XYPRO Technology Brief: Stronger User Security with Device-centric Authentication




Ken Scudder, Senior Director Business Development & Strategic Alliances, XYPRO Technology
Talbot A. Harty, CEO, DeviceAuthority

Introduction

The internet provides a massive threat surface for all things that are connected to it. Cybercrime and cyber warfare-related security breaches are becoming common news events, increasing in both frequency and sophistication. Recent research reports from RSA and other security vendors illustrate the alarming increase of social media-based phishing and malware-based attacks which are systematically defeating a wide variety of user authentication solutions.

The fundamental vulnerability of most online applications is that they do not meaningfully reduce this threat surface when challenging user access. Online user credentials (the things that a user has, knows or does) cannot actually identify the person behind the connection.

This brief will highlight some of the common multi-factor authentication approaches used to strengthen user security and discuss the pros and cons of each method. It will also introduce a new type of device-centric authentication that addresses the major challenges of the existing technologies: reliability, cost, scalability and user experience.

Moving beyond Username and Password

It is widely accepted that usernames and passwords alone do not provide sufficiently strong authentication to prevent security breaches. In response, a number of multi-factor authentication solutions have been developed to provide additional certainty that the person attempting to log in is the authorized user. Multi-factor authentication works by requiring additional authentication credentials to be presented in addition to username and password.

There are three broad types of multi-factor authentication:
1. Something the user knows (e.g., password, PIN, pattern)
2. Something the user has (e.g., ATM card, smart card, mobile phone)
3. Something the user is (e.g., biometric characteristic, such as a fingerprint)

Within the three categories of multi-factor authentication, a large number of solutions have been developed with varying degrees of security, cost and impact on user experience. Traditionally, companies have had to manage a trade-off between security and user experience.

[Figure: The Security-Usability Trade-off. Traditional user authentication is inversely proportional to user experience. Security measures: increased security can result in impaired user experience and customer dissatisfaction. User experience: decreased security may improve the user authentication experience but results in more fraud and losses.]

Let's look at a few of the more common solution types:

KBA Challenge. This approach uses an interactive challenge-response session whereby users attempting to log in are prompted to correctly answer questions that only they could know. KBA Challenge requires the user to previously set up two or more challenge questions (either from a standard list or user-created) and also to provide the user-specific answers (for example, Question: "What is your mother's maiden name?" Answer: "Smith").

Pros: KBA is relatively low cost and easily scalable.

Cons: Reliability is a key concern with KBA Challenge. Social engineering and the large amount of personal data that is public and easily discoverable make this approach vulnerable, especially since the challenge-response secrets are often static. Further reducing the value of this approach is the negative impact on usability: the challenge-response session adds another step to the user login process and requires the user to remember specific challenge responses.

Browser Cookies. A browser cookie is a small piece of data that is given to a web browser by a web server. The data sent from a website is stored as a text file in the user's web browser. Each time the user's browser requests a new web page, the cookie is sent to the web server and can be used to identify the user, prepopulate information and notify the website of the user's previous activity. Cookies can also store data that a user has entered (such as passwords, credit card numbers, and form data). There are several types of cookies, including authentication cookies (to determine logon status) and tracking cookies (to record browsing history).

Pros: Browser cookies are inexpensive to deploy and do not impact user experience.

Cons: Cookies provide a low level of reliability and security. They are typically static, easy to capture or steal, and can be replayed. Cookies also create an unreliable association with a device: when a cookie is absent, the server cannot distinguish a valid device it failed to recognize from an access attempt by another device, so it must fall back to another authentication factor (usually KBA) before issuing a new cookie.

HW OTP Tokens. This approach uses a hardware token to generate a one-time password (OTP) for logging into an account. Since a specific username and OTP combination cannot be re-used, account access through stolen credentials is prevented.

Pros: HW OTP Tokens provide strong security.

Cons: Relatively high cost, difficulty of management and usability are the major drawbacks of HW OTP Tokens. Since physical token devices must be procured, distributed and managed for each user, there is an inherent scalability challenge with large user groups. Furthermore, adding another device and multiple steps to the login process significantly impacts user experience.

OTP Messaging. This approach uses an out-of-band messaging system (such as SMS or email) to send the user an OTP during the login process. Typically, the user will initiate a login session, which triggers the OTP being sent. The user then accesses the alternate messaging system, retrieves the OTP and uses it to continue with the original login process. Since a specific username and one-time password combination cannot be re-used, account access through stolen credentials is prevented.

Pros: OTP Messaging is relatively low cost and scalable.

Cons: Ease of use is negatively impacted: multiple login steps are added and the alternate messaging system may introduce delay. OTP messaging is vulnerable to redirection and man-in-the-middle (MitM) replay attacks.
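Added example (not code from the brief or from XYPRO/DeviceAuthority) showing the one-time-use property that both the HW OTP Token and OTP Messaging descriptions rely on: a server-side verifier that consumes each accepted code so the same username/OTP pair is rejected if replayed. It assumes an RFC 4226 HOTP counter-based token, which the brief does not specify, and a constructed user record using the RFC's published test secret.

```python
import hmac
import hashlib
import struct

DIGITS = 6          # code length shown on the token
LOOK_AHEAD = 5      # counter values past the last accepted one that the server searches


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server-side store of enrolled tokens; each record keeps the last counter it accepted."""

    def __init__(self) -> None:
        self.users: dict[str, dict] = {}

    def enroll(self, username: str, secret: bytes) -> None:
        # The shared secret is the static key the brief's table warns about: anyone who
        # copies it can generate the same codes, so it must be protected at rest.
        self.users[username] = {"secret": secret, "last_counter": -1}

    def verify(self, username: str, code: str) -> bool:
        """Accept a code only if it lies ahead of the last accepted counter, then consume it."""
        user = self.users.get(username)
        if user is None:
            return False
        start = user["last_counter"] + 1
        for counter in range(start, start + LOOK_AHEAD):
            if hmac.compare_digest(hotp(user["secret"], counter), code):
                # Consuming moves the window forward: this code, and any earlier one an
                # attacker captured (keylogger, phished login page), can never succeed again.
                user["last_counter"] = counter
                return True
        return False


def demo() -> list[bool]:
    """Constructed walkthrough with the RFC 4226 test secret; not real user data."""
    secret = b"12345678901234567890"
    verifier = OtpVerifier()
    verifier.enroll("alice", secret)
    first = hotp(secret, 0)                       # what the token displays first
    return [
        verifier.verify("alice", first),          # legitimate login: accepted
        verifier.verify("alice", first),          # same code replayed later: rejected
        verifier.verify("alice", hotp(secret, 3)),  # user pressed the button a few times: within look-ahead
        verifier.verify("alice", hotp(secret, 1)),  # older code: now behind the window, rejected
    ]
```

Consuming the code defeats replay after the legitimate login; it does not help when an attacker relays a captured code to the server before the user's own attempt, which is the MitM weakness the brief notes for OTP Messaging.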

Biometrics. Biometrics involve identifying a user through a set of physiological parameters (such as voice, fingerprint, and keystroke patterns).

Pros: Biometric authentication is difficult to fake, which makes it relatively more secure than traditional methods like tokens or certificates.

Cons: Biometrics can be expensive and intrusive on the user experience. Depending on the physiological parameters being captured, biometrics may require additional physical devices for the user to have and manage (e.g., a fingerprint reader).

Certificates. Certificates are digital credentials, valid for a specific period of time, used to identify an entity and support public key encryption. Certificates are issued by a Certification Authority (CA), which guarantees the authenticity and validity of the information in the certificate.

Pros: Certificates are standards-based and relatively easy to deploy. Certificates mitigate transmission weak points and are more secure than credentials alone.

Cons: Certificates can be expensive to set up and messy to distribute and manage, with a higher likelihood of false positives. Like browser cookies, certificates also create an unreliable association with the device and can be stolen and used from another device. They have the added issue of being very difficult to manage from a Certificate Authority perspective, and there are numerous attack scenarios which undermine their reliability.
Multi-factor Authentication Methods

Solution        | Pros               | Cons
KBA Challenge   | Cost, scalability  | Reliability, public/discoverable data vulnerabilities, ease-of-use, static secrets
HW OTP Tokens   | Security strength  | Cost, provisioning and management, ease-of-use, vulnerability of static keys
OTP Messaging   | Scalability, cost  | Ease-of-use, vulnerable to redirection and MitM replay attacks
Browser Cookies | Ease-of-use        | Unreliable, static, capture and replay vulnerabilities, transportable
Certificates    | Ease-of-use        | Cost, management overhead, static keys, transportable, CA redirection capabilities
Biometrics      | Security strength  | Cost, requires presence and secure/controlled input devices, static secrets

Caution! Traditional Authentication Does Not Protect the Transaction

It is important to note that none of the traditional user authentication solutions deal well with post-authentication attacks. Using a token, certificate, OTP, cookie, or even a biometric for login authentication will not protect against malware being used to manipulate a transaction. Device authentication with input/transaction verification can provide this protection without requiring the user to go through additional transactional challenges.

Device-centric Authentication: Security, Scalability, and Usability

Device identification solutions have been on the market for many years. In fact, it is quite easy to identify a device; the difficulty comes in authenticating the device's identity. Most solutions attempt to fingerprint or profile devices based on data that is discoverable, transportable and spoofable. Because this information can be easily captured and impersonated, these systems typically use blacklisting, scoring, risk policies and analytical comparison to rule out bad devices or trigger other forms of authentication. Other drawbacks include large investments in storage for historical analytics, false positives, and circumvented adaptive authentication.

Recently, a Silicon Valley technology company, DeviceAuthority, Inc., delivered a new, more robust device-centric solution. DeviceAuthority's D-FACTOR is a device authentication solution that establishes which devices are authorized to access a given user account or communicate with another system, dramatically reducing the threat surface and fundamentally changing the reliability of user credentials. DeviceAuthority's patented device authentication technology provides a unique authentication challenge of the device's physical and environmental attributes for each authentication session, enabling reliable, sub-second device identification and authentication of authorized devices without impairing the user authentication experience.

[Figure: DeviceAuthority D-FACTOR, "The Device is the Key" (TM). The D-FACTOR Authentication Engine is shown preventing security breaches from unauthorized devices: key loggers, stolen cookies and user credentials, phishing attacks, circumvented KBA, circumvented fraud detection, man-in-the-middle attacks, man-in-the-browser attacks.]

Furthermore, the DeviceAuthority solution provides real-time transaction integrity verification to protect against post-authentication malware and automated man-in-the-browser based transaction fraud.

Moving Forward with Stronger Authentication

While a layered, multi-factor authentication strategy can increase online account security, many online and mobile application service providers are reluctant to implement stronger security measures due to concerns about impairing user experience and alienating customers. This security-usability compromise has historically been viewed as a necessary balancing act. For most security solutions, this is a valid paradigm: adding anything more for the user to have, know or do will have a negative impact on the user's authentication experience. Additionally, while it has been clear for some time that usernames and passwords can be easily compromised, it is also becoming increasingly clear that attackers have rapidly evolved their skills and capabilities to quickly compromise or circumvent some of the broadly adopted multi-factor security solutions, including knowledge-based authentication (KBA), one-time passwords, and certificates.

Device-centric authentication provides the opportunity to enable a deeper level of authentication and transaction security. While basic forms of device identification, like fingerprinting or simple profiling, provide weak security benefits, DeviceAuthority's patented device-centric authentication solution, D-FACTOR, delivers irrefutable authentication that is scalable, cost effective and transparent to the end user.

About XYPRO

Founded in 1983, XYPRO Technology Corporation is the market leader in HP NonStop server security, audit, compliance assessment and FIPS-validated encryption solutions. XYPRO solutions meet the strict requirements of companies who manage, access and transport sensitive data using heterogeneous hardware platforms and multiple communications media. XYPRO helps mission critical businesses manage their security risks, protect assets and gain a competitive edge through compliance, while improving efficiency. XYPRO Technology Corporation is a global reseller and system integrator for DeviceAuthority. For more information on DeviceAuthority's device-centric authentication solution, please contact your XYPRO representative.

XYPRO Headquarters, USA: 4100 Guardian St., Suite 100, Simi Valley, California 93063 USA, +1 805 583 2874
XYPRO Technology Pty Ltd., Asia Pacific Sales & Support: +61 3 9008 4283
International Sales, EMEA: +44 (0) 7967 662294
Ibero América: +52 55 5651 9052 / +52 1 44 9894 3724
Japan: 0066 33 821682
Professional Services Worldwide: +1 805 583 2874 ext. 203
www.xypro.com
2013 HP AllianceOne Partner of the Year, Security Category