. And the idea of replacing passwords altogether? Is that even possible? In this on demand webinar, iovation’s Michael Thelander will clarify the authentication landscape and make sense of a rapidly evolving field that brings together the needs of both information security and fraud prevention teams. You’ll learn: * What analysts like PwC mean by “advanced security,” and what it might provide * Some ways password-less authentication might be achieved at scale * How different technologies might be combined to bring to the nirvana state of “continuous authentication”

1. WEBINAR
AUTHENTIFUSION
CLARIFYING THE FUTURE OF USER AUTHENTICATION
MARCH 2016
MICHAEL THELANDER
Product Marketing Manager, Authentication

2. 2
Understand Advanced Authentication as a multilayered approach
Understand the critical relationship between Advanced Authentication and Risk
Understand the role of device recognition in a “passwordless” future
Provide a three-step plan to evaluate device-based authentication for your customers

3. 3

4. 4

5. 5
PASSWORDS HAVE BEEN WITH US A LONG TIME
PA S S W O R D S I N R O M A N G A R R I S O N S
1
2
3
4
5
6
7
81
0
9

6. 6
PASSWORDS HAVE BEEN WITH US A LONG TIME
PA S S W O R D S I N H A M L E T

7. 7
PASSWORDS HAVE BEEN WITH US A LONG TIME
PA S S W O R D S I N D - D AY, 1 9 4 4

8. 8
The credential market is huge
TARGE
T70M SONY
10M
EBAY
145M ADOBE
152M
HOME
DEPOT
56M
2014: 675 MILLION
RECORDS EXPOSED
IDENTITY THEFT RESOURCE CENTER

9. 9
2015 adds to 2014’s record
OPM
22M
ANTHEM
80M
Experian
/ T-Mobile
15M
2015: 169 MILLION
MORE RECORDS EXPOSED
IDENTITY THEFT RESOURCE CENTER
11M
PREMERA
PATREON
Unknown
(15GB of passwords)

10. 10
2015 adds to the record
exposures from 2014
FROM ONE SELLER
*
NOW 1.2 BILLION CREDENTIALS
AVAILABLE ON BLACK MARKET
*An active FBI investigation as reported by SC Magazine, November 2015

11. 11
Protected by only
6 passwords.
1 2
3 4
5 6
PASSWORDS ARE INCREASINGLY UNRELIABLE
Consumers have an average of
24 online accounts.
1 2 3 4 5 6
7 8 9 10 11 12
13 14 15 16 17 18
19 20 21 22 23 24
21GRBlue1421GRGreen1
4
21BlackGR1414PurpleGR2
1

12. 12
“In an era in which passwords are generally considered
inadequate, at best, it’s easy to understand why many
organizations are turning to advanced
authentication”
-PwC’s Global State of Information Security 2016

13. 13
“ADVANCED” ACCORDING TO PwC
U S E A N Y O F F O U R M E T H O D S … W I T H O N E I M P O R TA N T A D D I T I O N
Devices & Hardware
 PC fingerprint
based on JS
 Phones & devices
with SDKs
 Bluetooth & NFC
 Consumer IoT
 Contextual data
(geo, IP, etc.)
Operating System Hash of fonts
IP Address Flash execution
Browser version Plugin inventory
Language Flash 4-part vers.
Screen
Resolution
Hundreds of attributes

14. 14
“ADVANCED” ACCORDING TO PwC
U S E A N Y O F F O U R M E T H O D S … W I T H O N E I M P O R TA N T A D D I T I O N
Devices & Hardware
 PC fingerprint
based on JS
 Phones & devices
with SDKs
 Bluetooth & NFC
 Consumer IoT
 Contextual data
(geo, IP, etc.)
One-Time
Passwords
 Valid for a session
 SMS Text Push
 Mobile token
 Mobile “in-app”
 Proprietary token
 Smart cards

