Vision 2014: Identity Authentication and Credentialing In Practice

Understand how clients today are leveraging best-in-class identity authentication in tandem with the issuance and management of online user access credentials.

Transcript

  • 1. Identity authentication and credentialing in practice
      • Peter McDonald, Symantec
      • Keir Breitenfeld, Experian
      • Ken Pruett, Experian
      • #vision2014
      • ©2014 Experian Information Solutions, Inc. All rights reserved. Experian and the marks used herein are service marks or registered trademarks of Experian Information Solutions, Inc. Other product and company names mentioned herein are the trademarks of their respective owners. No part of this copyrighted work may be reproduced, modified, or distributed in any form or manner without the prior written permission of Experian. Experian Public.
  • 2. Introductions and session goals
      • Position:
          • Robust authentication linked to ongoing credentialed identity management both mitigates risk and improves customer experience
      • Purpose:
          • Understand how clients today are leveraging best-in-class identity authentication and the issuance and management of online user access credentials
          • Consider identity proofing and credentialing options and decision criteria
          • Discuss where you are in the process
  • 3. Why this session matters?
      • By 2020:
          • 80% of digital access will be shaped by new mobile and non-PC architectures, up from 5% today
          • 60% of all digital identities interacting with enterprises will come from external identity providers through a competitive marketplace, up from <10% today
          • 80% of enterprises will allow unrestricted access to non-critical assets, up from <5% today, reducing spending on IAM by 25%
          • Overall IAM product and pricing will drop by 40% relative to today in real terms
          • 70% of all businesses will use Attribute-based Access Control (ABAC) as the dominant mechanism to protect critical assets, up from <5% today
          • Identity analytics and intelligence (IAI) tools will deliver direct business value* in 60% of enterprises, up from <5% today
      • Source: Gartner, 2013
  • 4. Agenda
      • Trends, drivers and decision criteria
      • Experian identity proofing overview
      • Symantec credentialing overview
      • Market adoption and trending
      • Use cases
      • Lessons learned
  • 5. Key trends to consider: Gartner’s nexus of forces
      • Cloud
      • Mobile
      • Social
      • Information
      • Source: Decision Point for Selecting Authentication Credentials and Factors. Gartner, 12 September 2013
  • 6. Assessing options in the market
      • What authentication methods, credentials and factors should organizations use to provide the appropriate level of identity assurance for resource access?
      • Diagram labels: Identity proofing; Assessing depth of relationship; Client platform; Application interoperability; Adaptive access; Constraints
      • Source: Decision Point for Selecting Authentication Credentials and Factors. Gartner, 12 September 2013
  • 7. Identity authentication and credentialing: Market and business drivers
      • User experience and expectation
      • Compliance
      • NSTIC / federated identities / IAM / IDaaS
      • Cost reduction and resource constraints
      • Fraud prevention and detection – current and emerging channels
      • Big Data analytics – authentication and identity/transaction monitoring
      • Mobile device adoption and binding
  • 8. Identity authentication and credentialing: Value propositions
      • Customers access mobile and online services via a step-up authentication with less risk and interoperable credentials
      • Often ambiguous or shifting compliance requirements demand evolutionary services
      • Multiple industries directionally migrating toward federated identities – embed higher-trust user authentication methods within identity services
      • Reduce costly authentication fails and disparate processes
      • Counter PII constraints and decline and username/password compromise
      • Offer federated identities with ongoing and more effective identity risk assessment
      • Leverage mobile environment for risk mitigation multi-factor authentication
  • 9. Sample authentication decision flow
  • 10. Experian fraud and identity solutions: What we do
      • Experian’s expertise in information and data analytics provides companies with insight to manage fraud and compliance challenges across the customer life cycle, from prospecting and acquisition to customer management and collections
      • Fraud loss mitigation
      • Compliance
      • Customer experience
      • Cost control
  • 11. Precise ID℠ Foundations: Progressive and flexibly designed authentication across the customer life cycle
      • Data
          • Demographic data aggregation and verification via Experian Precise Match architecture
          • Consumer credit oriented information related to demographics, risk conditions, and account information
          • Identity transaction information and link analysis beyond basic identity element verification and validation
      • Detail
          • Consumer-centric summary and detailed results that portray the level of authentication achieved
          • Identity and identity element validation and verification
          • Link analysis and velocity checks
          • Related identity information appends and insight
          • Knowledge-based authentication questions and grading via Knowledge IQ
      • Analytics
