AUTHENTIFIERS. Authentify Authentication Factors for Constructing Flexible Multi-Factor Authentication Processes

Transcription

1 AUTHENTIFIERS Authentify Authentication Factors for Constructing Flexible Multi-Factor Authentication Processes

2 Authentify delivers intuitive and consistent authentication technology for use with smartphones, smartphone app end points, tablets, feature mobile phones, landlines and even desktop apps. No matter what the technology profile of your end users entails, Authentify can help you implement a consistent and intuitive authentication process to help you be certain you know who is on your website or in your network. No users are left out or behind. The service is flexible to meet your requirements, not impose rigid requirements on you or your users. The following list details the functional authentication factors or authentifiers that can be used in an Authentify-enabled authentication process. These authentication factors, much like Lego building blocks, can be combined in different ways and offer different authentication strengths. These authentication factors can be assembled one way to mimic an existing manual process while a different ordering can be used to develop a new login or other online authentication flow for your organization. The description of each authentifier is short and the security level or functionality to which it contributes is not necessarily limited to those described in this document. Authentify s approach permits considerable flexibility in designing and interfacing your existing applications to an Authentify powered authentication process. The Authentify xfa platform supports authentication via a mobile app, or a mobile SDK interface through your own mobile app. Some components available via the xfa app infrastructure are not available in work flows via standard land line or feature mobile phones. APPLICATION ELEMENT FUNCTIONALITY SECURITY LEVEL WHAT DOES THIS ADD TO AN AUTHENTICATION PROCESS? Automated Outbound Two-Factor Authentication Phone Call An outbound voice channel call, synchronized to a network or web session for two-factor authentication. In a registration application, the call confirms that a valid phone number has been entered or is on file for the user. Call must be answered for a process to continue. In login situations, the telephone serves as a proxy for a security token or other credential a two-factor authentication process. Voice channel OOBA or xfa app Keypad Entry of a Digit or # Sign Liveness test or CAPTCHA. Requiring a keystroke ensures a human has been reached vs. a bot or answering machine.

3 Confirmation Code Exchange via DTMF (Telephone keypad entry) DTMF = dual tone multi-frequency. Displays a number on the web screen that must be entered via telephone keypad in the phone. Confirms that the person, computer and phone are all in the same place at the same time. Can also be used to meet two-factor authentication requiring a PIN/OTP for successful login.. Confirmation Code Exchange via Voice Displays a number on the web screen that must be spoken into the telephone. Confirms that the person, computer and phone are all in the same place at the same time. Requires the use of speech recognition. If a user population is not used to repeating things naturally, DTMF may be a better option. Voice Recording Capture Application prompts person to speak an agreed upon word, phrase such as I authorize this transaction or their name, or both. N/A Useful as an e-signature. When a person says the words I agree to these terms there can be little doubt they understood what they were doing. Also useful as a cyberthreat deterrent. Site hackers do not want to be personally connected to their online identities if it can be avoided. A voice recording can be used to link a person in the real world to their online identity. Speech Recognition If a voice recording is used, speech recognition can be employed to ensure that the correct phrase has been spoken. It may be desirable to have the user speak the confirmation code vs. keying it in on the telephone keypad. Speech recognition ensures the string has been spoken correctly. Adds stronger support for agreeing to use of a web site, network, etc. Text to Speech Message Delivered to User often used for audio transaction verification. Text to speech will receive a text string from a server and convert it to spoken words delivered to the user via telephone. This is useful to defeat man-in-the middle attacks. A user can receive a call that confirms an account and an amount involved in a transaction. If the account numbers and amounts do not match what was typed into the computer / web portal, the transaction can be cancelled. A man in the middle can not intercept the out-ofband transmission.

4 SMS Text Message Delivered to Mobile Phone An SMS, (short message service) message can be sent instead of an audio telephone call. Useful for PIN delivery, transaction confirmation, account alerts etc. Useful for user populations unaccustomed to reading and speaking a string. Data Channel OOBA or xfa app Voice Biometrics Voice signature capture, used for high security. A returning user must possess the correct voice to make use of a biometrically enabled application. Ensures that a returning user is the same user who enrolled originally. May permit access to high security applications or financial transactions based on high certainty the user is the legitimate account owner. Can be used in lieu of security tokens or manual phone calls placed to confirm users ID. Multiple Telephone Calls Used to reach a single user multiple times or different users for dual account control. Can be used to confirm possession and control of a phone, or the ability of a person to be reached through a switchboard vs. a direct line or vice versa. Can be used to call a 3rd party to the transaction, controlled by business rules on the customer server side for dual account control. Shared Secret Challenge Response via - Voice Channel Requires Speech Recognition. Requires user to speak a string already on file. A shared secret favorite movie, secret word, secondary pass phrase etc. Used to add security to an application, or perhaps used for a password or PIN replacement application. Instead of typing a maiden name or other secret, user is required to speak a previously agreed upon shared secret. - xfa App Endpoint xfa app end point allows GUI display and multiple choice KBA questions with one touch answers PIN Password (PW) Delivery Text to speech engine will read a string to the user on the other end of the phone. Used for PIN replacement or delivery applications, PW reset applications. Data Channel xfa app SMS / Data Mobile Channel 2-Way Authentication Playback for Mutual Authentication Application stores a word or pass phrase that has been recorded by the user on a previous visit, and plays it back to them over the phone on a later visit. Offers a simple way to put end users at ease that they are not on a pharming site. The website has both the ability to phone the user, and play back a recording only the website can have. Removes risk of compromised information.

