Knowledge-Based Authentication Challenge Response System

(1)

Knowledge

-

Based Authentication

Challenge Response System

Kevin Trilli

Director, Product Management

VeriSign, Inc.

Bill Andrews

Sr. Manager, Product Management

Lightbridge, Inc.

(2)

Purpose and Agenda

X

Purpose

–

Explain deployment example for KBA

–

Cover challenges of quantifying Challenge/Response (C/R)

X

Agenda

–

Overview of VeriSign Authentication Service Bureau

–

Challenge/Response in Action: On

-

Line Auction Site

–

(3)

3

VeriSign Security Services

Provide Critical Security and

Payment Infrastructures that

Maximize Efficiency, Remove

Complexity, and Reduce Risk

380,000+

secure sites & serverssecure sites & servers

4,000+

enterprise customersenterprise customers

90,000

merchantsmerchants

~25%

of N. America E-of N. America E-CommerceCommerce

90,000+

consumers verifiedconsumers verified

30,000+

certificates issued certificates issued

~5M

payment transactionspayment transactions

$500M

(4)

VeriSign Intelligence and

Control

SMSM

Solutions

Atlas, 24*7 redundancy, secure operations, PKI roots

Delivered from Solid

Infrastructure Infrastructure

Technology Data Intelligence/

Expertise

(Internet health monitoring, event correlation, fraud

detection engine) (enterprise event data, 9 billion

DNS transactions, 25% N. American payment volume, SSL

certificate validation) (Managed Security Services,

DNS, PKI, Trust Gateway, SSL, Payment Gateway) Leveraging

Leveraging

World

World--ClassClass Assets Assets

Business ContinuityBusiness

Continuity ComplianceComplianceRegulatory Regulatory Business PartnerBusiness PartnerIntegrationIntegration EnablementEnablementCommerce Commerce Provide targeted

Provide targeted

Solutions Solutions to to business needs

business needs Infrastructure Network

Continuity HIPAA, FDA

Secure

Extranets PaymentsSecurity, Commerce Security Network Security Strong Authentication With flexibly With flexibly deployed deployed Offerings

Offerings Secure Access_{To Networks} Monitoring &Intelligent Management Fraud Protection Secure Web Services Application Security

(5)

VeriSign set of Offerings:

Credentialing and ID Proofing Services

X

Credentialing Systems

–

Managed Strong

Authentication Service

Platform

–

PKI, Strong

Authentication

–

Commercial and Public

Sector Offerings

f

f FIPSFIPS--140140

f

f Federal Bridge _{Federal Bridge} Compliant

Compliant

f

f Mortgage Banker’s Mortgage Banker’s Association

X

ID Proofing Services

–

Physician Authentication

using

VeriSign’s

AMA

Database

–

Consumer Authentication

using Lightbridge Services

–

Business Authentication

using D&B Database

–

In

-

Person Proofing

Services

f f Notary Notary f f _{Postal Service} Association Postal Service

(6)

Consumer Authentication Service

Various levels of customer authentication

Non intrusive _X_X _{Tier 1: Identity Verification}_{Tier 1: Identity Verification}

–

– Based on application dataBased on application data –

– Name, Address, PhoneName, Address, Phone –

– Optional: email, date of birth, drivers licenseOptional: email, date of birth, drivers license –

– Custom Risk ScoreCustom Risk Score

X

X Tier 2: Interactive Query_{Tier 2: Interactive Query}

–

– Based on credit reportBased on credit report –

– Dynamic “out of wallet” questionnaireDynamic “out of wallet” questionnaire

X

X Manual ReviewManual Review

–

– For exception handling and support For exception handling and support –

– 24x7 live person in call center24x7 live person in call center

X

X Physical ProofPhysical Proof

–

– Faxing in passport, drivers license, utility billingFaxing in passport, drivers license, utility billing

(7)

VeriSign/Lightbridge Online Identity Management: Authentication in Seconds A consumer initiates a transaction online.

Before completing the transaction the merchant or institution

submits the consumer data to VeriSign/Lightbridge for validation, verification and authentication.

CAS Tier 1 validates and verifies consumer data using a unique online fraud model and returns a numeric score indicating the consumer’s relative level of risk.

CAS Tier 2 compares the consumer data to multiple consumer databases, creates a customer profile, and formulates a unique set of “out of wallet”

questions which are sent back to the consumer through the

merchant web server.

After receiving the consumer’s answers, the CAS decision engine scores the answers and returns an authentication decision to the merchant web server.

CAS Decisioning System Internet SSL Client Authentication E-commerce Web Server Online Consumer Firewall Consumer Databases Decision Engine VeriSign/ Lightbridge Web Server

(8)

eBay Deployment Example

(9)

Deployment example

Name & Address Public Records Proprietary Blacklists Higher Risk Data Credit Bureaus DMV and SSN End Users Consumer Portal / Application VeriSign CAS XML XML Real time Transaction XML Interface 24x7x365 support Guaranteed SLA Audit Trail Reporting Custom Configuration

(10)

Case Study: Online Marketplace

f

f Provide a safe and secure marketplace for both buyers and sellerProvide a safe and secure marketplace for both buyers and sellerss

f

f Track and screen out fraudulent usersTrack and screen out fraudulent users

f

f NonNon--intrusive process that is private and confidentialintrusive process that is private and confidential

Business Challenge

VeriSign Solution Results

f

f Identity verification methods that cross verify Identity verification methods that cross verify

identity information using 50+ data sources

f

f 24x7 call support to handle exceptions24x7 call support to handle exceptions

f

f Leverage VeriSign brand to build consumer Leverage VeriSign brand to build consumer

confidence

f Instant account verificationaccount verification of all usersof all users f

f Custom risk scoreCustom risk scoreto flag accounts to flag accounts requiring additional monitoring

requiring additional monitoring

f

f Tier based authenticationTier based authenticationapproach to approach to managing risks

(11)

Be prepared to provide

specific information

about your financial data.

(12)

CAS gathers data about

the individual and

creates a challenge only

(13)

(14)

Ebay User is now ID

Verified!

(15)

C/R

(16)

C/R

–

Authentication Questions (Automated)

X

Credit Card Questions

X

Previous Address

X

Payment Questions

X

(17)

C/R

–

Authentication Questions

(Manual Review)

X

Unanswered Automated Questions

X

Bank/Institution Questions

X

(18)

C/R

–

Configuration Settings

X

X Allowable Visits: Number of allowable authentication attempts Allowable Visits: Number of allowable authentication attempts

per user in a specified period of time.

X

X Allowable Visits Counter: Period by which authentication Allowable Visits Counter: Period by which authentication

attempts counter is reset.

X

X Question Sets: Number of potential automated question sets in a Question Sets: Number of potential automated question sets in a

given session

X

X Min./Max: Questions per set: Minimum and Maximum number Min./Max: Questions per set: Minimum and Maximum number

of automated authentication questions per question set.

X

X Passing Score Passing Score –– Questions Correct: Number of correct answers Questions Correct: Number of correct answers

required for passing automated process.

X

X Passing Score Passing Score –– Percentage Correct: Percentage of correct answers Percentage Correct: Percentage of correct answers

required for passing automated process.

X

X Borderline Score Borderline Score –– Questions Correct: Number of correct Questions Correct: Number of correct

questions required for Borderline Score.

X

X Borderline Score Borderline Score –– Percentage Correct: Percentage of correct Percentage Correct: Percentage of correct