CIS14: Continuous Authentication: Don’t Even Think about It

917 views
680 views

Published on

Mance Harmon, Ping Identity
A look at how new product offerings in the smartphone and IoT markets offer the promise of enabling widespread adoption of continuous authentication solutions which, when combined with a smart authentication policy, could improve both user experience and system security.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
917
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
43
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

CIS14: Continuous Authentication: Don’t Even Think about It

  1. 1. Scaling   Authen.ca.on   Policy   Persistent   Authen.ca.on   Mobile  AuthN   Pla7orm   Mance  Harmon   Head  of  Labs   Josh  Alexander   CEO   Karl  Mar.n   CEO  
  2. 2. CONTINUOUS AUTHENTICATION DON’T EVEN THINK ABOUT IT! Copyright © 2013 Ping Identity Corp.All rights reserved. 2 Mance Harmon Head of Labs
  3. 3. The Smartphone: An Authentication Platform Copyright © 2014 Ping Identity Corp.All rights reserved. 3 What  You  Know   What  You  Know   What  You  Have   Biometrics   What  You  Have   Biometrics   TREND  
  4. 4. The Smartphone: An Authentication Platform Copyright © 2014 Ping Identity Corp.All rights reserved. 4 What  You  Know   What  You  Have   Biometrics   Addi.onal  Iden.fying  Data  Items   •  Geoloca.on   •  IP  address   •  Opera.ng  System   •  User  Agent  Model  /  Version   •  Session  Cookie   •  User  Data:   •  Contacts  List   •  Music  Library   •  Usage  PaSerns:     •  Time  of  Day   •  Frequency  of  Access   •  100s  more  ….  
  5. 5. Copyright © 2014 Ping Identity Corp.All rights reserved. 5 The Smartphone: An Authentication Platform
  6. 6. PASSIVE   An Authentication TaxonomyACTIVE   Passwords   KBA   OTP   Physical   Keys   USB  Token   Fingerprint   PIN   CONTINUOUS   CONTEXT   DIRECT   INDIRECT   Copyright © 2014 Ping Identity Corp.All rights reserved. 6 EKG  Monitoring   Keystroke   Dynamics   Voice  Print  Walking  Gait   GeolocaJon   User-­‐Agent  Version   IP  Address   UID   Session   Cookie   -­‐  Time  of  Day   -­‐  Frequency   Behavioral  Stats  Face   Scan  
  7. 7. User Authentication: Reducing Risk Copyright © 2014 Ping Identity Corp.All rights reserved. 7 Time   Risk   IniJal   Login   Cookie   Expiry:   3  hours   Resource  Threshold   Re-­‐AuthN   8am   0   100   40   11am   2pm   5pm  
  8. 8. Continuous Authentication Copyright © 2014 Ping Identity Corp.All rights reserved. 8 Time   Risk   IniJal   Login   Resource  Threshold   Repeated  sampling  of  Passive  factors  (Context  and  ConJnuous)   0   100   40   GOAL:  Improve  Security  AND  Convenience  
  9. 9. AuthN Policy: The Traditional Approach Copyright © 2014 Ping Identity Corp.All rights reserved. 9 AuthN  Methods   Resources   Gmail   Box   Concur   SalesForce   Splunk   Basecamp   VPN   Finance  DB   Password   Hard  Token   Fingerprint   Geoloca.on   IP  address   Session  Cookie   UID   User  Agent  Version   Time  of  Day   Login  Frequency   OS  Version  
  10. 10. AuthN Policy: Risk-Based Authentication Copyright © 2014 Ping Identity Corp.All rights reserved. 10 AuthN  Methods   Resources   Gmail   Box   Concur   SalesForce   Splunk   Basecamp   VPN   Finance  DB   Password   Hard  Token   Fingerprint   Geoloca.on   IP  address   Session  Cookie   UID   User  Agent  Version   Time  of  Day   Login  Frequency   OS  Version   Risk   Score  
  11. 11. AuthN Policy: Threat-Based Authentication Copyright © 2014 Ping Identity Corp.All rights reserved. 11 AuthN  Methods   Resources   Gmail   Box   Concur   SalesForce   Splunk   Basecamp   VPN   Finance  DB   Password   Hard  Token   Fingerprint   Geoloca.on   IP  address   Session  Cookie   UID   User  Agent  Version   Time  of  Day   Login  Frequency   OS  Version   Threat   Cat  -­‐  A   Threat   Cat  -­‐  B   Threat   Cat  -­‐  C   Threat   Cat  -­‐  D   Threat   Cat  -­‐  E   Vulnerability  Mi.ga.on  
  12. 12. AuthN Policy: Threat-Based Authentication Copyright © 2014 Ping Identity Corp.All rights reserved. 12 AuthN  Methods   Resources   Gmail   Box   Concur   SalesForce   Splunk   Basecamp   VPN   Finance  DB   Password   Hard  Token   Fingerprint   Geoloca.on   IP  address   Session  Cookie   UID   User  Agent  Version   Time  of  Day   Login  Frequency   OS  Version   Threat   Cat  -­‐  A   Threat   Cat  -­‐  B   Threat   Cat  -­‐  C   Threat   Cat  -­‐  D   Threat   Cat  -­‐  E   Vulnerability  Mi.ga.on  
  13. 13. Risk-Based Authentication •  “Risk Score” –  Assumes a broad, general THREAT – the world is generally antagonistic –  The “Risk Score” is the same for all ASSETS –  For a given ASSET, there is coarse-grain expression of VULNERABILITY to the general threat (“Risk”Threshold) Copyright © 2014 Ping Identity Corp.All rights reserved. 13 Calculating Risk Threat-Based Authentication •  Risk is calculated based on –  A specific ASSET –  A specific THREAT –  How VULNERABLE the ASSET is to a specific THREAT –  To what degree the AuthN methods reduce probability of success for the specific THREAT Risk  =  AuthN  Results  +  Asset  +  Threat  +  Vulnerability  “Risk”  =    AuthN  Results  
  14. 14. Threat-Based Authentication: Benefits Copyright © 2014 Ping Identity Corp.All rights reserved. 14 • SCALE – easy to add new Resources and Authentication Methods • SECURITY – directly addresses known Threats, chooses authN methods appropriately • CONVENIENCE – minimizes Active authentication

×