vision 2014: identity authentication and credentialing in practice

© 2014 Experian Information Solutions, Inc. All rights reserved. Experian and the marks used herein are service marks or registered trademarks of Experian Information Solutions, Inc.

Other product and company names mentioned herein are the trademarks of their respective owners. No part of this copyrighted work may be reproduced, modified, or distributed in

any form or manner without the prior written permission of Experian. Experian Public.

Identity authentication and credentialing in practice

Peter McDonald Symantec

Keir Breitenfeld Experian

#vision2014

Ken Pruett Experian

2 © 2014 Experian Information Solutions, Inc. All rights reserved. Experian Public.

Introductions

Position:

► Robust authentication linked to ongoing credentialed identity management both mitigates risk and improves customer experience

Purpose:

► Understand how clients today are leveraging best-in-class identity authentication and the issuance and management of online user access credentials

► Consider identity proofing and credentialing options and decision criteria

► Discuss where you are in the process

Introductions and session goals


By 2020

80% of digital access will be shaped by new mobile and non-PC architectures, up from 5% today

60% of all digital identities interacting with enterprises will come from external identity providers through a competitive marketplace, up from <10% today

80% of enterprises will allow unrestricted access to non-critical assets, up from <5% today, reducing spending on IAM by 25%

Overall IAM product and pricing will drop by 40% relative to today in real terms

70% of all businesses will use Attribute-based Access Control (ABAC) as the dominant mechanism to protect critical assets, up from <5% today

Identity analytics and intelligence (IAI) tools will deliver direct business value* in 60% of enterprises, up from <5% today

Why this session matters?

Source: Gartner, 2013


Trends, drivers and decision criteria

Experian identity proofing overview

Symantec credentialing overview

Market adoption and trending

Use cases

Lessons learned

Agenda


Cloud Mobile

Social Information

Key trends to consider Gartner’s nexus of forces

Source: Decision Point for Selecting Authentication Credentials and Factors. Gartner.12 September 2013


What authentication methods, credentials and factors should organizations use to provide the appropriate level of identity assurance for resource access?

Assessing options in the market

Source: Decision Point for Selecting Authentication Credentials and Factors. Gartner.12 September 2013

Identity proofing

Assessing depth of

relationship

Client platform

Application interoperability

Adaptive access

Constraints


User experience and expectation

Compliance

NSTIC / federated identities / IAM / IDaaS

Cost reduction and resource constraints

Fraud prevention and detection – current and emerging channels

Big Data analytics – authentication and identity/transaction monitoring

Mobile device adoption and binding

Identity authentication and credentialing Market and business drivers


Customers access mobile and online services via a step up authentication with less risk and interoperable credentials

Often ambiguous or shifting compliance requirements demand evolutionary services

Multiple industries directionally migrating toward federated identities – embed higher-trust user authentication methods within identity services

Reduce costly authentication fails and desperate processes

Counter PII constraints and decline and username/password compromise

Offer federated identities with ongoing and more effective identity risk assessment

Leverage mobile environment for risk mitigation multi-factor authentication

Identity authentication and credentialing Value propositions


Sample authentication decision flow


Experian’s expertise in information and data analytics provides companies with insight to manage fraud and compliance challenges across the customer life cycle, from prospecting and acquisition to customer management and collections

Experian fraud and identity solutions What we do

Fraud loss mitigation

Compliance

Customer experience

Cost control


Data

Demographic data aggregation and verification via Experian Precise Match architecture

Consumer credit oriented information related to demographics, risk conditions, and account information

Identity transaction information and link analysis beyond basic identity element verification and validation

Detail

Consumer-centric summary and detailed results that portray the level of authentication achieved

Identity and identity element validation and verification

Link analysis and velocity checks

Related identity information appends and insight

Knowledge-based authentication questions and grading via Knowledge IQ

Analytics

Scores designed to segment first and third party identity fraud risk

Risk attributes for use in sophisticated decisioning and custom model builds

Market and client specific models oriented toward unique addressable markets and process points

Set-up and Decisioning

Flexibly designed object-oriented strategies that incorporate detailed results, scores, risk attributes, and knowledge-based authentication performance

Real-time or batch processing

XML/Web services or Web User Interface access options

Precise IDSM Foundations

Progressive and flexibly designed authentication across the customer life cycle


Precise IDSM Meeting client and industry challenges

Compliance Identity element validation and

verification

Tailored compliance oriented

decisioning strategies

Identity risk scores and attributes,

identity transaction checks,

knowledge based authentication

Pointed and progressive use of

various capabilities to mitigate

risk unique to a client market or

application

Risk-based

authentication

Evolutionary platform that

aggregates additional assets and

delivers innovative services over

time

Device intelligence and risk

assessment, positive and

negative data assets, client data

Emerging data

and technology

integration

Adjust service configuration and

strategies as fraud threats,

compliance requirements, and

applications change

Detailed reporting and

consultative resources

Performance

management and

tuning


Identity authentication Panoramic view

Consumer or

client initiated

acquisition or

account

transaction

Precise IDSM

authentication

Platform

PII data

verification

Identity

transactions

and link

analysis

Analytics

Knowledge-

based

authentication

Decisioning

Ancillary data /

services

Device

PII

Social

TXN

Account

Biometric

Credential

Consortium data

Identity,

device and

account data

Identity proofing

results and/or

decision

Identity,

device and

account data

Identity,

device and

account data

Consumer and client confirmation of fraud activity

Client fraud alert triggers

Consumer alert


Symantec Leader in online trust and cloud authentication

Online Trust

Cloud identity mgmt • User devices • PKI authentication • Two-Factor (VIP)

