The RSA Authentication Decision Tree: Selecting the Best Authentication Solution
The Need for Strong Authentication
Protecting access to information and assuring the identities of users requesting that access is a core element of any security initiative. While the primary driver for user authentication has been to secure remote access to enterprise information, today there are a number of reasons for the increasing demand for strong authentication across the organization.
Movement of new business applications online. Recognizing the new business opportunities and cost efficiencies associated with providing access to information online, many organizations are starting to offer more Web-based business applications.
Increased demand for remote access. The global nature of business and employee mobility has forced many organizations to provide anytime, anywhere access to enable employee productivity.
Access privileges to new user populations. Contractors, partners and suppliers now require on-demand access to proprietary information such as sales forecasts, competitive intelligence, pricing charts, inventory, and customer data.
Increase in customer-facing portals. There is an increased demand by customers to provide real-time access and the ability to manage account information online.
Regulatory compliance. Numerous regulations have been issued in the last few years requiring organizations to enact security measures that prevent unauthorized access to information.
Advanced threats. Depending on the user and the nature of information, a number of threats exist that require strong authentication to mitigate risk. For enterprise users, organizations must provide strong authentication to protect against unauthorized access to critical business information and to combat the risk of the insider threat. For customers, organizations must provide proactive measures to protect against the threat of phishing, Trojans and other forms of malware.
The State of User Authentication
Despite the fact that “password-only” authentication is recognized for providing relatively weak security, the use of a single password as a means of assuring user identities continues to dominate. However, the authentication method once viewed as “free” has actually become expensive in terms of ongoing management and support costs. According to Forrester Research, the average help desk labor cost for a single password reset is about $70.
This is a recurring question being asked by organizations around the globe. With the number of new and emerging security products being denoted by analysts as the “silver bullet” solution, it is critical to recognize that there are many authentication choices available on the market. Before making a final selection as to the authentication solution that will work best, organizations must consider their user authentication needs, the threats targeting their business, their business objectives, and the regulatory guidelines that impact their industry.
RSA has developed the Authentication Decision Tree, a comprehensive tool to help organizations understand, evaluate and select the most appropriate authentication solution to meet the needs of their users and their business. The RSA Authentication Decision Tree provides a framework to help narrow the selection of authentication solutions based on five critical factors. This white paper provides an overview of the Authentication Decision Tree, examines the five factors critical to selecting an authentication solution, and offers a clear guide to selecting the right solution that effectively balances risk, cost and end user convenience.
New authentication methods continue to appear on the market, making the selection even more challenging for organizations looking to implement a strong authentication strategy. In the enterprise, hardware authenticators still dominate for securing access to corporate resources. Yet employee mobility and the use of mobile phones and PDAs have caused an increase in demand for software authenticators. For consumer-facing portals, risk-based authentication and knowledge-based authentication are common security mechanisms because of their ease of use and their scalability to a mass user base.
With so many authentication options available on the market, organizations are finding it difficult to establish an authentication strategy. For many organizations, multiple authentication options can be selected based on factors such as the user population, the value of information being protected, portability, and user experience. RSA developed the Authentication Decision Tree to help organizations objectively weigh the assorted options and align the needs of their users and their business to make the optimum choice.
Critical Factors to Consider in Developing
an Authentication Strategy
There are five critical factors to consider in developing an appropriate authentication strategy. These five factors are:
– The value of the information being protected
– The strength of user authentication to apply
– Planned usage
– Needs of the end user population
– Technical environment
The value of protected information
The first factor to consider is the value of the information to be protected and the cost of unauthorized access to that information. Proprietary business data, bank account and credit card details, health records or personally identifiable information (PII) are all types of information that could be considered high value. And unauthorized access to that information could be costly (e.g., a bank having to assume the costs of unauthorized fund transfers for customers) and detrimental to a company’s brand and reputation. The higher the value of the information and the higher the risk to the organization if the data is accessed by an unauthorized user, the stronger the authentication solution needed to protect it.
The strength of user authentication to apply
Considering the user population and the information being accessed by those users can help organizations determine the level of user authentication to apply. For example, organizations cannot force authentication on their customers, so considerations in selecting a solution for this user base might be convenience and willingness to adopt. For employees and partners, however, organizations have more control over the types of authentication to deploy and will more likely consider features such as portability, total cost of ownership and overall management.
Planned usage
When organizations deploy an authentication solution, there is often more than one business objective to be met. In other words, depending on the user and the types of activities performed, an organization might determine that additional layers of authentication are needed beyond just assuring user identities. For example, a financial institution seeking to decrease its fraud losses might implement a transaction monitoring solution to monitor high-risk money transfers. Another example to consider would be for enterprise users. An organization might require certain users that work with and exchange highly sensitive information, such as HR, payroll, and finance, to have an authentication solution that enables file and email encryption.
End user population
Technical environment
Finally, the technical environment where the solution will be deployed is important in helping to determine factors such as what level of authentication strength to apply. For example, in an environment where desktops are more controlled and anti-virus software is likely to be up-to-date, security requirements may not be as rigorous compared to a scenario where the user environment is not as controlled and a large percentage of the user population is accessing the network from remote locations around the world. Another technical consideration would be the range of end user devices being used for access. For both corporate and customer-facing applications, the end user base is likely to be accessing information from devices ranging from laptops and desktops to PDAs and mobile phones to kiosks. The types of access devices are important in determining the authentication form factors offered to end users.
The Authentication Decision Tree
In light of the number of new authentication methods and technologies, the increasing value of information, new user populations requiring access to networks and applications, the proliferation of advanced threats and a complex regulatory environment, organizations are being driven to re-evaluate their existing authentication strategy.
There are many existing authentication solutions to evaluate, and market buzz about certain authentication technologies makes the assessment difficult for many organizations. Biometric solutions, for example, enjoy a disproportionate share of media coverage compared to their actual deployment in the market. These solutions require expensive and cumbersome readers, making them impractical for mobile or remote access or for adoption by a mass consumer audience. The RSA Authentication Decision Tree was designed for organizations to objectively evaluate their user and business needs against the readily available authentication technologies on the market in order to ease the decision making process. As the market has yet to come up with a universal solution that will meet every business requirement and address the security needs for all users and all scenarios, the RSA Authentication Decision Tree can be used to help organizations select the most appropriate authentication solution, or combination of solutions, while balancing risk, cost and end user convenience.
How to Use the Authentication Decision Tree
In determining what solution(s) will work best for an organization, the RSA Authentication Decision Tree examines the following criteria:
– Control over the end user environment
– Access methods to be used
– The demand for anywhere, anytime access
– The need for disk, file or email encryption
– Fraud prevention
Control over the end user environment
Control over the end user environment is critical in determining the appropriate authentication method. Considerations include things such as whether the organization is allowed to install software on the end user’s system and whether they can dictate the operating system platform an end user is required to work on.
Access methods to be used
Access methods are very important in determining an authentication strategy. Some authentication methods only work for accessing web-based applications, while others can be used to authenticate to multiple non-web-based applications. Therefore, taking into account the user, their access rights, and their planned usage will have a direct effect on the authentication methods selected.
The demand for anytime, anywhere access
The global nature of business and increased employee mobility has created a demand for anytime, anywhere access. Providing the option for users to securely access information is critical to the continuation of business. For employees or partners, providing the option of anytime, anywhere access is critical to sustaining productivity; for customers, it is important for maintaining customer satisfaction. Factors to weigh include:
– Do you need to accommodate user access from varying remote locations?
– Do you need to accommodate user access from unknown systems such as kiosks, hotel systems or shared workstations?
– Do you need to accommodate user access from varying devices such as PDAs and mobile phones?
Disk, file or email encryption
When evaluating an authentication strategy, organizations should consider the other business purposes that they may want the authentication method to address. For example, a healthcare organization might have the need to encrypt protected health information (PHI) or other personally identifiable information (PII) of a patient as it is transmitted between departments and facilities in order to meet HIPAA regulations. In this instance, the healthcare organization might require individuals with access rights to PHI and PII to access the data only from trusted machines.
Fraud prevention
Some authentication methods are required to monitor transactions and activities that are performed by a user after initial authentication at login in order to prevent fraud. While this scenario is mostly relevant for financial services applications, other industries are beginning to experience targeted attacks, such as phishing and malware, by fraudsters for the sole purpose of collecting personal data to be used in the commission of identity theft.
A Myriad of Authentication Possibilities
Passwords
Passwords provide single-factor authentication for assuring user identities. While initial acquisition is free, there are ongoing management and support costs (password resets, for example) which can wind up being expensive in the long term. The level of security provided is very low, and passwords are prone to hackers and to sharing among individuals.
Knowledge-based authentication (KBA)
Knowledge-based authentication is a method used to authenticate an individual based on knowledge of personal information, substantiated by a real-time interactive question and answer process. The questions presented to a user are gleaned from scanning public record databases, are random, and have not previously been disclosed to or asked of the user.
Risk-based authentication
Challenge questions
Challenge questions (sometimes called “shared secrets”) are questions which an online user enrolls in and is then prompted to answer when additional authentication is required based on the risk of the transaction or activity being performed. Challenge questions are different from knowledge-based authentication in that users select questions to answer from a pool of pre-determined questions and provide the answers to those questions.
Out-of-band phone authentication
Out-of-band phone authentication involves the generation of an automated call to a phone number previously recorded during enrollment. The call informs the actual user of the activity details and prompts them to enter the confirmation number (a one-time password (OTP)) displayed on the web browser into the keypad on the phone. Provided it is the correct number, the online activity is confirmed to be genuine and the user can continue without disruption. Out-of-band phone authentication is typically used as a secondary factor of authentication to protect high-risk activities such as a change in personal information or a high-value money transfer.
One-time password authentication
One-time password (OTP) authentication is a leading two-factor authentication solution; it is based on something you know (a PIN or password) and something you have (an authenticator). The authenticator generates a new OTP code every 60 seconds, making it difficult for anyone other than the genuine user to input the correct code at any given time. To access information or resources protected by one-time password technology, users simply combine their secret Personal Identification Number (PIN) with the token code that appears on their authenticator display at that given time. The result is a unique, one-time password that is used to positively assure a user’s identity.
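The PIN-plus-token-code scheme described above, as an added example that is not RSA's code: the token-code function is a hypothetical HMAC-SHA1 time-step construction standing in for the proprietary SecurID algorithm, the seed, PIN and timestamps are constructed, and the server side shows the two checks a practitioner would want, a small clock-drift window and one-time (no replay) acceptance of each code.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample seed; a real deployment provisions a per-token secret
# ("seed record") to the authenticator and the server through a secure channel.
SAMPLE_SEED = bytes.fromhex("3132333435363738393031323334353637383930")
STEP_SECONDS = 60      # the paper's 60-second code rotation
CODE_DIGITS = 6


def token_code(seed: bytes, unix_time: int, step: int = STEP_SECONDS,
               digits: int = CODE_DIGITS) -> str:
    """Code the authenticator would display at unix_time.

    Hypothetical HMAC-SHA1 time-step construction (RFC 6238 style); the shared
    seed is the "something you have", synchronised by the clock on both sides.
    """
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def make_passcode(pin: str, code: str) -> str:
    """What the user types: secret PIN (something you know) + displayed code."""
    return pin + code


class OtpVerifier:
    """Server side for one user: holds the seed and a PIN hash, accepts each code once."""

    def __init__(self, seed: bytes, pin: str, drift_steps: int = 1):
        self.seed = seed
        self.pin_hash = hashlib.sha256(pin.encode()).digest()
        self.drift_steps = drift_steps     # tolerate +/- N steps of clock skew
        self.last_counter = -1             # highest time step already consumed

    def verify(self, passcode: str, unix_time: Optional[int] = None) -> bool:
        now = int(time.time()) if unix_time is None else unix_time
        if len(passcode) <= CODE_DIGITS or not passcode[-CODE_DIGITS:].isdigit():
            return False
        pin, code = passcode[:-CODE_DIGITS], passcode[-CODE_DIGITS:]
        pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(),
                                     self.pin_hash)
        current = now // STEP_SECONDS
        matched = -1
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            counter = current + delta
            if counter <= self.last_counter:
                continue                   # one-time: a consumed window is never reopened
            expected = token_code(self.seed, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                matched = counter
        # Both factors are always evaluated so a bad PIN does not short-circuit.
        if not (pin_ok and matched >= 0):
            return False
        self.last_counter = matched        # burn this window against replay
        return True


if __name__ == "__main__":
    now = int(time.time())
    server = OtpVerifier(SAMPLE_SEED, "2468")
    shown = token_code(SAMPLE_SEED, now)
    print("display:", shown, "accepted:", server.verify(make_passcode("2468", shown), now))
    print("replay accepted:", server.verify(make_passcode("2468", shown), now))
```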
One-time password technology is available in many form factors including:
– Hardware authenticators: Traditional hardware authenticators (sometimes referred to as “key fobs”) are portable devices that are small enough to fit on a keychain and meet the needs of users who prefer a tangible solution or access the Internet from a number of different locations.
– Software authenticators (for PCs, USB drives, or mobile devices): Software authenticators are typically offered as an application or in a toolbar format that is securely placed on a user’s desktop, laptop, or mobile device.
– On-demand: On-demand authentication involves delivery of a unique OTP “on demand” via SMS (text message) to a mobile device or a user’s registered email address. Upon receipt of the unique OTP, a user simply enters it, along with their PIN when challenged, to gain access to their corporate network or an online application.
Invisible user authentication
Invisible user authentication involves actively introducing additional identifiers with the simple addition of a cookie and/or a flash shared object (also referred to as “flash cookie”) which can then serve as a more unique identifier of a user’s device. Invisible user authentication can also track characteristics that are a natural part of any device such as HTTP headers, operating system versions, browser version, languages, and time zone.
Analyzing the Authentication Attributes
Once an organization assesses the needs of their business and their users, selecting the appropriate authentication strategy based on the available choices is ultimately a tradeoff among a number of variables:
– Strength of security
– Typical use case
– Client side requirements
– Portability
– Multiple uses
– User challenges
– Distribution requirements
– System requirements
– Cost
The RSA Authentication Decision Tree can help organizations make the relevant comparisons among the authentication methods that are designed to meet their requirements. By using this simple framework, organizations are provided with an objective assessment among the leading authentication solutions.
While cost is an important consideration, organizations must consider a number of other elements in determining what is most suitable to their needs. Too often, the focus is on acquisition cost alone, but one only needs to look to password-only authentication to see that cost should never be the only consideration. Passwords are essentially “free” in terms of acquisition cost; however, they are surprisingly expensive in terms of ongoing management and support costs. The chart on pages 8 and 9 compares and examines each authentication choice in terms of these nine attributes.
An Authentication Decision Tree Scenario
Company profile
A large healthcare organization representing several regional hospitals and specialty health centers that serves more than 1.5 million patients.
User groups
Physicians, payers and insurers, patients, healthcare administrators
Business and user needs
Physicians are constantly on the go, moving between multiple facilities, and stay connected to healthcare and patient records through a Blackberry or other mobile device. This enables instant, secure access to pertinent health records to ensure the highest quality of patient care.
Payers and insurers need access to patient records and medical history and services performed in order to settle or adjust claims.
Healthcare administrators are always in need of access to protected health information (PHI) and personally identifiable information (PII) of patients. From case workers to billing specialists, access to patient information is critical to their job performance.
Patients are provided access to their personal information and medical history through a Web-enabled portal. In addition to making updates to their personal information, they are provided a number of other convenient online services such as the ability to schedule appointments, submit prescription renewal requests and pay medical bills.
Authentication choices
With a diverse user base that all require access to various systems and for different needs, this healthcare organization would likely need to consider a myriad of authentication solutions including:
– Physicians: Software-based OTP for mobile devices
– Payers and insurers: Hardware tokens
Attributes compared for each authentication choice: Strength of Security; Typical Use Case; Client side requirements; Portability; Multiple Use; User Challenges; Distribution Requirements; System Requirements; Cost.
Passwords
– Strength of security: Single-factor; prone to crackers, sharing, etc.
– Typical use case: Non-regulated, low value applications
– Client side requirements: None
– Portability: Works anywhere
– Multiple use: No
– User challenges: Easily forgotten and often written down
– Distribution requirements: None
– System requirements: User directory
– Cost: Low acquisition but high help desk costs
Knowledge-based Authentication
– Strength of security: Stronger (single-factor); uncommon knowledge
– Typical use case: New user enrollment, emergency access, PIN reset
– Client side requirements: None
– Portability: Works anywhere
– Multiple use: No
– User challenges: Minimal
– Distribution requirements: None
– System requirements: Subscription service
– Cost: Moderate
Risk-based Authentication
– Strength of security: Two or more factors depending on risk assessment
– Typical use case: High volume consumer facing deployments
– Client side requirements: None
– Portability: Browser-based applications
– Multiple use: Platform for transaction monitoring and fraud detection
– User challenges: Minimal to difficult
– Distribution requirements: None
– System requirements: Authentication server, custom agents, Web-based applications; subscription service option
– Cost: Low cost with some application integration
Challenge Questions
– Strength of security: Weak if used stand-alone (single-factor); public knowledge
– Typical use case: Emergency access, PIN reset, secondary method to RBA or IDA
– Client side requirements: None
– Portability: Works anywhere
– Multiple use: No
– User challenges: Remembering initial answers (fuzzy logic)
– Distribution requirements: None
– System requirements: Custom agents
– Cost: Low acquisition but high help desk costs
Out-of-band Phone Authentication
– Strength of security: Strong; two-factor
– Typical use case: Consumer facing deployments, transaction verification, secondary method to RBA
– Client side requirements: None
– Portability: Any telephone or mobile phone
– Multiple use: No
– User challenges: Moderate
– Distribution requirements: User enrollment
– System requirements: RBA server, custom agents, Web-based applications
– Cost: Low cost with some application integration
OTP: Hardware Tokens
– Strength of security: Strong two-factor; PIN plus token code
– Typical use case: Mobile employee access
– Client side requirements: None
– Portability: Works anywhere
– Multiple use: No
– User challenges: Minimal
– Distribution requirements: Assign and deliver tokens
– System requirements: Authentication server, application agents
OTP and Digital Certificate Hybrid
– Strength of security: Strong two-factor; PIN plus token code or certificate
– Typical use case: Internal users and traveling employees
– Client side requirements: Middleware for connected features
– Portability: OTP feature works anywhere
– Multiple use: File/email encryption, digital signing, remote access
– User challenges: Minimal
– Distribution requirements: Client software, certificate, token
– System requirements: Certificate authority, authentication server
– Cost: Higher infrastructure and management expenses
OTP: Software Tokens on PCs
– Strength of security: Strong two-factor; PIN plus token
– Typical use case: Mobile employee access
– Client side requirements: Compatible PC
– Portability: Works only on assigned system
– Multiple use: No
– User challenges: Minimal
– Distribution requirements: Assign and deliver software and seeds
– System requirements: Authentication server, application agents
– Cost: Less than hardware tokens
OTP: Software Tokens on USB Drives
– Strength of security: Strong two-factor (can be biometric protected)
– Typical use case: Mobile employee access
– Client side requirements: Compatible USB device
– Portability: Works anywhere but needs USB port availability
– Multiple use: File storage
– User challenges: Minimal
– Distribution requirements: Assign and deliver software and seeds
– System requirements: Authentication server, application agents
– Cost: High; device plus token
OTP: Software Tokens on Mobile Devices
– Strength of security: Strong two-factor; PIN plus software token code
– Typical use case: Mobile employee access
– Client side requirements: Compatible platform
– Portability: Works anywhere
– Multiple use: No
– User challenges: Minimal
– Distribution requirements: Assign and deliver software and seeds
– System requirements: Authentication server, application agents
– Cost: Less than hardware tokens
OTP Code Delivered On-demand
– Strength of security: Strong two-factor; PIN plus code delivered to phone
– Typical use case: Occasional or temporary users, emergency access, second factor to IDA
– Client side requirements: Any email or SMS capable device
– Portability: Dependent on service coverage
– Multiple use: No
– User challenges: Two-step process
– Distribution requirements: None
– System requirements: Authentication server, application agents, SMS delivery method
– Cost: Less than either hardware or software tokens
Invisible User Authentication
– Strength of security: Strong two-factor; PIN or password plus registered device
– Typical use case: SSL VPN access only; all sized deployments
– Client side requirements: None
– Portability: Restricted to registered system(s)
– Multiple use: No
– User challenges: None (invisible)
– Distribution requirements: None
– System requirements: Authentication server, custom agents, SSL VPN
RSA Solutions
RSA has been a leading provider of strong two-factor authentication solutions to businesses of all sizes for more than 20 years. RSA offers a variety of solutions to help organizations provide strong authentication while balancing risk, cost and end user convenience.
RSA® Identity Verification
RSA Identity Verification utilizes knowledge-based authentication (KBA) to assure user identities in real time. RSA Identity Verification presents a user with a series of “top of mind” questions utilizing information on the individual that is obtained by scanning dozens of public record databases. Within seconds, RSA Identity Verification delivers a confirmation of identity, without requiring any prior relationship with the user.
RSA Identity Verification also provides improved accuracy in authenticating users with the Identity Event Module. The Identity Event Module improves security by measuring the level of risk associated with an identity and allowing the configuration of the system to automatically adjust the difficulty of the questions during the authentication process in order to meet the specific nature of the risk. Some of the identity events that are measured include:
– Public record searches. Suspicious access to a user’s public record reports.
– Identity velocity. A high volume of activity associated with an individual at several businesses.
– IP velocity. Multiple authentication requests generated from the same IP.
RSA® Adaptive Authentication
RSA® Adaptive Authentication is a multi-channel authentication and fraud detection platform providing cost-effective protection for an entire user base. Adaptive Authentication provides strong and convenient protection by monitoring and authenticating user activities based on risk levels, institutional policies, and user segmentation. Powered by RSA’s risk-based authentication technology, Adaptive Authentication tracks over one hundred indicators to identify potential fraud including device identification, IP geo-location, and behavioral profiles. Each activity is assigned a unique risk score; the higher the score, the greater the likelihood that an activity is fraudulent.
Adaptive Authentication offers behind-the-scenes monitoring that is invisible to the user. Only when an activity is deemed to be high-risk is a user challenged to provide additional authentication, usually in the form of challenge questions or out-of-band phone authentication. With low challenge rates and high completion rates, Adaptive Authentication offers strong protection and superior usability and is an ideal solution for deployment to a large user base.
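A sketch of the risk-scoring and step-up decision described above, added here as an example and not Adaptive Authentication's actual logic: the indicators, weights and thresholds are hypothetical, and the user profile and activities are constructed. It shows the pattern of scoring every activity, letting low-risk activity pass invisibly, and choosing the secondary factor (out-of-band phone for a transfer, challenge questions otherwise) only for high-risk activity.

```python
from dataclasses import dataclass
from typing import Set, Tuple

# Policy thresholds; hypothetical values, not RSA's.
CHALLENGE_AT = 40   # score at or above: step-up authentication
DENY_AT = 80        # score at or above: block and refer to fraud review


@dataclass
class UserProfile:
    """Behavioral profile learned from a user's past activity (constructed)."""
    known_devices: Set[str]       # device identifiers seen before
    usual_countries: Set[str]     # countries from past IP geo-location
    typical_transfer: float       # median past money transfer amount


@dataclass
class Activity:
    """One login or transaction as seen by the server (constructed)."""
    user: str
    device_id: str                # cookie / flash-object / header fingerprint
    country: str                  # from IP geo-location
    transfer_amount: float = 0.0  # 0 for a plain login
    ip_velocity: int = 1          # authentication requests from this IP in the last hour


def risk_score(a: Activity, p: UserProfile) -> int:
    """Weighted sum of hypothetical indicators, capped at 100."""
    score = 0
    if a.device_id not in p.known_devices:
        score += 30               # unrecognised device
    if a.country not in p.usual_countries:
        score += 25               # geo-location outside the user's pattern
    if a.ip_velocity > 10:
        score += 20               # many requests from one IP (IP velocity)
    if a.transfer_amount > 0 and a.transfer_amount > 5 * p.typical_transfer:
        score += 35               # out-of-pattern high-value transfer
    return min(score, 100)


def decide(a: Activity, p: UserProfile) -> Tuple[int, str, str]:
    """Return (score, decision, step-up method).

    Low risk passes invisibly; high risk is challenged with a secondary
    factor: out-of-band phone confirmation for a money transfer (the call
    reads the activity details to the user), challenge questions otherwise.
    """
    score = risk_score(a, p)
    if score >= DENY_AT:
        return score, "deny", "none"
    if score >= CHALLENGE_AT:
        method = "out-of-band phone" if a.transfer_amount > 0 else "challenge questions"
        return score, "challenge", method
    return score, "allow", "none"


# Constructed profile for one user.
PROFILE = UserProfile(known_devices={"dev-a1"}, usual_countries={"US"},
                      typical_transfer=200.0)

if __name__ == "__main__":
    for act in (
        Activity("alice", "dev-a1", "US", transfer_amount=150.0),
        Activity("alice", "dev-zz", "RO"),
        Activity("alice", "dev-zz", "US", transfer_amount=2000.0),
        Activity("alice", "dev-zz", "RO", transfer_amount=5000.0, ip_velocity=50),
    ):
        print(act.device_id, act.country, act.transfer_amount, decide(act, PROFILE))
```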
RSA SecurID®
RSA SecurID® one-time password technology provides a leading two-factor authentication solution; it is based on something you know (a PIN or password) and something you have (an authenticator). RSA SecurID offers a unique symmetric key (or “seed record”) that is combined with a proven algorithm to generate a new one-time password (OTP) every 60 seconds. Patented technology synchronizes each authenticator with the security server, ensuring a high level of security.
Windows desktops
The RSA SecurID Token for Windows Desktops is a convenient form factor that resides on a PC and enables automatic integration with leading remote access clients.
OTP token toolbar
The RSA SecurID Toolbar Token combines the convenience of auto-fill capabilities for web applications with the security of anti-phishing mechanisms.
Display Cards
The RSA SecurID Display Card is a flexible, wallet-sized card that displays a new OTP every time the user presses a button. The RSA SecurID Display Card offers OTP-based strong security and greater portability by eliminating the need to carry an additional item on a keychain and by allowing end users to easily slip the card into a wallet or purse instead.
On-demand (delivered via SMS or email)
RSA On-demand Authentication delivers a unique one-time password “on demand” via SMS (text message) to a mobile device or a user’s registered email address. Upon receipt of the unique OTP, a user simply enters it, along with their PIN when challenged, to gain access to their corporate network or an online application.
RSA Invisible User Authentication provides the ability to identify a user with an extremely high degree of accuracy. IUA identifies users by combining unique identifiers with statistical identifiers based on device forensic analysis and behavioral profiling. IUA authenticates users behind-the-scenes and does not require any preliminary distribution of physical authenticators or software.
RSA SecurID is available in the following form factors to meet the needs of organizations and their users:
Hardware Authenticators
From a usability perspective, traditional hardware authenticators (sometimes referred to as “key fobs”) are small enough to fit on a keychain and meet the needs of users who prefer a tangible solution or access the Internet from a number of different locations.
Hybrid Authenticator with Digital Certificates
The RSA SecurID 800 is a hybrid device that combines the simplicity and portability of SecurID with the power and flexibility of a smart card in one convenient USB form factor. The SID800 offers standards-compliant digital certificate support for disk and file encryption, authentication, signing, and other applications and strengthens simple password authentication by storing users’ domain credentials on a hardened security device. In combining multiple credentials and applications in a single device, the SID800 is a master key that enables strong authentication across a heterogeneous IT environment in a way that is both simple and seamless for the end user.
Software Authenticators
RSA SecurID software authenticators use the same algorithm as RSA SecurID hardware authenticators while eliminating the need for users to carry dedicated hardware devices. Instead of being stored in RSA SecurID hardware, the symmetric key is safeguarded securely on the user’s PC, smart phone or USB device.
Mobile devices
About RSA
RSA, The Security Division of EMC, is the premier provider of security solutions for business acceleration, helping the world’s leading organizations succeed by solving their most complex and sensitive security challenges. RSA’s information-centric approach to security guards the integrity and confidentiality of information throughout its lifecycle – no matter where it moves, who accesses it or how it is used.
RSA offers industry-leading solutions in identity assurance & access control, data loss prevention, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.
RSA and the RSA logo are registered trademarks and/or trademarks of RSA Security Inc. in the U.S. and/or other countries. EMC is a registered trademark of EMC Corporation. All other products and/or services mentioned are trademarks of their respective companies.
DECTR WP 0908