Usable Multi-Factor Authentication and Risk- Based Authorization



Similar documents
Usable Multi-Factor Authentication and Risk-Based Authorization

Role of Multi-biometrics in Usable Multi- Factor Authentication

Beyond passwords: Protect the mobile enterprise with smarter security solutions

Powering Security and Easy Authentication in a Multi-Channel World

AUTHENTIFIERS. Authentify Authentication Factors for Constructing Flexible Multi-Factor Authentication Processes

Strengthen security with intelligent identity and access management

Improving Online Security with Strong, Personalized User Authentication

XYPRO Technology Brief: Stronger User Security with Device-centric Authentication

Closing the Biggest Security Hole in Web Application Delivery

STRONGER AUTHENTICATION for CA SiteMinder

Experiences with Studying Usability of Two-Factor Authentication Technologies. Emiliano De Cristofaro

Multi-factor authentication

WHITE PAPER Usher Mobile Identity Platform

Guide to Evaluating Multi-Factor Authentication Solutions

Chapter 1: Introduction

Biometrics and Cyber Security

Device-Centric Authentication and WebCrypto

Building Secure Multi-Factor Authentication

Authentication Tokens

IBM Security X-Force Threat Intelligence

A Security Survey of Strong Authentication Technologies

Trust Elevation Using Risk-Based Multifactor Authentication. Cathy Tilton

Mobility, Security and Trusted Identities: It s Right In The Palm of Your Hands. Ian Wills Country Manager, Entrust Datacard

Enhancing Organizational Security Through the Use of Virtual Smart Cards

ADDING STRONGER AUTHENTICATION for VPN Access Control

ADAPTIVE AUTHENTICATION ADAPTER FOR JUNIPER SSL VPNS. Adaptive Authentication in Juniper SSL VPN Environments. Solution Brief

3D PASSWORD. Snehal Kognule Dept. of Comp. Sc., Padmabhushan Vasantdada Patil Pratishthan s College of Engineering, Mumbai University, India

Progressive Authentication on Mobile Devices. They are typically restricted to a single security signal in the form of a PIN, password, or unlock

Protected Cash Withdrawal in Atm Using Mobile Phone

300% increase 280 MILLION 65% re-use passwords $22 per helpdesk call Passwords can no longer protect you

Entrust IdentityGuard

NFC & Biometrics. Christophe Rosenberger

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment

Digital identity: Toward more convenient, more secure online authentication

Securing Office 365 with Symantec

IBM WebSphere Application Server

Multi-Factor Authentication for your Analytics Implementation. Siamak Ziraknejad VP, Product Management

RealMe. Technology Solution Overview. Version 1.0 Final September Authors: Mick Clarke & Steffen Sorensen

Securing Virtual Desktop Infrastructures with Strong Authentication

Mobile Identity: Improved Cybersecurity, Easier to Use and Manage than Passwords. Mika Devonshire Associate Product Manager

KEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS

Advanced Authentication Methods: Software vs. Hardware

Two-Factor Authentication and Swivel

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

Selecting the right cybercrime-prevention solution

MOBILITY. Transforming the mobile device from a security liability into a business asset. pingidentity.com

MCU Online and MFA (Multi Factor Authentication)

Cloud Security Who do you trust?

Microsoft Enterprise Mobility Suite

CARRIOTS TECHNICAL PRESENTATION

Section 12 MUST BE COMPLETED BY: 4/22

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 10 Authentication and Account Management

IBM Tivoli Federated Identity Manager

Securing end-user mobile devices in the enterprise

3rd International Symposium on Big Data and Cloud Computing Challenges (ISBCC-2016) March 10-11, 2016 VIT University, Chennai, India

Ensuring the security of your mobile business intelligence

SECUDROID - A Secured Authentication in Android Phones Using 3D Password

IBM Security QRadar Vulnerability Manager

Authentication Solutions

When enterprise mobility strategies are discussed, security is usually one of the first topics

Intel Identity Protection Technology Enabling improved user-friendly strong authentication in VASCO's latest generation solutions

Digital Identity & Authentication Directions Biometric Applications Who is doing what? Academia, Industry, Government

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Article. Electronic Notary Practices. Copyright Topaz Systems Inc. All rights reserved.

