Transitioning to Push Authentication

Transcription

1 Transitioning to Push Authentication Summary Current out-of-band authentication solutions have not proven to be up to the task of protecting critical user data, and have been disabled in a variety of recent attacks leading to millions of dollars in losses. Push notifications offer the opportunity to make out-of-band authentication more cost-effective and secure, while also providing protected two-way communication that enables a variety of other use cases. With the power of Push Authentication, available as part of the DetectID multi-factor authentication platform from Easy Solutions, your organization can start replacing SMS-based security measures and deepen the customer relationships that make your business valuable.

2 Push Notifications: Mobile, Actionable & Smart Authentication Push notifications enable true out-of-band authentication via push messages delivered over a secure channel to enable mutual verification between the enterprise and user. It is a vast improvement over traditional forms of two-factor authentication for a variety of reasons. Better interactions with your customer Push notifications deliver value to your customers right on their home screens. Push is a proven, proactive way to drive engagement and improve customer retention with your app and brand. According to technology consulting firm Forrester Research, "Marketers we interviewed already witness 50% higher open rates on push notifications versus . Click-through rates can be twice as high, too. 1 Push notifications create a feedback loop from your customers with a number of benefits for both consumers and financial institutions, including increased interaction efficiency and improved security over existing authentication methods. They can even assist in portraying your brand as proactive, helpful and modern. A Smooth Transition from SMS-based Authentication If you are tired of the unpredictable cost structure, low security, bad user experience and dependency on telecommunications operators that one-time passwords usually possess, push technology provides an excellent alternative. Enabling push instantly lowers operating overhead by eliminating the cost per text or the expense of sending hardware tokens to an entire customer base, while also improving the end-user experience. Instead of going through the steps from initiating the login process to receiving and entering an OTP via text, end users can now instantly verify these requests right on their phone with a tap of the screen. Actionable Security Alert Delivery Authentication is just one use case for push technology. There are many more benefits that both organizations and their customers gain from the use of push notifications. For example, you can put customer minds at ease with actionable protection alerts. By integrating push notifications with fraud monitoring tools, your customer can receive alerts if any irregular or possibly fraudulent activity is detected. Potential fraud concerns can then be verified in seconds, with the ability to automatically dispute the transaction, cancel the card or acknowledge a transaction as legitimate. This is a clear advantage over one-way fraud notifications, which often result in phone calls to call centers where customer service representatives have no visibility into the fraud alert sent to the customer most of the time. Improvements to the High-Risk Transaction Verification Process Instead of manually contacting your cash management customers to verify high risk wire and ACH transactions or require verification over the phone for trade orders, you can leverage push notifications to streamline these processes, and decrease the amount of manual callbacks to verify high-risk transactions. The integrated auditing capability of push notifications allows your organization to keep track of all interactions performed with customers as they relate to transaction verification. 2 www. e a s y s o l.n e t 1 Push Mobile Engagement to the Next Level, Forrester Research, Inc., 10/17/2013

3 Key Inhibitors to New Authentication Systems Reliable online authentication is the primary obstacle keeping cybercriminals from stealing sensitive customer bank account data. Companies have been adopting stronger authentication by adding one or two extra factors is to protect important personal data. But over the years, hackers have learned to bypass some of legacy factors and once again gain access to sensitive data. There is an increased need to start upgrading to a stronger authentication system and move toward mobile, but providers are often hesitant to deploy new authentication due to three major Inhibitors: cost, usability, and security. Cost The high cost of traditional strong authentication solutions has often been a major barrier to changing them for consumer applications. In most cases, the main business problem is authenticating a massive user base with multiple and diverse devices at a scalable price. Calculating the total cost of ownership (TCO) depends on many variables, including acquisition, integration, deployment, support, and annual maintenance. The expense can quickly get out of hand as more factors are added to the overall authentication ecosystem over the years. Hidden SMS Costs When it comes to SMS one-time-passwords (OTPs), there is a price tag per SMS message that can be very unpredictable due to geography, message volumes and the false-positive rate of risk assessment tools. Many solutions are tied to a particular network operator, or require contracts with several operators to keep SMS costs low. Then there is the often-overlooked expense of building the integration process that allows consumers to update their phone numbers. Customers will also frequently need assistance when updating their phone number, either online or through other channels like branches, which requires additional staffing on top of the employees already necessary to support password resets. Maintenance Costs More often than not, companies have to simultaneously deploy a variety of different authentication system such as hardware tokens, SMS OTP or soft tokens. Each one of these solutions usually has its own team responsible for keeping it functioning smoothly, in addition to its own infrastructure and interfaces. Essentially, each of them is a closed system that creates inconsistent, uncoordinated experiences for end users and makes adapting to changing authentication options difficult. This is all in addition to the fact that it can be very time consuming to manage multiple authentication systems, especially if they are from different vendors. Secured Application Mobile Banking e-bank IVR Office & Branches Other/Web/ VPN SSL ATM API API API SMS DeviceID SMS OTP Hard Token API??? KBA Support Team 1 Support Team 2 Support Team 3 Support Team 4 Usability Ease of use remains a higher priority for consumers than security, even after all the massive data breaches dominating recent headlines. If the authentication process is too difficult, consumers will not use an application for this purpose in the first place. Some providers follow a strategy of giving consumers authentication that is simple enough to use without making them abandon the application, while injecting enough security to satisfy a minimal level of assurance. It works enough of the time, but cybercriminals have disabled these systems in major attacks that have resulted in millions of dollars in losses. A temporary security shortcut meant to save a few bucks can prove enormously costly if it ends up enabling a large-scale breach. Today, the main authentication mechanism in place is the use of one-time passcodes (OTP), but the process of simply having to look up and enter unique codes during log-in also creates friction: it slows the user down and is subject to error, especially for mobile users where the keyboard is more challenging to type. As the user performs more transactions, the level of disdain for that process will only increase. 3 www. e a s y s o l.n e t

