RSA Adaptive Authentication
Offering Multiple Ways to Provide Strong Two-Factor Authentication to End Users
RSA Solution Brief

The state of passwords today is similar to that of the horse and buggy at the turn of the 19th century. With the advent of the automobile, the reliable and ubiquitous horse and buggy soon became obsolete. Today, the environment is such that organizations are realizing that passwords must also give way to stronger, more effective solutions. In their place, strong authentication is becoming the de facto standard for assuring user identities in the online world. RSA® Adaptive Authentication is at the forefront of this trend by offering a strong authentication solution that not only adds a layer of security on top of existing username and password systems, but does so in a way that is convenient for the end user.

The Basics of Strong Authentication

Strong authentication is also commonly referred to as two-factor authentication or multi-factor authentication. This alludes to the fact that there is more than one factor, or proof, needed in order for an authentication to be made. Some factors include:

– What a user knows (i.e., a password or challenge question)
– What a user has (i.e., a security token or mobile phone)
– What a user is (i.e., a biometric device)
– What a user does (i.e., patterns of behavior)

When only one factor is utilized to authenticate a user, it is considered to be a weak form of authentication. Multi-factor authentication may include multiple types of the same authentication method (for example, two static passwords) but would not necessarily be considered strong authentication.

The Basics of RSA Adaptive Authentication

RSA Adaptive Authentication is a comprehensive authentication and risk management platform offering numerous authentication options and providing cost-effective protection for entire groups of users. At its core, Adaptive Authentication is designed to determine when to visibly authenticate users and what type of authentication method to use.
These decisions are based on risk levels, institutional policies, and customer segmentation.

Adaptive Authentication combats existing and emerging fraud trends by analyzing device identification data, behavioral profiles, activity patterns, RSA eFraudNetwork™ feeds, multi-channel threat indicators, and fraud intelligence, all integrated into a single platform that is constantly evolving to reflect ongoing changes in the fraud landscape. Adaptive Authentication is currently deployed at over 8,000 organizations worldwide and has processed and protected over 20 billion activities to date.

The key benefits of Adaptive Authentication include:

– Superior user experience (lowest impact on genuine users and highest fraud detection rates)
– Numerous authentication methods with customizable risk and authentication policies
– Strong and convenient protection against malware that can be deployed invisibly and flexibly
– The ability to protect across multiple channels including the online and mobile channels and the IVR/Call Center
– A proven solution deployed at over 8,000 organizations and protecting more than 150 million users worldwide

RSA Adaptive Authentication: Multi-factor Authentication

– Something you have: Device identification
– Something you are/do: Behavioral profile
– Something you know: Username and password (not managed by RSA Adaptive Authentication)

Adaptive Authentication Meets the Requirement for Multi-factor Authentication

Traditionally, security solutions meet the requirement for two-factor authentication by requiring users to provide a username and password and an additional credential, such as a one-time password or smart card, every time they access their account information online. However, when using Adaptive Authentication, organizations utilize a risk-based approach that only visibly authenticates users when they exceed a given risk threshold (pre-determined by the organization). If most users are being authenticated behind-the-scenes, does that still meet the standard of strong authentication? The answer is yes.

Something the User Has

RSA Adaptive Authentication always uses a second factor even though the initial authentication is performed transparently to the user. When necessary, RSA performs several authentication procedures behind-the-scenes, including invisible device identification. If a user’s device is positively identified and associated with the user (and not with fraudulent use), then the user is considered authenticated.
In this case, the device being used to request access is the second factor in strong authentication – “something you have.”

Adaptive Authentication can conduct device identification by fingerprinting the user’s device. Device fingerprinting consists of tracking device characteristics that are a natural part of any device such as HTTP headers, operating system versions, browser version, languages, and time zone. Furthermore, device fingerprinting actively introduces additional identifiers with the simple addition of a cookie and/or a flash shared object (also referred to as “flash cookie”) which can then serve as a more unique identifier of the device.

When a user’s identity is not positively assured via device authentication, they are challenged using a variety of methods including:

– Challenge questions: Something the user knows
– Knowledge-based questions: Out-of-wallet versions of something the user knows
– Out-of-band phone authentication: Something the user has
– One-time passwords (via SMS, e-mail, token): Something the user has

By authenticating a user with one of these other methods, the device will be established as a “trusted” device in the future.

[Figure: Real-time risk assessment and policy settings. Low risk (majority): Continue. High risk (minority): Out-of-band, Knowledge-based, One-time password.]

The RSA Adaptive Authentication solution offers sophisticated risk analytics to ensure a low challenge rate and years of fine tuning and experience help create a high completion rate and an excellent user experience.
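
The device-identification flow described above, as an added illustration that is not RSA's implementation or code from this brief: a fingerprint is derived from the passive characteristics the brief lists plus a planted cookie, a recognized device continues, and anything else is challenged and becomes trusted only after the challenge succeeds. All names (DeviceRegistry, decide, challenge_passed, the field names) and the exact-match comparison are assumptions.

```python
import hashlib
import hmac
import secrets

# Passive characteristics named in the brief; the field names are assumptions.
PASSIVE_FIELDS = ("user_agent", "accept_language", "os_version", "time_zone")
# Keyed hash so stored fingerprints cannot be recomputed without the server key.
SERVER_KEY = secrets.token_bytes(32)

# Constructed sample device, not real traffic.
LAPTOP = {"user_agent": "ExampleBrowser/1.0", "accept_language": "en-US",
          "os_version": "ExampleOS 10", "time_zone": "UTC-5"}


def fingerprint(device):
    """HMAC over the passive characteristics plus the planted cookie id."""
    parts = [device.get(f, "") for f in PASSIVE_FIELDS]
    parts.append(device.get("cookie_id", ""))
    msg = "\x1f".join(parts).encode()  # unit separator keeps fields unambiguous
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


class DeviceRegistry:
    def __init__(self):
        self.trusted = {}   # user -> fingerprints bound to that user
        self.fraud = set()  # fingerprints associated with fraudulent use

    def decide(self, user, device):
        """Return 'continue' only for a device bound to this user and not
        linked to fraud; everything else gets a visible challenge."""
        fp = fingerprint(device)
        if fp in self.fraud:
            return "challenge"
        if device.get("cookie_id") and fp in self.trusted.get(user, set()):
            return "continue"
        return "challenge"

    def challenge_passed(self, user, device):
        """After a successful challenge, plant a cookie and trust the device."""
        if not device.get("cookie_id"):
            device["cookie_id"] = secrets.token_hex(16)
        self.trusted.setdefault(user, set()).add(fingerprint(device))
        return device["cookie_id"]


if __name__ == "__main__":
    reg, dev = DeviceRegistry(), dict(LAPTOP)
    print(reg.decide("alice", dev))   # first visit, unknown device
    reg.challenge_passed("alice", dev)
    print(reg.decide("alice", dev))   # same device on return
```

With exact matching, any change in a tracked characteristic (a browser upgrade, a new time zone) sends the user back to a challenge; that is the trade-off a risk-scoring layer is meant to soften.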