Out-Of-Band Authentication Using a Real-time, Multi-factor Service Model
Andrew Rolfe, Authentify, Inc.
Andy.Rolfe@Authentify.com
Presentation Overview
- Authentication basics
- What is OOBA?
- Why is it important?
- Examples
- Q&A
Security Mantra
- Security is a process
- Technologies without processes are useless
- Deter, detect, recover
- Three basic authentication tools:
  - Knowledge based
  - Object access based
  - Biometric based
Framing the Authentication Problem
- Authentication: the verification of the identity of a person or process. Applies to users, servers, and applications. (The Free On-line Dictionary of Computing, 1993-2001, Denis Howe)
- Authentication event categories:
  - First time registration
    - Known relationships (direct or sponsored)
    - New relationships
  - Recurring access
  - Transaction authorization
Typical First Time Authentication Solutions
- Data comparison (own or 3rd party)
  - Pros: easy to implement, real-time, no (to moderate) expense
  - Cons: very weak audit trail, lack of secret data, intrusive
- Email activation information
  - Pros: positive response required, extra step is a deterrent
  - Cons: not out-of-band, weak audit trail
- Mailing security credentials (send a PIN via mail)
  - Pros: out-of-band communiqué, provides a real-world anchor
  - Cons: slow, weak audit trail
- In-person proofing
  - Pros: physical presence, can get signatures, pictures, etc.
  - Cons: slow, not scalable, asynchronous from digital activity
Typical Recurring Authentication Solutions
- User ID with password/PIN
  - Pros: well understood, self-contained
  - Cons: PIN management, audit trail, insider threat
- Digital certificates
  - Pros: promise of a "Driver's License for the Internet"
  - Cons: not broadly deployed, difficult to use, cross-certification issues
- Tokens
  - Pros: restrict access to tokens you've issued
  - Cons: physical distribution is difficult/costly, difficult to use, tokens get lost/disabled
- Biometric solutions
  - Pros: something you are, can't forget it
  - Cons: trust & compatibility of capture device, complexity of device/process, first time registration, probability based
Typical Transaction Authentication Solutions
- Enter PIN
  - Pros: easy, prevents casual walk-up incidents, extra step (if not the access PIN), confirmation of intent
  - Cons: weak audit trail, PIN management issues
- Negative response notification
  - Pros: notification that the transaction took place
  - Cons: horse is out of the barn, not certain of the destination of the notice
- Paper authorization (mail, fax) sent after the fact
  - Pros: paper audit trail
  - Cons: slow, not scalable, subject to paper document fraud, data coordination
- Insurance (?)
  - Pros: mitigates risk for participants
  - Cons: costly, limits are low
What Is Your Security Objective?
- What do you wish to attain? Assurance of person vs. assurance of payment
- What is your risk/reward balance? What's at risk?
- Calculating the ROI of security: raising the bar without breaking the bank
- Zero-tolerance fraud prevention requires non-digital backup processes. Is this appropriate/necessary for your system?
Common Attacks
- Trojans
- Key loggers
- Phishing / Pharming
- Man in the Middle (MITM)
What is OOBA?
- Utilizing another, different channel during authentication
- Makes compromise twice as hard: an attacker must subvert both channels
- Essentially adding an outside trusted observer or participant to a single channel transaction
OOBA Examples
- Postal mail: registration documents, PIN mailers
- SMS
- Telephone
Putting It All Together
Examples:
- Challenge / Response
- Transaction Verification
- Session Aware
- Multi-factor with Biometric
Challenge / Response
Gaming site wishes to do an ethical check for age
1. Call a phone number on file (access)
2. Ask for DTMF entry of a random portion of the account number (liveness, knowledge)
3. Ask for verbal attestation of age (deter, audit)
Transaction Verification
Bank site wishes to verify a high value transaction
1. Call a phone number on file (access)
2. Announce the transaction value and ask for verbal confirmation (detect, audit)
3. Ask to respond to a randomly selected security question (liveness, knowledge)
Session Aware
Cash management system login
1. Compute a hash based on the initial session negotiation (session binding)
2. Call a phone number on file (user binding)
3. Ask to enter a random portion of the session hash value (liveness, detect MITM)
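A worked illustration of the session-aware flow above and of the "random portion" DTMF challenge from the Challenge / Response slide, added here as example code and not part of Authentify's service. It assumes the TLS session id and the two handshake nonces are the session-binding inputs, and that the value the caller keys in is a 16-digit decimal code derived from them.

```python
import hashlib
import hmac
import secrets

# Added example (not Authentify's code). Assumed binding inputs: the TLS
# session id and both handshake nonces, visible to each end of the session
# it is actually in. Sample values below are constructed.

def session_hash(session_id: bytes, server_nonce: bytes, client_nonce: bytes) -> str:
    """Bind a 16-digit code to this session; decimal so it can be keyed via DTMF."""
    digest = hashlib.sha256(b"|".join((session_id, server_nonce, client_nonce))).digest()
    return str(int.from_bytes(digest[:8], "big") % 10**16).zfill(16)

def pick_positions(length: int, count: int = 4) -> list[int]:
    """Randomly choose which digits the caller must key in (liveness)."""
    return sorted(secrets.SystemRandom().sample(range(length), count))

def expected_digits(value: str, positions: list[int]) -> str:
    return "".join(value[p] for p in positions)

def voice_prompt(positions: list[int]) -> str:
    spoken = ", ".join(str(p + 1) for p in positions)  # 1-based for the caller
    return f"Please key in digits {spoken} of the code shown on your screen."

def verify_entry(server_value: str, positions: list[int], keyed: str) -> bool:
    """Constant-time compare of what the server expects against what was keyed."""
    return hmac.compare_digest(expected_digits(server_value, positions), keyed)

def simulate(mitm: bool, positions=None) -> bool:
    """Constructed scenario: the user keys digits from the session their browser
    sees; the server checks against the session it sees. With a terminating
    MITM proxy those are two different sessions, so the digits disagree."""
    sid, snonce, cnonce = b"sid-A", b"srv-nonce-A", b"cli-nonce-A"
    browser_view = session_hash(sid, snonce, cnonce)
    if mitm:
        # The proxy holds its own, separately negotiated session with the server
        server_view = session_hash(b"sid-B", b"srv-nonce-B", b"cli-nonce-B")
    else:
        server_view = browser_view
    if positions is None:
        positions = pick_positions(len(server_view))
    keyed = expected_digits(browser_view, positions)
    return verify_entry(server_view, positions, keyed)
```

The binding works because the code is derived from parameters the proxy cannot make identical on both of its legs; the phone channel carries the user's view of them back to the server for comparison.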
Biometric Multi-factor
High value bank transaction verification
1. Call a phone number on file (access)
2. Ask to speak a CAPTCHA or other cognitive, displayed value (liveness, deter)
3. Ask to speak a shared secret (knowledge)
4. During speech, compare with the previously enrolled voice (biometric)
OOBA Web Service (architecture diagram)
Components: Credential Issuing Site; ESC (Site Visitor Records); Site Visitor; Internet; Authentication / Authorization Service (Executable Instructions, Transaction Records); PSTN (Public Switched Telephone Network)
A Service Based Telephone OOB Authentication process can be as simple or as complex as the situation requires, with the same base user interface:
- Session aware confirmation
- Reverse telephone look-up
- Telephone type (cell, land, other)
- Voice recording
- Spoken or entered PIN
- IP / postal / phone location
- Email alert to 3rd party
- Telephone alert to 3rd party
- Voice biometric enrollment/verification
- Auto-callback
- 2nd party approval
- Sponsored enrollment/access
No Silver Bullet
- Manage risk appropriate to your application
- Employ the multiple tools at your disposal
- Easy is better than hard
- Use solutions that make sense for your business
- Remember: everything can be broken
- Continually re-evaluate risk & technologies
(Cartoon: The New Yorker Collection 1993, Peter Steiner, cartoonbank.com. All rights reserved. Caption addendum: "except Authentify")
Contact Information:
Andrew Rolfe, V.P. of Development & Operations
Phone: 773-243-0339
Fax: 773-243-0225
Email: Andy.Rolfe@Authentify.com
World Headquarters: Authentify, Inc., 8745 W. Higgins Road, Suite 240, Chicago, Illinois, 60631
773-243-0300
www.authentify.com
NIST's Assessment of Text Independent Speaker Recognition Performance (chart)
Latest results show improvements
User Stats on Out-of-band (chart)
Source: Betasphere Study