If your online site, service or app authenticates large groups of external consumers, you face a daunting challenge: first, provide enough security at the right time in the user’s journey to stop account takeovers and exploits; second, provide a rewarding, friction-free user experience. We'll discuss how device intelligence provides risk insight that drives the “right” adaptive multifactor authentication at the right time, with examples of customers in retail, finance and gaming achieving this balance today.
Gartner IAM Summit 2017 | Critical Insight: How Device Insight Drives Dynamic MFA
1. CRITICAL INSIGHT
HOW “DEVICE RISK” DRIVES DYNAMIC MFA
GARTNER IAM SUMMIT, 2017
MICHAEL THELANDER / SR DIRECTOR PRODUCT MARKETING
2.
MICHAEL THELANDER
SENIOR DIRECTOR PRODUCT MARKETING, IOVATION
CISSP-trained through SANS with experience in configuration security and authentication
25 years in product management and product marketing, with the last 10 focused on cyber security
Articles have appeared in IT Professional Magazine, ITSP Magazine, CyberDefense Magazine, and SoftwareCEO.com
Currently drives go to market initiatives at iovation
3.
A form of ocean-going rainbow trout
Moves between fresh water and sea water
Adapts chemically and physiologically several times
Faces different risks at different times
4.
A STORY
THE PROMISED LAND OF MFA
ADAPTING TO DEVICE RISK
ADAPTING TO ACCESS RISK
TAKEAWAYS (AND A FREE BOOK)
8.
MOBILE MULTIFACTOR AUTHENTICATION
STRONG AND FLEXIBLE AUTHENTICATION
Something you KNOW
Something you ARE
Identity verified
9.
MOBILE MULTIFACTOR AUTHENTICATION
STRONG AND FLEXIBLE AUTHENTICATION
Something you KNOW
Something you ARE
Something you HAVE
13.
THE DNA OF A DEVICE
(A NOTE ON “MFA OMNICHANNEL”)
14.
THE DNA OF A DEVICE
HUNDREDS OF DEVICE ATTRIBUTES COMBINE TO CREATE A DIGITAL FINGERPRINT
15.
WiFi (or Bluetooth) MAC Address
Network configuration
iOS Device Model
Battery level / AC mode
Device orientation
File system size
Physical memory
Number attached accessories
Has proximity sensor?
Screen brightness and resolution
System uptime
iOS Device Name (MD5 Hash)
OS Name and/or version
Device advertising UUID
Kernel version
iCloud Ubiquity Token
Application Vendor UUID /name/vers
Is Simulator?
THE DNA OF A DEVICE
HUNDREDS OF DEVICE ATTRIBUTES COMBINE TO CREATE A DIGITAL FINGERPRINT
Locale language / currency code
WiFi MAC Address
Bluetooth MAC Address
Network configuration
Is plugged in?
Device orientation
File system size
Physical memory
CPU Type
CPU count
CPU Speed
Screen brightness
Screen resolution
System uptime
iOS Device Name (MD5 Hash)
Device advertising UUID
Current latitude
Current longitude
Current altitude
Application Vendor UUID
Bundle ID
Application Version
Application name
Process name
Executable name
Application orientation
Locale language code
Locale currency code
Are location services enabled?
Time zone
Currently registered radio technology
Carrier name
Carrier ISO country code
Carrier mobile country code
Carrier mobile network code
Does carrier allow VOIP?
The attributes that let us recognize a device also allow us to see and respond to risk
16.
RISK INSIGHT FROM THE USER’S DEVICE
Evidence | Device & Age | Risk Profile | Geolocation | Anomaly | Watch Lists | Velocity
ISP Watch List
Transactions per Account
Timezone / Geo Mismatch
Subscriber Evidence Exists
Transaction Amount Range
Geolocation Mismatch
Device new to Subscriber
IP Address Range List
Global Trans Device Velocity
Device Not Provided
Evidence Exists
Billing/Shipping Mismatch
Proxy In Use
New Device, Existing Acct
Email Domain List
Countries Per Acct or Device
Suspect Device Data
IP Address Risk
Country List
Age of the Association
Browser Language
Trans per IP/Device/Acct
TOR Exit Node IP
Device Risk (Local or Global)
Mobile Carrier Country List
Registered Acct/Dev Pair
ISP Organization List
$S Value per Device or Acct
VM in Use
Language and Country Risk
IP Address Distance
Device Type List
Devices per Account
Mobile Emulator Detected
Jailbreak/Root Detected
IP Address Mismatch
Accts (Created) per Device
ISP Mismatch
POSITIVE RULES TRIGGERED
NEGATIVE RULES TRIGGERED
17.
RISK INSIGHT FROM THE USER’S DEVICE
+1000
POSITIVE RULES TRIGGERED
NEGATIVE RULES TRIGGERED
18.
RISK INSIGHT FROM THE USER’S DEVICE
POSITIVE RULES TRIGGERED
NEGATIVE RULES TRIGGERED
+200
Watch Lists | Velocity
ISP Watch List
Transactions per Account
IP Address Range List
Global Trans Device Velocity
Email Domain List
Countries Per Acct or Device
Browser Language
Trans per IP/Device/Acct
ISP Organization List
$S Value per Device or Acct
Device Type List
Devices per Account
19.
RISK INSIGHT FROM THE USER’S DEVICE
POSITIVE RULES TRIGGERED
NEGATIVE RULES TRIGGERED
0
Watch Lists | Velocity
ISP Watch List
Transactions per Account
IP Address Range List
Global Trans Device Velocity
Email Domain List
Countries Per Acct or Device
Browser Language
Trans per IP/Device/Acct
ISP Organization List
$S Value per Device or Acct
Device Type List
Devices per Account
Watch Lists
ISP Watch List
IP Address Range List
Email Domain List
Browser Language
ISP Organization List
Device Type List
PIN +
20.
RISK INSIGHT FROM THE USER’S DEVICE
POSITIVE RULES TRIGGERED
NEGATIVE RULES TRIGGERED
-1000
Watch Lists | Velocity
ISP Watch List
Transactions per Account
IP Address Range List
Global Trans Device Velocity
Email Domain List
Countries Per Acct or Device
Browser Language
Trans per IP/Device/Acct
ISP Organization List
$S Value per Device or Acct
Device Type List
Devices per Account
Watch Lists
ISP Watch List
IP Address Range List
Email Domain List
Browser Language
ISP Organization List
Device Type List
Watch Lists
Device Type List
Call Customer Service
22.
The Customer Journey
NAVIGATION AND INTERACTION POINTS
RISK
Where the “risk bar” is typically set
Where the majority of interactions occur