Mobile Identity: Improved Cybersecurity, Easier to Use and Manage than Passwords
Mika Devonshire, Associate Product Manager

What is Cybersecurity?
Quick overview of the core concepts

Cybercrime
2013: Year of the hack, stolen passwords, and weak authentication
Cost of Cybercrime Exceeds Spending on Security
Increase in Frequency and Intensity of Cybercrime
In 2013 alone:
Total cyber attacks went up 42%
~1 attack every 18 seconds
Cost per victim rose 56%
Avg. cost to a small business: $8.7K
Avg. cost to large corporation: $5.4M
The greatest threat to National Security (Defense Leadership Poll)
Sources: European Commission Study 2013; Symantec Security Study 2013; Ponemon Institute; US CERT Crime Reporting

What is Cybersecurity?
Quick overview of access control
Weak or stolen passwords account for 76% of all breaches
Disclosure, Alteration, Destruction
82% can be cracked in a matter of hours or days
Decryption, Brute Force, Dictionary Attack
6 times as many vulnerabilities as in 2012
Skimming, Malware, Phishing
Identification: Username
Authentication: Password
Authorization: IDM
Auditing: Static Logs
https://itservices.stanford.edu/service/webauth/twostep/text_message

Traditional Methods of Access Control
Characterized by inconvenience, cost, and vulnerability
1. Longer Passwords: hard to remember, often written down
2. Hardware Tokens: cumbersome, especially if lost or stolen
3. SMS Access Codes: can be disabled or seen in plaintext
4. Security Questions: easy to guess or publicly available (Date of birth? Last 4 digits of SSN?)
itservices.stanford.edu/service/webauth/twostep/text_message

Mobile Multi-factor Authentication
Usher combines three fundamental factors to ensure the rightful owner is always in possession of their Mobile ID
1. Something you know: Device Passcode, Account Email
2. Something you have: Device Certificate, Access Token
3. Something you are: Biometrics (face or voice print)

Usher Mobile Identity
Designed for the mobile age, optimized for biometrics, deployed across your enterprise for enhanced security
Dematerialize, Link, Extend
Log in to Applications; Unlock Workstations; Create SSO Session

Usher Identity Architecture
Client Layer: Web Applications, Mobile Devices, Physical Access System
API: Usher Mobile API
Server Layer: Usher Server
Connector Layer: Connectors
Existing ID repositories: IDMS, SSO, PACS

Out of Band, Encrypted Credentials
Present nothing in the open; time-limited codes serve as access requests while private credentials remain encrypted in the database
User Attributes: Lisa Smith, Product Manager, MicroStrategy, Inc.; Picture; PKI Certificate
ID Tokens
Log in to Applications; Unlock Workstations; Create SSO Session

Out of Band, Encrypted Credentials
Present nothing in the open; time-limited codes serve as access requests while private credentials remain encrypted in the database
ID Tokens: Usher PIN, Usher Stamp, Usher Signal
Log in to Applications; Unlock Workstations; Create SSO Session

Something you have: PKI Certificate
Only a registered device can send requests using Usher Mobile ID
1. User logs in to Usher for the first time
2. Connected IDM signs the certificate
3. Server stores a copy
4. Certificate is delivered to client for use
[Diagram labels: Access Token, Certificate Signing Request, Usher Server, Client Certificate, Server Copy]

Something you have: PKI Certificate
Only a registered device can send requests using Usher Mobile ID
[Graphic: sample X.509 Certificate for Lisa Smith, Product Manager, MicroStrategy, Inc., with Usher Stamp]
1. Private key stored securely on client in keychain
2. Revoke or renew automatically or on-demand
3. Certificate signing on-premise or use Usher as CA

Something you are: Enterprise Biometrics
Link the rightful owner to their Usher Mobile ID
1. Usher user recites displayed code
2. Usher verifies voiceprint
3. Mobile Identity ready for use
[Diagram labels: Usher Voiceprint Database; Log in to Applications; Unlock Workstations; Create SSO Session]

Something you are: Enterprise Biometrics
Link the rightful owner to their Usher Mobile ID
1. Usher user recites displayed code
2. Usher verifies face scan
3. Mobile Identity ready for use
[Diagram labels: Usher Facial Recognition Database; Log in to Applications; Unlock Workstations; Create SSO Session]

Usher ID for Simple and Secure Log In
Workstations, Applications

Transmit Bluetooth to Log In
Mobile IDs can unlock a workstation, and lock it automatically when ID is out of range

Transmit Bluetooth to Log In
1. Generate time-limited Usher Code
2. Present Code to initiate log in process
3. Access request sent alongside PKI Certificate
4. Usher authenticates credentials
5. Return ID computer log in
[Diagram labels: Mobile Client, Systems, Application Log In, Usher Signal, Usher Server, Verified ID]

A good password will never be enough
http://imgs.xkcd.com/comics/password_strength.png

TEST: Can you recreate my password?
MichaelJordanMyHero

TEST: Can you recreate my password?
ShakeShakeShake
SoundLoudHowNow
BounceBallYellowDog
HowNowBrownCow
JumpCarWatchOut
FlipBikePurpleCat
WhoWhatWhereWhy
MichaelJordanMyHero
LunchWasGreatRight

TEST: Can you recreate my Usher Code?

Password-Free Log In to Applications
Scan a unique Usher code generated for each session to request access

Application Log In with Usher Mobile ID
1. Generate time-limited Usher Code
2. Scan Code to initiate log in
3. Application Code sent alongside device certificate
4. Authenticate credentials in Usher and return ID
5. Access granted by application
[Diagram labels: Web Application, Application Log In, Mobile Client, Resource Code, Verified ID, Usher Server]

Single Sign-on for Web and Mobile Applications
Integrate with your existing SSO Systems (OAuth 2.0 or SAML)

Web Single Sign-on with Usher Mobile ID
1. Generate time-limited Usher Code
2. Scan Code to initiate log in
3. Application Code sent alongside device certificate
4. Authenticate credentials in Usher and return ID
5. Access granted by SSO active session
[Diagram labels: SSO Application, Application Log In, Mobile Client, SSO Access Token, Verified ID, SSO System Code, Usher Server]

Mobile Single Sign-on with Usher Mobile ID
1. Log in to Usher
2. Open 3rd party application on the mobile device
3. Fast app switching checks for an active Usher Log In
4. Automatic log in to active SSO session
[Diagram labels: Mobile Applications, Access Token, Verified ID, SSO ID Token, IDM Copy, Usher Server]

Usher Strong Authentication
Set powerful access controls and layer conditions in any combination for added security
Geo-fencing: Restrict access to a system or entryway based on a user's location. Example: Within 500 feet of HQ
Time-fencing: Limit the times at which users and groups can access systems or entryways. Example: Mon.-Fri., 9:00 AM to 5:30 PM
Bio-fencing: Set high-security systems and doors to be accessible only after a biometric check. Example: Voice print required on-demand
Dual authorization: Require specific systems and doors to be only accessible if two or more people submit simultaneous requests. Example: Two VP-level or above must authorize at same time.

Usher Strong Authentication
Set powerful access controls and layer conditions in any combination for added security
Time-fencing: Limit the times at which users can access systems.

Usher Strong Authentication
Set powerful access controls and layer conditions in any combination for added security
Geo-fencing: Restrict access to a system based on a user's location.

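The four conditions from the Strong Authentication slides, layered into one fail-closed decision. This is an added Python example, not Usher's code or API; the HQ coordinates, the 30-second window used for "simultaneous", and all names are assumptions.

```python
import math
from dataclasses import dataclass
from datetime import datetime, time, timedelta

FEET_PER_METER = 3.28084
HQ = (38.9170, -77.2290)                 # constructed coordinates, not a real site
GEO_RADIUS_FT = 500                      # slide example: within 500 feet of HQ
OPEN, CLOSE = time(9, 0), time(17, 30)   # slide example: Mon-Fri, 9:00 AM to 5:30 PM
DUAL_WINDOW = timedelta(seconds=30)      # assumption: how close "simultaneous" must be

@dataclass(frozen=True)
class Request:
    user: str
    vp_level: bool
    lat: float
    lon: float
    when: datetime       # local time at the protected resource
    biometric_ok: bool   # result of a voice-print check performed elsewhere

def distance_ft(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points, in feet."""
    la1, lo1, la2, lo2 = map(math.radians, (*a, *b))
    h = (math.sin((la2 - la1) / 2) ** 2
         + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h)) * FEET_PER_METER

def failed_conditions(req):
    """Return the names of the per-request fences this request fails."""
    failed = []
    if distance_ft((req.lat, req.lon), HQ) > GEO_RADIUS_FT:
        failed.append("geo-fence")
    if req.when.weekday() > 4 or not (OPEN <= req.when.time() <= CLOSE):
        failed.append("time-fence")
    if not req.biometric_ok:
        failed.append("bio-fence")
    return failed

def authorize(requests):
    """Fail closed: two distinct VP-level users must each pass every fence
    and submit within DUAL_WINDOW of each other."""
    good = sorted((r for r in requests if r.vp_level and not failed_conditions(r)),
                  key=lambda r: r.when)
    for i, first in enumerate(good):
        for second in good[i + 1:]:
            if second.when - first.when > DUAL_WINDOW:
                break                    # later requests are even further apart
            if second.user != first.user:
                return True
    return False
```

Returning the list of failed fences, rather than a bare boolean, gives the audit log the reason for each denial.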
Make Adjustments in Real-Time
Stay ahead of the security challenge with behavior analytics using Usher Intelligence
1. Select an area of the map to get a closer look
2. Identify outlier activity instantly

Review of Usher Mobile Identity
A platform to provide enterprise access to applications using password-free log in, Bluetooth enabled log in, and a strategy to improve cybersecurity
1. Cybercrime is a serious problem
2. No password is strong enough
3. Usher delivers multi-factor authentication to Applications, Systems, and SSO Systems
4. Usher incorporates the highest standards of security
5. Identify suspicious log in behavior and curb fraudulent activity with Usher Intelligence

THANK YOU
Mika Devonshire
E-mail: mdevonshire@microstrategy.com
Twitter: @DevonshireM