Security Levels for Web Authentication using Mobile Phones

IBM Cognos TM1 on Cloud Solution scalability with rapid time to value

API-Security Gateway Dirk Krafzig

3M Cogent, Inc. White Paper. Facial Recognition. Biometric Technology. a 3M Company

IBM Content Analytics adds value to Cognos BI

The Convergence of IT Security and Physical Access Control

Comparing Mobile VPN Technologies WHITE PAPER

How CA Arcot Solutions Protect Against Internet Threats

Automatic Speaker Verification (ASV) System Can Slash Helpdesk Costs

RSA Adaptive Authentication and Citrix NetScaler SDX Platform Overview

MODERN THREATS DRIVE DEMAND FOR NEW GENERATION MULTI-FACTOR AUTHENTICATION

HARDENED MULTI-FACTOR AUTHENTICATION INCREASES ENTERPRISE PC SECURITY

Why Digital Certificates Are Essential for Managing Mobile Devices

IBM Cognos Enterprise: Powerful and scalable business intelligence and performance management

White Paper. FFIEC Authentication Compliance Using SecureAuth IdP

Apache Milagro (incubating) An Introduction ApacheCon North America

User Authentication Guidance for IT Systems

IBM Tealeaf CX. A leading data capture for online Customer Behavior Analytics. Advantages. IBM Software Data Sheet

About Sectra Communications

IBM Security SiteProtector System Migration Utility Guide

IDENTITY & ACCESS. Providing Cost-Effective Strong Authentication in the Cloud. a brief for cloud service providers

Biometric SSO Authentication Using Java Enterprise System

The Convergence of IT Security and Physical Access Control

Transcription:

CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP Usable Multi-Factor Authentication and Risk- Based Authorization IBM T.J. Watson Research Center Larry Koved December 18, 2014

Team Profile IBM T.J. Watson Research Center, Yorktown Heights, NY A multi-disciplinary research facility Security research on a broad range of topics, including: hardware, information, operating systems, cloud, cryptography and network IBM has a world wide research team on security and privacy topics Dr. Pau Chen Cheng Risk Based Access Control Larry Koved Identity & Data Security Dr. Nalini Ratha Multi Factor Biometrics Dr. Kapil Singh Cal Swart Dr. Shari Trewin Diogo Marques Mobile & Web Security HCI &Risk Perception HCI &Risk Perception Intern, Risk Perception 12/12/2014 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 1

Customer Need: Mobile Authentication Who is stealing your $$$ and data??? Valuable information and assets are at risk! IDC: Tablet purchases to exceed total PC purchases by YE 2015 Mobile devices == identity? App caches user credentials User interaction time < 1 minute 15%+ time spent on authentication User frustration with strong passwords eweek: 40% of organizations lost critical business data from mobile devices! AlixPartners: Mobile banking adoption to reach 50% in 2016. Is a key factor when switching banks. 12/12/2014 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 2

Approach: Mobile Context Awareness, Risk Assessment and Multi-Factor Authentication Expected Time & Location: customized to your schedule Context aware in your car Recognize unfamiliar environment other people present Senses loss of device control session lockout 12/12/2014 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 3

Approach: Multi-Factor Authentication and Risk-Based Authorization Multi Factor Authentication Reference Architecture Overview Objective: Based on context, "authenticate just enough" to accommodate user preference and (situational) impairments 12/12/2014 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 4

Benefits Authenticate the user, not the device Authenticate just enough, based on context and risk, to accommodate situational impairments and user preferences Use what you are (biometrics), what you know, and what you have (mobile device) Estimate loss of possession / device control log out the user / device Force re-authentication to reduce risk and increase security Crowded Location Daily Commute Home Risk? Office Loss of physical control Public Location Reduce authentication burden when behavior is normal More authentication when risk is higher, including under abnormal conditions Usability Security 12/12/2014 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 5

Competition: Current Mobile Authentication Passwords & PINs Memory recall Entry on small / tiny keyboards, weaker password rules Interrupts short term memory Contextual factors are ignored The environment in which the activity is taking place Unattended device can be misused Mobile device centric solutions Built-in fingerprint / face / voice Network-based authenticators Biometrics single / multi modal Single factor can be relatively weak Non-zero false accept rate Situational impairments Niche vendors Usually device-centric Complete trust in the device Ignores the location of the sensitive assets the cloud! 2-Factor authentication Entry on small / tiny keyboards Subject to social engineering Another object to lose SMS eavesdropping 12/12/2014 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 6