15. 15
“ADVANCED” ACCORDING TO PwC
U S E A N Y O F F O U R M E T H O D S … W I T H O N E I M P O R TA N T A D D I T I O N
Devices & Hardware
 PC fingerprint
based on JS
 Phones & devices
with SDKs
 Bluetooth & NFC
 Consumer IoT
 Contextual data
(geo, IP, etc.)
One-Time
Passwords
 Valid for a session
 SMS Text Push
 Mobile token
 Mobile “in-app”
 Proprietary token
 Smart cards
Biometric / Behavior
 Fingerprint scans
 Retinal, facial
scans
 Voice analysis
 Brain/heart signals
 Behavior patterns

16. 16
“ADVANCED” ACCORDING TO PwC
U S E A N Y O F F O U R M E T H O D S … W I T H O N E I M P O R TA N T A D D I T I O N
Devices & Hardware
 PC fingerprint
based on JS
 Phones & devices
with SDKs
 Bluetooth & NFC
 Consumer IoT
 Contextual data
(geo, IP, etc.)
One-Time
Passwords
 Valid for a session
 SMS Text Push
 Mobile token
 Mobile “in-app”
 Proprietary token
 Smart cards
Biometric / Behavior
 Fingerprint scans
 Retinal, facial
scans
 Voice analysis
 Brain/heart signals
 Behavior patterns
Knowledge
 Secret questions
 Captcha
 Passwords
 Pattern Matching
 Local knowledge
 Web pictographic

17. 17
“ADVANCED” ACCORDING TO PwC
U S E A N Y O F F O U R M E T H O D S … W I T H O N E I M P O R TA N T A D D I T I O N
 Context
 User’s goal & request
 Data sensitivity
 Geo location
Risk-Aware
 IP Address (real and implied)
 Device reputation
 Privileged access
 Vector (TOR browsers, anonymizers)

18. 18
“ADVANCED” ACCORDING TO PwC
U S E A N Y O F F O U R M E T H O D S … . W I T H O N E I M P O R TA N T A D D I T I O N
Devices & Hardware
 PC fingerprint
based on JS
 Phones & devices
with SDKs
 Bluetooth & NFC
 Consumer IoT
 Contextual data
(geo, IP, etc.)
One-Time
Passwords
 Valid for a session
 SMS Text Push
 Mobile token
 Mobile “in-app”
 Proprietary token
 Smart cards
Biometric /
Behavior
 Fingerprint scans
 Retinal, facial
scans
 Voice analysis
 Brain/heart signals
 Behavior patterns
Knowledge
 Secret questions
 Captcha
 User details
 Pattern Matching
 Local knowledge
 Web pictographic
 User’s goal & request
 Data sensitivity
 Geo location
 IP Address (real and
implied)
Risk-Aware
 Device reputation
 Privileged access
 Language
 Patterns of usage

19. 19
“Consumers will adopt solutions that ease the burden of
remembering passwords or carrying tokens.
Authentication must be frictionless
and easy to use.”
Suzanne Hall, Managing Director, from PwC’s
Global State of Information Security 2016

20. 20
1
Use device
recognition to
augment passwords
and reduce friction
Device-based
authentication with
context-aware risk
assessment
becomes the norm
3
Limit the use of
passwords to high-risk
transactions and
requests only
2
iovation’s milestones on the road to passwordless
IMPROVEMENT AVOIDANCE REPLACEMEN
T

21. 21
Something you
KNOW
Something you
HAVE
Something you
ARE
ADVANCED AUTHENTICATION REQUIRES 2 FACTORS
W H Y “ D E V I C E I D ” I S T H E F O U N D AT I O N O F A PA S S W O R D L E S S F U T U R E

22. 22
ADVANCE AUTHENTICATION INCLUDES RISK
CONTEXT
W H E R E D O W E E X P E R I E N C E T H E G R E AT E S T R I S K ?
WEBSITE

23. 23
RISK IN CONTEXT
W I T H D I F F E R E N T A U T H E N T I C AT I O N M E T H O D S

24. 24
DEVICE AUTHENTICATION WORKFLOW
DEVICE ID
GEO LOCATION
DEVICE INTEGRITY
ADDITIONAL
DEVICE CONTEXT
ASSOCIATIONS &
REPUTATION
USER ACCESS

