Scaling	
  
Authen.ca.on	
  
Policy	
  
Persistent	
  
Authen.ca.on	
  
Mobile	
  AuthN	
  
Pla7orm	
  
Mance	
  Harmon	
 ...
CONTINUOUS AUTHENTICATION
DON’T EVEN THINK ABOUT IT!
Copyright © 2013 Ping Identity Corp.All rights reserved. 2
Mance Harm...
The Smartphone: An Authentication Platform
Copyright © 2014 Ping Identity Corp.All rights reserved. 3
What	
  You	
  Know	...
The Smartphone: An Authentication Platform
Copyright © 2014 Ping Identity Corp.All rights reserved. 4
What	
  You	
  Know	...
Copyright © 2014 Ping Identity Corp.All rights reserved. 5
The Smartphone: An Authentication Platform
PASSIVE	
   An Authentication TaxonomyACTIVE	
  
Passwords	
  
KBA	
  
OTP	
  
Physical	
  
Keys	
  
USB	
  Token	
  
Fing...
User Authentication: Reducing Risk
Copyright © 2014 Ping Identity Corp.All rights reserved. 7
Time	
  
Risk	
  
IniJal	
  ...
Continuous Authentication
Copyright © 2014 Ping Identity Corp.All rights reserved. 8
Time	
  
Risk	
  
IniJal	
  
Login	
 ...
AuthN Policy: The Traditional Approach
Copyright © 2014 Ping Identity Corp.All rights reserved. 9
AuthN	
  Methods	
   Res...
AuthN Policy: Risk-Based Authentication
Copyright © 2014 Ping Identity Corp.All rights reserved. 10
AuthN	
  Methods	
   R...
AuthN Policy: Threat-Based Authentication
Copyright © 2014 Ping Identity Corp.All rights reserved. 11
AuthN	
  Methods	
  ...
AuthN Policy: Threat-Based Authentication
Copyright © 2014 Ping Identity Corp.All rights reserved. 12
AuthN	
  Methods	
  ...
Risk-Based Authentication
•  “Risk Score”
–  Assumes a broad, general
THREAT – the world is generally
antagonistic
–  The ...
Threat-Based Authentication: Benefits
Copyright © 2014 Ping Identity Corp.All rights reserved. 14
• SCALE – easy to add ne...
Upcoming SlideShare
Loading in …5
×

CIS14: Continuous Authentication: Don’t Even Think about It

1,134 views

Published on

Mance Harmon, Ping Identity
A look at how new product offerings in the smartphone and IoT markets offer the promise of enabling widespread adoption of continuous authentication solutions which, when combined with a smart authentication policy, could improve both user experience and system security.

