Intelligent Authentication The Value of Combining Strong & Risk-based Authentication Carole Gunst and Charley Chell, CA Technologies


DESCRIPTION

This presentation created by Carole Gunst and Charley Chell from CA Technologies explains the value of combining both strong and risk-based authentication methods as part of an intelligent authentication solution. Learn more about CA Advanced Authentication at http://www.ca.com/us/securecenter/ca-advanced-authentication.aspx

Citation preview

Page 1: Intelligent Authentication

Intelligent Authentication

The Value of Combining Strong & Risk-based Authentication

Carole Gunst and Charley Chell, CA Technologies

Page 2: Intelligent Authentication


© 2014 CA. All rights reserved.

Business challenges

Protect user identity from online attacks
– In 2013, there was a 91% increase in targeted attacks [1]
– In 2013, there was a 62% increase in data breaches [1]

Provide security for mobile devices
– In 2008, the number of Internet-connected devices first outnumbered the human population. [2]

Comply with industry regulations
– Sarbanes Oxley Act (SOX)
– Health Insurance Portability and Accountability Act (HIPAA)
– Federal Financial Institutions Examination Council (FFIEC)
– Payment Card Industry (PCI)

[1] 2014 Internet Threat Security Report, Symantec
[2] The Internet of Things Will Thrive by 2025, Pew Research, 2014

Page 3: Intelligent Authentication

Strong Authentication

Page 4: Intelligent Authentication


Challenges with traditional credentials

Passwords are weak

• Susceptible to phishing

• Often guessable

• Can be reused

• Available for sale

Questions & Answers are easy to figure out

• Information becoming readily available

Hardware tokens

• Easy to lose

• Expensive to administer

Top 10 Most Used Passwords of 2013

1. 123456
2. password
3. 12345678
4. qwerty
5. abc123
6. 123456789
7. 111111
8. 1234567
9. iloveyou
10. adobe123

Source: SplashData

Page 5: Intelligent Authentication


You use strong authentication today

Page 6: Intelligent Authentication


What is strong authentication?

• Strong authentication is a method that makes it more difficult to impersonate an actual user, because multiple disjoint pieces of information need to be assembled in order to succeed.

• Strong authentication is also called two-factor authentication or multi-factor authentication.

• Factors are commonly categorized as:

Something you know (examples: password, PIN, Q&A)

Something you have (examples: mobile phone, key fob)

Something you are (examples: fingerprint, retina scan)

Page 7: Intelligent Authentication


What (else) is strong authentication?

There are a number of emerging categories as well:

Where you are (example: IP or satellite geo-location)

Who you know (example: social network)

What you’re doing (example: behavioral profiling)

Page 8: Intelligent Authentication

Risk-based Authentication

Page 9: Intelligent Authentication


What is risk-based authentication?

Risk-based authentication:

• Judges whether the user is who they say they are

• Determines the correct (or minimum) credential requirements based on an assessment of the user and request in the context of the available history

• Is typically coupled with a portfolio of credentials

Page 10: Intelligent Authentication


Risk-based authentication

Context provides key data for judging identity

Where is the user?
• Is the location inherently suspect?
• Is the connection consistent with device type?
• Is the IP a known anonymizer?

Which system or device is being used?
• What kind of device is it?
• Has this device been used before?
• Has the device changed since it was last used?

What is the user trying to do?
• Is this a requested action?
• Is the action inherently risky?
• Have similar actions taken place before?

Is behavior consistent?
• Is this a normal time of day?
• Is frequency of login abnormal?
• Is current behavior consistent with prior behavior?
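
The context questions above, turned into a credential decision. This is an added example, not part of the presentation and not CA Advanced Authentication's implementation; the signal names, weights, thresholds and sample data are assumptions chosen for illustration.

```python
import math
from datetime import datetime

# Weights and thresholds are assumptions for this example, not values from the slides.
WEIGHTS = {"anonymizer_ip": 40, "new_device": 25, "device_changed": 15,
           "impossible_travel": 40, "unusual_hour": 10, "risky_action": 20}
MAX_KMH = 900            # implied speed above this between two logins is "impossible travel"
STEP_UP, DENY = 30, 80   # score thresholds for asking for a second factor / refusing

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))

def assess(req, hist):
    """Score one request against the user's history; return (score, reasons, decision)."""
    reasons = []
    if req["ip"] in hist["anonymizer_ips"]:            # Where is the user?
        reasons.append("anonymizer_ip")
    known_fp = hist["devices"].get(req["device_id"])   # Which device is being used?
    if known_fp is None:
        reasons.append("new_device")
    elif known_fp != req["fingerprint"]:
        reasons.append("device_changed")
    hours = (req["time"] - hist["last_time"]).total_seconds() / 3600
    if hours > 0 and km_between(hist["last_geo"], req["geo"]) / hours > MAX_KMH:
        reasons.append("impossible_travel")            # geo-velocity check
    if req["time"].hour not in hist["usual_hours"]:    # Is behavior consistent?
        reasons.append("unusual_hour")
    if req["action"] in hist["risky_actions"]:         # What is the user trying to do?
        reasons.append("risky_action")
    score = sum(WEIGHTS[r] for r in reasons)
    decision = "deny" if score >= DENY else "step_up" if score >= STEP_UP else "password_only"
    return score, reasons, decision

# Constructed sample data (documentation IP ranges, made-up device ids).
BOSTON, LONDON = (42.36, -71.06), (51.51, -0.13)
HISTORY = {"anonymizer_ips": {"203.0.113.50"}, "devices": {"laptop-1": "fp-a1"},
           "last_time": datetime(2014, 6, 2, 9, 0), "last_geo": BOSTON,
           "usual_hours": range(7, 20), "risky_actions": {"wire_transfer"}}
ROUTINE = {"ip": "198.51.100.7", "device_id": "laptop-1", "fingerprint": "fp-a1",
           "time": datetime(2014, 6, 3, 9, 30), "geo": BOSTON, "action": "view_balance"}
LATE_TRANSFER = dict(ROUTINE, time=datetime(2014, 6, 3, 23, 0), action="wire_transfer")
SUSPECT = {"ip": "203.0.113.50", "device_id": "phone-9", "fingerprint": "fp-zz",
           "time": datetime(2014, 6, 2, 11, 0), "geo": LONDON, "action": "wire_transfer"}
```

The routine request passes on the password alone, the late-night transfer from a known device is asked for a second factor, and the request from an unknown device two hours and an ocean away from the last login is refused.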

Page 11: Intelligent Authentication

CA Advanced Authentication

Page 12: Intelligent Authentication


CA Advanced Authentication

Strong Authentication

• Supports wide variety of credentials
• Integrates with SAML, API, and RADIUS
• Allows for OCRA standard transaction signing
• Provides OOB authentication using one-time passwords (OTPs) delivered via text, voice, or e-mail
• Integrates tightly with web-access management systems

Risk-based Authentication

• Assesses risk using DeviceDNA™ fingerprinting to identify devices
• Captures and analyzes data in real time based on geo-location/velocity checks
• Flags and reports on cases of suspicious activity using a policy-based system

CA Advanced Authentication:

• Combines strong and risk-based authentication
• Offers multi-channel protection
• Secures on-premise, cloud and mobile applications

Page 13: Intelligent Authentication


Advantages of strong, risk-based authentication together

• Provides the appropriate credential for each time and place

• Reduces potential for data breaches

• Helps comply with industry regulations

Page 14: Intelligent Authentication


CA positioned in Leaders’ Quadrant of Gartner 2013 Magic Quadrant for User Authentication*

* Gartner Research, “Magic Quadrant for User Authentication,” by Ant Allen, December 9, 2013.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from CA Technologies.

Page 15: Intelligent Authentication


CA Technologies named a leader in the Forrester Wave™: Risk-Based Authentication, Q1 2012*

* The Forrester Wave™: Risk-based Authentication, Q1 2012; Forrester Research, Inc.; February 22, 2012.

The Forrester Wave is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

Page 16: Intelligent Authentication


Page 17: Intelligent Authentication


Legal Notice

© CA 2014. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only, and does not form any type of warranty.

Page 18: Intelligent Authentication

@casecurity

slideshare.net/CAinc

linkedin.com/company/ca-technologies

ca.com

For more information