Adaptive Authentication Integration Options
John Murray, Manager, RSA Systems Engineering
What is RSA Adaptive Authentication?
- Comprehensive authentication and fraud detection platform
- Powered by Risk-Based Authentication technology
- Measures the risk associated with a user's login and post-login activities
- Determines the level of authentication required based on risk, policies, and customer segmentation
The Risk Engine (diagram)
- Gathers facts: Internet Protocol (IP) information, proprietary device fingerprints, user behavior, RSA eFraudNetwork profiling
- Builds profiles, generates predictors, and learns
- Assesses risk: RSA Risk Engine scoring results
Hosted or On Prem 4
On Premise
- J2EE Java-based application installed and maintained within a customer's own datacenter
- Flexible platform support, including:
  - OS: Windows Server, Red Hat Enterprise Linux, Solaris and AIX
  - Application servers: WebSphere, WebLogic, JBoss, Tomcat
  - DB servers: Oracle, MS SQL Server
Hosted
- AA fully hosted in the cloud by RSA
- Integration handled via SOAP calls over HTTPS
- Access to back-office tools granted via online web portals
- New re-architected 12.0 platform to be released Q4 2014, running on an elastic cloud provider
Integration Method: Direct API or Adapter
Direct Integration
- Standard code (SOAP) based integration following a Request-Response model between the Application and the AA Server
- Customers integrate into their own applications by developing against the AA WSDL
- Standard methods include: Analyze, Notify, Query, Challenge, UpdateUser, CreateUser, Authenticate
SOAP Request Example

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Body>
        <ws:analyze>
          <ws:genericActionTypes>SESSION_SIGNIN</ws:genericActionTypes>
          <ns1:httpAcceptChars>iso-8859-1,utf-8;q=0.7,*;q=0.3</ns1:httpAcceptChars>
          <ns1:httpAcceptLanguage>en-us,en;q=0.8</ns1:httpAcceptLanguage>
          <ns1:httpReferrer>http://rsademos.com:8080/demobank/index</ns1:httpReferrer>
          <ns1:ipAddress>158.24.172.5</ns1:ipAddress>
          <ns1:userAgent>Mozilla/5.0 (Windows NT 5.2; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17</ns1:userAgent>
          <ws:userName>jmurray</ws:userName>
          <ws:userStatus>VERIFIED</ws:userStatus>
          <ws:userType>PERSISTENT</ws:userType>
          <ws:apiType>DIRECT_SOAP_API</ws:apiType>
          <ws:requestType>ANALYZE</ws:requestType>
          <ws:version>7.0</ws:version>
          <ws:callerCredential>password</ws:callerCredential>
          <ws:callerId>caller</ws:callerId>
        </ws:analyze>
      </soapenv:Body>
    </soapenv:Envelope>
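The slide shows the envelope but not how an application should assemble it from a live HTTP request. The following Python is an added example written for this page, not RSA code and not taken from the AA WSDL: it collects the HTTP facts the Analyze call carries (client IP, User-Agent, Referer, Accept headers) and serialises them with xml.etree so that attacker-controlled header values are escaped rather than concatenated into the envelope. The namespace URIs bound to the ws: and ns1: prefixes do not appear on the slide and are placeholders here; take the real ones from the WSDL. ElementTree reserves prefixes of the form nsN, so the device-data namespace is registered under the prefix "dev" (only the URI binding matters to the receiver). Element names and enumerated values follow the slide's envelope; the callerCredential is passed in by the caller and in production belongs in a secret store.

```python
import xml.etree.ElementTree as ET

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
# Placeholder URIs: the slide does not show what ws: and ns1: resolve to.
WS = "urn:example:aa-ws-placeholder"
DEV = "urn:example:aa-device-data-placeholder"   # the slide's ns1: namespace

# ElementTree rejects prefixes matching ns<digits>, so "dev" stands in for "ns1".
for prefix, uri in (("soapenv", SOAPENV), ("ws", WS), ("dev", DEV)):
    ET.register_namespace(prefix, uri)


def request_facts(peer_ip, headers, behind_trusted_proxy=False):
    """Collect the per-request facts that feed the Analyze call.

    peer_ip is the TCP peer address. Only when the request is known to have
    arrived through a trusted proxy is X-Forwarded-For consulted, and then the
    rightmost entry is used: that is the address the trusted proxy itself saw,
    whereas earlier entries are whatever the client chose to send.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ip = peer_ip
    if behind_trusted_proxy and h.get("x-forwarded-for"):
        ip = h["x-forwarded-for"].split(",")[-1].strip()
    return {
        "ipAddress": ip,
        "userAgent": h.get("user-agent", ""),
        "httpReferrer": h.get("referer", ""),
        "httpAcceptChars": h.get("accept-charset", ""),
        "httpAcceptLanguage": h.get("accept-language", ""),
    }


def build_analyze_request(user_name, facts, caller_id, caller_credential,
                          action_type="SESSION_SIGNIN",
                          user_status="VERIFIED", user_type="PERSISTENT"):
    """Serialise the Analyze envelope from the slide.

    Building the tree instead of formatting a string guarantees that '<', '&'
    and quotes in header values are escaped, so a crafted User-Agent or
    Referer cannot inject elements into the envelope.
    """
    env = ET.Element(f"{{{SOAPENV}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAPENV}}}Body")
    analyze = ET.SubElement(body, f"{{{WS}}}analyze")
    fields = [
        (WS, "genericActionTypes", action_type),
        (DEV, "httpAcceptChars", facts["httpAcceptChars"]),
        (DEV, "httpAcceptLanguage", facts["httpAcceptLanguage"]),
        (DEV, "httpReferrer", facts["httpReferrer"]),
        (DEV, "ipAddress", facts["ipAddress"]),
        (DEV, "userAgent", facts["userAgent"]),
        (WS, "userName", user_name),
        (WS, "userStatus", user_status),
        (WS, "userType", user_type),
        (WS, "apiType", "DIRECT_SOAP_API"),
        (WS, "requestType", "ANALYZE"),
        (WS, "version", "7.0"),
        (WS, "callerCredential", caller_credential),
        (WS, "callerId", caller_id),
    ]
    for ns, name, value in fields:
        ET.SubElement(analyze, f"{{{ns}}}{name}").text = value
    return ET.tostring(env, encoding="unicode")


def analyze_fields(envelope_xml):
    """Parse an envelope back into {local element name: text} for inspection."""
    root = ET.fromstring(envelope_xml)
    analyze = root.find(f"{{{SOAPENV}}}Body/{{{WS}}}analyze")
    return {child.tag.split("}")[1]: child.text or "" for child in analyze}


if __name__ == "__main__":
    # Constructed sample headers, modelled on the values in the slide's envelope.
    sample_headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 5.2; WOW64) AppleWebKit/537.17 "
                      "(KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17",
        "Referer": "http://rsademos.com:8080/demobank/index",
        "Accept-Charset": "iso-8859-1,utf-8;q=0.7,*;q=0.3",
        "Accept-Language": "en-us,en;q=0.8",
    }
    facts = request_facts("158.24.172.5", sample_headers)
    print(build_analyze_request("jmurray", facts, "caller", "password"))
```

Two points worth noticing when running it: the caller credential travels in the SOAP body, which is why the hosted deployment insists on HTTPS for these calls, and the ipAddress the risk engine scores is only as trustworthy as the code that chose it, so X-Forwarded-For must be ignored unless the request really came through a proxy the application trusts.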
AA SaaS Direct Integration Architecture (diagram)
- Zones: Internet | Firewall | DMZ | Firewall | Trusted zone
- Components: customer browser, web servers, app servers, app database, credential store
- App servers call RSA Adaptive Authentication (SaaS) over SOAP
AA On Prem Direct Integration Architecture (diagram)
- Zones: Internet | Firewall | DMZ | Firewall | Trusted zone
- Components: customer browser, web servers, app servers, app database, credential store
- App servers call RSA Adaptive Authentication over SOAP; RSA AA database alongside it in the trusted zone
Adapter
- Pre-built integrations with popular enterprise portals
- No software development required
- Fully customizable pages handle the entire workflow and interaction with the AA Server, including:
  - Enrollment
  - Forensics collection
  - Challenging
  - Blocking
- Current RSA Adapters: RSA Access Manager*, Tivoli Access Manager, CA SiteMinder, Juniper SSL VPN, Cisco SSL VPN, Citrix NetScaler, Microsoft UAG
Sample Adapter Architecture - Citrix (diagram)
Web vs. Mobile 14
Mobile Browser - Data Collection
- Data collected via JavaScript:
  - Browser characteristics: browser type, version, language, etc.
  - Device forensics: time zone, screen resolution
  - Geolocation: latitude, longitude, accuracy
- Additional information: User-Agent string, IP address, cookie, FSO
- WAP sites: the WAP header is sent as the HTTP header; in the Other ID field in the API, send the WAP client ID
Mobile Apps Data Collection
- Data elements collected and sent to AA using either the Mobile SDK or a native API
- Location information collection
- Mobile device identification data:
  - Device model
  - Device multitasking supported
  - Device name
  - Device system name
  - Device system version
  - Language
  - Wi-Fi MAC address
  - Wi-Fi networks data: station name
  - Wi-Fi networks data: BSSID
  - Wi-Fi networks data: signal strength
  - Wi-Fi networks data: channel
  - Wi-Fi networks data: SSID
  - Cell tower ID
  - Location area code
  - Screen size
  - Number of address book entries
  - RSA application key
  - MCC
  - MNC
  - OS ID
  - Location error code
What To Protect: Login or Post-Login Transactions
Transaction Monitoring
- Allows AA risk analysis and actions to be applied to post-login events
- Has the ability to monitor both:
  - Profile changes: changes to the user's password, address, e-mail, security question, phone numbers, etc.
  - Funds or financial transfers: add payee, add beneficiaries, request credit increase, request checks, etc.
- Events will utilize additional information as part of the risk model, e.g. Payment: amount, payee account number, currency, type, time, etc.
AA Full Event Type List
- ACTIVATE CARD
- ADD PAYEE
- CHANGE ADDRESS
- CHANGE ALERT SETTINGS
- CHANGE AUTH DATA
- CHANGE EMAIL
- CHANGE LIFE QUESTIONS
- CHANGE LOGIN ID
- CHANGE PASSWORD
- CHANGE PHONE
- CHANGE STATEMENT SETTINGS
- CHANGE STU
- CLIENT DEFINED
- CREATE USER
- DEPOSIT
- EDIT PAYEE
- ENROLL
- FAILED CHANGE PASSWORD ATTEMPT
- FAILED LOGIN AUTHENTICATION
- FAILED OLB ENROLLED ATTEMPT
- OLB ENROLL
- OPEN NEW ACCOUNT
- OPTIONS TRADE
- PAYMENT
- READ SECURE MESSAGE
- REQUEST CHECK_COPY
- REQUEST CHECKS
- REQUEST CREDIT
- REQUEST NEW CARD
- REQUEST NEW PIN
- REQUEST STATEMENT COPY
- SEND SECURE MESSAGE
- SESSION SIGNIN
- STOCK TRADE
- UPDATE USER
- USER DETAILS
- VIEW CHECK
- VIEW STATEMENT
Transaction Monitoring: More Fraud Stopped and Fewer Customers Challenged (chart)
- Increase in fraud detected when adding transaction-level protection
- Increase in fraud detected from Device ID to Device ID & eFraudNetwork
Challenge Methods: What are my options?
Step-up Authentication
An additional factor or procedure that validates a user's identity. Out-of-the-box options include:
- Challenge Questions: secret questions that have been selected and answered by the end user during enrollment
- Out-of-Band Authentication: one-time passcode sent to the end user via phone call, SMS text message or email; transaction details, such as transfer amount, can be included
- Dynamic Knowledge-Based Authentication (KBA): dynamic questions that are unique to the end user, generated in real time from publicly and commercially available data; provided by the LexisNexis Identity Verification service (available in US & UK)
- Multi-credential Framework: allows organizations to use an in-house or third-party method through an RSA Professional Services engagement
RSA Out-of-Band Authentication: One Time Password (RSA-generated OTP)

    Delivery                RSA Delivery            Customer Delivery
    Delivery method         Phone, SMS, Email       Phone, SMS
    Channel (phone)         Mobile, Landline        Mobile, Landline
THANK YOU