Published in: Technology
  • Be the first to comment

CIS14: Continuous Authentication: Don’t Even Think about It

  1. 1. Scaling   Authen.ca.on   Policy   Persistent   Authen.ca.on   Mobile  AuthN   Pla7orm   Mance  Harmon   Head  of  Labs   Josh  Alexander   CEO   Karl  Mar.n   CEO  
  2. 2. CONTINUOUS AUTHENTICATION DON’T EVEN THINK ABOUT IT! Copyright © 2013 Ping Identity Corp.All rights reserved. 2 Mance Harmon Head of Labs
  3. 3. The Smartphone: An Authentication Platform Copyright © 2014 Ping Identity Corp.All rights reserved. 3 What  You  Know   What  You  Know   What  You  Have   Biometrics   What  You  Have   Biometrics   TREND  
  4. 4. The Smartphone: An Authentication Platform Copyright © 2014 Ping Identity Corp.All rights reserved. 4 What  You  Know   What  You  Have   Biometrics   Addi.onal  Iden.fying  Data  Items   •  Geoloca.on   •  IP  address   •  Opera.ng  System   •  User  Agent  Model  /  Version   •  Session  Cookie   •  User  Data:   •  Contacts  List   •  Music  Library   •  Usage  PaSerns:     •  Time  of  Day   •  Frequency  of  Access   •  100s  more  ….  
  5. 5. Copyright © 2014 Ping Identity Corp.All rights reserved. 5 The Smartphone: An Authentication Platform
  6. 6. PASSIVE   An Authentication TaxonomyACTIVE   Passwords   KBA   OTP   Physical   Keys   USB  Token   Fingerprint   PIN   CONTINUOUS   CONTEXT   DIRECT   INDIRECT   Copyright © 2014 Ping Identity Corp.All rights reserved. 6 EKG  Monitoring   Keystroke   Dynamics   Voice  Print  Walking  Gait   GeolocaJon   User-­‐Agent  Version   IP  Address   UID   Session   Cookie   -­‐  Time  of  Day   -­‐  Frequency   Behavioral  Stats  Face   Scan  
  7. 7. User Authentication: Reducing Risk Copyright © 2014 Ping Identity Corp.All rights reserved. 7 Time   Risk   IniJal   Login   Cookie   Expiry:   3  hours   Resource  Threshold   Re-­‐AuthN   8am   0   100   40   11am   2pm   5pm  
  8. 8. Continuous Authentication Copyright © 2014 Ping Identity Corp.All rights reserved. 8 Time   Risk   IniJal   Login   Resource  Threshold   Repeated  sampling  of  Passive  factors  (Context  and  ConJnuous)   0   100   40   GOAL:  Improve  Security  AND  Convenience  
  9. 9. AuthN Policy: The Traditional Approach Copyright © 2014 Ping Identity Corp.All rights reserved. 9 AuthN  Methods   Resources   Gmail   Box   Concur   SalesForce   Splunk   Basecamp   VPN   Finance  DB   Password   Hard  Token   Fingerprint   Geoloca.on   IP  address   Session  Cookie   UID   User  Agent  Version   Time  of  Day   Login  Frequency   OS  Version  
  10. 10. AuthN Policy: Risk-Based Authentication Copyright © 2014 Ping Identity Corp.All rights reserved. 10 AuthN  Methods   Resources   Gmail   Box   Concur   SalesForce   Splunk   Basecamp   VPN   Finance  DB   Password   Hard  Token   Fingerprint   Geoloca.on   IP  address   Session  Cookie   UID   User  Agent  Version   Time  of  Day   Login  Frequency   OS  Version   Risk   Score  
  11. 11. AuthN Policy: Threat-Based Authentication Copyright © 2014 Ping Identity Corp.All rights reserved. 11 AuthN  Methods   Resources   Gmail   Box   Concur   SalesForce   Splunk   Basecamp   VPN   Finance  DB   Password   Hard  Token   Fingerprint   Geoloca.on   IP  address   Session  Cookie   UID   User  Agent  Version   Time  of  Day   Login  Frequency   OS  Version   Threat   Cat  -­‐  A   Threat   Cat  -­‐  B   Threat   Cat  -­‐  C   Threat   Cat  -­‐  D   Threat   Cat  -­‐  E   Vulnerability  Mi.ga.on  
  12. 12. AuthN Policy: Threat-Based Authentication Copyright © 2014 Ping Identity Corp.All rights reserved. 12 AuthN  Methods   Resources   Gmail   Box   Concur   SalesForce   Splunk   Basecamp   VPN   Finance  DB   Password   Hard  Token   Fingerprint   Geoloca.on   IP  address   Session  Cookie   UID   User  Agent  Version   Time  of  Day   Login  Frequency   OS  Version   Threat   Cat  -­‐  A   Threat   Cat  -­‐  B   Threat   Cat  -­‐  C   Threat   Cat  -­‐  D   Threat   Cat  -­‐  E   Vulnerability  Mi.ga.on  
  13. 13. Risk-Based Authentication •  “Risk Score” –  Assumes a broad, general THREAT – the world is generally antagonistic –  The “Risk Score” is the same for all ASSETS –  For a given ASSET, there is coarse-grain expression of VULNERABILITY to the general threat (“Risk”Threshold) Copyright © 2014 Ping Identity Corp.All rights reserved. 13 Calculating Risk Threat-Based Authentication •  Risk is calculated based on –  A specific ASSET –  A specific THREAT –  How VULNERABLE the ASSET is to a specific THREAT –  To what degree the AuthN methods reduce probability of success for the specific THREAT Risk  =  AuthN  Results  +  Asset  +  Threat  +  Vulnerability  “Risk”  =    AuthN  Results  
  14. 14. Threat-Based Authentication: Benefits Copyright © 2014 Ping Identity Corp.All rights reserved. 14 • SCALE – easy to add new Resources and Authentication Methods • SECURITY – directly addresses known Threats, chooses authN methods appropriately • CONVENIENCE – minimizes Active authentication

×