Just Enough Authentication
Making the authentication journey frictionless
Diane Joyce
Matakite
A bit about me
Programmer, Analyst/Programmer, Project Manager, System Designer, Architect (Integration/Solution/Enterprise), Identity Consultant
Diane Joyce - Matakite 2
Just enough authentication
• With Big Data, smart devices and the rapid evolution of biometrics, the current one-size-fits-all authentication model should be dead.
• In today's digital world the customer has high expectations and low brand loyalty; the winner is always the organisation that makes it easy but retains the security.
• Sometimes referred to as Frictionless or Zero Touch authentication, I think of it as 'just enough authentication' to avoid risk whilst retaining the customer; it could also be referred to as Just in Time Authentication.
• Remove or minimise the inputs a customer needs to provide to authenticate themselves
• Apply a risk-based model to determine when to apply additional authentication
• Authentication now becomes a key part of the UX journey and not a bolt-on at the front

Risk Based Authentication Principles
• Aim for as little customer input as possible
• Throw away the concept of one-size-fits-all authentication
• Determine the risk model on a transactional basis
• We own cyber security, not the customer
• Redesign your transactions to be flexible
• Use the same model for internal and external authentications

As little data input as possible
• Aim to have the customer only provide credential information as and when needed
• The less that is provided, the less there is to be compromised
• Don't always use the same credential sets
• Have lots of options and mix them up
• Use point and click as much as possible

Categorise the risk
• Could be data, could be value
• If you steal my name and address from a website, not so great, but this data is pretty freely available
• If you steal my name, address, dob, I'm a bit more concerned, but this data is still quite freely available
• If you steal ALL my login credentials and, like 80% of people, I used the same passwords on various sites, then I'm concerned
• If you lock me out of my account when I need it, I'm annoyed
• If you steal my money, now I'm unhappy

Create multifactor authentication tokens at registration
• Don't restrict this to 2 factor, capture as much as possible
• Some is provided by the customer
  ◦ Password
  ◦ Memorable word/picture
  ◦ Device for OTP or authenticator app
  ◦ Fingerprint
  ◦ Voice
  ◦ Facial recognition
  ◦ Ear print
  ◦ Signature
• Some we can capture with customer consent but without customer input
  ◦ Device information including UID, virus status, security apps
  ◦ Location
  ◦ Typing pattern analysis
  ◦ Pointing device pattern analysis
  ◦ Gait analysis
  ◦ Device location history
  ◦ Device usage history
  ◦ Device proximity
  ◦ Network connectivity

We own cyber security
• We are the experts
• Expecting the customer to be aware of and up-to-date with cyber security is not feasible
• We can guide them to a more secure experience
• BYOD, Cloud, SaaS and IDaaS change the traditional security perimeter; we need to secure from endpoint through to data sources
• Big data offers a valuable resource for identifying threats in both real-time and post-event analysis
• Understanding device vulnerability is critical

Make the transaction digital
• The risk model dictates
  ◦ The authentication required
  ◦ The data shown on the screen
  ◦ The transactions available
  ◦ The action to take
• Risk models change, products change, security models change, and they need to be designed flexibly
• Use rules-based workflow
• Use dynamic screens to show only the data applicable to the risk model AND the authentication level
• It's not a standalone design; include it in both the UX and security design.

Let’s step through some examples
Registration
[Flow diagram; boxes in extracted order: Enter personal details; Create username; Create Password; Create multi-factor; Validate and verify personal details; Validate username; Validate Password; Create multi-factor; Create baseline credentials]

Authentication to view a balance
[Flow diagram; boxes in extracted order: Enter Username; Validate Username; Validate Credentials; View balance; Assess Risk; Select View Balance; Valid Credentials?; Invalid credential process]

Authentication to view a balance - comparison
[Flow diagram; label: One size fits all; boxes in extracted order: Enter Username; Validate Username; Validate Credentials; View balance; Assess Risk; Select View Balance; Valid Credentials?; Invalid credential process; Enter Username; Enter password; Enter 2nd Factor; Select View Balance]

Authentication to view a balance – new device
[Flow diagram; boxes in extracted order: Enter Username; Validate Username; Validate Credentials; View balance; Request Additional Credential; Enter additional credential; Valid Credential?; Assess Risk; Select Balance; Validate Credentials]

Authentication to pay an existing payee
[Flow diagram; boxes in extracted order: Enter Username; Validate Username; Validate Credentials; Enter Payment details; Request Additional Credential; Enter additional credential; Valid Credential?; Assess Risk; Select Payment; Validate Credential; Confirm Payment; Risk Process; Credentials process; Risk Acceptable?]

Authentication to pay a new payee
[Flow diagram; boxes in extracted order: Enter Username; Validate Username; Validate Credentials; Enter Payment details; Request Additional Credential; Enter additional credential; Valid Credential?; Assess Risk; Select Payment; Validate Credential; Confirm Payment; Credentials process; Risk Acceptable?; Enter additional credential; Validate Credential]

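The four example journeys (view balance, view balance on a new device, pay an existing payee, pay a new payee) and the "risk model dictates the authentication required" slide can be expressed as a small rules engine. This is an added example, not part of the original deck; the risk scores, factor weights, signal names and the 500.0 usage threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed assurance points for factors captured at registration.
FACTOR_POINTS = {"password": 1, "otp": 2, "fingerprint": 2}
# Assumed base risk per transaction: viewing data < moving value.
BASE_RISK = {"view_balance": 1, "pay_existing_payee": 2, "pay_new_payee": 4}


@dataclass
class Signals:
    """Signals captured with consent but without customer input."""
    known_device: bool = True
    usual_location: bool = True
    amount: float = 0.0
    usual_max_amount: float = 500.0  # constructed value from usage history


@dataclass
class Session:
    username_valid: bool
    enrolled: tuple                              # factors created at registration
    verified: set = field(default_factory=set)   # factors validated so far


@dataclass
class Decision:
    action: str          # allow | step_up | risk_process | invalid_credential_process
    request: tuple = ()  # additional credentials to ask for on step_up


def assess_risk(transaction, signals):
    """Base risk of the transaction plus one point per anomalous signal."""
    score = BASE_RISK[transaction]
    score += 0 if signals.known_device else 1
    score += 0 if signals.usual_location else 1
    score += 1 if signals.amount > signals.usual_max_amount else 0
    return score


def current_assurance(session, signals):
    """A recognised device is a passive credential; verified factors add to it."""
    passive = 1 if signals.known_device else 0
    return passive + sum(FACTOR_POINTS[f] for f in session.verified)


def decide(transaction, session, signals):
    """Ask for just enough additional credentials to cover the risk gap."""
    if not session.username_valid:
        return Decision("invalid_credential_process")
    gap = assess_risk(transaction, signals) - current_assurance(session, signals)
    if gap <= 0:
        return Decision("allow")
    # Strongest factors first, so the customer provides as few inputs as possible.
    available = [f for f in session.enrolled if f not in session.verified]
    available.sort(key=lambda f: FACTOR_POINTS[f], reverse=True)
    request = []
    for factor in available:
        if gap <= 0:
            break
        request.append(factor)
        gap -= FACTOR_POINTS[factor]
    if gap > 0:
        # Enrolled factors cannot cover the risk: hand over to the risk process.
        return Decision("risk_process")
    return Decision("step_up", tuple(request))


def run_examples():
    """Replay the deck's journeys with constructed sample inputs."""
    factors = ("password", "otp", "fingerprint")
    cases = {
        "view balance": ("view_balance", Session(True, factors), Signals()),
        "view balance, new device": (
            "view_balance", Session(True, factors), Signals(known_device=False)),
        "pay existing payee": (
            "pay_existing_payee", Session(True, factors), Signals(amount=50.0)),
        "pay new payee": (
            "pay_new_payee", Session(True, factors), Signals(amount=50.0)),
    }
    return {name: decide(*args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, decision in run_examples().items():
        print(f"{name}: {decision.action} {decision.request}")
```

Calling `decide` again after a requested factor has been added to `Session.verified` returns `allow`, which is how authentication can happen mid-journey rather than only at login.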
In summary
• Throw away the one-size-fits-all authentication
• Take the burden from the customer
• Use risk-based rules to determine how and when to authenticate
• Authentication can take place anywhere in the customer journey
• Authenticate internal and external users in the same way
• Own the cyber security responsibility

Questions?
Diane.Joyce@matakitegroup.com
@kiwiIDgal
 

Just Enough Authentication

  • 1. Just Enough Authentication Making the authentication journey frictionless Diane Joyce Matakite
  • 2. A bit about me Programmer Analyst/Programmer Project Manager System Designer Architect – Integration/ Solution/ Enterprise Identity Consultant Diane Joyce - Matakite 2
  • 3. Just enough authentication
      - With Big Data, smart devices and the rapid evolution of biometrics, the current one-size-fits-all authentication model should be dead.
      - In today's digital world the customer has high expectations and low brand loyalty; the winner is always the organisation that makes it easy but retains the security.
      - Sometimes referred to as Frictionless or Zero Touch authentication, I think of it as ‘just enough authentication’ to avoid risk whilst retaining the customer; it could also be referred to as Just in Time Authentication.
      - Remove or minimise the inputs a customer needs to provide to authenticate themselves
      - Apply a risk-based model to determine when to apply additional authentication
      - Authentication now becomes a key part of the UX journey and not a bolt-on at the front
  • 4. Risk Based Authentication Principles
      - Aim for as little customer input as possible
      - Throw away the concept of one-size-fits-all authentication
      - Determine the risk model on a transactional basis
      - We own cyber security, not the customer
      - Redesign your transactions to be flexible
      - Use the same model for internal and external authentications
  • 5. As little data input as possible
      - Aim to have the customer only provide credential information as and when needed
      - The less that is provided, the less there is to be compromised
      - Don’t always use the same credential sets
      - Have lots of options and mix them up
      - Use point and click as much as possible
  • 6. Categorise the risk
      - Could be data, could be value
      - If you steal my name and address from a website, not so great, but this data is pretty freely available
      - If you steal my name, address and DOB, I’m a bit more concerned, but this data is still quite freely available
      - If you steal ALL my login credentials and, like 80% of people, I used the same passwords on various sites, then I’m concerned
      - If you lock me out of my account when I need it, I’m annoyed
      - If you steal my money, now I’m unhappy
  • 7. Create multifactor authentication tokens at registration
      - Don’t restrict this to 2 factor, capture as much as possible
      - Some is provided by the customer
          - Password
          - Memorable word/picture
          - Device for OTP or authenticator app
          - Fingerprint
          - Voice
          - Facial recognition
          - Ear print
          - Signature
      - Some we can capture with customer consent but without customer input
          - Device information including UID, virus status, security apps
          - Location
          - Typing pattern analysis
          - Pointing device pattern analysis
          - Gait analysis
          - Device location history
          - Device usage history
          - Device proximity
          - Network connectivity
  • 8. We own cyber security
      - We are the experts
      - Expecting the customer to be aware of and up to date with cyber security is not feasible
      - We can guide them to a more secure experience
      - BYOD, Cloud, SaaS and IDaaS change the traditional security perimeter; we need to secure from the endpoint through to the data sources
      - Big data offers a valuable resource for identifying threats in both real-time and post-event analysis
      - Understanding device vulnerability is critical
  • 9. Make the transaction digital
      - The risk model dictates
          - The authentication required
          - The data shown on the screen
          - The transactions available
          - The action to take
      - Risk models change, products change and security models change, so they need to be designed flexibly
      - Use rules-based workflow
      - Use dynamic screens to show only the data applicable to the risk model AND the authentication level
      - It’s not a standalone design; include it in both the UX and security design.
  • 10. Let’s step through some examples
  • 12. Authentication to view a balance
      - Flowchart (box labels): Enter Username; Validate Username; Validate Credentials; View balance; Assess Risk; Select View Balance; Valid Credentials?; Invalid credential process
  • 13. One size fits all Authentication to view a balance - comparison
      - Flowchart (box labels): Enter Username; Validate Username; Validate Credentials; View balance; Assess Risk; Select View Balance; Valid Credentials?; Invalid credential process; Enter Username; Enter password; Enter 2nd Factor; Select View Balance
  • 14. Authentication to view a balance – new device
      - Flowchart (box labels): Enter Username; Validate Username; Validate Credentials; View balance; Request Additional Credential; Enter additional credential; Valid Credential?; Assess Risk; Select Balance; Validate Credentials
  • 15. Authentication to pay an existing payee
      - Flowchart (box labels): Enter Username; Validate Username; Validate Credentials; Enter Payment details; Request Additional Credential; Enter additional credential; Valid Credential?; Assess Risk; Select Payment; Validate Credential; Confirm Payment; Risk Process; Credentials process; Risk Acceptable?
  • 16. Authentication to pay a new payee
      - Flowchart (box labels): Enter Username; Validate Username; Validate Credentials; Enter Payment details; Request Additional Credential; Enter additional credential; Valid Credential?; Assess Risk; Select Payment; Validate Credential; Confirm Payment; Credentials process; Risk Acceptable?; Enter additional credential; Validate Credential
  • 17. In summary
      - Throw away the one-size-fits-all authentication
      - Take the burden from the customer
      - Use risk-based rules to determine how and when to authenticate
      - Authentication can take place anywhere in the customer journey
      - Authenticate internal and external users in the same way
      - Own the cyber security responsibility
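
The rules-based workflow from slide 9 and the step-up flows in slides 12 to 16, sketched as an added Python example that is not part of the original deck. The risk weights, tier thresholds, factor names and function names are all assumptions chosen for illustration; the deck gives no numeric values.

```python
"""Added illustration of a rules-based step-up decision; all weights,
thresholds and names are assumptions, not values from the slides."""
from dataclasses import dataclass, field

# Base risk per transaction (constructed values).
TXN_RISK = {"view_balance": 10, "pay_existing_payee": 40, "pay_new_payee": 70}
# Passive signals captured without customer input; each mismatch adds risk.
SIGNAL_RISK = {"known_device": 30, "usual_location": 15, "typing_match": 15}
# (maximum score, explicit factors required) from lowest to highest tier.
TIERS = [(30, 0), (60, 1), (100, 2)]
REFER_ABOVE = 100  # beyond this score, hand off to the risk process


@dataclass
class Session:
    registered: list                             # factors captured at registration
    verified: set = field(default_factory=set)   # factors already proven this session
    signals: dict = field(default_factory=dict)  # passive signal -> matched?


def risk_score(txn: str, signals: dict) -> int:
    """Transaction base risk plus a penalty for every failed or missing signal."""
    penalty = sum(w for name, w in SIGNAL_RISK.items() if not signals.get(name, False))
    return TXN_RISK[txn] + penalty


def decide(txn: str, s: Session) -> dict:
    """Return the action for this transaction: allow, step_up or refer."""
    score = risk_score(txn, s.signals)
    if score > REFER_ABOVE:
        return {"action": "refer", "score": score, "request": []}
    needed = next(n for limit, n in TIERS if score <= limit)
    missing = needed - len(s.verified)
    if missing <= 0:
        return {"action": "allow", "score": score, "request": []}
    # Ask only for factors not yet used in this session.
    options = [f for f in s.registered if f not in s.verified]
    if len(options) < missing:
        return {"action": "refer", "score": score, "request": []}
    return {"action": "step_up", "score": score, "request": options[:missing]}
```

Because `decide` is evaluated per transaction rather than once at login, a factor verified earlier in the session counts toward later, riskier transactions, so the customer is only asked for the difference.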