Briefly describe the #1 problem you have encountered with implementing Multi-Factor Authentication.

Academic year: 2021


(1)

Polling Question

Briefly describe the #1 problem you have encountered with implementing Multi-Factor Authentication.

- Please type in your response.

(2)

Getting the Facts on Multi-Factor Webinar

Donna Dodson
National Institute of Standards and Technology (NIST)

Kimberly Cahill, NBE, CISA
Bank Information Technology Analyst, Comptroller of the Currency

Gary Greenwald
Managing Director, Cash Management Capabilities and Information Products

(3)

Getting the Facts on Multi-Factor Webinar

Donna Dodson

(4)

E-Authentication Guidance

- OMB 04-04, E-Authentication Guidance for Federal Agencies
  - Defines four levels of assurance in terms of the consequences of authentication errors and misuse of credentials
  - Risk assessment reviewing privacy, inconvenience, damage to reputation, harm to agencies and programs, financial liability, crime, safety
- NIST Special Publication 800-63, Electronic Authentication Guideline
  - Establishes technical requirements to meet four levels of assurance

(5)

Authentication Model

- Local or Remote
- Players
  - Claimants
  - Subscribers
  - Registration Authorities
  - Credential Service Provider
  - Verifiers

(6)

Authentication Elements

- Token – something that the claimant possesses and controls (typically a key or password) used to authenticate the claimant's identity
- Credential – an object that authoritatively binds an identity to a token possessed and controlled by a person
- Assertion – a statement from a verifier to a

(7)

Authentication Factors

- Something you know
  - Typically some kind of password
- Something you have
  - For local authentication typically an ID card
  - For remote authentication typically a cryptographic key
    - "hard" & "soft" tokens
- Something you are
  - A biometric
    - Problematic without supervision
    - Capture can deter fraud even if not checked in authentication process

(8)

Tokens

- Single-factor token – a token that utilizes one of the three factors to achieve authentication. For example, a password is something you know, and can be used to authenticate the holder to a remote system.
- Multi-factor token – a token that utilizes two or more

(9)

Common Types of Tokens

- Memorized secret token
- Pre-registered knowledge token
- Look-up secret token
- Out of band token
- One time password device

(10)

Token Selection Considerations

- Security considerations
  - Single factor vs multifactor vs multitoken
  - Hardware vs software
  - Protocol associations
- Costs
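The slides on factors, tokens and token types describe the verifier's job in the abstract. The following Go program, added here as an illustration and not part of the webinar material, shows a verifier that combines two of the token types listed above: a memorized secret (something you know) and a one-time password device (something you have) implemented as RFC 4226 HOTP. The subscriber record, the look-ahead window of 5 and the salted SHA-256 password hash are assumptions for the example; the OTP secret in main() is the RFC 4226 test-vector key, so the codes it produces can be checked against the RFC.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Subscriber is the verifier-side record for one enrolled user: a salted hash of
// the memorized secret (something you know) and the secret shared with the
// user's one-time-password device (something you have).
type Subscriber struct {
	Name         string
	Salt         []byte
	PasswordHash []byte
	OTPSecret    []byte
	Counter      uint64 // next HOTP counter value the verifier will accept
}

// NewSubscriber enrols a user. The salted SHA-256 is a stand-in for a password
// KDF chosen to keep the example in the standard library; a production verifier
// would use a memory-hard KDF such as scrypt or Argon2.
func NewSubscriber(name, password string, otpSecret []byte) *Subscriber {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return &Subscriber{Name: name, Salt: salt, PasswordHash: hashPassword(salt, password), OTPSecret: otpSecret}
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// Hotp computes an RFC 4226 one-time password: HMAC-SHA1 over the 8-byte
// big-endian counter, dynamic truncation, then reduction to `digits` decimal digits.
func Hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := uint32(sum[offset]&0x7f)<<24 |
		uint32(sum[offset+1])<<16 |
		uint32(sum[offset+2])<<8 |
		uint32(sum[offset+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// checkOTP searches a small look-ahead window so a few unused device presses do
// not lock the user out, and returns the counter that matched. Counters below
// the stored value are never consulted, which rejects replayed codes.
func checkOTP(s *Subscriber, code string, window uint64) (bool, uint64) {
	for c := s.Counter; c < s.Counter+window; c++ {
		if subtle.ConstantTimeCompare([]byte(Hotp(s.OTPSecret, c, 6)), []byte(code)) == 1 {
			return true, c
		}
	}
	return false, 0
}

// Authenticate is the multi-factor check: both factors are evaluated on every
// attempt and the OTP counter is only advanced when the login succeeds, so a
// failed attempt neither reveals which factor was wrong nor burns device codes.
func Authenticate(s *Subscriber, password, code string) bool {
	pwOK := subtle.ConstantTimeCompare(hashPassword(s.Salt, password), s.PasswordHash) == 1
	otpOK, matched := checkOTP(s, code, 5)
	if pwOK && otpOK {
		s.Counter = matched + 1
		return true
	}
	return false
}

func main() {
	// Constructed enrolment; the OTP secret is the RFC 4226 test-vector key.
	alice := NewSubscriber("alice", "correct horse battery", []byte("12345678901234567890"))
	fmt.Println("first device code:", Hotp(alice.OTPSecret, 0, 6)) // 755224
	fmt.Println("login:", Authenticate(alice, "correct horse battery", "755224"))
	fmt.Println("replay:", Authenticate(alice, "correct horse battery", "755224"))
}
```

Two design points matter more than the arithmetic: the counter only moves forward, so a code captured by phishing cannot be reused once the legitimate user has logged in, and the password and OTP are always both checked so the login response does not tell an attacker which factor was wrong.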

(11)

Polling Question

Have you fully implemented a Multi-Factor Authentication program per the FFIEC guideline?

(12)

Getting the Facts on Multi-Factor Webinar

Kimberly Cahill, NBE, CISA
Bank Information Technology Analyst, Comptroller of the Currency

(13)

Disclaimer

The views and opinions expressed are not official positions of the FFIEC or the

(14)

Agenda

- What Prompted Guidance
- Guidance

(15)

What Prompted the Guidance?

- "Cybercrime yielding more cash than drugs"
- TJX data breach info used to make fraudulent purchases.
- In 2006, there were in excess of 315 publicized breaches affecting nearly 20 million individuals.

(16)

Common Threats

- Losing Data
- Hacking
- Phishing
- Pharming
- Spying
- Disgruntled

(17)

Consumer Concern

- 67% are very concerned about identity theft.
- 73% worried about fraudulent use
- 25% say stopped buying online

(18)
(19)

Guidance

"The level of authentication used by the FI should be appropriate to the risks associated with those products and services. FIs should conduct a risk assessment to identify the types and levels of risk associated with their Internet banking applications. Where risk assessments indicate that the use of single-factor authentication is inadequate, FIs should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks. The agencies consider single-factor authentication, as the only control

(20)
(21)

Key Steps for Conformance

- Risk Assessment
- Implement Risk Mitigation Strategy

(22)

Risk Assessment

- Identify and rank "high risk" Internet transactions
- Describe specific customer information viewable during Internet sessions
- Evaluate current authentication procedures

(23)

Acceptable Risk Mitigation Techniques

- Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement:
  - multifactor authentication,
  - layered security, or
  - other controls reasonably calculated to mitigate those

(24)
(25)

Other Risk Controls

- Content
  - Minimize (mask) confidential information
- Segregate access
  - Separate basic info, bill payment, funds transfer
- Accessibility

(26)

Monitoring and Reporting

- Audit Features - Behavior Patterns
- Service Provider's Reports
- Independent Audit Review

(27)

Customer Awareness

- Key defense, but not a control
- Continue efforts
- Track your efforts (call center, clicks on alert and disclosure links, type of marketing, trends in losses)

New FTC Education Website

(28)

Acct Origination & Verification

Reliable identity verification at origination is critical for:

- Negative confirmation
- Positive confirmation
- Out-of-wallet questions
- Compliance w/ USA Patriot Act

(29)

Bottom-Line

- An acceptable solution today might not be acceptable tomorrow… the bad guys are just as smart as the good guys developing the solution

(30)

Bank Supervision Policy

- FFIEC Information Security Booklet
- 12 CFR 30, Appendix B
- OCC 2005-35: Online Authentication
- OCC 2005-24: Website Spoofing
- OCC 2005-13: Customer Notification

(31)

Polling Question

Implementing Multi-Factor Authentication has met my expectations.

- Strongly Agree
- Agree
- Agree Somewhat
- Disagree

(32)

Getting the Facts on Multi-Factor Webinar

Gary Greenwald

Managing Director, Cash Management Capabilities and Information Products

(33)

The Opportunity

- Look beyond website access control
- Paperless workflows
- Legally binding electronic signatures

(34)

Case Study: Pharmaceutical

- Electronic submissions to the FDA
  - Costs are rising
  - Time to market is long
  - Paper intensive
- What are we providing?
  - Identity issuance

(35)

Case Study: Managing Corporate Bank Accounts

- Need for better process
  - Visibility
  - Control
  - Efficiency
- What are we providing?
  - Standard for account opening and managing corporate bank accounts, working with industry groups
  - A single digital identity across banks

(36)

Case Study: Corporate Payment Files

- Improved process for straight through processing (STP) of payment files
- Driven by industry move to STP and even corporate SWIFT connectivity
- Issue: What individual has released the payment file? Is he/she entitled?
- Use of digital signatures to confirm
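The payment-file slide poses two separate questions, who released the file and whether that person was entitled to, and a signature alone only answers the first. The Go program below is an added illustration, not code from the webinar or from any bank's STP platform: the corporate user signs the file with Ed25519 under their identity, and the receiving side verifies the signature, then checks the signer's role and release limit in a directory. The "PAY;beneficiary;amount_in_cents" file layout, the Directory type and the Entitlement fields are all assumptions made for the example, and the sample file is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strconv"
	"strings"
)

// Entitlement is what the bank's directory records about a registered user:
// the public key bound to that identity, whether the role may release payment
// files at all, and the largest file total (in cents) the role may release.
type Entitlement struct {
	PubKey     ed25519.PublicKey
	CanRelease bool
	MaxTotal   int64
}

// Directory maps a user identity to its entitlement (hypothetical stand-in for
// the bank's KYC / user store).
type Directory map[string]Entitlement

// ReleasedFile is a payment file together with the identity that released it
// and that identity's signature over the file.
type ReleasedFile struct {
	Payload   []byte
	Releaser  string
	Signature []byte
}

// SamplePaymentFile is a constructed file: one "PAY;beneficiary;amount_in_cents" line per payment.
const SamplePaymentFile = "PAY;ACME Ltd;125000\nPAY;Globex Corp;50000\n"

// NewKeyPair generates the signing key a corporate user would hold on a token.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signedMessage binds the releaser's identity into the signed bytes, so a valid
// signature over the same file cannot be re-attributed to a different user.
func signedMessage(releaser string, payload []byte) []byte {
	return append([]byte(releaser+"\n"), payload...)
}

// Release is the corporate side: the individual signs the file under their identity.
func Release(user string, priv ed25519.PrivateKey, payload []byte) ReleasedFile {
	return ReleasedFile{Payload: payload, Releaser: user, Signature: ed25519.Sign(priv, signedMessage(user, payload))}
}

// FileTotal sums the amounts in a payment file and rejects malformed lines.
func FileTotal(payload []byte) (int64, error) {
	var total int64
	for _, line := range strings.Split(string(payload), "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		f := strings.Split(line, ";")
		if len(f) != 3 || f[0] != "PAY" {
			return 0, fmt.Errorf("malformed line %q", line)
		}
		amt, err := strconv.ParseInt(f[2], 10, 64)
		if err != nil || amt <= 0 {
			return 0, fmt.Errorf("bad amount in line %q", line)
		}
		total += amt
	}
	return total, nil
}

// Verify is the bank side. A valid signature identifies the releaser; the
// directory lookup afterwards decides whether that releaser was entitled.
func Verify(dir Directory, f ReleasedFile) (bool, string) {
	ent, known := dir[f.Releaser]
	if !known {
		return false, "unknown releaser"
	}
	if !ed25519.Verify(ent.PubKey, signedMessage(f.Releaser, f.Payload), f.Signature) {
		return false, "signature does not verify"
	}
	if !ent.CanRelease {
		return false, "releaser is not entitled to release payment files"
	}
	total, err := FileTotal(f.Payload)
	if err != nil {
		return false, err.Error()
	}
	if total > ent.MaxTotal {
		return false, "file total exceeds releaser's limit"
	}
	return true, "released by " + f.Releaser
}

func main() {
	pub, priv := NewKeyPair()
	dir := Directory{"alice": {PubKey: pub, CanRelease: true, MaxTotal: 1_000_000}}
	f := Release("alice", priv, []byte(SamplePaymentFile))
	fmt.Println(Verify(dir, f))
	f.Payload = []byte(strings.Replace(SamplePaymentFile, "50000", "500000", 1)) // tampered after signing
	fmt.Println(Verify(dir, f))
}
```

The order of checks is deliberate: identity is established by the signature first, and entitlement is evaluated only for an authenticated identity, so an unentitled user cannot learn the limits of another role by submitting files under that role's name.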

(37)

Role of Banks

- Sit above technology layer
- Focus on high assurance
  - Using multi factor tools for strong authentication
  - Positions banks as leaders
- Focus on what banks do well
  - KYC
  - Trusted parties
  - Subject to regulatory oversight
  - Know and understand the importance of strong policies and legal structures
  - Integral part of the global payment and trade infrastructure
  - Extensions into public sector, consumers and

(38)

Q&A