Status: System Proof of Concept Mobile Device Mobile Apps Mobile Apps Reverse Proxy Mobile Services Mobile Authentication Services Client Authentication Services Customizable User Interfaces Multi-User / Multi-Device Coordination Services and Administration Risk-Based Authorization Client Framework Security Lib Bio Lib Context Lib OOBAC Lib Presence Lib Content Sensitivity/Value Biometric Services Enrollment & Verification and Fusion Biometric Fusion Risk Assessment Context Evaluation User Presence Detection 12/12/2014 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 7

Status: Risk-Based Authorization Incremental learning based Time & Location Anomaly Scoring Framework for fuzzy composition of anomaly scores and risk assessment 12/12/2014 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 8

Status: Mobile Security Risk Perception and Communication Risk indicator. Tap for explanation Prompt with risk communication Anti-phishing: User-selected image Insider threat awareness 12/12/2014 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 9

Status: Multi-Factor Biometrics Strong Biometric Authentication Preventing Replay Attacks Through Information Hiding Commercial Biometric Engines Enrollment & Verification Face Voice Fingerprint Biometric Fusion Scoring Identity Confidence Score Mobile Client 1 2 3 4 Resource Request Biometric Authentication Challenge with Random Token Biometric signal with hidden Random Token Authentication & Authorization Return requested resource if Random Token successfully extracted. Otherwise flag as replay or impersonation attack. 12/12/2014 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 10

Status: Academic Activities, Patents Workshops organized WAY 2014 Who Are You? Adventures in Authentication at the Symposium On Usable Privacy and Security RP-IT 2013 Risk Perception in Information Technology at the Symposium On Usable Privacy and Security MoST 2013 & 2014 - Mobile Security Technologies at the IEEE Symposium on Security & Privacy W2SP 2013 & 2014 Web 2.0 Security & Privacy at the IEEE Symposium on Security & Privacy SPSM 2014 - Security and Privacy in Smartphones and Mobile Devices at ACM Computer and Communication Security 2014 Invited Talks and Panels University College London Risk Perception Cornell Tech Risk Perception Global Identity Summit Biometric Fusion Voice Biometrics Conference SF multi-factor authentication Papers Practical Context-Aware Permission Control for Hybrid Mobile Applications, RAID 2013 Perceived Security Risks in Mobile Interaction, RP-IT 2013 Practical Out-of-Band Authentication for Mobile Applications, Middleware 2013 Improving Usability of Complex Authentication Schemes Via Queue Management and Load Shedding, WAY 2013 Perceptions of Risk in Mobile Transactions. In preparation. Cui Bono? An Experiment in Re-Framing Authentication Decisions. In submission. Patents and Inventions 3 patents applications filed 6 invention disclosures filed 12/12/2014 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 11

Transition Activities Collaborating with IBM Software Group to bring a commercial offering to market Four use cases targeted: Single mobile app bundled with integrated multi-factor authentication, allowing the adopter to fully control the user experience Separate authentication app, allowing the adopter to secure both mobile & non-mobile apps without or minimal app mods (security unaware) Authentication app launched via PushNotification (unaware) Web and Internet of Things (IoT) authentication (unaware) Authentication app launched by the business app (minimal mods) Ongoing discussion with customers in multiple business sectors Strong interest in all of the above use cases Currently validating through two customer proof of concepts engagements 12/12/2014 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 12

Lessons Learned Integration with existing authentication services: Three constituencies: End Users, Programmers, Administrators Ease of use for all three are critical success factors Four use cases of importance supporting mobile, web and Internet of Things Real network security services have very complex integration requirements Substantial legacy systems support requirements Communication of the benefits of authentication did not increase user acceptance Business development personnel essential for identifying and working with prospective customers. 12/12/2014 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 13

Contact Information Larry Koved koved at us.ibm.com IBM T. J. Watson Research Center P.O. Box 218 Yorktown Heights, NY 10598 http://researcher.watson.ibm.com/researcher/view.php?person=us-koved 12/12/2014 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 14

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at Copyright and trademark information at www.ibm.com/legal/copytrade.shtml. Images in this presentation may be owned by 3 rd parties. 15 12/12/2014 CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP 15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information