Just Enough Authentication
- 1. Just Enough Authentication Making the authentication journey frictionless Diane Joyce Matakite
- 2. A bit about me Programmer Analyst/Programmer Project Manager System Designer Architect – Integration/ Solution/ Enterprise Identity Consultant Diane Joyce - Matakite 2
- 3. Just enough authentication With Big Data, smart devices and the rapid evolution of biometrics, the current one size fits all authentication model should be dead. In today's digital world the customer has high expectations and low brand loyalty, the winner is always the organisation that makes it easy but retains the security. Some times referred to as Frictionless or Zero Touch authentication, I think of it as ‘just enough authentication’ to avoid risk whilst retaining the customer , it could also be referred to as Just in Time Authentication Remove or minimise the inputs a customer needs to provide to authenticate themselves Apply a risk based model to determine when to apply additional authentication Authentication now become a key part of the UX journey and not a bolt-on at the front Diane Joyce - Matakite 3
- 4. Risk Based Authentication Principles Aim for as little customer input as possible Throw away the concept of one size authentication fits all Determine the risk model on a transactional basis We own cyber security not the customer Redesign your transactions to be flexible Use the same model for internal and external authentications Diane Joyce - Matakite 4
- 5. As little data input as possible Aim to have the customer only provide credential information as and when needed The less provided the less is able to be compromised Don’t always use the same credential sets Have lots of options and mix them up Use point and click as much as possible Diane Joyce - Matakite 5
- 6. Categorise the risk Could be data, could be value If steal my name and address from a website, not so great but this data is pretty freely available If you steal my name, address, dob, I’m a bit more concerned but this data is still quite freely available If you steal my ALL login credentials and like 80% of people I used the same passwords on various sites then I’m concerned If you lock me out of my account when I need it, I’m annoyed If you steal my money, now I’m unhappy Diane Joyce - Matakite 6
- 7. Create multifactor authentication tokens at registration Don’t restrict this to 2 factor, capture as much as possible Some is provided by the customer Password Memorable word/picture Device for OTP or authenticator app Fingerprint Voice Facial recognition Ear print Signature Some we can capture with customer consent but without customer input Device information including UID, virus status, security apps Location Typing pattern analysis Pointing device pattern analysis Gait analysis Device location history Device usage history Device proximity Network connectivity Diane Joyce - Matakite 7
- 8. We own cyber security We are the experts Expecting customer to be aware of and up-to-date with cyber security is not feasible We can guide them to a more secure experience BYOD, Cloud, SaaS, IDaaS changes the traditional security perimeter, we need to secure from endpoint thru to data sources Big data offers a valuable resource for identifying threats in both real time and post event analysis Understanding device vulnerability is critical Diane Joyce - Matakite 8
- 9. Make the transaction digital The risk model dictates The authentication required The data shown on the screen The transactions available The action to take Risk Models change, Products Change, Security Models change and need to be designed flexibly Use rules based workflow Use dynamic screens to show only the data applicable to the risk model AND the authentication level Its not standalone design, include it in both the UX and security design. Diane Joyce - Matakite 9
- 10. Let’s step through some examples Diane Joyce - Matakite 10
- 11. Registration Enter personal details Create username Create Password Create multi- factor Validate and verify personal details Validate username Validate Password Create multi- factor Create baseline credentials Diane Joyce - Matakite 11
- 12. Authentication to view a balance Enter Username Validate Username Validate Credentials View balance Assess Risk Select View Balance Valid Credentia ls ? Invalid credential process Diane Joyce - Matakite 12
- 13. One size fits all Authentication to view a balance - comparison Enter Username Validate Username Validate Credentials View balance Assess Risk Select View Balance Valid Credentia ls ? Invalid credential process Enter Username Enter password Enter 2nd Factor Select View Balance Diane Joyce - Matakite 13
- 14. Authentication to view a balance – new device Enter Username Validate Username Validate Credentials View balance Request Additional Credential Enter additional credential Valid Credenti al? Assess Risk Select Balance Validate Credentials Diane Joyce - Matakite 14
- 15. Authentication to pay an existing payee Enter Username Validate Username Validate Credentials Enter Payment details Request Additional Credential Enter additional credential Valid Credential ? Assess Risk Select Payment Validate Credential Confirm Payment Risk Process Credentials process Risk Acceptable ? Diane Joyce - Matakite 15
- 16. Authentication to pay a new payee Enter Username Validate Username Validate Credentials Enter Payment details Request Additional Credential Enter additional credential Valid Credential ? Assess Risk Select Payment Validate Credential Confirm Payment Credentials process Risk Acceptable? Enter additional credential Validate CredentialDiane Joyce - Matakite 16
- 17. In summary Throw away the one size fits all authentication Take the burden from the customer Use risk based rules to determine how and when to authenticate Authentication can take place anywhere in the customer journey Authenticate internal and external users in the same way Own the cyber security responsibility Diane Joyce - Matakite 17