Just Enough Authentication
Making the authentication journey frictionless
Diane Joyce, Matakite
A bit about me
Programmer / Analyst Programmer / Project Manager / System Designer / Architect (Integration, Solution, Enterprise) / Identity Consultant
Diane Joyce - Matakite 2
Just enough authentication
With Big Data, smart devices and the rapid evolution of biometrics, the current one-size-fits-all authentication model should be dead.
In today's digital world the customer has high expectations and low brand loyalty; the winner is always the organisation that makes it easy but retains the security.
Sometimes referred to as Frictionless or Zero Touch authentication, I think of it as 'just enough authentication' to avoid risk whilst retaining the customer. It could also be referred to as Just in Time Authentication.
Remove or minimise the inputs a customer needs to provide to authenticate themselves
Apply a risk-based model to determine when to apply additional authentication
Authentication now becomes a key part of the UX journey and not a bolt-on at the front
Risk Based Authentication Principles
Aim for as little customer input as possible
Throw away the concept of one size authentication fits all
Determine the risk model on a transactional basis
We own cyber security not the customer
Redesign your transactions to be flexible
Use the same model for internal and external authentications
As little data input as possible
Aim to have the customer only provide credential information as and when
needed
The less provided the less is able to be compromised
Don’t always use the same credential sets
Have lots of options and mix them up
Use point and click as much as possible
Categorise the risk
Could be data, could be value
If you steal my name and address from a website, not so great, but this data is pretty freely available
If you steal my name, address and DOB, I'm a bit more concerned, but this data is still quite freely available
If you steal ALL my login credentials, and like 80% of people I used the same passwords on various sites, then I'm concerned
If you lock me out of my account when I need it, I'm annoyed
If you steal my money, now I'm unhappy
Create multi-factor authentication tokens at registration
Don't restrict this to two factors; capture as much as possible
Some is provided by the customer
Password
Memorable word/picture
Device for OTP or authenticator app
Fingerprint
Voice
Facial recognition
Ear print
Signature
Some we can capture with customer consent but without customer input
Device information including UID, virus status, security apps
Location
Typing pattern analysis
Pointing device pattern analysis
Gait analysis
Device location history
Device usage history
Device proximity
Network connectivity
We own cyber security
We are the experts
Expecting the customer to be aware of and up to date with cyber security is not feasible
We can guide them to a more secure experience
BYOD, Cloud, SaaS and IDaaS change the traditional security perimeter; we need to secure from the endpoint through to the data sources
Big data offers a valuable resource for identifying threats in both real time
and post event analysis
Understanding device vulnerability is critical
Make the transaction digital
The risk model dictates
The authentication required
The data shown on the screen
The transactions available
The action to take
Risk models change, products change, security models change, and all need to be designed flexibly
Use rules-based workflow
Use dynamic screens to show only the data applicable to the risk model AND the authentication level
It's not a standalone design; include it in both the UX and the security design.
Let’s step through some examples
Registration
Customer: Enter personal details -> Create username -> Create password -> Create multi-factor
System: Validate and verify personal details -> Validate username -> Validate password -> Create multi-factor -> Create baseline credentials
Authentication to view a balance
Enter username -> Validate username -> Select View Balance -> Assess risk -> Validate credentials -> Valid credentials? -> Yes: View balance / No: Invalid credential process
Authentication to view a balance - comparison
Just enough: Enter username -> Validate username -> Select View Balance -> Assess risk -> Validate credentials -> Valid credentials? -> Yes: View balance / No: Invalid credential process
One size fits all: Enter username -> Enter password -> Enter 2nd factor -> Select View Balance
Authentication to view a balance - new device
Enter username -> Validate username -> Select Balance -> Assess risk -> Request additional credential -> Enter additional credential -> Validate credentials -> Valid credential? -> Yes: View balance
Authentication to pay an existing payee
Enter username -> Validate username -> Select Payment -> Assess risk -> Request additional credential -> Enter additional credential -> Validate credential -> Valid credential? -> No: Credentials process / Yes: Enter payment details -> Risk process -> Risk acceptable? -> Yes: Confirm payment
Authentication to pay a new payee
Enter username -> Validate username -> Select Payment -> Assess risk -> Request additional credential -> Enter additional credential -> Validate credential -> Valid credential? -> No: Credentials process / Yes: Enter payment details -> Risk process -> Risk acceptable? -> Yes: Enter additional credential -> Validate credential -> Confirm payment
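The flows above, and the principles earlier in the deck (assess risk per transaction, ask for a credential only when the session's assurance falls short, refuse when the risk is not acceptable), as an added Python example. This is not code from the presentation; the transaction weights, signal weights, thresholds, and the profile and session fields are constructed for illustration and would be tuned from real fraud data.

```python
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    """Assurance a session has established, lowest to highest."""
    NONE = 0        # username only
    PASSIVE = 1     # known device and matching passive signals, no customer input
    KNOWLEDGE = 2   # password or memorable word/picture
    POSSESSION = 3  # OTP device or authenticator app
    INHERENCE = 4   # fingerprint, face or voice


# Base risk per transaction type (hypothetical weights, constructed for the example).
TRANSACTION_RISK = {"view_balance": 1, "pay_existing_payee": 3, "pay_new_payee": 5}

# Lowest assurance level the session must hold once the score reaches each threshold.
LEVEL_THRESHOLDS = [
    (0, AuthLevel.PASSIVE),
    (3, AuthLevel.KNOWLEDGE),
    (5, AuthLevel.POSSESSION),
    (8, AuthLevel.INHERENCE),
]
DENY_THRESHOLD = 11  # the "Risk acceptable?" gate: refuse rather than step up


@dataclass
class Profile:
    """Baseline captured at registration: signals held with the customer's consent."""
    home_country: str
    known_devices: frozenset = frozenset()
    typical_amount: float = 200.0


@dataclass
class Session:
    username: str
    device_id: str
    country: str
    level: AuthLevel = AuthLevel.NONE


@dataclass
class Decision:
    action: str  # "allow", "step_up" or "deny"
    score: int
    required: AuthLevel
    reasons: list


def open_session(username, device_id, country, profile):
    """Username entered; passive signals alone may already give PASSIVE assurance."""
    level = AuthLevel.PASSIVE if device_id in profile.known_devices else AuthLevel.NONE
    return Session(username, device_id, country, level)


def score_risk(txn, amount, session, profile):
    """Additive risk score plus a trail of the signals that contributed."""
    score = TRANSACTION_RISK[txn]
    reasons = ["transaction %s: +%d" % (txn, score)]
    if session.device_id not in profile.known_devices:
        score += 3
        reasons.append("unknown device: +3")
    if session.country != profile.home_country:
        score += 2
        reasons.append("outside home country: +2")
    if amount > 5 * profile.typical_amount:
        score += 2
        reasons.append("amount far above typical: +2")
    return score, reasons


def required_level(score):
    """Map a score to the minimum assurance level (highest threshold reached wins)."""
    level = AuthLevel.NONE
    for threshold, candidate in LEVEL_THRESHOLDS:
        if score >= threshold:
            level = candidate
    return level


def decide(txn, amount, session, profile):
    """Assess one transaction against the assurance the session already holds."""
    score, reasons = score_risk(txn, amount, session, profile)
    if score >= DENY_THRESHOLD:
        return Decision("deny", score, AuthLevel.INHERENCE, reasons)
    required = required_level(score)
    if session.level >= required:
        return Decision("allow", score, required, reasons)
    return Decision("step_up", score, required, reasons)


def complete_step_up(session, level):
    """The requested credential was supplied and validated; raise the session's level."""
    session.level = max(session.level, level)
    return session


if __name__ == "__main__":
    profile = Profile(home_country="NZ", known_devices=frozenset({"phone-1"}))
    s = open_session("diane", "phone-1", "NZ", profile)
    print(decide("view_balance", 0, s, profile))          # known device: allow, no password
    s2 = open_session("diane", "laptop-9", "NZ", profile)
    print(decide("view_balance", 0, s2, profile))         # new device: step up to a password
    s3 = open_session("diane", "laptop-9", "UK", profile)
    print(decide("pay_new_payee", 2500, s3, profile))     # new payee, new device, abroad: deny
```

The session starts at PASSIVE when the device is already known, which is the deck's "captured with consent but without customer input" category doing its work; the customer is only asked for something when `decide` returns `step_up`, and the `reasons` trail is what you would log for the post-event analysis the deck mentions. Note that `complete_step_up` only raises the level after the credential has actually validated; the invalid-credential branch in the slides stays with the credential handler, not the risk engine.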
In summary
Throw away the one size fits all authentication
Take the burden from the customer
Use risk based rules to determine how and when to authenticate
Authentication can take place anywhere in the customer journey
Authenticate internal and external users in the same way
Own the cyber security responsibility