White paper. Convenient Multi-Factor Authentication (MFA) for Web Portals & Enterprise Applications


As the usage of online portals, SSL VPN applications, and web access management (WAM) products continues to grow, so does the need for strong authentication to protect access to the information contained within them. Providing single-factor authentication, or password-only protection, creates a significant security threat to organizations. Single-factor authentication is easily defeated by hackers and can result in a security breach, financial loss, or loss of sensitive data such as personally identifiable information (PII).

Concurrently, many IT departments are grappling with business requirements to extend access to enterprise applications to an even broader audience including vendors, suppliers, partners and customers. While the primary objective of any authentication strategy is to secure access to information, new factors must be considered such as:

- User population. Who are my users? What is the size of my user base? What are their needs?
- Risk. What types of activities do my users perform online? What types of information do my users access?
- Cost. What are the direct and indirect costs of deploying an authentication solution?
- Convenience. How willing are my users going to be to adopt this new security measure? What are the risks I face by disrupting the user experience?

Whether driven by compliance or the need to effectively manage information risk, organizations are faced with the challenge of providing strong multi-factor authentication to secure their assets and information while balancing cost and end user convenience.

The Right Choice for Authentication

A recent survey by RSA shows that on average, only 20-40% of the typical enterprise workforce is issued hardware or software tokens. The main reason for low deployment rates is often attributed to the acquisition cost and ongoing management of rolling out physical authenticators to every single user.

As a result, organizations are considering new methods of authentication that will enable them to extend strong authentication to a broader user base and provide an additional layer of security without impacting the user experience. Risk-Based Authentication is becoming a likely choice among organizations in multiple industries, especially for protecting access to VPNs and other enterprise applications.

Risk-Based Authentication (RBA) is an authentication technology that operates transparently and conducts a risk assessment of all users by measuring a series of risk indicators. Risk-Based Authentication operates behind the scenes, using a user's device and behavioral patterns as credentials to positively assure the user's identity. Risk-Based Authentication considers a number of other factors and assigns a unique score to each activity. If an activity exceeds a predetermined risk threshold (as customized by each organization), the user is prompted to provide an additional authentication credential to validate his identity. If the activity falls below the risk threshold established by the organization, the user is permitted to proceed without interruption.

RSA Adaptive Authentication is a comprehensive authentication and fraud detection platform that offers cost-effective protection for an entire user base. Powered by RBA technology, Adaptive Authentication monitors and authenticates activities based on risk, organizational policy, and user segmentation.

Adaptive Authentication is flexible and enables a variety of authentication methods to be layered on top of it in cases where additional authentication is needed. This requirement is established by each organization, depending on their business and user needs. For example, in the event an activity is deemed high-risk and exceeds the acceptable risk score threshold, an organization may determine that users have to pass an additional authentication challenge in order to be granted access. Or an organization may decide that certain users who perform high-risk activities on a regular basis or have access to the most sensitive data are automatically required to provide an additional form of authentication.

Some methods that can be used in conjunction with Risk-Based Authentication include:

- Invisible authentication. Device identification and profiling
- Out-of-band authentication. Phone call, SMS, or e-mail
- Challenge questions. Challenge questions or knowledge-based authentication (KBA)
- Multi-Credential Framework. For organizations wanting more choices, Adaptive Authentication can easily integrate with a large selection of other authentication methods. The Multi-Credential Framework allows organizations to develop authentication methods via RSA Professional Services, in-house or through third parties to customize Adaptive Authentication.
- Site-to-user authentication. Site-to-user authentication assures users they are transacting with a legitimate website by displaying a personal security image and caption that has been pre-selected by the user at login.

By providing the ability to support most existing authentication technologies, Adaptive Authentication enables organizations to be flexible in:

- How strongly they authenticate end users
- How they distinguish between new and existing end users
- What areas of the business to protect with strong authentication
- How to comply with changing regulations
- What they are willing to accept in terms of risk levels
- How to comply with the various requirements of the regions or countries where they operate

The Dynamics of Risk-Based Authentication

RSA's Risk-Based Authentication technology is powered by the following components:

- RSA Device Identification
- RSA Risk Engine
- RSA eFraudNetwork
- RSA Policy Manager
- RSA Multi-Credential Framework

"With RSA Adaptive Authentication, Geisinger has been able to offer our referring and affiliated physicians secure access to critical online resources, thereby facilitating the sharing of patient information out to external physicians."
Dave Young, IT Program Director, Geisinger Health System

Device Profiling: Providing Invisible Authentication

Device profiling enables the vast majority of users to be authenticated by looking at the device profile, or the physical laptop or PC from which the user accesses the website or application on a regular basis, and whether the device is known as having been previously used by the user. The two main components of device profiling are unique device identification and statistical device identification.

Unique device identification assists in identifying a user by embedding two main elements on the user's device: (a) secure first party cookies and (b) Flash shared objects (sometimes referred to as "Flash cookies"). Secure first party cookies play an important role in identifying laptops and PCs. They involve placement of a unique cryptographic identifier on the user's device and are the initial mechanism typically used to identify a user.

Flash cookies are used in conjunction with first party cookies to provide a double layer of reliability. Adaptive Authentication uses Flash cookies to tag a user's machine in the same way that first party cookies store information for retrieval at a later time. The advantage of using Flash cookies is that they are not deleted as often as first party cookies because most users are not aware that they even exist. Even users that are aware of them are not always certain how to remove them.

Statistical device identification is a technology that uses a device's characteristics to statistically identify a user's device. Sometimes referred to as device forensics, forensic analysis or device fingerprinting, statistical device identification is generally used as a fallback mechanism in the absence of a unique cryptographic identifier (which can be deleted from the device).

Some of the elements measured in the statistical device identification process include data collected from HTTP headers and via JavaScript, e.g., operating system versions, operating system patch levels, screen resolution, browser version, user-agent data, software versions, display parameters (size and color depth), languages, time zone settings, installed browser objects, installed software, regional and language settings, and IP address information.

Statistical device identification considers known devices as automatically authenticated up to a certain risk level. Beyond that, additional authentication is required in order to trust the device, as well as using authentication in order to bind a device to a user. While it is not unique in all situations, statistical device identification is highly accurate because it uses dozens of identifiers which could each have multiple values and result in a large span of combinations.

Behavioral Profiling: Leveraging Pattern Analysis

Risk-Based Authentication uses behavioral profiling to identify high-risk authentication attempts by measuring elements such as velocity checking, IP address information, and time of day comparisons. Behavioral profiling identifies illegitimate activity attempted by a user. For example, consider a hacker who manages to supply both the username and password for the user and bypass the device profiling layer. He will still be blocked from attempting to perform an illegitimate activity because the system will recognize it as something that is not commonly performed by the genuine user.

The combination of device identification and behavioral profiling offers a form of multi-factor authentication, providing "something you have" (the device) and "something you do" (behavior).

RSA Risk Engine: Protecting Against Tomorrow's Threats

The RSA Risk Engine is a proven, self-learning technology uniquely designed to answer the needs of the rapidly changing online environment. The Risk Engine evaluates each online activity in real-time, tracking over one hundred indicators in order to distinguish between legitimate and illegitimate activity. A unique risk score between 0 and 1000 is generated for each activity; the higher the risk score, the greater the likelihood is that an activity is illegitimate. The Risk Engine combines input from three main sources: the device profile, behavioral profile, and the RSA eFraudNetwork.
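The flow described above, as an added sketch that is not RSA's code or scoring model: identify the device by its unique identifier, fall back to statistical matching of device characteristics, add behavioral indicators into a 0 to 1000 score, step up when the score reaches the policy threshold, and bind the device after a passed challenge. The attribute names, weights, thresholds, and sample events are assumptions constructed for illustration.

```python
"""Risk-based step-up decision (added illustration, not RSA's model)."""
from dataclasses import dataclass, field

# Constructed weights: points each risk indicator adds to the 0-1000 score.
WEIGHTS = {
    "unknown_device": 400,
    "statistical_match_only": 150,  # fingerprint matched, unique identifier missing
    "new_country": 250,
    "unusual_hour": 100,
    "high_velocity": 200,
    "sensitive_activity": 150,
}
SENSITIVE = {"change_password", "change_pii", "order_credential", "large_transfer"}
FINGERPRINT_MATCH_MIN = 0.8  # assumed share of attributes that must agree
VELOCITY_LIMIT = 5           # assumed attempts per hour before it counts as risk
CHALLENGE_THRESHOLD = 500    # assumed organizational policy threshold

@dataclass
class UserProfile:
    device_ids: set = field(default_factory=set)      # unique identifiers (cookie values)
    fingerprints: list = field(default_factory=list)  # attribute dicts of bound devices
    countries: set = field(default_factory=set)
    usual_hours: tuple = (7, 20)                      # [start, end) local hours

def fingerprint_similarity(seen, known):
    """Fraction of attributes with identical values in both fingerprints."""
    keys = set(seen) | set(known)
    if not keys:
        return 0.0
    return sum(seen.get(k) == known.get(k) for k in keys) / len(keys)

def identify_device(profile, device_id, attrs):
    """Unique identifier first; statistical matching only as the fallback."""
    if device_id and device_id in profile.device_ids:
        return "unique"
    best = max((fingerprint_similarity(attrs, k) for k in profile.fingerprints),
               default=0.0)
    return "statistical" if best >= FINGERPRINT_MATCH_MIN else "unknown"

def risk_score(profile, event):
    """Return (score capped at 1000, list of indicators that fired)."""
    reasons = []
    device = identify_device(profile, event.get("device_id"), event["attrs"])
    if device == "unknown":
        reasons.append("unknown_device")
    elif device == "statistical":
        reasons.append("statistical_match_only")
    if event["country"] not in profile.countries:
        reasons.append("new_country")
    start, end = profile.usual_hours
    if not start <= event["hour"] < end:
        reasons.append("unusual_hour")
    if event.get("attempts_last_hour", 0) > VELOCITY_LIMIT:
        reasons.append("high_velocity")
    if event["activity"] in SENSITIVE:
        reasons.append("sensitive_activity")
    return min(1000, sum(WEIGHTS[r] for r in reasons)), reasons

def decide(profile, event, threshold=CHALLENGE_THRESHOLD, always_challenge=frozenset()):
    """Policy rules override the score; a score at the threshold is challenged."""
    score, reasons = risk_score(profile, event)
    if event["activity"] in always_challenge:
        return "challenge", score, reasons + ["policy_rule"]
    return ("challenge" if score >= threshold else "allow"), score, reasons

def bind_device(profile, event):
    """Call only after the user has passed the additional challenge."""
    if event.get("device_id"):
        profile.device_ids.add(event["device_id"])
    profile.fingerprints.append(dict(event["attrs"]))

# --- Constructed sample data -------------------------------------------------
KNOWN_ATTRS = {"os": "Windows 10", "browser": "Firefox 115", "screen": "1920x1080",
               "color_depth": 24, "language": "en-US", "timezone": "UTC-5"}

def make_profile():
    return UserProfile(device_ids={"d-7f3a"}, fingerprints=[dict(KNOWN_ATTRS)],
                       countries={"US"})

def sample_events():
    other = {"os": "Linux", "browser": "Chrome 120", "screen": "1366x768",
             "color_depth": 24, "language": "en-GB", "timezone": "UTC+3"}
    laptop = {"os": "macOS 14", "browser": "Safari 17", "screen": "2560x1600",
              "color_depth": 30, "language": "en-US", "timezone": "UTC-5"}
    return {
        "usual": {"device_id": "d-7f3a", "attrs": KNOWN_ATTRS, "country": "US",
                  "hour": 10, "activity": "login"},
        "cookie_cleared": {"device_id": None, "country": "US", "hour": 10,
                           "attrs": {**KNOWN_ATTRS, "browser": "Firefox 116"},
                           "activity": "login"},
        "takeover": {"device_id": None, "attrs": other, "country": "ZZ",
                     "hour": 3, "activity": "change_password"},
        "new_laptop": {"device_id": "d-91c2", "attrs": laptop, "country": "US",
                       "hour": 14, "activity": "change_pii"},
    }

if __name__ == "__main__":
    profile = make_profile()
    for name, event in sample_events().items():
        print(name, decide(profile, event))
```
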
RSA eFraudNetwork: Fight Fraud in Numbers

The RSA eFraudNetwork is a cross-organization, cross-industry data repository of fraud patterns gleaned from RSA's worldwide network of customers, end users, ISPs, and third party contributors. The eFraudNetwork community is dedicated to sharing and disseminating information on fraudulent activity to help keep its members one step ahead of fraudsters. When a fraud pattern is identified, the fraud data, activity profile, and device fingerprints are moved to a shared data repository. The eFraudNetwork enables real-time protection to hundreds of millions of online users worldwide that are actively connected to the network.

RSA Policy Manager: Defining Risk Policy

The RSA Policy Manager allows customization of authentication policies based on organizational risk policy and end user segmentation and preference. The RSA Policy Manager allows organizations to instantly react to emerging fraud patterns and to effectively investigate activities deemed high-risk. The Policy Manager translates organizational risk policy into decisions and actions through the use of a web-based Rules Management application, comprehensive rules framework, real-time configuration, and Performance Simulator for testing prior to production implementation. Adaptive Authentication employs a flexible and extensible Multi-Credential Framework (MCF) that enables multiple authentication options to be governed by the Policy Manager.

[Figure 1: The RSA Risk Engine measures a number of factors in generating a risk score. Diagram labels: network and IP information, channel information, behavioral profile, device profile, fraud intelligence from the RSA eFraudNetwork, and feedback from RSA Case Management.]

RSA Multi-Credential Framework: Unified Credential Management

The Multi-Credential Framework provides an abstraction layer that enables one software platform to support multiple authentication methods (based on end user segmentation and risk assessment) in a single deployment. With the Multi-Credential Framework, different authentication methods are leveraged through policy settings to accommodate different end user populations, different online applications, and different risk levels.

Flexible User Authentication Choices

Challenge Questions

Challenge questions are an easy-to-use method to authenticate users without impeding their experience. Challenge questions are a set of questions that are typically presented to a user during the enrollment process or a new account opening to obtain information on the individual. The questions are presented to a user at a later time and the information originally provided is used for verifying identity.

The questions provided come from a large pool of questions that have been carefully selected and validated through extensive research including focus groups and field testing among online users. These field tests include benchmarking the failure rate of each question and eliminating the questions that exceed an acceptable rate. Usability is also a key measurement, and a special emphasis is placed on phrasing the questions so that the correct answer is clear to the user and its entry format is not ambiguous.

The questions used within Adaptive Authentication have been developed to conform to the following guidelines:

- Easy to remember
- Difficult to guess or obtain the answers to
- Not time sensitive

"Personally identifiable information such as sensitive homeowner information is sometimes unintentionally compromised by REALTORS and RSA Adaptive Authentication successfully helps address this security issue."
Tim P. Johnson, Chief Financial Officer and Vice President of Business Development, Rapattoni Corporation

RSA Adaptive Authentication uses the RSA Risk Engine and organizational policy settings to determine when it is appropriate to use challenge questions to authenticate a user. The RSA approach balances the need for security and usability; it prevents the answers to the challenge questions from being compromised while allowing genuine users to successfully complete the challenge with ease.

Out-of-band (OOB) Phone Authentication

Out-of-band communication methods are a powerful weapon for preventing user credentials from being compromised because they circumvent the communication channels online criminals typically use. Out-of-band communication methods can include regular postal mail, the telephone or text messages (short messaging service, or SMS).

Out-of-band phone authentication provides many benefits. It meets the demands for a solution that is easy for users to use and understand. In addition, it does not require users to buy new hardware or software and simply relies on any ordinary analog, VoIP or mobile telephone. The worldwide availability of the telephone also meets the organizational need for an authentication solution that can be applied globally.

Out-of-band phone authentication occurs when a transaction is identified by the RSA Risk Engine to be high-risk or suspicious or when an organizational policy triggers it (e.g., "Challenge all activities originating in Country X or Country Y"). In both scenarios, Adaptive Authentication challenges users to reconfirm that they are who they claim to be.

The out-of-band solution, combining an automated phone call that both references the details of the online activity performed and requests the confirmation number that appears in the web browser, is a very effective defense. Even if it passes on the confirmation number on the screen to users for one of their legitimate activities, they will realize something is wrong when the details of the illegitimate activity are delivered during the out-of-band phone call.

RSA's site-to-user authentication is used by nearly 50 million end users worldwide and has resulted in increased online activity in many areas. An end user satisfaction survey of 10,000 online users conducted by Alliance & Leicester in the UK supports this claim.

- 90% rated the security measures provided as good or excellent
- 92% stated that they clearly understand the purpose of the new authentication system
- 83% confirmed that they would not enter their password or PIN into the website without their personal security image and caption being displayed

Site-to-user Authentication

Site-to-user authentication provides a visible security reminder at each login that assures users they are transacting with a legitimate website by displaying a personal security image and caption that has been pre-selected at login (selected during a previous enrollment session). Users are instructed to only enter their password after the website they are accessing has proven its authenticity by displaying their personal security image and caption.

Site-to-user technology offers a number of benefits including:

- Provides end users with a sense of security and confidence that electronic communications are genuine by displaying their unique personal security image and caption
- Involves end users in their own online security
- Presents a clear and concise message to end users to never enter their password until the website has proved its authenticity by displaying their image and caption
- Increases the adoption rates and usage of the online channel

Remote Access (SSL VPN) & Portal Applications (WAM)

As more organizations extend access to enterprise applications to new users and provide more external-facing portals, the need for protection of valuable corporate information is essential. As a result, organizations require a wide range of user authentication options to help positively identify users before they interact with mission-critical data and applications through SSL VPNs.

Organizations use web access management (WAM) and single sign-on (SSO) solutions to enable users to easily and securely access portals, networks, and web applications. In order to avoid managing security in silos or investing resources in integrating a number of security solutions across multiple applications, organizations are requiring security to be centrally integrated into WAM products to protect multiple web applications and portals.

Adaptive Authentication works with leading SSL VPN and WAM providers for both hosted and on-premise deployments to enable strong authentication for enterprise applications across a wide user base. Adaptive Authentication provides a web services (SOAP) interface performing transparent device-based and behavior-based authentication of users attempting to access protected applications. After this process occurs, the protected application makes a decision that allows the user to gain access or challenges the user with additional authentication in order to gain access.

Choice in Deployment

Understanding that no two organizations share the same business requirements or IT infrastructure, RSA provides a host of deployment and configuration options to meet their unique needs. RSA Adaptive Authentication can currently be deployed in two ways: as an on-premise installation that uses existing IT infrastructure or as a Software-as-a-Service/hosted authentication service that helps to manage the end user lifecycle.

RSA has one of the world's largest Software-as-a-Service (SaaS) practices, with more than seven years of experience offering SaaS products in the areas of card authentication, web authentication, and identity verification. RSA Adaptive Authentication is currently deployed in a SaaS delivery model by more than 2,200 organizations in the United States, Venezuela, Colombia, India, the UK, and Australia in the healthcare, pharmaceutical, insurance, and financial services industries.

Multiple Configuration Options

Adaptive Authentication can be configured in a number of ways to balance security and risk without compromising the user experience. Many organizations currently provide Risk-Based Authentication for their entire user base and allow the RSA Risk Engine to determine those individuals that require additional protection. Other organizations choose an appropriate supplemental form factor based on a user's preference or the types of activities they conduct.

Benefits of Adaptive Authentication

RSA is expanding its leadership in enterprise authentication by providing flexible Risk-Based Authentication for new use cases and verticals. Organizations now have a solution that is capable of providing strong authentication for large distributed user populations that is cost-effective, easy to manage and offers a convenient user experience.

The benefits of deploying RSA Adaptive Authentication and a risk-based technology approach are numerous:

- Low Total Cost of Ownership (TCO). RSA Adaptive Authentication provides significant cost advantages over traditional authentication solutions. With Adaptive Authentication, there is no need to deploy physical devices and users can self-enroll to the system. In addition, Adaptive Authentication can be delivered as a SaaS offering for organizations looking to further reduce IT administration and maintenance costs.
- Strong Protection. Organizations can protect tens of thousands, or even millions, of users with multi-factor authentication by leveraging device profiling and user behavioral profiling. In addition, Adaptive Authentication enables organizations to share in the RSA eFraudNetwork community and gain insight into emerging threats and fraud patterns.
- End User Convenience. Adaptive Authentication is widely recognized and already familiar to many online banking users that have adopted the technology over the past few years.
- Proven. Adaptive Authentication has been in use for several years and protects nearly a quarter of a billion (225 million) online users worldwide. It is currently deployed at over 8,000 organizations in the healthcare, financial services, government, insurance, automotive, real estate, manufacturing, and pharmaceutical industries.

"Accelerating innovation relies on our network of external partners and suppliers having instant, secure access to our business-critical systems. By enabling single sign-on, risk-based authentication and a centralized security policy, RSA Access Manager and RSA Adaptive Authentication are helping us keep administration costs low and remain competitive."
Eddie Garcia, IT Architect, AMD

Transaction Protection: Built-In Detection for Suspicious Activity

Transaction Protection refers to the capabilities of Adaptive Authentication to monitor and identify suspicious post-login activities. Many organizations, in a wide range of industries, have placed additional protection on the login process only, thereby being unable to detect or understand the patterns and risks associated with individual transactions or activities occurring on their website or portal after login has occurred.

Multiple data items are collected on users and their online activity including the user's access device, the user's IP address, and the requested transaction. This information is then analyzed within the context of their activities. The more information that is gathered and analyzed, the more comprehensive the risk assessment will be. For example, Adaptive Authentication analyzes the risk factors of an incoming request by looking at information such as:

- Device identification: Have we seen this device before?
- Device forensics: Are the device characteristics consistent?
- RSA eFraudNetwork matching: Are there any known fraudulent characteristics here?
- Network forensics: What is the IP address, ISP, and connection type?
- User behavior profile: Is this normal behavior for this user?
- Session analysis: Is this activity suspicious or high-risk?

Typical examples of activities which can be protected by implementing Adaptive Authentication include changing a PIN or password, changing a user's Personally Identifiable Information (PII), ordering a new credential (e.g. a health insurance card), or transferring large sums of money.

Conclusion

Whether an organization is looking to extend authentication to a broader user base, is threatened by or susceptible to fraud, or needs to comply with government regulations, Adaptive Authentication offers a wide array of cost-effective authentication choices and deployment options to meet organizational and end user needs. RSA Adaptive Authentication achieves the right balance of authentication without compromising the user experience, throwing out existing authentication tools, or impacting the bottom line.

About RSA

RSA, The Security Division of EMC, is the expert in information-centric security, enabling the protection of information throughout its lifecycle. RSA enables customers to cost-effectively secure critical information assets and online identities wherever they live and at every step of the way, and manage security information and events to ease the burden of compliance.

RSA offers industry-leading solutions in identity assurance and access control, encryption and key management, compliance and security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit www.rsa.com and www.emc.com.

RSA and RSA Security are registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. EMC is a registered trademark of EMC Corporation. All other products or services mentioned are trademarks of their respective owners. © 2009 RSA Security Inc. All rights reserved. AAVPN WP 0409