RSA Adaptive Authentication
Balancing Risk, Cost and Convenience
As more organizations look to migrate customers, members, and partners to the cost-effective online channel, the need to instill confidence and implement stronger security measures becomes critical. In addition, online threats such as phishing, Man-in-the-middle attacks, and Trojans are constantly evolving, so organizations need to be concerned about deploying a long-term solution that can readily adapt to changes. Achieving the right balance of authentication security without compromising the user experience or straining the budget is a challenge for many organizations. Even so, strong authentication is key to protecting sensitive data and increasing adoption of the online channel. And as most users now experience the implementation of stronger authentication when banking online, they have come to expect that same level of protection when accessing sensitive information at any online site.

The Right Choice for Authentication

RSA Adaptive Authentication is a comprehensive authentication and risk management platform providing cost-effective protection for an entire user base. Adaptive Authentication monitors and authenticates user activities based on risk levels, institutional policies, and customer segmentation and can be implemented with most existing authentication methods, including:

- Invisible authentication: device identification and profiling
- Site-to-user authentication: assures users they are transacting with a legitimate website by displaying, at login, a personal security image and caption that has been pre-selected by the user
- Out-of-band authentication: phone call, SMS, or e-mail
- Challenge questions: challenge questions or knowledge-based authentication (KBA)
- One-time passwords: hardware tokens, software tokens and toolbars, display card tokens, transaction signing tokens or CAP/EMV

Adaptive Authentication is capable of supporting most existing authentication technologies.
[Figure: Real-time risk assessment, fed by web activities & fraud patterns and by policy settings, lets the low-risk majority continue and routes the high-risk minority to secondary authentication: KBA, existing credentials, existing phone credentials (phone call), or manual review.]

Risk-based authentication provides users with strong protection and a convenient user experience by challenging only the highest risk activities.

By having the ability to intelligently support most existing authentication technologies, organizations that use Adaptive Authentication can be flexible in:

- How strongly they authenticate end users
- How they distinguish between new and existing end users
- What areas of the business to protect with strong authentication
- How to comply with changing regulations
- What they are willing to accept in terms of risk levels
- How to comply with the various requirements of the regions and countries where they operate

The Dynamics of Risk-based Authentication

Adaptive Authentication is powered by RSA's risk-based authentication (RBA) technology, a sophisticated system that measures a series of risk indicators behind the scenes to assure user identities. This transparent authentication provides for a superior user experience, as users are only challenged in the highest risk scenarios or when an institutional policy has been violated. In addition, risk-based authentication is self-learning to help protect against Trojans, Man-in-the-middle attacks and other forms of malware threats.

RSA's risk-based authentication is powered by a series of core technologies: RSA Device Identification, the RSA Risk Engine, the RSA efraudnetwork, the RSA Policy Manager, and the RSA Multi-credential Framework.

RSA Device Identification

RSA Device Identification enables transparent authentication for the vast majority of users by analyzing the device profile (the device the user accesses from) and the behavioral profile (what activities the user typically performs) and matching the current activity against these profiles.
RSA Risk Engine

The RSA Risk Engine is a proven, self-learning technology that evaluates each online activity in real time, tracking over one hundred indicators in order to detect fraudulent activity. A unique risk score, between 0 and 1000, is generated for each activity. The higher the risk score, the greater the likelihood that an activity is fraudulent.

RSA Policy Manager

The RSA Policy Manager enables organizations to instantly react to emerging localized fraud patterns and effectively investigate activities flagged as high-risk. The Policy Manager is used to translate organizational risk policy into decisions and actions through a comprehensive rules framework that can be configured in real time.
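The paper describes the decision chain in words only: a 0-1000 risk score, a shared fraud-pattern feed that forces an activity to high risk, institutional policy rules, and a per-segment choice of step-up credential through the Multi-credential Framework named among the core technologies above. The following Python is an added illustration of that chain, not RSA's code: the indicator weights, the 600 challenge threshold, the rule set, the segments, the credential lists and the sample devices and IPs are all constructed for the example, and the real Risk Engine tracks far more than the handful of indicators scored here.

```python
"""Risk-based authentication decision, as an illustrative stand-in (not RSA's code).

Scores an activity on a 0-1000 scale from a few indicators, forces a high
score when the device or IP appears in a shared fraud-pattern repository,
applies institutional policy rules, and picks a step-up credential per user
segment. Weights, thresholds, rules, segments and sample data are constructed.
"""
from dataclasses import dataclass

# Constructed stand-in for a shared fraud-pattern feed (device fingerprints and
# IPs seen in confirmed fraud elsewhere). Values are made up.
FRAUD_DEVICES = {"dev-9f3a"}
FRAUD_IPS = {"203.0.113.77"}

# Risk policy: the adjustable threshold at which a challenge is triggered (constructed).
CHALLENGE_THRESHOLD = 600

# Authentication policy: credential to invoke per end user segment, weakest
# first; higher-value activities get the last (strongest) entry. Constructed.
CREDENTIALS_BY_SEGMENT = {
    "retail": ["challenge_questions", "oob_phone"],
    "wealth": ["oob_phone", "hardware_token"],
}
HIGH_VALUE_ACTIVITIES = {"wire", "change_profile"}


@dataclass
class Activity:
    user: str
    segment: str        # constructed segments: "retail" or "wealth"
    activity: str       # "login", "wire" or "change_profile"
    device_id: str
    ip: str
    country: str        # "XX" / "YY" stand for the policy example's Country X / Country Y
    device_known: bool  # device already bound to this user
    amount: float = 0.0
    hour: int = 12      # local hour of day, 0-23


def risk_score(a: Activity) -> int:
    """Weighted indicators clamped to 0-1000; a fraud-feed hit is scored as high risk."""
    score = 0
    if not a.device_known:
        score += 350
    if a.activity == "wire":
        score += 200 + min(int(a.amount // 100), 250)
    elif a.activity == "change_profile":
        score += 250
    if a.hour < 6:
        score += 100
    if a.device_id in FRAUD_DEVICES or a.ip in FRAUD_IPS:
        score = max(score, 900)  # fraud-feed match: deemed high-risk, challenge follows
    return max(0, min(score, 1000))


# Institutional rules (name, predicate, action) configured in the policy layer.
POLICY_RULES = [
    ("challenge_country_x_y", lambda a: a.country in {"XX", "YY"}, "challenge"),
    ("review_large_wire", lambda a: a.activity == "wire" and a.amount >= 50_000, "review"),
]


def choose_credential(segment: str, activity: str) -> str:
    """Multi-credential selection: segment decides the list, activity value the entry."""
    options = CREDENTIALS_BY_SEGMENT.get(segment, ["challenge_questions"])
    return options[-1] if activity in HIGH_VALUE_ACTIVITIES else options[0]


def decide(a: Activity) -> dict:
    """Return the outcome ('allow', 'challenge' or 'manual_review') with its reasons."""
    score = risk_score(a)
    fired = [(name, action) for name, pred, action in POLICY_RULES if pred(a)]
    actions = {action for _, action in fired}
    if "review" in actions:
        outcome = "manual_review"
    elif score >= CHALLENGE_THRESHOLD or "challenge" in actions:
        outcome = "challenge"
    else:
        outcome = "allow"
    result = {"score": score, "rules": [name for name, _ in fired], "outcome": outcome}
    if outcome == "challenge":
        result["credential"] = choose_credential(a.segment, a.activity)
    return result


if __name__ == "__main__":
    sample = Activity("alice", "retail", "wire", "dev-1111", "198.51.100.5", "US",
                      device_known=False, amount=20_000)
    print(decide(sample))
```

The separation matters operationally: the score is what the self-learning engine produces, while the rules and thresholds are what the policy layer lets an institution change in real time when a localized pattern emerges, without retraining anything.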
RSA efraudnetwork

The RSA efraudnetwork is a cross-organization database of fraud patterns gleaned from RSA's extensive network of customers, ISPs, and third-party contributors across the globe. When a fraud pattern is identified, the fraud data, transaction profile, and device fingerprints are moved to a shared data repository. The efraudnetwork provides direct feeds to the Risk Engine, so that when a transaction or activity is attempted from a device or IP that appears in the efraudnetwork data repository, it will be deemed high-risk and prompt a request for additional authentication.

RSA Multi-credential Framework

The RSA Multi-credential Framework (MCF) provides an abstraction layer that enables one software platform to support multiple authentication methods (based on end user segment and risk assessment) in a single deployment. With the Multi-credential Framework, different authentication methods are leveraged through policy settings to accommodate different end user populations, different online products, and different risk levels.

A Myriad of Authentication Possibilities

Adaptive Authentication is a flexible solution offering a wide array of authentication options that enables organizations to customize risk and authentication policies by user and activity. Risk policies are the adjustable risk thresholds for suspicious activities that an organization establishes to trigger an authentication challenge to a user. Authentication policies refer to how an organization selects the type of authentication method it wishes to invoke in the event that additional authentication is warranted. Following are several of the methods that Adaptive Authentication supports.

Invisible Authentication: Device Identification and Profiling

Adaptive Authentication uses an invisible authentication credential that is based on sophisticated device tracking and profiling techniques.
RSA developed these technologies in order to fingerprint user devices in a non-intrusive manner. Device identification enables the vast majority of users to be authenticated transparently by analyzing the device profile (the device the user accesses from) and the behavioral profile (what activities the user typically performs) and matching the current activity against these profiles. The device forensics are composed of two important elements: (1) device identification (identifying that the device was previously used by this user) and (2) device authentication (considering known devices as automatically authenticated up to a certain risk level and, beyond that, requiring additional authentication in order to trust the device, as well as using authentication in order to bind a device to a user). Adaptive Authentication treats a device identifier as a second-factor credential and, based on its existence and authenticity, invokes additional authentication if required.

With device identification (sometimes also referred to as device fingerprinting), information regarding specific attributes of the device provides a qualified distinction but not an entirely unique identification of the device. If a device has been known for a long period of time, it means that the user performing the current activity is likely to be genuine. The techniques used in this group do not provide a unique identifier of the device, but this is not needed for positive identification. Device fingerprinting serves a similar role to that of a PIN number: by itself, it does not identify the user, but together with the Account ID it provides a reasonable certainty of positively assuring identity. Also, since these techniques are used together with additional risk sensors, it is possible to be less strict than with a PIN.
A device fingerprint is a unique statistical fingerprint of a device and is made up of a set of device parameters, including:

- Actively introducing additional identifiers by simple addition of a cookie and/or a Flash Shared Object (also referred to as a "Flash Cookie"), which then serve as more unique identifiers of the device. Techniques used in this method provide unique device identification; however, they are more vulnerable to deletion by savvy users. This fingerprinting method is always attempted by default.
- Tracking the geo-location of the device based on the IP address
- Tracking device characteristics that are a natural part of any device: HTTP headers, operating system versions, operating system patch levels, screen resolution, browser version, software versions, display parameters (size and color depth), languages, time zone settings, installed browser objects, installed software, regional and language settings, and PC clock and time drift

Along with other important device identifying parameters, device fingerprint information is also fed to the RSA Risk Engine for risk assessment and user profile building.

Adaptive Authentication maintains a history of the devices used by each user. The profile for the device and the profile for the user include information such as the first and last date they have been seen together, what level of authentication was achieved on this device-user combination, and the number of times this combination has appeared.

Site-to-user Authentication Increases Online Channel Usage

Site-to-user authentication provides a visible layer of security and peace of mind to online users and also encourages them to conduct more online activities. A 2006 Gartner study found that 67% of users rated site-to-user authentication as extremely or somewhat important to their decision to perform online activities. (Source: "Bank of America's SiteKey Fosters Confidence, but Issues Remain", Avivah Litan, September 29, 2006, Gartner)
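The device identification section above makes two points that are easy to state and harder to see in practice: a planted identifier (cookie or Flash Shared Object) is unique but deletable, while the "natural" characteristics are not unique and drift over time, so matching on them has to be statistical; and each device-user pairing carries a history (first and last seen, authentication level reached, times seen). The Python below is an added illustration of both, not RSA's code: the attribute weights, the 0.8 match threshold, the clock-drift tolerance, the record layout and the sample fingerprints are all constructed.

```python
"""Device fingerprint matching and device-user history (added illustration, not RSA's code).

A returning device is recognised either by a planted identifier (a cookie
token, which a user can delete) or by weighted similarity over "natural"
device characteristics, which tolerates small drift. Each device-user pairing
keeps first/last seen dates, an authentication level and a counter. Weights,
threshold, tolerance and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed weights over the characteristics the paper lists.
ATTRIBUTE_WEIGHTS = {
    "user_agent": 3, "os": 2, "os_patch": 1, "screen": 2, "color_depth": 1,
    "languages": 2, "timezone": 2, "plugins": 3, "clock_drift_s": 1,
}
MATCH_THRESHOLD = 0.8        # similarity needed to accept a fingerprint-only match
CLOCK_DRIFT_TOLERANCE_S = 5  # drift moves slowly, so allow a small delta


def attribute_similarity(stored: dict, observed: dict) -> float:
    """Weighted share of matching attributes, in [0, 1]; missing attributes never match."""
    total = sum(ATTRIBUTE_WEIGHTS.values())
    matched = 0
    for key, weight in ATTRIBUTE_WEIGHTS.items():
        s, o = stored.get(key), observed.get(key)
        if s is None or o is None:
            continue
        if key == "clock_drift_s":
            if abs(s - o) <= CLOCK_DRIFT_TOLERANCE_S:
                matched += weight
        elif s == o:
            matched += weight
    return matched / total


@dataclass
class DeviceRecord:
    device_id: str
    attributes: dict
    cookie_token: Optional[str]
    first_seen: date
    last_seen: date
    times_seen: int = 1
    auth_level: str = "none"   # "none", "risk_based" or "stepped_up"


class DeviceHistory:
    """Per-user list of known devices, refreshed on every identification."""

    def __init__(self) -> None:
        self._devices: Dict[str, List[DeviceRecord]] = {}
        self._next_id = 1

    def identify(self, user: str, observed: dict, cookie_token: Optional[str],
                 today: date) -> Tuple[DeviceRecord, float, bool]:
        """Return (record, confidence, is_new). Known devices are updated in place."""
        known = self._devices.setdefault(user, [])
        best, best_conf = None, 0.0
        for rec in known:
            if cookie_token and rec.cookie_token == cookie_token:
                best, best_conf = rec, 1.0    # planted identifier: treated as unique
                break
            sim = attribute_similarity(rec.attributes, observed)
            if sim >= MATCH_THRESHOLD and sim > best_conf:
                best, best_conf = rec, sim
        if best is not None:
            best.last_seen = today
            best.times_seen += 1
            best.attributes = dict(observed)   # absorb gradual drift (patches, upgrades)
            if cookie_token and not best.cookie_token:
                best.cookie_token = cookie_token
            return best, best_conf, False
        rec = DeviceRecord(f"dev-{self._next_id:04d}", dict(observed), cookie_token, today, today)
        self._next_id += 1
        known.append(rec)
        return rec, 0.0, True

    def bind_after_step_up(self, rec: DeviceRecord) -> None:
        """Record that the user passed additional authentication on this device."""
        rec.auth_level = "stepped_up"

    def devices_for(self, user: str) -> List[DeviceRecord]:
        return list(self._devices.get(user, []))
```

A device that is new to the user returns with confidence 0.0, which is exactly the signal the risk engine weighs; whether that alone triggers a challenge is a policy decision, not something the fingerprint layer decides.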
Site-to-User Authentication

Adaptive Authentication offers a method called site-to-user authentication which provides organizations and their online users with a visible security reminder at each login. Site-to-user authentication assures users they are transacting with a legitimate website by displaying, at login, a personal security image and caption that has been pre-selected by the user (both are selected during a previous enrollment session). Users are instructed to only enter their password after the website they are accessing has proven its authenticity by displaying their personal security image and caption.

[Figure: Login flow on a web site with site-to-user authentication: logon with username; real-time risk assessment (risk analysis, device identification); confirm security image and caption; enter password; proceed with online session.]

Site-to-user technology offers a number of benefits, including:

- Provides end users with a sense of security and confidence that electronic communications are genuine by displaying their unique personal security image and caption
- Involves end users in their own online security
- Presents a clear and concise message to end users to never enter their password at the website before the website has proved its authenticity by displaying their image and caption
- Increases the adoption rates and usage of the online channel

RSA's site-to-user authentication is used by over 50 million end users worldwide and has resulted in increased online activity in many areas. A recent end user satisfaction survey of 10,000 online users conducted by Alliance & Leicester in the UK supports this: 90% rated the security measures provided as good or excellent, 92% stated that they clearly understand the purpose of the new authentication system, and 83% confirmed that they would not enter their PIN into the website without their personal security image and caption being displayed.

Out-of-band Phone Authentication Module

The Adaptive Authentication Out-of-band (OOB) Phone Authentication module is one of the strongest alternative options organizations have against fraud because it leverages a means of communicating with the user that is outside of the online channel. One of the key benefits offered by out-of-band phone authentication is that it is simple to use. Also, it does not require the end user to purchase new hardware or software, as it relies on any ordinary analog telephone, VoIP telephone, or mobile phone. This meets the demand by end users for an authentication method that is easy to use and understand while maintaining the security inherent in an OOB solution.
Out-of-band (OOB) communication methods are a powerful weapon against fraud because they circumvent the communication channel(s) fraudsters typically use. Out-of-band communication methods include the telephone, text messages (Short Messaging Service (SMS)), or e-mail. Out-of-band phone authentication occurs either when a high-risk activity (identified as such by the RSA Risk Engine) occurs or when an institutional policy (e.g. "Challenge all activities originating in Country X or Country Y") triggers it. When either or both of these scenarios occur, Adaptive Authentication challenges the end user to reconfirm that they are who they claim to be through an easy-to-understand automated phone call process. First, the system asks the user to select one of the phone numbers previously recorded during enrollment at which to receive a phone call. Next, the system generates an automated call informing the actual user of the activity details and prompting them to enter the confirmation number (a one-time password (OTP)) displayed on the web browser into the keypad on the phone. After delivery of this OTP, the user enters the OTP number into the phone and, provided it is the correct number, the user can continue without disruption.

[Figure: Login or transaction activity passes through real-time risk assessment against policy settings; the low-risk majority continues, while the high-risk minority is challenged with out-of-band (OOB) phone authentication: a confirmation number such as 12345 is shown in the browser and keyed into the phone; on success the activity continues, on failure the login or transaction is blocked.]

Out-of-band phone verification is generally used to protect high-risk activities such as a change in personal information or a high-value money transfer. Out-of-band phone authentication is especially effective in protecting against nefarious threats such as Man-in-the-middle servers and other crimeware such as keyloggers, screen scrapers, and Man-in-the-browser Trojans. Out-of-band phone authentication prevents the scenario in which a fraudster has all or most of a customer's personal account information or has even placed a piece of crimeware on the customer's device. Without access to the customer's phone, the fraudulent attempt will be blocked successfully.

[Figure: The same flow with knowledge-based authentication (KBA): the high-risk minority is challenged with questions such as "What is the color of your '97 Nissan Maxima?", "Which of the following people are you most closely associated with?", "From whom did you purchase your current property?" and "Which of the following domain names is/are registered in your name?"; on success the activity continues, on failure the login or transaction is blocked.]
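The three-step phone flow above (choose an enrolled number, receive the automated call with the activity details, key the confirmation number from the browser into the phone) is worth seeing as code because the security property lives in the direction of the data: the confirmation number is displayed in the browser and never spoken over the phone, so someone who controls only the browser session cannot complete the challenge. The Python below is an added simulation of both sides of that exchange, not RSA's code; the phone book, the telephony adapter callback, the 120-second validity window and the three-attempt limit are constructed for the example.

```python
"""Out-of-band phone confirmation, simulated end to end (added illustration, not RSA's code).

The confirmation number is displayed only in the browser and must be keyed
into the phone the user enrolled earlier, so both channels have to be in the
same hands. Phone book, telephony adapter, TTL and attempt limit are constructed.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed enrollment data: numbers recorded when the user enrolled.
ENROLLED_PHONES: Dict[str, List[str]] = {
    "alice": ["+1-555-0100 (mobile)", "+1-555-0199 (home)"],
}


def mask(phone: str) -> str:
    """Show only the last four digits when asking the user to pick a number."""
    number, _, label = phone.partition(" ")
    digits = "".join(c for c in number if c.isdigit())
    return f"***-{digits[-4:]} {label}".rstrip()


@dataclass
class OobChallenge:
    user: str
    activity: str
    phone: str
    otp: str            # shown in the browser; never sent over the phone channel
    expires_at: float
    attempts_left: int = 3
    state: str = "pending"   # pending, passed, blocked or expired


class OobPhoneAuthenticator:
    def __init__(self, place_call: Callable[[str, str], None],
                 ttl_seconds: int = 120, clock: Callable[[], float] = time.time):
        self._place_call = place_call   # telephony adapter: (phone, spoken text)
        self._ttl = ttl_seconds
        self._clock = clock

    def phone_choices(self, user: str) -> List[str]:
        """Step 1: the user picks one of the numbers recorded during enrollment."""
        return [mask(p) for p in ENROLLED_PHONES[user]]

    def start(self, user: str, activity: str, phone_index: int) -> OobChallenge:
        """Step 2: place the automated call with the activity details; the OTP goes to the browser."""
        phone = ENROLLED_PHONES[user][phone_index]
        otp = f"{secrets.randbelow(10**6):06d}"
        ch = OobChallenge(user, activity, phone, otp, self._clock() + self._ttl)
        self._place_call(phone, f"Activity requested: {activity}. Enter the confirmation "
                                "number shown in your browser, then press pound.")
        return ch

    def keypad_entry(self, ch: OobChallenge, digits: str) -> str:
        """Step 3: digits keyed on the phone; returns the challenge's new state."""
        if ch.state != "pending":
            return ch.state                 # already decided; nothing changes
        if self._clock() > ch.expires_at:
            ch.state = "expired"
            return ch.state
        if hmac.compare_digest(ch.otp, digits):
            ch.state = "passed"             # user continues without disruption
        else:
            ch.attempts_left -= 1
            if ch.attempts_left == 0:
                ch.state = "blocked"        # login / transaction blocked
        return ch.state


if __name__ == "__main__":
    calls: List[tuple] = []
    auth = OobPhoneAuthenticator(lambda phone, text: calls.append((phone, text)))
    challenge = auth.start("alice", "wire transfer to account ending 4421", 0)
    print("browser shows:", challenge.otp, "| call placed to:", calls[0][0])
    print("result:", auth.keypad_entry(challenge, challenge.otp))
```

Note that the activity details are spoken on the call: a user who is told "wire transfer to account ending 4421" while they were trying to log in has been given the information needed to refuse, which is what defeats a Man-in-the-browser Trojan that silently alters the transaction.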
Challenge Questions

Challenge questions (sometimes called "shared secrets") are questions which an online user enrolls in and is then prompted to answer when additional authentication is required based on the transaction or activity. Enrollment in challenge questions occurs when the end user signs up for stronger authentication. This typically occurs either when a new user initially joins an organization's website or when an organization chooses to roll out this new form of authentication protection.
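The properties this section goes on to attribute to RSA's challenge-question method (questions drawn at random from a large pool and presented in random order, more questions collected at enrollment than are asked at any one challenge, and tolerant matching so a typo does not reject the genuine user) are easier to reason about with a concrete enrollment and challenge in front of you. The Python below is an added illustration, not RSA's code: the question pool, the five-collected / three-asked split and the seeded random source are constructed, and the tolerant comparison is plain Levenshtein distance on normalized text, a stand-in for RSA's proprietary fuzzy-logic matching.

```python
"""Challenge-question enrollment and verification (added illustration, not RSA's code).

Random selection from a pool, randomized order, a collected superset with a
challenged subset, and typo-tolerant matching. The pool, the tolerance and the
sample answers are constructed; matching is plain edit distance, not RSA's
proprietary algorithm.
"""
import random
import re
import unicodedata
from typing import Dict, List

# Constructed pool; a production pool would be far larger.
QUESTION_POOL = {
    "q01": "What was the name of your first pet?",
    "q02": "In what city were you born?",
    "q03": "What was the make of your first car?",
    "q04": "What is your oldest sibling's middle name?",
    "q05": "What street did you live on in third grade?",
    "q06": "What was the name of your elementary school?",
    "q07": "What is the name of your favorite teacher?",
    "q08": "What is your maternal grandmother's first name?",
}


def normalize(answer: str) -> str:
    """Lower-case, strip accents and punctuation, collapse whitespace."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = re.sub(r"[^a-z0-9 ]", " ", text.lower())
    return " ".join(text.split())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fuzzy_match(stored: str, given: str, tolerance: float = 0.2) -> bool:
    """Accept when the normalized answers are within about 20% edit distance (at least one edit)."""
    s, g = normalize(stored), normalize(given)
    if not s or not g:
        return False
    return edit_distance(s, g) <= max(1, int(len(s) * tolerance))


class ChallengeQuestionStore:
    def __init__(self, rng: random.Random, collect: int = 5, ask: int = 3):
        self._rng = rng
        self._collect = collect   # questions collected at enrollment
        self._ask = ask           # subset asked per challenge
        self._answers: Dict[str, Dict[str, str]] = {}

    def enrollment_questions(self) -> List[str]:
        """Random selection from the pool, already in random order."""
        return self._rng.sample(sorted(QUESTION_POOL), self._collect)

    def enroll(self, user: str, answers: Dict[str, str]) -> None:
        # Answers are kept normalized so tolerant matching can work; that rules out
        # one-way hashing, so the store itself has to be encrypted at rest.
        if len(answers) < self._collect:
            raise ValueError("not enough answers collected")
        self._answers[user] = {q: normalize(a) for q, a in answers.items()}

    def challenge(self, user: str) -> List[str]:
        """A fresh random subset of the enrolled questions each time."""
        return self._rng.sample(sorted(self._answers[user]), self._ask)

    def verify(self, user: str, responses: Dict[str, str]) -> bool:
        """Every asked question must match; a question never enrolled counts as a failure."""
        stored = self._answers.get(user, {})
        if len(responses) < self._ask:
            return False
        return all(q in stored and fuzzy_match(stored[q], a) for q, a in responses.items())
```

Collecting five answers and asking three means an observer who watches one challenge learns at most three of the five, and the next challenge is drawn afresh; the enrollment rule that answers are only collected in a low-risk, already-authenticated session is what keeps the stored set trustworthy in the first place.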
BNY Mellon Shareowner Services

"After implementing RSA Identity Verification, we experienced a significant reduction in our Call Center volume which has offered us tremendous cost savings. In addition, we have been able to greatly improve customer satisfaction with the new authentication process providing shareowners with real-time & secure access to our self-service website." (Marc Librizzi, CIO)

The use of challenge questions ensures the utmost security while providing the best possible user experience. Challenge questions have been developed and perfected by RSA through authenticating millions of online users in the past several years. From a security perspective, the following are some of the aspects that make RSA's challenge questions method among the most advanced:

- Randomly selecting the questions that are collected from each user from a very large pool of questions
- Randomizing the order of the selected questions
- Collecting multiple questions while authenticating the user with only a subset of those questions
- Collecting the answers only during low-risk scenarios in which the user has been positively identified and authenticated
- Using fuzzy logic, a proprietary, advanced matching algorithm, to ensure low rejection rates from errors that are traditionally caused by simple human input mistakes

RSA Identity Verification Powered by Knowledge-based Authentication*

Knowledge-based authentication (KBA) presents an end user with a series of top-of-mind questions utilizing relevant facts on the individual obtained by scanning public record databases. Quickly and accurately, KBA delivers a confirmation of identity, usually within seconds, without requiring any prior relationship with the user. Knowledge-based authentication assures user identities based on knowledge of personal information, driven by a real-time question and answer process.
Knowledge-based authentication enables organizations to:

- Increase revenues and attract new end users by simplifying authentication and avoiding the privacy concerns that result when personal information is requested from end users and prospects
- Enhance enterprise security by enabling scalable and easy-to-implement authentication
- Strengthen identity protection throughout the end user relationship via the use of additional authentication methods, re-issuance of credentials and efficient exception handling
- Protect against fraud
- Establish KBA as a primary authentication method, as a backup for lost or forgotten credentials, or as a way to establish an identity without a prior relationship (i.e. account enrollment or account origination)

Knowledge-based authentication plays a critical role in securing real-time activities and delivers a safe environment for end users to conduct business that does not impinge on their privacy or overall experience. It allows organizations to meet end user demands for more real-time, self-service options via remote channels while reducing the operational costs of authenticating users across an organization and across channels.

* RSA Identity Verification is currently only available in the United States.
A knowledge-based authentication system typically collects and verifies information, generates questions, collects and scores answers and delivers a pass/fail result. The system is designed to logically develop correct and incorrect answers using actual end user data in real time. Because the answers to the questions presented are not easily found by an Internet search, it is very difficult for anyone other than the genuine end user to guess correct responses. Therefore, fraudsters with stolen documents are prevented from establishing new accounts and conducting unauthorized activities.

Knowledge-based Authentication to Protect New Account Origination and Enrollment

Despite the widespread protection of most organizational websites with important content on them (e.g. financial services, healthcare, social networking, manufacturing, and other industries), certain elements of transacting and existing online remain unprotected or have been extended insufficient protection. Typically, the processes having to do with enrolling new end users in an organization's services or with activating the online portion of an organization's business tend to be ignored. Knowledge-based authentication is the ideal solution for organizations looking to assure identities for new account origination and enrollment because it is easy to use and does not require any prior relationship with the end user. So what are the benefits of using KBA to protect the account origination and enrollment process?

- Prevents unauthorized users from gaining access to information intended for another genuine customer (i.e., a health insurance card or credit card account)
- Prevents new end users from using an organization's infrastructure to commit fraud
- Allows organizations to comply with federal regulations that mandate the prevention of identity theft and the creation of synthetic identities

One-time Password Authentication

RSA SecurID one-time password technology provides a leading two-factor authentication solution; it is based on something you know (a PIN or password) and something you have (an authenticator). The authenticator generates a new one-time password (OTP) code every 60 seconds, making it difficult for anyone other than the genuine user to input the correct token code at any given time. To access resources that are protected by the RSA SecurID system, users simply combine their secret Personal Identification Number (PIN) with the token code that appears on their authenticator display at that given time. The result is a unique, one-time-use password that is used to positively identify, or authenticate, the user. One-time password authentication from RSA comes in a variety of form factors to meet the needs of an organization and its end users. Deploying an OTP authentication approach may be appropriate in the following cases:

- Where end users are accustomed to using OTP technology
- Where a tangible authentication solution is required to instill user confidence
- Where the information and/or assets being protected are such that stronger authentication is deemed necessary in all instances (for example, an employee that accesses extremely sensitive company documents or a wealthy customer that conducts high-value transactions on a regular basis)
Hardware Tokens

From a usability perspective, traditional hardware tokens (sometimes referred to as "key fobs") are small enough to fit on a keychain and meet the needs of users who prefer a tangible solution or access the Internet from a number of different locations. Each RSA SecurID authenticator has a unique symmetric key (or "seed record") that is combined with a proven algorithm to generate a new one-time password (OTP) every 60 seconds. Patented technology synchronizes each authenticator with the security server, ensuring a high level of security.

RSA SecurID on PDA & Mobile Phones

RSA SecurID software tokens support the same algorithms as the industry-leading RSA SecurID hardware authenticators, including the industry-standard AES algorithm. Instead of being stored in an RSA SecurID hardware authenticator, the symmetric key is safeguarded securely on the user's desktop, laptop, PDA, handheld, or mobile phone. RSA SecurID symmetric keys may also be stored on smart card and USB devices and used in conjunction with the RSA SecurID software token on the user's desktop.

OTP Web Toolbar

The OTP Web Toolbar offers a low-cost method by which to deploy one-time password (OTP) technology directly to a user's web browser. Its "Copy password" function offers the ability to automatically fill in the one-time password field in online applications without the need to manually key in the numbers. The toolbar generates multiple one-time passwords, which may be required to log into different services. This eliminates or prevents the "necklace of tokens" problem. This option is particularly suited for users that tend to transact with an organization from only one or two PCs (although multiple instances of the toolbar can be deployed, for example at work and at home).
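The token sections describe what the user sees (a new code every 60 seconds from a per-token seed, combined with a PIN into a passcode) and, in the Display Card section below, an event-based derivative where the counter advances on a button press. What they leave implicit is the server side: synchronizing on the 60-second step while tolerating a little clock skew, refusing a code that was already used, and resynchronizing an event-based counter when the user pressed the button a few times without logging in. The Python below is an added illustration of those server checks, not RSA's code: the SecurID algorithm itself is proprietary, so codes here are derived with HMAC-SHA256 over the step or press counter as a stand-in, and the seeds, PINs, serials, skew and look-ahead windows are constructed.

```python
"""Time-based and event-based one-time passcodes with server-side checks
(added illustration, not RSA's code). SecurID's algorithm is proprietary;
this stand-in derives token codes with HMAC-SHA256 over a 60-second step
counter (time-based) or a button-press counter (event-based). The passcode
is PIN + token code. Seeds, PINs, window sizes and the clock are constructed.
"""
import hashlib
import hmac
import struct
from typing import Dict

STEP_SECONDS = 60
DIGITS = 6


def tokencode(seed: bytes, counter: int) -> str:
    """Derive a DIGITS-long code from the per-token seed and a counter value."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**DIGITS:0{DIGITS}d}"


def time_tokencode(seed: bytes, now: float) -> str:
    """What a time-based authenticator displays at `now` (seconds since epoch)."""
    return tokencode(seed, int(now // STEP_SECONDS))


class TimeTokenServer:
    """Checks PIN + code, tolerates +/-skew steps of clock drift, refuses reuse."""

    def __init__(self, skew_steps: int = 1):
        self._tokens: Dict[str, dict] = {}   # serial -> seed, pin, last accepted step
        self._skew = skew_steps

    def register(self, serial: str, seed: bytes, pin: str) -> None:
        self._tokens[serial] = {"seed": seed, "pin": pin, "last_step": -1}

    def verify(self, serial: str, passcode: str, now: float) -> bool:
        t = self._tokens.get(serial)
        if t is None or not passcode.startswith(t["pin"]):
            return False
        code = passcode[len(t["pin"]):]
        step = int(now // STEP_SECONDS)
        for candidate in range(step - self._skew, step + self._skew + 1):
            if candidate <= t["last_step"]:
                continue            # this or an earlier step was already consumed
            if hmac.compare_digest(tokencode(t["seed"], candidate), code):
                t["last_step"] = candidate
                return True
        return False


class EventTokenServer:
    """Counter-based variant: each button press advances the counter, so the server
    looks ahead a bounded number of presses and never accepts an older one."""

    def __init__(self, look_ahead: int = 10):
        self._tokens: Dict[str, dict] = {}   # serial -> seed, pin, next expected counter
        self._look_ahead = look_ahead

    def register(self, serial: str, seed: bytes, pin: str) -> None:
        self._tokens[serial] = {"seed": seed, "pin": pin, "counter": 0}

    def verify(self, serial: str, passcode: str) -> bool:
        t = self._tokens.get(serial)
        if t is None or not passcode.startswith(t["pin"]):
            return False
        code = passcode[len(t["pin"]):]
        for candidate in range(t["counter"], t["counter"] + self._look_ahead + 1):
            if hmac.compare_digest(tokencode(t["seed"], candidate), code):
                t["counter"] = candidate + 1   # resync past the accepted press
                return True
        return False


if __name__ == "__main__":
    import time
    seed = b"constructed-seed-0001"            # stands in for a token's seed record
    server = TimeTokenServer()
    server.register("000123456789", seed, "1234")
    shown = time_tokencode(seed, time.time())
    print("token displays", shown, "-> accepted:", server.verify("000123456789", "1234" + shown, time.time()))
```

The "last accepted step" bookkeeping is what turns a time-based code into a true one-time password: within the same 60-second window the authenticator still displays the same digits, and a captured passcode replayed a few seconds later must fail.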
Display Cards

Organizations can now offer their users enhanced OTP security for online activities and a heightened level of trust and confidence with a thin, wallet-sized magnetic stripe card that has an embedded chip and display screen. The RSA SecurID Display Card leverages this new form factor and offers OTP-based strong security and greater portability by eliminating the need to carry an additional item on a keychain and by allowing end users to easily slip the card into a wallet or purse instead. The RSA SecurID Display Card supports an event-based derivative of the highly successful SecurID algorithm. The event occurs when the user presses the button on the card to generate a new and unique password. The event-based OTP display card, supported by Adaptive Authentication, is ideal for the needs of organizations and their end users as they authenticate themselves to their online applications.

Flexible Deployment and Configuration Options

RSA recognizes that no two businesses share the exact same user authentication needs, which is why we offer a wide array of authentication, deployment, and customization options. Adaptive Authentication can be deployed, configured, and used in a number of ways to meet the needs of an organization and its end users.

Visible or Invisible Deployment

Adaptive Authentication can be deployed visibly or invisibly, depending on organizational needs and end user convenience. Some organizations prefer visible authentication to make their users visually aware they are being protected and to comply with regulations. Also, the use of visible authentication may lead some to believe that organizational and customer information is being protected more strongly.
On the other hand, some organizations prefer to use invisible authentication to monitor online activity in an effort not to disrupt or change the user experience, to avoid alerting fraudsters to the fact that a new security system is in place, or as an additional protective layer against advanced threats.

On-Premise or ASP/Hosted Deployment

Organizations worldwide currently deploy Adaptive Authentication in two ways: as an on-premise installation that uses existing IT infrastructure or as a hosted (ASP) authentication service.

Multiple Configuration Options

Adaptive Authentication can be configured in a number of ways to balance security and risk without compromising the user experience. For instance, many organizations currently provide risk-based authentication for their entire user base and allow the RSA Risk Engine to determine those individuals that require additional protection. Other organizations choose an appropriate supplemental form factor based on a user's preference or the types of activities they conduct (i.e. hardware or software tokens for individuals that conduct high-risk activities on a regular basis). Most token form factors can be custom branded, providing an opportunity for organizations to align their brand with safety and security in order to remind their users of the value placed in their online protection.

A Proven Solution

RSA Adaptive Authentication is a proven solution that is currently deployed at over 8,000 organizations worldwide and across multiple industries, including financial services, healthcare and government. It is currently being used to protect over 150 million online users and has processed and protected over 20 billion transactions to date.
RSA is your trusted partner

RSA, The Security Division of EMC, is the expert in information-centric security, enabling the protection of information throughout its lifecycle. RSA enables customers to cost-effectively secure critical information assets and online identities wherever they live and at every step of the way, and manage security information and events to ease the burden of compliance.

RSA offers industry-leading solutions in identity assurance & access control, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit www.rsa.com and www.emc.com.

© 2008 RSA Security Inc. All Rights Reserved. RSA, RSA Security, the RSA logo and efraudnetwork are either registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. EMC is a registered trademark of EMC Corporation. All other products and services mentioned are trademarks of their respective companies. AANON SB 0607