4 The two-step process does not have to be completely removed to please customers, especially as more become aware of security risks. Consumers are now skeptical of websites that only rely on passwords or do not require frequent password changes. But when consumers feel uncomfortable with online security, whether because there is too little or too much of it, they withdraw or move elsewhere. Security Two or more security factors are usually combined to create a strong layered solution in the two-factor authentication process, but only if they are all sound. The quality of an authentication factor is determined by the following: The factor is not forgettable The authentication codes cannot be easily guessed The factor cannot be replicated The factor cannot stolen via the Internet Unfortunately, the most frequently used two-factor authentication technology today relies on one-time passwords for online banking security, and most current OTP systems have been compromised in the past few years. OTPs are easily stolen due to technology that relies on browser-based communication back to servers for validation. There are numerous reports of advanced malware that can easily bypass these systems by intercepting the OTP as it is being used. The attacker then creates a second hidden browser window in order to remotely log into an account from the user s own computer. OTPs sent via SMS are also not considered secure for several reasons. The OTP is sent to a device using a phone number, but the organization sending the SMS has no idea about (or control over) the level of security on the receiving device. The OTP could be intercepted by the command control of an attacker, which is what happens in the case of Mobile SIM swaps or SIM clones and call forwarding scams. Even if the OTP reaches the legitimate user s phone, the SMS message can be automatically redirected to command control by Trojans like Zeus, Zitmo and Zveng, which leverage open access to SMS on mobile phones. It is no surprise that almost all malware now comes with SMS hijacking as a standard capability. Push Authentication Overcomes the Key Inhibitors to Stronger Authentication Adoption Push notifications are easier for enterprises to manage, and may help reduce total cost of ownership for a consumer solution, paying big dividends in the long term. Push is not hardware-based and is network and operator independent, and also does not rely on phone numbers. It reduces need for help desk support to assist customers through the authentication process. Since consumers rarely go anywhere without their smartphones, these devices offer the most potential for providing frictionless strong authentication. Push technology allows phones and servers to validate each other, in order to prevent network-level attacks against the authentication process, striking the right balance between user experience and security. For Users Ease of Use No OTP to remember Simple, Fast One-Tap Benefits of Authen cation For Information Security Owners Increased PKI Security Threat visibility Better risk assessment Push Push on For Marketing Owners Drive engagement Increase satisfaction and retention Transparent deployment 4 www. e a s y s o l.n e t

5 Part of the DetectID Framework for Easy Migration Push Authentication is part of the DetectID Framework, which unlike standalone push systems, allows you to transition from traditional form factors to push at your own pace. DetectID allows you to do this by supporting most of the current form factors and vendors that offer hardware tokens, soft tokens or SMS OTP. DetectID also permits greater deployment flexibility, in which your organization can deploy form factors per channel, user group, or individual user. The DetectID Framework Mobile Banking e-bank IVR Office & Branches M obile SD K W eb S e rvices Server Hardware OTP Tokens Out Of Band SMS/ Other/Web/ VPN SSL ATM Push Compared to other Mobile Form Factors On the table below, push authentication s user-friendly array of functionalities is compared with legacy software authentication methods that leverage user mobile devices. Push is more versatile and flexible than any other authentication system, and protects against threats that one-time passwords and PIN numbers just can t stop. Low costs Ease of Use Easy of Integra on Easy Enrollment Not Phone Number Dependent Mul -Channel Man-in-the-middle Phishing protec on Digital Signing Push Authen ca on So OTP (mobile app) QR Code SMS OTP (one- me code) 5 www. e a s y s o l.n e t