5 Audit Trail Reporting (included in all use cases) Transaction records from Authentify telephony and web servers in downloadable format tied to web sessions. N/A Audit reports include the transaction record tied to user ID and telephone, timestamps from the Internet and telephone network, voice recordings, etc. Provices an audit trail of a transaction involving Authentify in digital format. Authentify Risk & Reliability Scoring (ARRS) Behind the scenes analysis of the data that can be associated with a telephone number, including a provisioning indication such as cellular versus landline, call forwarding, and other data. Useful when accepting a net new registration or when there is concern about who is associated with a particular phone number. The ARRS is used for verification that a call is being placed to a phone that can be traced to a particular user. Indications include cellular versus land line provisioning, prison phone, business phone indication, geographic proximity of an area code and exchange combination relative to a ZIP code, reverse look-up billing name and address information, indication of the age of the billing relationship between the user and the phone company. There are wide variations in availability of phone records on an international basis. ARRS should be discussed with your Authentify representative for validity in your particular area of interest. Features below are exclusive to the Authentify xfa mobile multi-factor authentication service with an app end-point downloaded to a smartphone, tablet or desktop. Via an SDK, these functions can be used via your own mobile app. PKI Digital Certificate A digital certificate is a form of credential allowing one device or computer to identify and authenticate to another device or computer. The digital certificate places a strong authentifier directly on the user s smart device and limits access to an account from that device. Imposters cannot login from a device without the appropriate digital certificate. QR Code Scan (option) A simple way to trigger the presentment of a digital certificate for one-touch login. Enables one-touch login without requiring typing. Gesture or Pattern Swipe Instead of a PIN or PW, and end user can trace a gesture or pattern swipe to login to xfa or onto an account protected by xfa. Often referred to as a behavioral biometric, or a kinesthetic. An additional authentication form factor that can easily be added that does not require typing. Voice Biometric Individual copies of the xfa app are registered with Authentify using a voice biometric. The combination of biometric and digital certificate is extremely difficult to spoof and ensures the same user and same device are in use. Very The use of a voice biometric welds an authentication factor unique to the individual to an authentication factor unique to the device. One is invalid without the other. The voice biometric, stored by Authentify in the cloud, also offers a legitimate user a soft landing to recovery if their smart device is lost or stolen.

6 Secure Messaging PKI digital certificates enable the exchange of encrypted information via the data channel between the end user and the enterprise. Secure messaging can be used instead of SMS text messages to deliver PINs and OTPs in a secure fashion, or provide transaction details for further approval. Knowledge Based Authentication (KBA) A Q&A exchange that only the end user should be able to answer without difficulty can be presented via multiple choice. Registration processes and recovery processes can be strengthened through the use of KBA. KBA is not device dependent and may be used if a device is lost or stolen. Transaction Verification Display transaction details for one-touch cancellation or approval via a GUI, GUI, Secure Message or QR code scan. Transaction verification adds defenses against man-in-the-middle attacks. Fingerprint On devices capable of supporting fingerprints, (Galaxy S5 and higher, iphone6 and higher) fingerprint authentication can be required. Spoofing a fingerprint requires access to the end user, access to the end user s phone and a means to copy and create a fingerprint. While spoofing a fingerprint is possible, it is not possible to launch large scale attacks against fingerprint protected phones. NFC Near field communication (NFC) capability requires the end user to hold their device near an NFC-enabled target such as a credit card or other credential. Another mechanism for demonstrating that a second or third factor of authentication is in the user s possession. They authenticate to an enterprise with digital certificate, voice, fingerprint and to conclude a transaction are asked to hold their NFC enabled credit card near their phone. AUTHENTIFY S SERVICES ARE DEPENDABLE Authentify revolutionized the authentication space by introducing phone-based two-factor authentication to security practitioners in Since that introduction, phone-based two-factor authentication has become a global standard. Authentify has the experience and the vision to protect your networks, data and user accounts from hackers and imposters. No other vendor has the experience solving the difficult authentication challenges first or offers a spectrum of authentication factors as broad and flexible as those available from Authentify. STRONG AUTHENTICATION Authentify deployed its first biometric application in 2004, and its first authentication app for smart devices in The combination of available biometrics and advanced smart technologies can be flexibly combined to thwart skilled hackers and cyber-criminals, even when they have acquired valid usernames, passwords, and accounts.

7 SOFT LANDINGS / SECURE RECOVERY As with any authentication scheme the end user is always the weakest link. If something they have is a personal device in a BYOD authentication scheme, they can be counted on to lose or forget it from time to time. Authentify s cloud-based services enable soft landings and easy secure recovery when devices or account login information have been lost or stolen. RAPID DEPLOYMENT / RAPID REACTION TIME The cyberthreat threat landscape is constantly changing. As threat levels increase, additional authentication strength can be deployed quickly using a single interface and consistent UX for the end user. Your ability to react to new threats is significantly enhanced with Authentify services. For more information visit Authentify, Inc W. Higgins Rd., Suite 240, Chicago, IL [email protected] Authentify, Inc. All rights reserved. Authentify is trademark of Authentify, Inc. Authentify technology is protected by a number of US and international patents and patents pending. For more information, visit the patent information page on the Authentify website.