          • Scores designed to segment first and third party identity fraud risk
          • Risk attributes for use in sophisticated decisioning and custom model builds
          • Market and client specific models oriented toward unique addressable markets and process points
      • Set-up and Decisioning
          • Flexibly designed object-oriented strategies that incorporate detailed results, scores, risk attributes, and knowledge-based authentication performance
          • Real-time or batch processing
          • XML/Web services or Web User Interface access options
  • 12. Precise ID℠: Meeting client and industry challenges
      • Compliance
          • Identity element validation and verification
          • Tailored compliance oriented decisioning strategies
      • Risk-based authentication
          • Identity risk scores and attributes, identity transaction checks, knowledge based authentication
          • Pointed and progressive use of various capabilities to mitigate risk unique to a client market or application
      • Emerging data and technology integration
          • Evolutionary platform that aggregates additional assets and delivers innovative services over time
          • Device intelligence and risk assessment, positive and negative data assets, client data
      • Performance management and tuning
          • Adjust service configuration and strategies as fraud threats, compliance requirements, and applications change
          • Detailed reporting and consultative resources
  • 13. Identity authentication: Panoramic view
      • Consumer or client initiated acquisition or account transaction
      • Precise ID℠ authentication platform
          • PII data verification
          • Identity transactions and link analysis
          • Analytics
          • Knowledge-based authentication
          • Decisioning
      • Ancillary data / services
          • Device
          • PII
          • Social
          • TXN
          • Account
          • Biometric
          • Credential
      • Consortium data
      • Diagram flow labels: Identity, device and account data; Identity proofing results and/or decision; Consumer and client confirmation of fraud activity; Client fraud alert triggers; Consumer alert
  • 14. Symantec: Leader in online trust and cloud authentication
      • Online Trust
      • Cloud identity mgmt
          • User devices
          • PKI authentication
          • Two-Factor (VIP) Authentication
          • Norton Secure Login
      • Identity
      • Symantec cloud identity customers
          • Federal
          • State
          • Healthcare
          • Financial Services
      • Largest big data security analytics
          • 1.5 billion security events
          • Lower online fraud processing 100 million URLs and 3.6 billion files every six hours
      • Trusted name
          • Symantec protects the world’s people and information
          • 50+ million customers
          • Leader in securing and managing information and identities
      • Trusted cloud identity and authentication leader
      • Cloud authentication
          • 4 billion daily authentications
          • 650 million daily impressions
          • #1 SSL provider
          • 93% top 100 banks
          • 90% top 50 retailers
  • 15. Preventing fraud in finance: Customer specific authentication user experiences
      • USAA
          • PIN access
          • Embedded Symantec Two-Factor (VIP) Authentication
      • Charles Schwab
          • Charles Schwab Branded Token
          • Symantec Two-Factor (VIP) Authentication
  • 16. Preventing fraud in finance: Customer specific authentication user experiences
      • E*TRADE
          • Digital security ID
          • Symantec Two-Factor (VIP) Authentication
      • Others
          • Better user experience with push authentication
  • 17. Symantec Validation and ID Protection (VIP): Intelligence within authentication
      • Evaluate…
          • Do we know this device?
          • Is it still the same device?
          • Is this device trustworthy?
          • Is it acting as expected?
      • …and respond
          • Device ID
          • Device fingerprint
          • Device reputation
          • User behavior
      • Actionable risk score
          • Low risk: Grant access without an additional challenge
          • High risk: Challenge user via Out-Of-Band authentication process
  • 18. Identity authentication and credentialing: Industry research and market adoption
      • Average person has five unique passwords
          • Passwords alone are poor
      • Breaches in consumer sites are password trolling exercises
      • Greater adoption of two-factor and other advanced authentication
          • HSBC to launch OTP hard or soft token
          • LinkedIn, Evernote, Twitter
      • Mobile device becoming the authentication device
          • Smartphones are an extension of ourselves
      • “90% – the estimated percentage of people, worldwide, who have mobile phones and keep them within three feet of themselves 24-hours a day.” – Eric Schmidt, The New Digital Age
  • 19. Identity authentication and credentialing: Market adoption and trending
      • Precise ID℠ Experian ID proofing + Symantec Two-Factor (VIP) Authentication
          • ID Proofing
          • Two-Factor (VIP) Authentication
          • User intelligence
          • Device intelligence
          • Certification as full solution
      • Implementation for advanced and step-up authentication
  • 20. Poll: Credentialing adoption. Does your organization currently provide customers with application access credentials beyond user name and password today?
