Just Enough Authentication

Just Enough Authentication: Making the authentication journey frictionless. Diane Joyce, Matakite

Transcript of Just Enough Authentication

Page 1: Just Enough Authentication

Just Enough Authentication

Making the authentication journey frictionless

Diane Joyce, Matakite

Page 2: Just Enough Authentication

A bit about me

Programmer

Analyst/Programmer

Project Manager

System Designer

Architect – Integration / Solution / Enterprise

Identity Consultant

Diane Joyce - Matakite 2

Page 3: Just Enough Authentication

Just enough authentication

With Big Data, smart devices and the rapid evolution of biometrics, the current one size fits all authentication model should be dead.

In today's digital world the customer has high expectations and low brand loyalty; the winner is always the organisation that makes it easy but retains the security.

Sometimes referred to as Frictionless or Zero Touch authentication, I think of it as ‘just enough authentication’ to avoid risk whilst retaining the customer. It could also be referred to as Just in Time Authentication.

Remove or minimise the inputs a customer needs to provide to authenticate themselves

Apply a risk based model to determine when to apply additional authentication

Authentication now becomes a key part of the UX journey and not a bolt-on at the front


Page 4: Just Enough Authentication

Risk Based Authentication Principles

Aim for as little customer input as possible

Throw away the concept of one size authentication fits all

Determine the risk model on a transactional basis

We own cyber security, not the customer

Redesign your transactions to be flexible

Use the same model for internal and external authentications


Page 5: Just Enough Authentication

As little data input as possible

Aim to have the customer only provide credential information as and when needed

The less provided, the less is able to be compromised

Don’t always use the same credential sets

Have lots of options and mix them up

Use point and click as much as possible


Page 6: Just Enough Authentication

Categorise the risk

Could be data, could be value

If you steal my name and address from a website, not so great, but this data is pretty freely available

If you steal my name, address and date of birth, I’m a bit more concerned, but this data is still quite freely available

If you steal all my login credentials and, like 80% of people, I used the same passwords on various sites, then I’m concerned

If you lock me out of my account when I need it, I’m annoyed

If you steal my money, now I’m unhappy


Page 7: Just Enough Authentication

Create multifactor authentication tokens at registration

Don’t restrict this to two factors; capture as much as possible

Some is provided by the customer

Password

Memorable word/picture

Device for OTP or authenticator app

Fingerprint

Voice

Facial recognition

Ear print

Signature

Some we can capture with customer consent but without customer input

Device information including UID, virus status, security apps

Location

Typing pattern analysis

Pointing device pattern analysis

Gait analysis

Device location history

Device usage history

Device proximity

Network connectivity


Page 8: Just Enough Authentication

We own cyber security

We are the experts

Expecting the customer to be aware of and up-to-date with cyber security is not feasible

We can guide them to a more secure experience

BYOD, Cloud, SaaS and IDaaS change the traditional security perimeter; we need to secure from the endpoint through to the data sources

Big data offers a valuable resource for identifying threats in both real time and post-event analysis

Understanding device vulnerability is critical


Page 9: Just Enough Authentication

Make the transaction digital

The risk model dictates:

The authentication required

The data shown on the screen

The transactions available

The action to take

Risk models change, products change, security models change, and all need to be designed flexibly

Use rules based workflow

Use dynamic screens to show only the data applicable to the risk model AND the authentication level

It’s not a standalone design; include it in both the UX and security design.


Page 10: Just Enough Authentication

Let’s step through some examples


Page 11: Just Enough Authentication

Registration

Customer: Enter personal details -> Create username -> Create password -> Create multi-factor

System: Validate and verify personal details -> Validate username -> Validate password -> Create multi-factor -> Create baseline credentials

Page 12: Just Enough Authentication

Authentication to view a balance

Customer: Enter Username -> Select View Balance -> View balance

System: Validate Username -> Assess Risk -> Validate Credentials -> Valid Credentials? -> (yes) View balance / (no) Invalid credential process

Page 13: Just Enough Authentication

Authentication to view a balance - comparison

Risk based: Enter Username -> Validate Username -> Select View Balance -> Assess Risk -> Validate Credentials -> Valid Credentials? -> (yes) View balance / (no) Invalid credential process

One size fits all: Enter Username -> Enter password -> Enter 2nd Factor -> Select View Balance

Page 14: Just Enough Authentication

Authentication to view a balance – new device

Customer: Enter Username -> Select Balance -> Enter additional credential -> View balance

System: Validate Username -> Assess Risk -> Validate Credentials -> Request Additional Credential -> Validate Credentials -> Valid Credential? -> (yes) View balance

Page 15: Just Enough Authentication

Authentication to pay an existing payee

Customer: Enter Username -> Select Payment -> Enter Payment details -> Enter additional credential (if requested) -> Confirm Payment

System: Validate Username -> Validate Credentials -> Assess Risk -> Risk Acceptable? -> (yes) Confirm Payment / (no) Request Additional Credential -> Validate Credential -> Valid Credential? -> (yes) Confirm Payment / (no) Credentials process -> Risk Process

Page 16: Just Enough Authentication

Authentication to pay a new payee

Customer: Enter Username -> Select Payment -> Enter Payment details -> Enter additional credential -> Enter additional credential (if requested) -> Confirm Payment

System: Validate Username -> Validate Credentials -> Assess Risk -> Request Additional Credential -> Validate Credential -> Risk Acceptable? -> (yes) Confirm Payment / (no) Request Additional Credential -> Validate Credential -> Valid Credential? -> (yes) Confirm Payment / (no) Credentials process
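As an added example that is not part of the slides, here is a small Python policy in the shape of the flows on pages 12 to 16: Assess Risk decides how many customer-supplied credentials a transaction needs, and the journey only requests an additional credential when the session has not yet proven enough. The transaction names, the amount threshold and the step-up scoring are assumptions, not figures from the deck.

```python
from dataclasses import dataclass

# Constructed policy: baseline number of customer-supplied credentials each
# transaction needs when nothing in the context looks risky (pages 12, 15, 16).
# Transaction names, the amount threshold and the scoring are assumptions.
BASELINE = {"view_balance": 0, "pay_existing_payee": 0, "pay_new_payee": 1}
MAX_FACTORS = 3          # more than two factors are captured at registration
AMOUNT_THRESHOLD = 1000  # assumed: payments above this get a step-up

@dataclass
class Context:
    transaction: str
    known_device: bool = True    # device UID matches one seen at registration
    usual_location: bool = True  # matches the device's location history
    amount: float = 0.0          # payment amount; 0 for read-only actions
    proven: int = 0              # credentials already validated this session

def required_credentials(ctx: Context) -> int:
    """Assess Risk: how many customer-supplied credentials this context needs."""
    if ctx.transaction not in BASELINE:
        raise ValueError(f"unknown transaction {ctx.transaction!r}")
    needed = BASELINE[ctx.transaction]
    if not ctx.known_device:          # page 14: new device means step up
        needed += 1
    if not ctx.usual_location:        # passive signal captured per page 7
        needed += 1
    if ctx.amount > AMOUNT_THRESHOLD:
        needed += 1
    return min(needed, MAX_FACTORS)

def next_step(ctx: Context) -> str:
    """Risk Acceptable?: step up, or let the transaction proceed."""
    if ctx.proven < required_credentials(ctx):
        return "Request Additional Credential"
    return "View balance" if ctx.transaction == "view_balance" else "Confirm Payment"

def journey(ctx: Context) -> list:
    """Walk the flow for a customer who passes every requested step-up."""
    steps = ["Enter Username", "Validate Username", "Validate Credentials", "Assess Risk"]
    while (step := next_step(ctx)) == "Request Additional Credential":
        steps += [step, "Enter additional credential", "Validate Credential"]
        ctx.proven += 1
    steps.append(step)
    return steps

if __name__ == "__main__":
    for ctx in (Context("view_balance"),
                Context("view_balance", known_device=False),
                Context("pay_new_payee", amount=5000)):
        print(ctx.transaction, "->", " / ".join(journey(ctx)))
```

Because `proven` carries across calls, a credential validated earlier in the session counts towards a later, riskier transaction, which is what lets authentication sit anywhere in the journey rather than at the front.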

Page 17: Just Enough Authentication

In summary

Throw away the one size fits all authentication

Take the burden from the customer

Use risk based rules to determine how and when to authenticate

Authentication can take place anywhere in the customer journey

Authenticate internal and external users in the same way

Own the cyber security responsibility


Page 18: Just Enough Authentication

Questions?

[email protected]

@kiwiIDgal