6 Push Authentication A Technical Overview At Easy Solutions, we have taken the power of push notifications and added our security expertise to create our own Push Authentication solution, helping organizations to overcome the barriers of cost, usability and security that prevent them from deploying stronger user verification. Our solution enables you to deliver signed and encrypted messages with clear calls to action, and allows users to take immediate action from their device lock screens or in their notification center. Push is genuine out-of-band authentication that supports reciprocal verification between two entities and protects against all phases in the life cycle of a typical fraud attack. The technology is based on push notifications, providing a native user interface that does not interfere with the mobile experience and actually enhances customer engagement. Push technology is provided as part of our DetectID multi-factor authentication solution, and allows your organization to enable a second isolated, secure communications channel between a user s mobile device and your organization. This channel leverages advanced digital certificates and push notifications to digitally sign and encrypt all sensitive transactions with just one touch. At no point can a third party, not even the mobile carrier, access or tamper with these transmissions. After downloading and installing the mobile application (with DetectID technology embedded), the mobile device can be registered using QR code scanning, entering a manual activation code or transparently upon successful login into the mobile banking app. As part of the activation process, the Software Development Kits (SDKs) automatically generate a key pair and unique device identifier also referred to as a DeviceID. This process is seamless to your users and online service providers. Each private key is generated and securely stored on the mobile device and is used to sign authentication responses while the public key verifies the signature on the server. Push Authentication Flow Channels Application Servers IVR Mobile Banking Customer initiates a transaction from any channel ATM e-bank Customer ID Customer s Response Request to Customer s Response SDK Customer s Response Customer s Phone with Push SDK Server Mutually Secure Communication Channel 6 www. e a s y s o l.n e t

7 Push Authentication Key Features: Unique device ID: DetectID technology generates a unique deviceid in addition to the public/private key pair to uniquely identify your customer s mobile device. This device ID is used to individually recognize the device based on its particular hardware characteristics, mitigating possible key pair theft. A fully encrypted communications channel: The SDK s self-contained cryptographic stack enables an isolated, encrypted communications channel between the user s mobile device and your organization. No third party can access these communications. Simple one-click authentication: No phone calls to wait for or passcodes to type in; transaction or login authentication requests are pushed to your customer s mobile device over the encrypted communication channel. Your customers only need to tap a button on their phone to approve or decline transactions. Transaction signing: All communications between the customer device and servers are signed and support nonrepudiation. A private key is generated and securely stored on the mobile device and is used to sign authentication responses, while the public key verifies the signature on the server side. Channel integration through a full web-services-based API: A well-defined API provides flexibility in tailoring functionality and customizing the design according to parameters that your organization sets. Rooting/jailbreak detection: The SDK includes advanced detection of rooting, jailbreaking, or similar mobile operating system security bypass hacks. Trusted device - In addition to authentication, Easy Solutions delivers real-time mobile analytics and threat deactivation, increasing your decision-making capabilities based on the level of threats present on the device. Gain full visibility and assess risk on all the mobile devices interacting with your service. 7 www. e a s y s o l.n e t

8 An In-Depth Look at the Technology Behind Push Authentication Activation The activation process for Push Authentication binds the user s identity to a smart device. The binding is established through the registration and issuance process that is described below. It is assumed in the following that the user is already known to the service provider and has been issued with a set of existing security credentials (e.g. username/password). Note: When a service provider chooses to transparently deploy activation, all steps are performed silently by the SDK without the end user s interaction. 1 Device Activation Flow 2 3 The activation process for DetectID is as follows: 1. Activation code is entered. Upon request, the DetectID server generates a time-limited activation code. The service provider sends the activation code to the user and asks the user to enter the activation code into the device. The DetectID SDK on the smartphone or mobile device generates a private/public key pair during the activation process. 2. Activation code is verified. After the device has captured the activation code, it calls the DetectID server and sends the activation code for verification along with the device's public key and the unique deviceid. The public key and the deviceid are then stored by the server. Once verified, the DetectID server knows that the user holds the specific device and what type of device the user has. 3. Activation Successful. Upon successful validation of the activation code, the server public key will be sent to the mobile device and be used to verify the signature of the push messages. Note: The DetectID SDK "fingerprints" the device to create a device ID for the mobile device. All keys are stored and secured with a personal unblocking code that is unique to the device. Transaction Signing DetectID offers PKI key generation that provides legally binding digital signatures for authentication processes and non-repudiation. A private key is delivered to the mobile device and is used to sign authentication responses, while the public key verifies the signature on the server side. 8 www. e a s y s o l.n e t

