CIS14: Continuous Authentication: Don’t Even Think about It

Scaling Authen.ca.on

Policy

Persistent Authen.ca.on

Mobile AuthN Pla7orm

Mance Harmon Head of Labs

Josh Alexander CEO

Karl Mar.n CEO

CONTINUOUS AUTHENTICATION DON’T EVEN THINK ABOUT IT!

Copyright © 2013 Ping Identity Corp. All rights reserved. 2

Mance Harmon Head of Labs

The Smartphone: An Authentication Platform


What You Know

What You Know

What You Have

Biometrics

What You Have

Biometrics

TREND



What You Know

What You Have

Biometrics Addi.onal Iden.fying Data Items •  Geoloca.on •  IP address •  Opera.ng System •  User Agent Model / Version •  Session Cookie •  User Data:

•  Contacts List •  Music Library

•  Usage PaSerns: •  Time of Day •  Frequency of Access

•  100s more ….



PASSIVE

An Authentication Taxonomy AC

TIVE

Passwords

KBA OTP

Physical Keys

USB Token

Fingerprint

PIN

CONTINUOUS CONTEXT

DIRECT INDIRECT


EKG Monitoring

Keystroke Dynamics

Voice Print Walking Gait GeolocaJon

User-‐Agent Version

IP Address

UID

Session Cookie

-‐ Time of Day -‐ Frequency

Behavioral Stats Face Scan

User Authentication: Reducing Risk


Time

Risk

IniJal Login

Cookie Expiry: 3 hours

Resource Threshold

Re-‐AuthN

8am

0

100

40

11am 2pm 5pm

Continuous Authentication


Time

Risk

IniJal Login

Resource Threshold

Repeated sampling of Passive factors (Context and ConJnuous)

0

100

40

GOAL: Improve Security AND Convenience

AuthN Policy: The Traditional Approach


AuthN Methods Resources Gmail

Box

Concur

SalesForce

Splunk

Basecamp

VPN

Finance DB

Password Hard Token

Fingerprint

Geoloca.on IP address

Session Cookie

UID

User Agent Version

Time of Day

Login Frequency

OS Version

AuthN Policy: Risk-Based Authentication



Box

Concur

SalesForce

Splunk

Basecamp

VPN

Finance DB

Password Hard Token

Fingerprint


Session Cookie

UID

User Agent Version

Time of Day

Login Frequency

OS Version

Risk Score

AuthN Policy: Threat-Based Authentication



Box

Concur

SalesForce

Splunk

Basecamp

VPN

Finance DB

Password Hard Token

Fingerprint


Session Cookie

UID

User Agent Version

Time of Day

Login Frequency

OS Version

Threat Cat -‐ A

Threat Cat -‐ B

Threat Cat -‐ C

Threat Cat -‐ D

Threat Cat -‐ E

Vulnerability Mi.ga.on

AuthN Policy: Threat-Based Authentication



Box

Concur

SalesForce

Splunk

Basecamp

VPN

Finance DB

Password Hard Token

Fingerprint


Session Cookie

UID

User Agent Version

Time of Day

Login Frequency

OS Version

Threat Cat -‐ A

Threat Cat -‐ B

Threat Cat -‐ C

Threat Cat -‐ D

Threat Cat -‐ E

Vulnerability Mi.ga.on

Risk-Based Authentication •  “Risk Score”

–  Assumes a broad, general THREAT – the world is generally antagonistic

–  The “Risk Score” is the same for all ASSETS

–  For a given ASSET, there is coarse-grain expression of VULNERABILITY to the general threat (“Risk” Threshold)


Calculating Risk

Threat-Based Authentication •  Risk is calculated based on

–  A specific ASSET –  A specific THREAT –  How VULNERABLE the ASSET is

to a specific THREAT

–  To what degree the AuthN methods reduce probability of success for the specific THREAT

Risk = AuthN Results + Asset + Threat + Vulnerability “Risk” = AuthN Results

Threat-Based Authentication: Benefits


• SCALE – easy to add new Resources and Authentication Methods

• SECURITY – directly addresses known Threats, chooses authN methods appropriately

• CONVENIENCE – minimizes Active authentication

Technology

CIS14: Continuous Authentication: Don’t Even Think about It