In January, PwC’s The Global State of Information Security declared its top 8 goals for 2016. Among these it asserted CISOs need to focus on “Replacing passwords with advanced authentication.” With terms like advanced authentication being thrown into a mix that already includes adaptive, contextual, behavioral, risk-based, multifactor and dozens more, it’s easy to give up and let confusion reign over the authentication space. And the idea of replacing passwords altogether? Is that even possible?
In this on-demand webinar, iovation’s Michael Thelander will clarify the authentication landscape and make sense of a rapidly evolving field that brings together the needs of both information security and fraud prevention teams.
You’ll learn:
* What analysts like PwC mean by “advanced security,” and what it might provide
* Some ways password-less authentication might be achieved at scale
* How different technologies might be combined to bring about the nirvana state of “continuous authentication”
Slide 2
* Understand Advanced Authentication as a multilayered approach
* Understand the critical relationship between Advanced Authentication and Risk
* Understand the role of device recognition in a “passwordless” future
* Provide a three-step plan to evaluate device-based authentication for your customers
Slide 8
The credential market is huge
2014: 675 million records exposed (Identity Theft Resource Center), including:
* Target: 70M
* Sony: 10M
* eBay: 145M
* Adobe: 152M
* Home Depot: 56M
Slide 9
2015 adds to 2014’s record
2015: 169 million more records exposed (Identity Theft Resource Center), including:
* OPM: 22M
* Anthem: 80M
* Experian / T-Mobile: 15M
* Premera: 11M
* Patreon: unknown (15GB of passwords)
Slide 10
2015 adds to the record exposures from 2014
Now 1.2 billion credentials available on the black market, from one seller*
*An active FBI investigation as reported by SC Magazine, November 2015
Slide 11
PASSWORDS ARE INCREASINGLY UNRELIABLE
Consumers have an average of 24 online accounts, protected by only 6 passwords.
Slide 12
“In an era in which passwords are generally considered inadequate, at best, it’s easy to understand why many organizations are turning to advanced authentication”
- PwC’s Global State of Information Security 2016
Slide 13
“ADVANCED” ACCORDING TO PwC
Use any of four methods… with one important addition
Devices & Hardware:
* PC fingerprint based on JS
* Phones & devices with SDKs
* Bluetooth & NFC
* Consumer IoT
* Contextual data (geo, IP, etc.)
Fingerprint attributes (hundreds of attributes in all), for example: operating system, IP address, browser version, language, screen resolution, hash of fonts, Flash execution, plugin inventory, Flash 4-part version
Slide 14
One-Time Passwords:
* Valid for a session
* SMS text push
* Mobile token
* Mobile “in-app”
* Proprietary token
* Smart cards
Slide 15
Biometric / Behavior:
* Fingerprint scans
* Retinal, facial scans
* Voice analysis
* Brain/heart signals
* Behavior patterns
Slide 16
Knowledge:
* Secret questions
* Captcha
* Passwords
* Pattern matching
* Local knowledge
* Web pictographic
Slide 17
Context (the one important addition: risk-aware):
* User’s goal & request
* Data sensitivity
* Geo location
* IP address (real and implied)
* Device reputation
* Privileged access
* Vector (TOR browsers, anonymizers)
Slide 18
“ADVANCED” ACCORDING TO PwC: all four methods together, with the one important addition
Devices & Hardware: PC fingerprint based on JS; phones & devices with SDKs; Bluetooth & NFC; consumer IoT; contextual data (geo, IP, etc.)
One-Time Passwords: valid for a session; SMS text push; mobile token; mobile “in-app”; proprietary token; smart cards
Biometric / Behavior: fingerprint scans; retinal, facial scans; voice analysis; brain/heart signals; behavior patterns
Knowledge: secret questions; Captcha; user details; pattern matching; local knowledge; web pictographic
Risk-aware context (the addition): user’s goal & request; data sensitivity; geo location; IP address (real and implied); device reputation; privileged access; language; patterns of usage
Slide 19
“Consumers will adopt solutions that ease the burden of remembering passwords or carrying tokens. Authentication must be frictionless and easy to use.”
- Suzanne Hall, Managing Director, from PwC’s Global State of Information Security 2016
Slide 20
iovation’s milestones on the road to passwordless
1. Improvement: use device recognition to augment passwords and reduce friction
2. Avoidance: limit the use of passwords to high-risk transactions and requests only
3. Replacement: device-based authentication with context-aware risk assessment becomes the norm
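The risk-aware context factors from the PwC slides (user’s goal, data sensitivity, geo location, IP vector, device reputation, privileged access) only pay off once they drive a decision, and milestone 2 above says what that decision is: ask for a password only on high-risk requests. The following is an added example, not iovation’s code and not PwC’s; the weights, the two score bands and the four outcomes are assumptions chosen to illustrate the policy, and the device level is assumed to come from a separate device-recognition step.

```python
"""Risk-aware step-up policy for a device-recognised login (illustrative).

Added example, not iovation's code: it turns the slides' risk-aware context
factors into a decision that follows milestone 2, "limit the use of passwords
to high-risk transactions and requests only". Weights, bands and outcome
names are assumptions made for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestContext:
    device_level: str        # "recognized", "probable" or "unknown" (from device matching)
    device_reputation: str   # "good", "neutral" or "bad"
    data_sensitivity: str    # "low" or "high"
    privileged_access: bool  # admin or account-change request
    anonymizer: bool         # request arrives via Tor or another anonymizing vector
    geo_matches: bool        # geo location agrees with the device's usual location


@dataclass(frozen=True)
class Decision:
    action: str      # "allow", "password", "step_up" or "block"
    risk: int
    reasons: tuple   # the context factors that contributed to the risk


# Assumed weights: how much each context factor adds to the risk score
WEIGHTS = {
    "unknown_device": 2,
    "probable_device": 1,
    "sensitive_data": 2,
    "privileged_access": 2,
    "anonymizer": 2,
    "geo_mismatch": 1,
}
PASSWORD_AT = 3   # assumed band: from here on, ask for the password
STEP_UP_AT = 5    # assumed band: from here on, password plus a one-time code


def score_request(ctx):
    """Sum the weights of every risk factor present in the request."""
    reasons = []
    if ctx.device_level == "unknown":
        reasons.append("unknown_device")
    elif ctx.device_level == "probable":
        reasons.append("probable_device")
    if ctx.data_sensitivity == "high":
        reasons.append("sensitive_data")
    if ctx.privileged_access:
        reasons.append("privileged_access")
    if ctx.anonymizer:
        reasons.append("anonymizer")
    if not ctx.geo_matches:
        reasons.append("geo_mismatch")
    return sum(WEIGHTS[r] for r in reasons), tuple(reasons)


def decide(ctx):
    """Map the risk score onto the milestone-2 policy."""
    # A device with a bad reputation is refused regardless of anything else
    if ctx.device_reputation == "bad":
        return Decision("block", 99, ("bad_device_reputation",))
    risk, reasons = score_request(ctx)
    if risk >= STEP_UP_AT:
        return Decision("step_up", risk, reasons)
    if risk >= PASSWORD_AT:
        return Decision("password", risk, reasons)
    # Low risk on a recognized device: the device itself serves as the credential
    return Decision("allow", risk, reasons)


# Constructed sample requests
ROUTINE = RequestContext("recognized", "good", "low", False, False, True)
SENSITIVE_NEW_DEVICE = RequestContext("unknown", "neutral", "high", False, False, True)
ADMIN_VIA_TOR = RequestContext("unknown", "neutral", "low", True, True, False)
KNOWN_BAD = RequestContext("recognized", "bad", "low", False, False, True)

if __name__ == "__main__":
    for name, ctx in [("routine", ROUTINE), ("sensitive, new device", SENSITIVE_NEW_DEVICE),
                      ("admin via Tor", ADMIN_VIA_TOR), ("known bad", KNOWN_BAD)]:
        print(f"{name}: {decide(ctx)}")
```

The point of the shape is that a password is never the default: a recognized, good-reputation device making a low-risk request passes on the device alone, and the password (or password plus one-time code) is held back for the requests the context marks as risky.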
Slide 29
DEVICE CHANGE TOLERANCE
What about natural day-to-day changes?
Fonts: expected +1; not expected -12
Browser: expected an updated browser; not expected a browser regression
Location: expected limited travel; not expected multiple time zones in 1 hour
30. 30
PRECISE MATCH FUZZY MATCH
ELASTIC DEVICE MATCHING
Device Type: MACBOOK PRO Device Type: MACBOOK PRO
MINIMUM
THRESHOLD
MAXIMUM
THRESHOLD
Operating System OS X Yosemite
IP Address 22.231.113.64
Browser Safari 8.0.2
Language English
Screen Resolution 2880 x 1800
Operating System OS X Yosemite or
later
IP Address Similar Location
Browser Safari 8.0.2 or later
Language English
Screen Resolution 2880 x 1800
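The two slides above describe one mechanism from two angles: a stored device profile is compared with the attributes seen on the current request, exact equality is the precise match, and the fuzzy match lets each attribute drift only in the direction that natural change takes (a newer OS or browser, a nearby IP, a font or two added, limited travel) while scoring the result against a minimum and a maximum threshold. The following is an added example, not iovation’s code: the “similar location” test (a shared /16 prefix standing in for geo-IP), the font and time-zone tolerances, the score bands standing in for the two thresholds, and the sample profiles are all assumptions.

```python
"""Elastic device matching with tolerance for day-to-day change (illustrative).

Added example, not iovation's code: it models the precise-vs-fuzzy match of
slide 30 and the expected-vs-unexpected changes of slide 29 with rules chosen
here. The "similar location" test, the font and time-zone tolerances and the
score bands standing in for the minimum and maximum thresholds are assumptions.
"""
from dataclasses import dataclass

MIN_THRESHOLD = 0.75  # assumed: below this score the device is treated as unknown
MAX_THRESHOLD = 1.0   # assumed: at this score the device is treated as recognized
FONT_DELTA_MIN, FONT_DELTA_MAX = -3, 3  # assumed: "+1" font is expected, "-12" is not


@dataclass(frozen=True)
class DeviceProfile:
    device_type: str
    os_name: str
    os_version: tuple     # (10, 10) stands in for "OS X Yosemite"
    ip: str
    browser_name: str
    browser_version: tuple
    language: str
    screen: str
    font_count: int       # size of the installed-font inventory
    utc_offset: int       # hours from UTC, a stand-in for location


@dataclass(frozen=True)
class MatchResult:
    level: str       # "recognized", "probable" or "unknown"
    score: float
    failures: tuple  # names of the rules that did not pass


PRECISE_FIELDS = ("device_type", "os_name", "os_version", "ip",
                  "browser_name", "browser_version", "language", "screen")


def precise_match(stored, seen):
    """Left column of slide 30: every attribute must be identical."""
    return all(getattr(stored, f) == getattr(seen, f) for f in PRECISE_FIELDS)


def similar_location(ip_a, ip_b):
    """Assumption: a shared /16 prefix stands in for a geo-IP 'similar location'."""
    return ip_a.split(".")[:2] == ip_b.split(".")[:2]


def fuzzy_match(stored, seen, hours_since_last_seen):
    """Right column of slide 30, with the change tolerance of slide 29."""
    checks = {
        "device_type": stored.device_type == seen.device_type,
        "language": stored.language == seen.language,
        "screen": stored.screen == seen.screen,
        # "OS X Yosemite or later": same OS family, version only moves forward
        "os": stored.os_name == seen.os_name and seen.os_version >= stored.os_version,
        # "Safari 8.0.2 or later": an updated browser is expected, a regression is not
        "browser": (stored.browser_name == seen.browser_name
                    and seen.browser_version >= stored.browser_version),
        "ip": similar_location(stored.ip, seen.ip),
        "fonts": FONT_DELTA_MIN <= seen.font_count - stored.font_count <= FONT_DELTA_MAX,
        # limited travel: at most one time zone per elapsed hour (assumption), so
        # "multiple time zones in 1 hour" fails this rule
        "timezone": abs(seen.utc_offset - stored.utc_offset) <= max(hours_since_last_seen, 0),
    }
    failures = tuple(name for name, ok in checks.items() if not ok)
    score = (len(checks) - len(failures)) / len(checks)
    if score >= MAX_THRESHOLD:
        level = "recognized"
    elif score >= MIN_THRESHOLD:
        level = "probable"
    else:
        level = "unknown"
    return MatchResult(level, score, failures)


# Constructed profiles; the stored one mirrors slide 30's precise-match column
STORED = DeviceProfile("MacBook Pro", "OS X", (10, 10), "22.231.113.64",
                       "Safari", (8, 0, 2), "English", "2880 x 1800", 120, -8)
# Expected drift: OS and browser updated, one font added, a nearby IP
UPDATED = DeviceProfile("MacBook Pro", "OS X", (10, 11), "22.231.40.9",
                        "Safari", (9, 0, 0), "English", "2880 x 1800", 121, -8)
# A single unexpected change: five fonts gone
FONTS_LOST = DeviceProfile("MacBook Pro", "OS X", (10, 10), "22.231.113.64",
                           "Safari", (8, 0, 2), "English", "2880 x 1800", 115, -8)
# Several unexpected changes at once: browser regression, far-away IP,
# twelve fonts gone, three time zones crossed in one hour
SUSPECT = DeviceProfile("MacBook Pro", "OS X", (10, 10), "203.0.113.7",
                        "Safari", (7, 1, 0), "English", "2880 x 1800", 108, -5)

if __name__ == "__main__":
    print("precise:", precise_match(STORED, STORED), precise_match(STORED, UPDATED))
    for name, seen, hours in [("updated", UPDATED, 24), ("fonts lost", FONTS_LOST, 24),
                              ("suspect", SUSPECT, 1)]:
        print(f"{name}: {fuzzy_match(STORED, seen, hours)}")
```

Note what the precise match gets wrong: the routine OS and browser updates in the `UPDATED` profile already fail it, which is exactly the friction the fuzzy match is meant to remove, while the band between the two thresholds (“probable”) is where a policy would ask for a password rather than either trusting or rejecting the device outright.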
Slide 35
A three-step plan to evaluate iovation’s Customer Authentication for your sites
1. For brand managers, product owners, or web experience managers, understand where the greatest risk is in your site
2. Understand what benefits would be realized if your customers experienced less friction
3. Assess the impact of a device-based alternative to your current methods of authentication