Authentication • Norton Secure Login Identity

Symantec cloud identity customers

• Federal • State • Healthcare • Financial Services

Largest big data security analytics

• 1.5 billion security events • Lower online fraud processing

100 million URLs and 3.6 billion files every six hours

Trusted name Symantec protects the world’s

people and information 50+ million customers Leader in securing and

managing information and identities

Trusted cloud identity and

authentication leader

Cloud authentication • 4 billion daily authentications • 650 million daily impressions • #1 SSL provider • 93% top 100 banks • 90% top 50 retailers


USAA

Pin access

Embedded Symantec Two-Factor (VIP) Authentication

Charles Schwab

Charles Schwab Branded Token

Symantec Two-Factor (VIP) Authentication

Preventing fraud in finance Customer specific authentication user experiences


E*TRADE

Digital security ID

Symantec Two-Factor (VIP) Authentication

Others

Better user experience with push authentication

Preventing fraud in finance Customer specific authentication user experiences


Symantec Validation and ID Protection (VIP) Intelligence within authentication

Evaluate…

Do we know this device?

Is it still the same device?

Is this device trustworthy?

Is it acting as expected?

…and respond

Device ID

Device fingerprint

Device reputation

User behavior

Actionable risk score

Low risk: Grant access without an

additional challenge

High risk: Challenge user via Out-Of-

Band authentication process


Average person has five unique passwords

► Passwords alone are poor

Breaches in consumer sites are password trolling exercises

Greater adoption of two-factor and other advanced authentication

► HSBC to launch OTP hard or soft token

► LinkedIn, Evernote, Twitter

Mobile device becoming the authentication device

► Smartphones are an extension of ourselves

Identity authentication and credentialing Industry research and market adoption

90% – the estimated percentage of people, worldwide,

who have mobile phones and keep them within three feet

of themselves 24-hours a day. “

” – Eric Schmidt, The New Digital Age


Precise IDSM Experian ID proofing + Symantec Two-Factor (VIP) Authentication

► ID Proofing

► Two-Factor (VIP) Authentication

► User intelligence

► Device intelligence

► Certification as full solution

Implementation for advanced and step-up authentication

Identity authentication and credentialing Market adoption and trending


Poll: Credentialing adoption

Does your organization

currently provide customers

with application access

credentials beyond user name

and password today?


Poll: Credentialing adoption

Do you anticipate your

organization adopting or

expanding use of access

credentials over the next

12 months?


Use cases to consider


1. NIST Level 3 Remote Identity Proofing using Experian Precise IDSM

2. Multiple form-factors for OTP tokens for multiple platforms (PC, workstation, and mobile)

3. Two-factor authentication with PIN, OTP and in-the-cloud validation service supporting authentication of prescribers at time of prescription approval

4. Symantec PKI for organizational digital signing of e-Prescriptions

Identity authentication and credentialing Use case – client hub – e-Prescribe

Experian Precise IDSM

(NIST 800-63-1 Level 3)

Symantec VIP OTP Authentication

Service

Symantec PKI (Cross-Certified Federal

Bridge)

Symantec VIP Token

Pharmacy

Cle

arin

gh

ou

se

e-Prescribing application

Prescriber


Identity authentication and credentialing What the user sees


Identity authentication and credentialing Use case – Symantec hub – Federal Agency

Symantec

IdP

application /

workflow

Password

management User registration/

login / support

Experian® API

Symantec API

RP

registration /

SAML 2.0

assertion

Relying

party

OTP token management /

validation

VIP

ID proofing

Precise ID / knowledge IQ

postal mailing

Relying party

management

User

Subscriber

directory

Name Email Password OTP serial # Transaction ID


Gaining access to high value accounts

► Provide a high degree of security for key clients

► Improve customer experience for authentication and credential issuance

Utilize score and questions to provide a secure level of authentication

► Overall pass-rates close to 80%

► Strong performance when questions are answered

► Well accepted by client

● Working now to fine tune the process

Identity authentication and credentialing Use case – financial services (brokerage)


Identity authentication and credentialing Use case – financial services (deposit/card)

Push notification service

User

Smartphone

VPN, VDI…

1) Displaying login page

2) Request the push auth through AJAX

3) Request push notification

4) Push notification (just trigger)

6) Return the authentication results as a 6 -character code

7) Submit ID/PWD/code

Enterprise

Push

Java script

APNS, GCM

VIP Enterprise Gateway

5) Contents download and approve/deny

User Directory

8) Verify ID/code

9) Grant access


Consumer clarity – education around purpose and process of identity proofing

► PII, KBA, etc.

► Set the stage…don’t jump right in

Client engagement around:

► Process flow

► Business drivers

► API review and settings options

Identity proofing performance monitoring and adjustment

► Levels of assurance, risk-based, input element variations and change

► Question performance

► Evaluate abandons = opportunity

Multi-factor options

Identity proofing and credential binding

Support processes for identity proofing and/or credential fails

Lessons learned


Home stretch…

Kool & the Gang is warming up as we speak


Identity authentication with effective credentialing works across multiple industries

Adoption is expected to grow substantially over coming years

Strategies such as NSTIC will likely drive Identity as a Service via commercial opportunity for service providers and users

Options and use cases are varied – a pragmatic approach to evaluation of services is critical

Consider process points managed by your organization vs. service providers

Education is ongoing…

Conclusions Summary and a look forward


Questions?

Thank you!


For additional information, please contact:

[email protected]

[email protected]

Hear the latest from Vision 2014

in the Daily Roundup:

www.experian.com/vision/blog

@ExperianVision | #vision2014

Follow us on Twitter


Visit the Experian Expert Bar to learn more about

the topics and products covered in this presentation.

vision 2014: identity authentication and credentialing in practice

Technology

experian public

vision2014 ken pruett

identity proofing

class identity authentication

external identity providers

robust authentication

digital access

credentialing options