Pay Forum Conference

  1. Best practices to achieve risk-appropriate authentication. Per Hägerö, CTO
  2. #1 Security through Simplicity
  3. (image slide, no text)
  4. Define Risk-Appropriate Authentication
  5. What are your options?
     Something only you know (hopefully): KBA: Lexical; KBA: Graphical
     Something you hold: Token: OTP; Token: PKI; Token: OOB
     Something you are: Biometrics: Biological; Biometrics: Behavioral
  6. Risk levels (NIST SP 800-63-1): High, Medium, Low, Minimal
  7. Risk levels (NIST SP 800-63-1) mapped to methods: High: PKI; Medium: OTP, OOB; Low: Lexical; Minimal: (none listed)
  8. is it that easy?
  9. NO!
  10. (image slide, no text)
  11. There are a number of needs and constraints you need to consider:
      Who are you authenticating?
      Where are they?
      What will they use it for?
      What end-points are they using?
      Are there any regulations?
      What is the available budget?
      What is the risk?
      Others?
  12. all set?
  13. not yet…
  14. consider the aspect of identity proofing
  15. ≤ 100 %
  16. IDENTITY PROOFING / AUTHENTICATION
  17. IDENTITY PROOFING / AUTHENTICATION
  18. IDENTITY PROOFING / IDENTITY ASSURANCE / AUTHENTICATION
  19. (image slide, no text)
  20. our approach…
  21. Considerations: Assurance, Adjacent needs, Ease-of-use, TCO
  22. add additional protection with a layered security architecture and adaptive access control
  23. The Nexus offering: PortWise Authentication Service
  24. Customer Case: Very large bank (> 1 million); Requirement for a versatile authentication platform; Other requirements: Web Service Management, Integrated Virtual Directory
  25. (architecture diagram) Components shown: eBanking Framework, Management Platform, OATH Cards, OTP Software, Policy Enforcement Point, Adaptive Access Manager, Authentication Manager, Token, Virtual Directory, Web Token, User DB (×3)
  26. (image slide, no text)
  27. (image slide, no text)
  28. (image slide, no text)
  29. Risk-Appropriate Authentication is when an authentication method that best fits the use case is used, a method that is just right, not too little or too much, at the right TCO and that can use adaptive access controls to determine risk and confidence levels
  30. Questions and Answers. E-mail: per.hagero@nexussafe.com; Twitter: @hagero; Blog: perhagero.wordpress.com
  31. ABBREVIATIONS: KBA – Knowledge-based Authentication; OOB – Out of Band; OTP – One Time Password
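The following is an added example, not code from the presentation or from Nexus/PortWise. It encodes the slide-7 mapping of NIST SP 800-63-1 risk levels to authenticator classes and the adaptive access control idea of slides 22 and 29: the required level is derived from request context (the slide-11 questions), then compared with what the user actually presented, so the policy can report "too little" (step-up needed), "just right", or "too much". The `Context` fields, the per-action base levels and the 10,000 transaction threshold are constructed assumptions for illustration, not values from the slides.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Sequence


class RiskLevel(IntEnum):
    MINIMAL = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Slide 7 mapping: the highest NIST SP 800-63-1 risk level each authenticator
# class is appropriate for. Slide 7 lists nothing for Minimal, so no class maps there.
AUTHENTICATOR_LEVEL = {
    "lexical": RiskLevel.LOW,     # lexical KBA, i.e. a password
    "otp": RiskLevel.MEDIUM,
    "oob": RiskLevel.MEDIUM,
    "pki": RiskLevel.HIGH,
}


@dataclass
class Context:
    """Request signals answering the slide-11 questions (field names are assumptions)."""
    action: str                 # what will they use it for?
    known_endpoint: bool        # what end-points are they using?
    inside_network: bool        # where are they?
    transaction_amount: float = 0.0


# Constructed base policy per action; real values come from the organisation's risk analysis.
BASE_LEVEL = {
    "view_balance": RiskLevel.LOW,
    "pay_known_payee": RiskLevel.MEDIUM,
    "add_payee": RiskLevel.HIGH,
}
HIGH_VALUE_THRESHOLD = 10_000.0  # constructed step-up threshold


def required_level(ctx: Context) -> RiskLevel:
    """Adaptive access control: derive the required risk level from the request context."""
    level = BASE_LEVEL.get(ctx.action, RiskLevel.HIGH)  # unknown action: treat as high risk
    if not ctx.known_endpoint or not ctx.inside_network:
        level = max(level, RiskLevel.MEDIUM)          # unfamiliar device or location
    if ctx.transaction_amount > HIGH_VALUE_THRESHOLD:
        level = RiskLevel.HIGH
    return level


@dataclass
class Decision:
    allowed: bool
    required: RiskLevel
    presented: RiskLevel
    step_up_options: List[str] = field(default_factory=list)  # just-sufficient classes
    overkill: bool = False                                     # stronger than the use case needs


def evaluate(ctx: Context, presented_methods: Sequence[str]) -> Decision:
    """Compare what the user authenticated with against what the context requires."""
    unknown = [m for m in presented_methods if m not in AUTHENTICATOR_LEVEL]
    if unknown:
        raise ValueError(f"unknown authenticator class(es): {unknown}")
    required = required_level(ctx)
    presented = max((AUTHENTICATOR_LEVEL[m] for m in presented_methods),
                    default=RiskLevel.MINIMAL)
    allowed = presented >= required
    # "Just right": offer exactly the classes whose level equals the requirement
    # as step-up choices when the session is under-authenticated.
    options = [] if allowed else [m for m, lvl in AUTHENTICATOR_LEVEL.items() if lvl == required]
    return Decision(allowed, required, presented, options, presented > required)


if __name__ == "__main__":
    # Password-only session paying from an unknown device outside the network.
    print(evaluate(Context("pay_known_payee", known_endpoint=False, inside_network=False), ["lexical"]))
```

The `overkill` flag is the "not too much" half of slide 29: a PKI token demanded for a balance check costs more in TCO and ease-of-use than the risk justifies, so the policy makes that visible rather than silently accepting it.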