9 Transaction Signing Flow 1 DetectID Push message 2 Mobile device Push message response Server The steps for enabling transaction signing are as follows: 1. Push Message to Device. The server sends a signed and encrypted push notification to the device. The push notification is encrypted using the device s public key, which guarantees that only the registered mobile device can decrypt the information. The notification is also signed using the DetectID server private key to prevent man-in-the-middle attacks. The device receives the encrypted push message, which can include the title, summary and amount to be signed. 2. Response to Server. The DetectID SDK generates an encrypted response to the challenge and sends it to the server, and the response is signed with the device s private key. The DetectID server then verifies the response against its stored deviceid and the device s public key. 9 www. e a s y s o l.n e t

10 Architecture and Integration 3 rd Party Applications Risk Engine Policy ACH and Wire Processing Systems Online / Mobile Applications Web Services Push HTTPS Wealth Management Server HTTPS Response Core components and easy integration Online service providers will need to integrate Push Authentication on both ends to successfully deploy it. The client mobile app should use the DID SDK and embed client-side functionality, while the server application should communicate with DID server via a SOAP call when authentication is needed on a login or a transaction process. The client interface consists of only a few very basic function calls that are very easy to integrate. DID SDK Libraries The DetectID SDK is delivered as a binary library together with a source code sample that demonstrates how to use different function calls. Any communication between the DID SDK and the mobile app is done via an asynchronous interface that does not block or influence the GUI experience of the app while processing the security functions. The DetectID SDK comes a graphical user interface (GUI) that mobile app developers are free to customize and for use with their own GUI. Whenever the DetectID SDK needs to show a message to the user, it informs the mobile app via the asynchronous interface. The DetectID SDK is available on Android (smart phone and tablets) and ios (iphone and ipad). A generic mobile app with an embedded and pre-configured DetectID SDK is uploaded into application stores by the service provider. Server The server interface uses the standard Simple Object Access Protocol (SOAP). DetectID is a standalone server which should run in a secure environment. Administration Push Authentication includes ready-to-use administration, reports and a help desk console. If required by the service provider, management functionality can also be integrated into existing administration consoles and business processes via SOAP calls. Activation Codes DetectID can generate and deliver activation codes for user registration via SOAP calls by the server application. Online service providers may choose between various methods of distributing activation codes to end users depending on internal security policies. Activation codes can be distributed through , SMS messages to pre-registered mobile phone numbers, or a self-service web page accessible by using existing credentials (static password, OTP, SMS, soft OTP, etc.) QR Codes Once generated, the QR Code is scanned automatically, using the camera on the device, and the device is registered and ready to use for receiving instant Push Authentication messages. Device Registration Transparent Activation Using the SDK, devices can be automatically registered when end-users successfully log into your mobile application. This allows for faster adoption of the service. With Push Authentication from Easy Solutions, you can give customers simple one-click authentication for logins, transactions, or any other sensitive requests. Push technology available as part of the DetectID multi-factor authentication platform turns any smartphone into a simple and trusted communication channel to replace SMS-based security, allowing you to strengthen relationships with your customers. Push Authentication s ease of use and intuitive functionality gives organizations the tools to enable greater user adoption of authentication, and provides a crucial extra layer of protection to your sensitive data in an era when massive data breaches show no signs of slowing down. 10 www. e a s y s o l.n e t

11 About Easy Solutions Easy Solutions is a leading security vendor focused on the comprehensive detection and prevention of electronic fraud across all devices, channels and clouds. Our products range from anti-phishing and secure browsing to multifactor authentication and transaction anomaly detection, offering a one-stop shop for multiple fraud prevention services. The online activities of over 60 million customers of more than 220 leading financial services companies, security firms, retailers, airlines and other entities in the United States and abroad are protected by Easy Solutions fraud prevention systems. Easy Solutions is a proud member of such key security industry organizations as the Anti-Phishing Working Group (APWG), the American Bankers Association (ABA) the Bank Administration Institute (BAI), the FIDO (Fast Identity Online) Alliance and the Florida Bankers Association (FBA). For more information, visit or follow us on US Headquarters -Tel Latin America -Tel. +57 (1) EMEA -Tel. +44 (0) APAC -Tel [email protected] Easy Solutions, Inc. All rights reserved worldwide. Easy Solutions, the Easy Solutions logo, DetectID, DetectID in the Cloud, DetectID in the Cloud for SugarCRM, DetecTA, DetectCA, DetectID Web Authenticator, Total Fraud Protection, Detect Safe Browsing, Detect ATM, Detect Monitoring Service, Detect Vulnerability Scanning Service, Detect Social Engineering Assessment, Protect Your Business and Detect Professional Services are either registered trademarks or trademarks of Easy Solutions, Inc. All other trademarks are property of their respective owners. Specifications and content in this document are subject to change without notice. 11 www. e a s y s o l.n e t