
FIDO Authentication Opportunities in Healthcare


A case study for healthcare leader, Aetna on how they are developing a digital competitive advantage. As part of their strategy to improve user experience and protect members, they have deployed FIDO Authentication.

Published in: Healthcare


  1. Quality health plans & benefits | Healthier living | Financial well-being | Intelligent solutions
     Abbie Barbir, Aetna Global Security
     FIDO Opportunities in Healthcare, May 2017
  2. © 2017 Aetna Inc. Our Mission
     Allow Aetna to establish a digital competitive advantage by equipping Aetna web and mobile applications with an unparalleled set of behavioral and biometric authentication technologies in a manner that empowers a world-class user experience and assures the integrity and confidentiality of member data.
     Improved User Experience | Reduced Risk | Reduced Cost
  3. What is Next Generation Authentication?
     The Objective: implement world-class capabilities to reduce risk and enable a frictionless user experience.
     Key Features
       • Password elimination/reduced reliance
       • Multimodal user authentication
       • Context aware access control
       • Real-time behavior analysis
       • Continuous authentication
       • Dynamic Authentication Assurance Levels (LOA)
       • Use across applications and devices
     NGA is driving a paradigm shift in mobile & web authentication
  4. Key Drivers: Evolving user experience
     Identity & Access Management is Evolving
       From: providing the right access to legitimate users at the right time
       To: providing the best user experience to legitimate users and their things at the right location & time
     Binary Authentication Creates a Poor User Experience
       • User frustration
       • Forgotten passwords interrupt interactions
       • Reuse & abandonment
       • Difficult to remember
       • Provide a conduit to member account compromise
     2FA and Other Mechanisms are Imperfect, Provide Poor User Experience and Suffer from Low Consumer Adoption
  5. Key Drivers: Member protection & fraud prevention
     Phishing is Incredibly Effective
       • Phishing is a component of 95% of incidents involving nation-state threat actors
       • 100 million phishing messages distributed every day
       • Median time-to-first-click: 1 minute 22 seconds across all campaigns
       • $2B in business impact annually
     Healthcare Organizations & Consumers are an Increasing Target for Fraud
       • Sophisticated & targeted attacks from nation-state & crime syndicates
       • Account takeover
       • Fraudulent registration
       • Payment Account Fraud
       • Claims Fraud
     PHI & PII Have Value on the Dark Web
       • 2016: $0.50 to $1.00 per record
       • Readily available records provide a conduit for account takeover
       • Increasing market value drives threat actors to target individual accounts for PII/PHI harvesting
     *Source: EY
  6. Authentication is no longer an event… it is integrated into the application
     In the past, authentication has been a single event, taking place only when an application is launched.
     The way you use an application is a better indicator of who you are than knowledge of a password.
     Moving forward, authentication is continuous and integrated natively into application interactions:
       • Continuous Behavioral Authentication
       • Biometric Authentication
       • Continuous Contextual Authentication
  7. Breaches that made the headlines
     (image-only slide; no further text)
  8. Aetna NGA’s core building blocks
     Aetna Authentication Hub building blocks: Backend Analytics & Risk Engine; LOA Real-Time (RT) Authorization Control; Monitor / Prevent @ Inception; Cognitive & Device Biometrics; Decentralized Authentication
       • Device stores biometric and validates it locally (no central database)
       • Examples: swipe speed, geolocation, typical application usage patterns
       • Integrate authentication events into the user experience (not binary)
       • Big data analytics create a risk score for that user/device combination
     Adaptive • Continuous • Behavioral • Analytics
  9. NGA: Design principles
       • Based on Open Specifications (i.e. FIDO)
       • Easy SDK integration for web and mobile
       • NGA’s centralized authentication hub provides centralized analysis and decision making across all NGA applications
       • API-based architecture
       • Lightweight and efficient
       • Device and platform portability
       • Flows and interactions designed to reduce friction and improve user experience
       • Eliminate fraud through increased friction for threat actor interactions
       • Support for dynamic authentication through LOA
  10. NGA: Mobile offering
      NGA’s mobile integration capabilities provide a mechanism for implementing consumer accepted and expected authentication capabilities in a manner that:
        • Transparently and continuously authenticates the device and user
        • Improves security and reduces the risk of fraud
        • Removes barriers to application access
      …while improving the user experience.
        • Reduced reliance on passwords through enhanced user & device authentication
        • Continuous Behavioral Authentication (i.e. swipe attributes)
        • Continuous Contextual Authentication (i.e. geolocation)
        • Biometric Integration
      Designed in alignment with FIDO Standards
  11. NGA: Mobile user experience example
      Enrollment, then subsequent app usage:
        • Behavioral & contextual attributes collected continuously
        • Centralized authentication hub makes ongoing authentication decisions
  12. NGA: Web offering
        • Reduced reliance on passwords through enhanced user & device authentication
        • Browser & System Fingerprinting for each session improves security & usability
        • Associate members & their devices through Device Binding to improve user experience & security
        • Eliminates risk of impersonation, account takeover, and registration fraud
      NGA’s web integration capabilities provide a mechanism for implementing consumer accepted and expected authentication capabilities in a manner that:
        • Improves member data security
        • Reduces the risk of fraud
      …while improving the user experience.
  13. NGA: Web user experience example
      Let’s follow Aetna Member Pam as she uses an Aetna web application with NGA:
        • Pam accesses her online Aetna account for the first time.
        • Because Pam is using this system for the first time, she completes an easy verification process via SMS or email.
        • Following validation, the NGA Authentication Hub adds her computer to her profile, along with the other devices she uses. She will not be prompted again from this computer.
        • Hacker Harold later tries to gain access to Pam’s account.
        • Hacker Harold is unable to gain access to the account: the NGA Authentication Hub identified that his system is not part of Pam’s profile, and he does not have access to Pam’s email or cell phone.
        • Pam is comfortable with this process, as it is similar to what she is used to from the Financial Services organizations she has accounts with, and it aligns with her data protection expectations.
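The hub behaviour that slides 8 and 13 describe, a risk score per user/device combination mapped to a dynamic assurance level, with a first-time out-of-band verification that binds the device and a refusal for an unrecognised system, written out as a small model. This is an added example for this page, not Aetna's NGA code: the signals, the additive weights and thresholds, the haversine distance check, and the member profile are all assumptions constructed to make the flow runnable.

```go
package main

import (
	"fmt"
	"math"
)

// Decision is the hub's answer for one access attempt; the three levels stand
// in for the deck's dynamic Levels of Assurance (LOA).
type Decision int

const (
	Allow  Decision = iota // low risk: bound device, nothing unusual
	StepUp                 // medium risk: verify via SMS/e-mail, then bind the device
	Deny                   // high risk: refuse the attempt
)

func (d Decision) String() string { return [...]string{"Allow", "StepUp", "Deny"}[d] }

// Context holds the signals collected for one attempt (constructed shape,
// following the deck's examples: device identity, geolocation, swipe speed).
type Context struct {
	DeviceID   string  // browser/system fingerprint or mobile device identifier
	Lat, Lon   float64 // geolocation, a contextual signal
	SwipeSpeed float64 // behavioral signal (pixels/s); 0 when not collected
}

// Profile is what the hub remembers about one member.
type Profile struct {
	Devices          map[string]bool // devices bound after a completed step-up
	HomeLat, HomeLon float64         // usual location
	SwipeMean        float64         // baseline swipe speed; 0 if unknown
}

// AuthHub is a hypothetical stand-in for the centralized authentication hub.
type AuthHub struct {
	Profiles map[string]*Profile
	pending  map[string]string // member -> device awaiting step-up completion
}

func NewAuthHub() *AuthHub {
	return &AuthHub{Profiles: map[string]*Profile{}, pending: map[string]string{}}
}

// haversineKm is the great-circle distance between two coordinates.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	toRad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat, dLon := toRad(lat2-lat1), toRad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(toRad(lat1))*math.Cos(toRad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * 6371.0 * math.Asin(math.Sqrt(a))
}

// Score turns the signals into an additive risk score (weights are illustrative)
// plus the reasons behind it, so the decision can be explained and logged.
func (h *AuthHub) Score(member string, c Context) (int, []string) {
	p, ok := h.Profiles[member]
	if !ok {
		return 100, []string{"unknown member"}
	}
	score, reasons := 0, []string{}
	if !p.Devices[c.DeviceID] {
		score += 50
		reasons = append(reasons, "device not bound to profile")
	}
	if d := haversineKm(p.HomeLat, p.HomeLon, c.Lat, c.Lon); d > 500 {
		score += 30
		reasons = append(reasons, fmt.Sprintf("%.0f km from usual location", d))
	}
	if c.SwipeSpeed > 0 && p.SwipeMean > 0 && math.Abs(c.SwipeSpeed-p.SwipeMean)/p.SwipeMean > 0.5 {
		score += 30
		reasons = append(reasons, "swipe speed far from baseline")
	}
	return score, reasons
}

// Decide maps the score onto an assurance level. A StepUp leaves the device
// pending until CompleteStepUp reports the out-of-band check passed.
func (h *AuthHub) Decide(member string, c Context) Decision {
	score, _ := h.Score(member, c)
	switch {
	case score < 30:
		return Allow
	case score < 80:
		h.pending[member] = c.DeviceID
		return StepUp
	default:
		return Deny
	}
}

// CompleteStepUp takes the outcome of the SMS/e-mail verification. Only a
// passed check binds the pending device; a failed one binds nothing.
func (h *AuthHub) CompleteStepUp(member string, passed bool) bool {
	dev, ok := h.pending[member]
	delete(h.pending, member)
	if !ok || !passed {
		return false
	}
	h.Profiles[member].Devices[dev] = true
	return true
}

func main() {
	hub := NewAuthHub()
	// Constructed profile: Pam, usually near Hartford, CT.
	hub.Profiles["pam"] = &Profile{Devices: map[string]bool{}, HomeLat: 41.76, HomeLon: -72.69, SwipeMean: 900}
	laptop := Context{DeviceID: "pam-laptop", Lat: 41.76, Lon: -72.69}
	fmt.Println("first visit:", hub.Decide("pam", laptop)) // StepUp
	hub.CompleteStepUp("pam", true)                         // Pam proves control of e-mail/SMS
	fmt.Println("second visit:", hub.Decide("pam", laptop)) // Allow
	stranger := Context{DeviceID: "unknown-pc", Lat: 55.75, Lon: 37.62}
	_, why := hub.Score("pam", stranger)
	fmt.Println("unknown device, far away:", hub.Decide("pam", stranger), why) // Deny
}
```

The point of returning reasons alongside the score is that every StepUp and Deny can be fed back to the analytics side of the hub; a risk engine whose decisions cannot be explained is hard to tune and hard to defend in an incident review.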
  14. FIDO modern authentication
      Implicit authentication and explicit authentication
        • MUST eliminate symmetric shared secrets
        • Address poor user experiences and friction
        • FIDO is a building block
          − complements federation solutions
      Impact
        • Identity binding is essential
        • Strong identity proofing a must
      Source: FIDO
  15. Federation
      First Mile: authentication, NO PASSWORDS. Second Mile: FEDERATION (SAML, OAuth, OpenID Connect). Complicated.
        • Standards are catching up on mile one
        • Mile two is getting more mature
        • Federation needs improvement
        • No prior relationship
        • SAML: Dynamic AuthN/Z
        • OAuth, OIC dynamic end point
        • Blockchain Opportunity
        • How about identity assurance?
          − Poorly deploying strong authentication is the same as weak authentication
        • FIDO solves the PW problem but mandates better identity binding at the relying party
        • Proper Identity vetting/proofing becomes essential
  16. Issue to consider: Identity proofing and account recovery
      Account Login Current Pain Points
        • I forgot my password
        • I cannot find/lost my phone
        • I am locked out of my account
      Account Recovery Options
        • KBA (static and/or dynamic)
        • Email account (compromised)
          − Password reset link
          − Or a new password
          − Enrolling back in FIDO
      Identity Proofing
        • Binding a FIDO authenticator to a user account on a relying party requires performing an identity vetting step
          − Trust anchor (aka Bootstrapping problem)
        • Currently pre-established authenticators are used as anchors of trust (such as passwords)
      Online identity proofing is challenging and still relies on something “you know”
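Two of the deck's requirements, "eliminate symmetric shared secrets" (slide 14) and "binding a FIDO authenticator requires an identity vetting step" (slide 16), shown together in a reduced model: the relying party stores only an Ed25519 public key, the authenticator signs a one-time challenge scoped to the relying party ID, and registration is refused until proofing has been recorded. This is an added example written for this page, not FIDO's wire format and not Aetna's code; the relying party ID `aetna.example`, the user name, and the signed-data layout (SHA-256 of the RP ID followed by the challenge) are assumptions, and real FIDO/WebAuthn assertions sign a richer structure.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the member's device-side FIDO authenticator. The private
// key never leaves it (the biometric that unlocks it is checked locally, as on
// slide 8), and the credential is scoped to one relying party.
type Authenticator struct {
	rpID string
	priv ed25519.PrivateKey
}

func NewAuthenticator(rpID string) (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{rpID: rpID, priv: priv}, nil
}

func (a *Authenticator) PublicKey() ed25519.PublicKey { return a.priv.Public().(ed25519.PublicKey) }

// signedData is the assumed layout of what gets signed: a hash of the RP ID, so
// a signature only means something to that relying party, then the challenge.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Assert is the explicit-authentication response. The authenticator refuses to
// sign for any relying party other than the one it was registered with.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	if rpID != a.rpID {
		return nil, errors.New("authenticator: credential is not scoped to this relying party")
	}
	return ed25519.Sign(a.priv, signedData(rpID, challenge)), nil
}

// RelyingParty stores only public keys: there is no symmetric shared secret
// that a database breach or a phished password could expose.
type RelyingParty struct {
	ID         string
	proofed    map[string]bool // identity vetting completed (the trust anchor)
	creds      map[string]ed25519.PublicKey
	challenges map[string][]byte // outstanding one-time challenges
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, proofed: map[string]bool{},
		creds: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// CompleteIdentityProofing records that the vetting step has been performed.
func (rp *RelyingParty) CompleteIdentityProofing(user string) { rp.proofed[user] = true }

// Register binds a public key to the account; refused until proofing is done,
// because an authenticator bound to an unvetted account proves nothing.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) error {
	if !rp.proofed[user] {
		return errors.New("register: identity proofing required before binding an authenticator")
	}
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("register: malformed public key")
	}
	rp.creds[user] = pub
	return nil
}

// Challenge issues a fresh random challenge for the next assertion.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// Verify checks the assertion against the stored key and the issued challenge.
// The challenge is consumed either way, so a captured assertion cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, haveKey := rp.creds[user]
	c, haveChallenge := rp.challenges[user]
	delete(rp.challenges, user)
	if !haveKey || !haveChallenge {
		return false
	}
	return ed25519.Verify(pub, signedData(rp.ID, c), sig)
}

func main() {
	rp := NewRelyingParty("aetna.example") // placeholder RP ID
	auth, _ := NewAuthenticator("aetna.example")
	fmt.Println("register before proofing:", rp.Register("pam", auth.PublicKey()))
	rp.CompleteIdentityProofing("pam")
	fmt.Println("register after proofing:", rp.Register("pam", auth.PublicKey()))
	c, _ := rp.Challenge("pam")
	sig, _ := auth.Assert("aetna.example", c)
	fmt.Println("assertion verifies:", rp.Verify("pam", sig)) // true
	fmt.Println("replay verifies:", rp.Verify("pam", sig))    // false
}
```

Note what the relying party never holds: a password hash, a shared HMAC key, or the biometric itself. What it does hold, the public key, is useless without the private half, which is why the deck treats the proofing step that happens before `Register` as the real trust anchor; a key bound to the wrong person is the remaining weak point, not the key.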
  17. Questions. Thank you.