25. 25
DEVICE AUTHENTICATION WORKFLOW
DEVICE ID
GEO LOCATION
DEVICE INTEGRITY
ADDITIONAL
DEVICE CONTEXT
ASSOCIATIONS &
REPUTATION
USER ACCESS
+10
SCORE
LOW RISK = Frictionless
Consumer Experience
SHOPPING
RESOURCES
NEWS
+10
SCORE

26. 26
DEVICE AUTHENTICATION WORKFLOW
DEVICE ID
GEO LOCATION
DEVICE INTEGRITY
ADDITIONAL
DEVICE CONTEXT
ASSOCIATIONS &
REPUTATION
USER ACCESS
0
SCORE
MEDIUM RISK= Moderate
Friction
USERNAME &
PASSWORD

27. 27
DEVICE AUTHENTICATION WORKFLOW
DEVICE ID
GEO LOCATION
DEVICE INTEGRITY
ADDITIONAL
DEVICE CONTEXT
ASSOCIATIONS &
REPUTATION
USER ACCESS
-10
SCORE
HIGH RISK=
Step-Up Authentication
FRAUD TEAM

28. 28
DEVICE AUTHENTICATION WORKFLOW
DEVICE ID
GEO LOCATION
DEVICE INTEGRITY
ADDITIONAL
DEVICE CONTEXT
ASSOCIATIONS &
REPUTATION
USER ACCESS
+10
SCORE
0
SCORE
-10
SCORE
LOW RISK = Frictionless
Consumer Experience
MEDIUM RISK= Moderate
Friction
HIGH RISK=
Step-Up Authentication
CREDENTIAL
INPUT
CREDENTIAL
INPUT
SHOPPING
RESOURCES
NEWS
USERNAME &
PASSWORD
CREDENTIAL
INPUT

29. 29
DEVICE CHANGE TOLERANCE
W H AT A B O U T N AT U R A L D AY- T O - D AY C H A N G E S ?
FONTSBROWSERLOCATION
EXPECTED
NOT EXPECTED
UPDATED
BROWSER
-12BROWSER
REGRESSION
+1LIMITED
TRAVEL
MULTIPLE TIME
ZONES IN 1 HOUR
Aa

30. 30
PRECISE MATCH FUZZY MATCH
ELASTIC DEVICE MATCHING
Device Type: MACBOOK PRO Device Type: MACBOOK PRO
MINIMUM
THRESHOLD
MAXIMUM
THRESHOLD
Operating System OS X Yosemite
IP Address 22.231.113.64
Browser Safari 8.0.2
Language English
Screen Resolution 2880 x 1800
Operating System OS X Yosemite or
later
IP Address Similar Location
Browser Safari 8.0.2 or later
Language English
Screen Resolution 2880 x 1800

31. 31
HISTORICAL
REPUTATION
SECURITY RISK
INDICATORS
LINKS AND
ASSOCIATIONS
ANOMALOUS
BEHAVIOR
AUTHORIZED
FOR ACCOUNT

32. 32

33. 33
HISTORICAL
REPUTATION
SECURITY RISK
INDICATORS
LINKS AND
ASSOCIATIONS
ANOMALOUS
BEHAVIOR
AUTHORIZED
FOR ACCOUNT

34. 34

35. 35
1. For brand managers, product owners, or web experience
managers, understand where the greatest risk is in your site
2. Understand what benefits would be realized if your customers
experienced less friction
3. Assess the impact of a device-based alternative to your
current methods of authentication
A Three-step Plan to evaluate iovation’s
Customer Authentication for your sites

36. 36
iovation’s
Customer Authentication service wins
“Best Multi-factor Authentication Solution”
in Cyber Defense Magazine’s
2016 Editor’s Choice Awards

37. CONTACT US
www.iovation.com
twitter.com/iovation
Product Marketing Manager, Authentication
Michael Thelander
michael.thelander@iovation.co
m
+1 503-224-6010