9697 aatf sb_0808


Published in: Technology

  1. RSA Adaptive Authentication
     Offering Multiple Ways to Provide Strong Two-Factor Authentication to End Users
     RSA Solution Brief
  2. The state of passwords today is similar to that of the horse and buggy at the turn of the 19th century. With the advent of the automobile, the reliable and ubiquitous horse and buggy soon became obsolete. Today, the environment is such that organizations are realizing that passwords must also give way to stronger, more effective solutions. In their place, strong authentication is becoming the de facto standard for assuring user identities in the online world. RSA® Adaptive Authentication is at the forefront of this trend by offering a strong authentication solution that not only adds a layer of security on top of existing username and password systems, but does so in a way that is convenient for the end user.

     The Basics of Strong Authentication

     Strong authentication is also commonly referred to as two-factor authentication or multi-factor authentication. This alludes to the fact that there is more than one factor, or proof, needed in order for an authentication to be made. Some factors include:

     – What a user knows (i.e., a password or challenge question)
     – What a user has (i.e., a security token or mobile phone)
     – What a user is (i.e., a biometric device)
     – What a user does (i.e., patterns of behavior)

     When only one factor is utilized to authenticate a user, it is considered to be a weak form of authentication. Multi-factor authentication may include multiple types of the same authentication method (for example, two static passwords) but would not necessarily be considered strong authentication.

     The Basics of RSA Adaptive Authentication

     RSA Adaptive Authentication is a comprehensive authentication and risk management platform offering numerous authentication options and providing cost-effective protection for entire groups of users. At its core, Adaptive Authentication is designed to determine when to visibly authenticate users and what type of authentication method to use. These decisions are based on risk levels, institutional policies, and customer segmentation.

     Adaptive Authentication combats existing and emerging fraud trends by analyzing device identification data, behavioral profiles, activity patterns, RSA eFraudNetwork™ feeds, multi-channel threat indicators, and fraud intelligence, all integrated into a single platform that is constantly evolving to reflect ongoing changes in the fraud landscape. Adaptive Authentication is currently deployed at over 8,000 organizations worldwide and has processed and protected over 20 billion activities to date.

     The key benefits of Adaptive Authentication include:

     – Superior user experience (lowest impact on genuine users and highest fraud detection rates)
     – Numerous authentication methods with customizable risk and authentication policies
     – Strong and convenient protection against malware that can be deployed invisibly and flexibly
     – The ability to protect across multiple channels including the online and mobile channels and the IVR/Call Center
     – A proven solution deployed at over 8,000 organizations and protecting more than 150 million users worldwide

     RSA Adaptive Authentication: Multi-factor Authentication

     – Something you have: Device identification
     – Something you are/do: Behavioral profile
     – Something you know: Username and password (not managed by RSA Adaptive Authentication)
  3. Adaptive Authentication Meets the Requirement for Multi-factor Authentication

     Traditionally, security solutions meet the requirement for two-factor authentication by requiring users to provide a username and password and an additional credential, such as a one-time password or smart card, every time they access their account information online. However, when using Adaptive Authentication, organizations utilize a risk-based approach that only visibly authenticates users when they exceed a given risk threshold (pre-determined by the organization). If most users are being authenticated behind the scenes, does that still meet the standard of strong authentication? The answer is yes.

     Something the User Has

     RSA Adaptive Authentication always uses a second factor even though the initial authentication is performed transparently to the user. When necessary, RSA performs several authentication procedures behind the scenes, including invisible device identification. If a user's device is positively identified and associated with the user (and not with fraudulent use), then the user is considered authenticated. In this case, the device being used to request access is the second factor in strong authentication – "something you have."

     Adaptive Authentication can conduct device identification by fingerprinting the user's device. Device fingerprinting consists of tracking device characteristics that are a natural part of any device such as HTTP headers, operating system versions, browser version, languages, and time zone. Furthermore, device fingerprinting actively introduces additional identifiers with the simple addition of a cookie and/or a flash shared object (also referred to as "flash cookie") which can then serve as a more unique identifier of the device.

     When a user's identity is not positively assured via device authentication, they are challenged using a variety of methods including:

     – Challenge questions: Something the user knows
     – Knowledge-based questions: Out-of-wallet versions of something the user knows
     – Out-of-band phone authentication: Something the user has
     – One-time passwords (via SMS, e-mail, token): Something the user has

     By authenticating a user with one of these other methods, the device will be established as a "trusted" device in the future.

     [Figure: Real-time risk assessment and policy settings. Low risk (majority): continue. High risk (minority): out-of-band, knowledge-based, one-time password.]

     The RSA Adaptive Authentication solution offers sophisticated risk analytics to ensure a low challenge rate and years of fine tuning and experience help create a high completion rate and an excellent user experience.
  4. Something the User Does

     When thinking about the factor "something you are," one usually thinks of biometrical measurements, such as a fingerprint or iris scan, as the authentication method. However, a user's behavioral pattern – what they typically do – can also be considered a version of "something the user is" or in this case, "something the user does."

     Examining factors such as the type of transaction or online activity, login time, IP-geo location, and transaction volume can help establish a typical behavioral profile for a given user. If something appears to be out of the user's normal pattern of behavior based on the established profile of past activities, then they can be challenged visibly with methods such as challenge questions or out-of-band phone authentication. However, if the user's pattern of behavior and device fingerprint match, then authentication will continue behind the scenes and the user will continue uninterrupted.

     Something the User Knows

     Adaptive Authentication is designed to allow for complete anonymity and protect the privacy of the end users being authenticated by the system. The system does not ever know the user's name or password; this should be asked for and stored by the deploying organization. The username and password combination is the first factor – "what you know" – and becomes multi-factor when combined with Adaptive Authentication.

     Conclusion

     RSA Adaptive Authentication offers strong authentication by providing a layer of security in addition to something the user knows – their username and password. Even though a majority of authentication requests are conducted transparently to the user, Adaptive Authentication still provides strong multi-factor authentication. Invisible device identification determines what the user has – their device – while behavior analysis determines what a user is or does. The combination of these factors creates a solution that offers strong authentication and maximum convenience to the end user.

     RSA is your trusted partner

     RSA, The Security Division of EMC, is the premier provider of security solutions for business acceleration, helping the world's leading organizations succeed by solving their most complex and sensitive security challenges. RSA's information-centric approach to security guards the integrity and confidentiality of information throughout its lifecycle – no matter where it moves, who accesses it or how it is used.

     RSA offers industry-leading solutions in identity assurance & access control, data loss prevention, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.

     ©2008 RSA Security Inc. All Rights Reserved. RSA, RSA Security, eFraudNetwork and the RSA logo are either registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. EMC is a registered trademark of EMC Corporation. All other products and services mentioned are trademarks of their respective companies.

     AATF SB 0808
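
The risk-based flow the brief describes (device fingerprint plus behavioral profile, a visible challenge only above a risk threshold, and a passed challenge establishing the device as trusted) can be sketched as follows. This is an added illustration, not RSA's implementation or code from the brief; the weights, the threshold, the exact-hash fingerprint and all sample data are assumptions.

```python
import hashlib

# Device characteristics the brief lists, plus the cookie it adds as an identifier.
FP_FIELDS = ("user_agent", "os_version", "browser_version", "languages",
             "time_zone", "cookie_id")
# Assumed weights and threshold; a real deployment tunes these per policy.
WEIGHTS = {"unknown_device": 50, "unusual_geo": 25, "unusual_hour": 10,
           "unusual_amount": 25}
THRESHOLD = 40

def device_fingerprint(device):
    """Hash the canonicalised attributes; any changed attribute changes the hash."""
    canon = "\n".join(f"{k}={device.get(k, '')}" for k in FP_FIELDS)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def risk_score(profile, req):
    """Sum the weights of every signal that deviates from the stored profile."""
    signals = {
        "unknown_device": device_fingerprint(req["device"]) not in profile["trusted_devices"],
        "unusual_geo": req["geo"] not in profile["usual_geos"],
        "unusual_hour": req["hour"] not in profile["usual_hours"],
        "unusual_amount": req["amount"] > 3 * profile["typical_amount"],
    }
    return sum(WEIGHTS[name] for name, hit in signals.items() if hit)

def decide(profile, req):
    """Continue invisibly unless the score exceeds the threshold."""
    score = risk_score(profile, req)
    return ("challenge" if score > THRESHOLD else "continue", score)

def record_challenge(profile, req, passed):
    """A passed challenge establishes the device as trusted for future requests."""
    if passed:
        profile["trusted_devices"].add(device_fingerprint(req["device"]))
    return passed

# Constructed sample data (not from the brief).
HOME = {"user_agent": "ExampleBrowser/3.0", "os_version": "ExampleOS 5.1",
        "browser_version": "3.0", "languages": "en-US", "time_zone": "-05:00",
        "cookie_id": "c-1001"}
OTHER = dict(HOME, os_version="ExampleOS 6.0", time_zone="+02:00", cookie_id="")

def sample_profile():
    return {"trusted_devices": {device_fingerprint(HOME)}, "usual_geos": {"US"},
            "usual_hours": set(range(7, 23)), "typical_amount": 200.0}

if __name__ == "__main__":
    p = sample_profile()
    print(decide(p, {"device": HOME, "geo": "US", "hour": 9, "amount": 150.0}))
    print(decide(p, {"device": OTHER, "geo": "FR", "hour": 3, "amount": 5000.0}))
```

Because the fingerprint here is an exact hash, any attribute change (a browser upgrade, a cleared cookie) makes a known device look new and triggers a challenge, which is the trade-off between challenge rate and assurance that the policy threshold controls.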