  • 21. Poll: Credentialing adoption. Do you anticipate your organization adopting or expanding use of access credentials over the next 12 months?
  • 22. Use cases to consider
  • 23. Identity authentication and credentialing: Use case – client hub – e-Prescribe
      • 1. NIST Level 3 Remote Identity Proofing using Experian Precise ID℠
      • 2. Multiple form-factors for OTP tokens for multiple platforms (PC, workstation, and mobile)
      • 3. Two-factor authentication with PIN, OTP and in-the-cloud validation service supporting authentication of prescribers at time of prescription approval
      • 4. Symantec PKI for organizational digital signing of e-Prescriptions
      • Diagram labels: Experian Precise ID℠ (NIST 800-63-1 Level 3); Symantec VIP OTP Authentication Service; Symantec PKI (Cross-Certified Federal Bridge); Symantec VIP Token; Pharmacy; Clearinghouse; e-Prescribing application; Prescriber
  • 24. Identity authentication and credentialing: What the user sees
  • 25. Identity authentication and credentialing: Use case – Symantec hub – Federal Agency
      • Diagram labels: Symantec IdP application / workflow; Password management; User registration / login / support; Experian® API; Symantec API; RP registration / SAML 2.0 assertion; Relying party; OTP token management / validation; VIP; ID proofing; Precise ID / knowledge IQ; postal mailing; Relying party management; User
      • Subscriber directory
          • Name
          • Email
          • Password
          • OTP serial #
          • Transaction ID
  • 26. Identity authentication and credentialing: Use case – financial services (brokerage)
      • Gaining access to high value accounts
          • Provide a high degree of security for key clients
          • Improve customer experience for authentication and credential issuance
      • Utilize score and questions to provide a secure level of authentication
          • Overall pass-rates close to 80%
          • Strong performance when questions are answered
          • Well accepted by client
              • Working now to fine tune the process
  • 27. Identity authentication and credentialing: Use case – financial services (deposit/card)
      • Diagram components: Push notification service; User; Smartphone; VPN, VDI…; Enterprise; Push; JavaScript; APNS, GCM; VIP Enterprise Gateway; User Directory
      • Flow:
          • 1) Displaying login page
          • 2) Request the push auth through AJAX
          • 3) Request push notification
          • 4) Push notification (just trigger)
          • 5) Contents download and approve/deny
          • 6) Return the authentication results as a 6-character code
          • 7) Submit ID/PWD/code
          • 8) Verify ID/code
          • 9) Grant access
  • 28. Lessons learned
      • Consumer clarity – education around purpose and process of identity proofing
          • PII, KBA, etc.
          • Set the stage…don’t jump right in
      • Client engagement around:
          • Process flow
          • Business drivers
          • API review and settings options
      • Identity proofing performance monitoring and adjustment
          • Levels of assurance, risk-based, input element variations and change
          • Question performance
          • Evaluate abandons = opportunity
      • Multi-factor options
      • Identity proofing and credential binding
      • Support processes for identity proofing and/or credential fails
  • 29. Home stretch… Kool & the Gang is warming up as we speak
  • 30. Conclusions: Summary and a look forward
      • Identity authentication with effective credentialing works across multiple industries
      • Adoption is expected to grow substantially over coming years
      • Strategies such as NSTIC will likely drive Identity as a Service via commercial opportunity for service providers and users
      • Options and use cases are varied – a pragmatic approach to evaluation of services is critical
      • Consider process points managed by your organization vs. service providers
      • Education is ongoing…
  • 31. Questions? Thank you!
  • 32. For additional information, please contact:
      • Keir.Breitenfeld@experian.com
      • Ken.Pruett@experian.com
      • Hear the latest from Vision 2014 in the Daily Roundup: www.experian.com/vision/blog
      • Follow us on Twitter: @ExperianVision | #vision2014
  • 33. Visit the Experian Expert Bar to learn more about the topics and products covered in this presentation.