RSA Solution Brief. RSA Adaptive Authentication. Balancing Risk, Cost and Convenience

As more organizations look to migrate customers, members, and partners to the cost-effective online channel, the need to instill confidence and implement stronger security measures becomes critical. In addition, online threats such as phishing, Man-in-the-middle attacks, and Trojans are constantly evolving so organizations need to be concerned about deploying a long-term solution that can readily adapt to changes.

Achieving the right balance of authentication security without compromising the user experience or straining the budget is a challenge for many organizations. Even so, strong authentication is key to protecting sensitive data and increasing adoption of the online channel. And as most users now experience the implementation of stronger authentication when banking online, they have come to expect that same level of protection when accessing sensitive information at any online site.

The Right Choice for Authentication

RSA® Adaptive Authentication is a comprehensive authentication and risk management platform providing cost-effective protection for an entire user base. Adaptive Authentication monitors and authenticates user activities based on risk levels, institutional policies, and customer segmentation and can be implemented with most existing authentication methods including:

– Invisible authentication. Device identification and profiling

– Site-to-user authentication. Site-to-user authentication assures users they are transacting with a legitimate website by displaying a personal security image and caption that has been pre-selected by the user at login.

– Out-of-band authentication. Phone call, SMS, or e-mail

– Challenge questions. Challenge questions or knowledge-based authentication (KBA)

– One-time passwords. Hardware tokens, software tokens and toolbars, display card tokens, transaction signing tokens or CAP/EMV

RSA Solution Brief


By having the ability to intelligently support most existing authentication technologies, organizations that use Adaptive Authentication can be flexible in:

– How strongly they authenticate end users

– How they distinguish between new and existing end users

– What areas of the business to protect with strong authentication

– How to comply with changing regulations

– What they are willing to accept in terms of risk levels

– How to comply with the various requirements of the regions and countries where they operate

The Dynamics of Risk-based Authentication

Adaptive Authentication is powered by RSA’s risk-based authentication (RBA) technology, a sophisticated system that measures a series of risk indicators behind the scenes to assure user identities. This transparent authentication provides for a superior user experience as users are only challenged in the highest risk scenarios or when an institutional policy has been violated. In addition, risk-based authentication is self-learning to help protect against Trojans, Man-in-the-middle attacks and other forms of malware threats.

RSA’s risk-based authentication is powered by a series of core technologies – RSA® Device Identification, the RSA® Risk Engine, the RSA® eFraudNetwork, the RSA® Policy Manager, and the RSA Multi-credential Framework.

RSA Device Identification

RSA Device Identification enables transparent authentication for the vast majority of users by analyzing the device profile (the device where the user accesses from) and the behavioral profile (what activities the user typically performs) and matching the current activity against these profiles.

RSA Risk Engine

The RSA® Risk Engine is a proven, self-learning technology that evaluates each online activity in real-time, tracking over one hundred indicators in order to detect fraudulent activity. A unique risk score, between 0 and 1000, is generated for each activity. The higher the risk score, the greater the likelihood is that an activity is fraudulent.

RSA Policy Manager

The RSA® Policy Manager enables organizations to instantly react to emerging localized fraud patterns and effectively investigate activities flagged as high-risk. The Policy Manager is used to translate organizational risk policy into decisions and actions through the use of a comprehensive rules framework that can be configured in real-time.

[Figure: real-time risk assessment. Inputs: web activities, existing credentials and fraud patterns, policy settings. Outcomes: low risk (majority) continues; high risk (minority) is routed to secondary authentication (phone call, KBA, existing credentials) or to manual review.]


RSA eFraudNetwork

The RSA® eFraudNetwork is a cross-organization database of fraud patterns gleaned from RSA’s extensive network of customers, ISPs, and third party contributors across the globe. When a fraud pattern is identified, the fraud data, transaction profile, and device fingerprints are moved to a shared data repository. The eFraudNetwork provides direct feeds to the Risk Engine so that when a transaction or activity is attempted from a device or IP that appears in the eFraudNetwork data repository, it will be deemed high-risk and prompt a request for additional authentication.

RSA Multi-credential Framework

The RSA Multi-credential Framework (MCF) provides an abstraction layer that enables one software platform to support multiple authentication methods (based on end user segment and risk assessment) in a single deployment. With the Multi-credential Framework, different authentication methods are leveraged through policy settings to accommodate different end user populations, different online products, and different risk levels.
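As an added illustration (not RSA's code) of how the components above fit together, the following Python sketches a toy risk engine and policy manager: device-profile and behaviour-profile mismatches and a hit in a shared fraud feed raise a 0 to 1000 score, institutional rules can force a stronger action regardless of score, the challenge method is chosen per user segment, and a successful step-up binds the device to the user. All weights, thresholds, rules, segments and sample activities are constructed assumptions.

```python
"""Toy risk-based authentication flow (added example, not RSA's code); all weights, rules and data are constructed."""
from dataclasses import dataclass, field

# Constructed stand-in for a shared fraud feed of known-bad IPs and device ids.
FRAUD_FEED = {"ips": {"203.0.113.9"}, "device_ids": {"dev-blocked"}}

@dataclass
class Activity:
    user: str
    segment: str        # constructed user segments: "retail" or "wealth"
    device_id: str
    ip: str
    country: str
    user_agent: str
    kind: str           # "login", "view", "transfer", "profile_change", ...
    amount: float = 0.0

@dataclass
class UserProfile:
    # device_id -> {"country", "ua", "seen", "auth_level"}: the device history
    known_devices: dict = field(default_factory=dict)
    usual_kinds: set = field(default_factory=set)   # behavioural profile

def risk_score(act: Activity, profile: UserProfile) -> int:
    """Sum weighted indicators into a 0-1000 score; a fraud-feed hit is high-risk outright."""
    if act.ip in FRAUD_FEED["ips"] or act.device_id in FRAUD_FEED["device_ids"]:
        return 1000
    score = 0
    dev = profile.known_devices.get(act.device_id)
    if dev is None:
        score += 400                    # device never seen with this user
    else:
        if dev["country"] != act.country:
            score += 250                # known device, unexpected location
        if dev["ua"] != act.user_agent:
            score += 100                # browser fingerprint changed
        if dev["seen"] < 3:
            score += 50                 # device only weakly bound so far
    if act.kind not in profile.usual_kinds:
        score += 150                    # activity outside the user's habits
    if act.kind == "transfer" and act.amount >= 5000:
        score += 200                    # high-value transfer
    return min(score, 1000)

# Institutional policy rules: (name, predicate, minimum action the rule forces).
POLICY_RULES = [
    ("challenge_countries", lambda a: a.country in {"XX", "YY"}, "challenge"),
    ("review_large_transfer", lambda a: a.kind == "transfer" and a.amount >= 50000, "manual_review"),
]
THRESHOLDS = {"challenge": 600, "manual_review": 900}   # the adjustable risk policy
RANK = {"continue": 0, "challenge": 1, "manual_review": 2}
# Multi-credential idea: which secondary method each segment is challenged with.
CHALLENGE_METHOD = {"wealth": "oob_phone", "retail": "kba"}

def decide(act: Activity, profile: UserProfile) -> dict:
    """Combine the score band with policy rules; the strongest action wins."""
    score = risk_score(act, profile)
    action, reasons = "continue", []
    if score >= THRESHOLDS["challenge"]:
        action = "manual_review" if score >= THRESHOLDS["manual_review"] else "challenge"
        reasons.append(f"score={score}")
    for name, pred, forced in POLICY_RULES:
        if pred(act):
            reasons.append(name)
            if RANK[forced] > RANK[action]:
                action = forced
    method = CHALLENGE_METHOD.get(act.segment, "kba") if action == "challenge" else None
    return {"score": score, "action": action, "method": method, "reasons": reasons}

def record_outcome(act: Activity, profile: UserProfile, auth_level: str) -> None:
    """After the activity is accepted, update the device/user history (device binding)."""
    dev = profile.known_devices.setdefault(
        act.device_id, {"country": act.country, "ua": act.user_agent, "seen": 0, "auth_level": "none"})
    dev["seen"] += 1
    dev["country"], dev["ua"] = act.country, act.user_agent
    if auth_level == "step_up":
        dev["auth_level"] = "step_up"   # device now trusted up to the policy's risk level
    profile.usual_kinds.add(act.kind)

if __name__ == "__main__":
    alice = UserProfile(
        known_devices={"dev-home": {"country": "GB", "ua": "Firefox", "seen": 40, "auth_level": "step_up"}},
        usual_kinds={"login", "view"})
    routine = Activity("alice", "retail", "dev-home", "198.51.100.7", "GB", "Firefox", "login")
    risky = Activity("alice", "retail", "dev-new", "198.51.100.8", "XX", "Chrome", "transfer", 8000.0)
    print(decide(routine, alice))   # low score: continue
    print(decide(risky, alice))     # challenge with KBA; score and country rule both cited
    record_outcome(risky, alice, "step_up")
    print(decide(risky, alice))     # score drops, but the country rule still forces a challenge
```

The third decision shows the point of a separate policy layer: once the device is bound the score alone would let the transfer through, but the country rule still forces a challenge.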

A Myriad of Authentication Possibilities

Adaptive Authentication is a flexible solution offering a wide array of authentication options that enables organizations to customize risk and authentication policies by user and activity. Risk policies are the adjustable risk thresholds for suspicious activities established by an organization when they want to trigger an authentication challenge to a user. Authentication policies refer to how an organization selects the type of authentication method it wishes to invoke in the event that additional authentication is warranted. Following are several of those methods that Adaptive Authentication supports:

Invisible Authentication: Device Identification and Profiling

Adaptive Authentication uses an “invisible” authentication credential that is based on sophisticated device tracking and profiling techniques. RSA developed these technologies in order to fingerprint user devices in a non-intrusive manner. Device identification enables the vast majority of users to be authenticated transparently by analyzing the device profile (the device where the user accesses from) and the behavioral profile (what activities the user typically performs) and matching the current activity against these profiles.

The device forensics are composed of two important elements: (1) device identification (identifying that the device was previously used by this user) and (2) device authentication (considering known devices as automatically authenticated up to a certain risk level, and beyond that, requiring additional authentication in order to “trust” the device, as well as using authentication in order to “bind” a device to a user). Adaptive Authentication treats a device identifier as a second factor credential and, based on its existence and authenticity, invokes additional authentication if required.

With device identification (sometimes also referred to as device fingerprinting), information regarding specific attributes of the device provides a qualified distinction but not an entirely unique identification of the device. If a device is known for a long period of time, it means that the user performing the current activity is likely to be genuine. The techniques used in this group do not provide a unique identifier of the device, but this is not needed for positive identification. Device fingerprinting serves a similar role to that of a PIN number – by itself, it does not identify the user, but together with the Account ID, it provides a reasonable certainty of positively assuring identity. Also, since these techniques are used together with additional risk sensors, it is possible to be less strict than having a PIN.


Techniques used in this method provide unique device identification; however, they are more vulnerable to deletion by savvy users. This fingerprinting method is always attempted by default. Along with other important device identifying parameters, device fingerprint information is also fed to the RSA Risk Engine for risk assessment and user profile building. A device fingerprint is a unique statistical fingerprint of a device and is made up of a set of device parameters including:

– Actively introducing additional identifiers by simple addition of a cookie and/or a Flash Shared Object (also referred to as “Flash Cookie”) which then serve as more unique identifiers of the device

– Tracking the geo-location of the device based on the IP address

– Tracking device characteristics that are a natural part of any device – HTTP headers, operating system versions, operating system patch levels, screen resolution, browser version, software versions, display parameters (size and color depth), languages, time zone settings, installed browser objects, installed software, regional and language settings, and PC clock and time drift

Adaptive Authentication maintains a history of the devices used by each user. The profile for the device and the profile for the user include information such as the first and last date they have been seen together, what level of authentication was achieved on this device-user combination, and the number of times this combination has appeared.

Site-to-User Authentication

Adaptive Authentication offers a method called site-to-user authentication which provides organizations and their online users with a visible security reminder at each login. Site-to-user authentication assures users they are transacting with a legitimate website by displaying a personal security image and caption that has been pre-selected by the user at login (both are selected during a previous enrollment session). Users are instructed to only enter their password after the website they are accessing has proven its authenticity by displaying their personal security image and caption.

[Figure: web site with site-to-user authentication. Logon with username; device identification and risk analysis (real-time risk assessment); confirm security image and caption; enter password; proceed with online session. Caption: Site-to-user Authentication Increases Online Channel Usage.]

Site-to-user technology offers a number of benefits including:

– Provides end users with a sense of security and confidence that electronic communications are genuine by displaying their unique personal security image and caption

– Involves end users in their own online security

– Presents a clear and concise message to end users to never enter their password at the website before the website has proved its authenticity by displaying their image and caption

– Increases the adoption rates and usage of the online channel

RSA’s site-to-user authentication is used by over 50 million end users worldwide and has resulted in increased online activity in many areas. A recent end user satisfaction survey of 10,000 online users conducted by Alliance & Leicester in the UK supports this: 90% rated the security measures provided as good or excellent, 92% stated that they clearly understand the purpose of the new authentication system, and 83% confirmed that they would not enter their PIN into the website without their personal security image and caption being displayed.

Out-of-band Phone Authentication Module

The Adaptive Authentication Out-of-band (OOB) Phone Authentication module is one of the strongest alternative options organizations have against fraud because it leverages a means to communicate with the user that is outside of the online channel. One of the key benefits offered by out-of-band phone authentication is that it is simple to use. Also, it does not require the end user to purchase new hardware or software as it relies on any ordinary analog telephone, VoIP telephone, or mobile phone. This meets the demand by end users for an authentication method that is easy to use and understand while maintaining the security inherent in an OOB solution. OOB communication methods, which include the telephone, text messages (Short Messaging Service (SMS)), or e-mail, are a powerful weapon against fraud because they circumvent the communication channel(s) fraudsters typically use.

Out-of-band phone authentication occurs either when a high-risk activity (identified as such by the RSA Risk Engine) occurs or when an institutional policy (e.g. “Challenge all activities originating in Country X or Country Y”) triggers it. When either or both of these scenarios occur, Adaptive Authentication challenges the end user to reconfirm that they are who they claim to be through an easy to understand automated phone call process.

[Figure: login/transaction activity; customer challenged with out-of-band (OOB) phone authentication.]

First, the system will ask the user to select one of the phone numbers previously recorded during enrollment at which to receive a phone call. Next, the system generates an automated call informing the actual user of the activity details and prompting them to enter the confirmation number (a one-time password (OTP)) displayed on the web browser into the keypad on the phone. After delivery of this OTP, the user enters the OTP number into the phone and, provided it is the correct number, the user can continue without disruption. Out-of-band phone verification is generally used to protect high-risk activities such as a change in personal information or a high-value money transfer.

Out-of-band phone authentication is especially effective in protecting against nefarious threats such as Man-in-the-middle servers and other crimeware such as keyloggers, screenscrapers, and Man-in-the-browser Trojans. It prevents the scenario in which a fraudster has all or most of a customer’s personal account information or has even placed a piece of crimeware on the customer’s device. Without access to the customer’s phone, the fraudulent attempt will be blocked successfully.

Challenge Questions

Challenge questions (sometimes called “shared secrets”) are questions which an online user enrolls in and is then prompted to answer when additional authentication is required based on the transaction or activity. Enrollment in challenge questions occurs when the end user signs up for stronger authentication. This typically occurs either when a new user initially joins an organization’s website or when an organization chooses to roll out this new form of authentication protection.

[Figure: login/transaction activity; high-risk (minority) customer challenged with knowledge-based authentication (KBA). Sample questions shown: What is the color of your ’97 Nissan Maxima? Which of the following domain names is/are registered in your name? From whom did you purchase your current property? Which of the following people are you most closely associated with?]

The use of challenge questions ensures the utmost security while providing the best possible user experience. Challenge questions have been developed and perfected by RSA through authenticating millions of online users in the past several years.

From a security perspective, the following are some of the aspects that make RSA’s challenge questions method among the most advanced:

– Randomly selecting the questions that are collected from each user from a very large pool of questions

– The order of the selected questions is randomized

– Collection of multiple questions while authenticating the user with only a subset of those questions

– Collecting the answers only occurs during low-risk scenarios in which the user has been positively identified and authenticated

– The use of “fuzzy logic,” a proprietary, advanced matching algorithm to ensure low rejection rates through errors that are traditionally caused by simple human input mistakes
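The following Python is an added example, not RSA's proprietary matching algorithm, of the ideas in the list above: answers are normalised and compared by edit distance with a budget proportional to the answer's length, and a challenge draws a random subset of the enrolled questions in random order. The tolerance rule, the filler-word list and the sample answers are constructed assumptions.

```python
"""Tolerant matching of challenge-question answers (added example, not RSA's
proprietary "fuzzy logic"); the tolerance rule and sample data are constructed."""
import random
import re
import unicodedata

FILLER = {"the", "a", "an", "of"}   # words users routinely add or drop

def normalize(answer: str) -> str:
    """Fold accents and case, drop punctuation and filler words, collapse spaces."""
    text = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    return " ".join(t for t in tokens if t not in FILLER)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def answer_matches(stored: str, submitted: str) -> bool:
    """Allow one edit per five characters of the stored answer; very short answers get none.
    Note: this needs the stored answer in recoverable form (e.g. encrypted at rest);
    a tolerant match cannot be made against a one-way hash of the answer."""
    s, t = normalize(stored), normalize(submitted)
    if not s:
        return False
    return edit_distance(s, t) <= len(s) // 5

def pick_questions(enrolled: dict, n: int, rng=None) -> list:
    """Choose n of the enrolled questions at random and present them in random order."""
    rng = rng or random.SystemRandom()
    return rng.sample(sorted(enrolled), n)

def verify_challenge(enrolled: dict, responses: dict) -> bool:
    """Every presented question must match; evaluate all of them before answering."""
    if not responses or not responses.keys() <= enrolled.keys():
        return False
    results = [answer_matches(enrolled[q], responses[q]) for q in responses]
    return all(results)

if __name__ == "__main__":
    # Constructed enrollment record: question id -> answer given at enrollment.
    enrolled = {"car_color": "Red", "first_pet": "Mr. Whiskers", "street": "Elm Street"}
    asked = pick_questions(enrolled, 2)
    print(asked)
    print(verify_challenge(enrolled, {"first_pet": "Mr Whiskrs", "street": "Elm Street"}))  # True
    print(verify_challenge(enrolled, {"first_pet": "mr whiskers", "street": "elm st"}))     # False
```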

RSA Identity Verification – Powered by Knowledge-based Authentication*

Knowledge-based authentication (KBA) presents an end user with a series of top-of-mind questions utilizing relevant facts on the individual obtained by scanning public record databases. Quickly and accurately, KBA delivers a confirmation of identity—usually within seconds—without requiring any prior relationship with the user.

Knowledge-based authentication assures user identities based on knowledge of personal information, driven by a real-time question and answer process. Knowledge-based authentication enables organizations to:

– Increase revenues and attract new end users by simplifying authentication and avoiding privacy concerns that result when personal information is requested from end users and prospects

– Enhance enterprise security by enabling scalable and easy-to-implement authentication

– Strengthen identity protection throughout the end user relationship via the use of additional authentication methods, re-issuance of credentials and efficient exception handling

– Protect against fraud

– Establish KBA as either a primary authentication method, a “backup” for lost or forgotten credentials, or to establish an identity without a prior relationship (i.e. account enrollment or account origination)

Knowledge-based authentication plays a critical role in securing real-time activities and delivers a safe environment for end users to conduct business that does not intrude on their privacy or overall experience. It allows organizations to meet end user demands for more real-time, self-service options via remote channels while reducing the operational costs of authenticating users across an organization—and across channels.

BNY Mellon Shareowner Services

“After implementing RSA Identity Verification, we experienced a significant reduction in our Call Center volume which has offered us tremendous cost savings. In addition, we have been able to greatly improve customer satisfaction with the new authentication process providing shareowners with real-time & secure access to our self-service website.” (Marc Librizzi, CIO)


A knowledge-based authentication system typically collects and verifies information, generates questions, collects and scores answers and delivers a pass/fail result. The system is designed to logically develop correct and incorrect answers using actual end user data in real-time. Because the answers to the questions presented are not easily found by an Internet search, it makes it very difficult for anyone other than the genuine end user to guess correct responses. Therefore, fraudsters with stolen documents are prevented from establishing new accounts and conducting unauthorized activities.

One-time Password Authentication

RSA SecurID® one-time password technology provides a leading two-factor authentication solution; it is based on something you know (a PIN or password) and something you have (an authenticator). The authenticator generates a new one-time password (OTP) code every 60 seconds, making it difficult for anyone other than the genuine user to input the correct token code at any given time. To access resources that are protected by the RSA SecurID system, users simply combine their secret Personal Identification Number (PIN) with the token code that appears on their authenticator display at that given time. The result is a unique, one-time-use password that is used to positively identify, or authenticate, the user.

One-time password authentication from RSA comes in a variety of form factors to meet the needs of an organization and its end users. Deploying an OTP authentication approach may be appropriate in the following cases:

– Where end users are accustomed to using OTP technology

– Where a tangible authentication solution is required to instill user confidence

– Where the information and/or assets being protected are such that stronger authentication is deemed necessary in all instances (for example, an employee that accesses extremely sensitive company documents or a wealthy customer that conducts high-value transactions on a regular basis)

Knowledge-based Authentication to Protect New Account Origination and Enrollment

Despite the widespread protection of most organizational websites with important content on them (e.g. financial services, healthcare, social networking, manufacturing, and other industries), certain elements of transacting online remain unprotected or insufficiently protected. Typically, the processes having to do with enrolling new end users in an organization’s services or in activating the online portion of an organization’s business tend to be ignored. Knowledge-based authentication is the ideal solution for organizations looking to assure identities for new account origination and enrollment because it is easy-to-use and does not require any prior relationship with the end user. So what are the benefits of using KBA to protect the account origination and enrollment process?

– Prevents unauthorized users from gaining access to information intended for another genuine customer (i.e., a health insurance card or credit card account)

– Prevents new end users from using an organization’s infrastructure to commit fraud

– Allows organizations to comply with federal

Hardware Tokens

From a usability perspective, traditional hardware tokens (sometimes referred to as “key fobs” ) are small enough to fit on a keychain and meet the needs of users who prefer a tangible solution or access the Internet from a number of different locations. Each RSA SecurID authenticator has a unique symmetric key (or “seed record” ) that is combined with a proven algorithm to generate a new one-time password (OTP) every 60 seconds. Patented technology synchronizes each authenticator with the security server, ensuring a high level of security.

RSA SecurID on PDA & Mobile Phones

RSA SecurID software tokens support the same algorithms as the industry-leading RSA SecurID hardware authenticators, including the industry-standard AES algorithm. Instead of being stored in an RSA SecurID hardware authenticator, the symmetric key is safeguarded securely on the user’s desktop, laptop, PDA, handheld, or mobile phone. RSA SecurID symmetric keys may also be stored on smart card and USB devices and used in conjunction with the RSA SecurID software token on the user’s desktop.

OTP Web Toolbar

The OTP Web Toolbar offers a low-cost method by which to deploy one-time-password (OTP) technology directly to a user’s web browser. Its “Copy password” function offers the ability to automatically fill in the one-time password field in the online applications without the need to manually key in the numbers. The toolbar generates multiple one-time passwords which may be required to log into different services. This eliminates or prevents the “necklace of tokens” problem. This option is particularly suited for users that tend to transact with an organization from only one or two PCs (although multiple instances of the toolbar can be deployed, for example at work and at home).

Display Cards

Organizations can now offer their users enhanced OTP security for online activities and a heightened level of trust and confidence with a thin wallet-sized magnetic stripe card that has an embedded chip and display screen. The RSA SecurID Display Card leverages this new form factor and offers OTP-based strong security and greater portability by eliminating the need to carry an additional item on a keychain and by allowing end users to easily slip the card into a wallet or purse instead.

The RSA SecurID Display Card supports an event-based derivative of the highly successful SecurID algorithm. The “event” occurs when the user presses the button on the card to generate a new and unique password. The event-based OTP display card, supported by Adaptive Authentication, is ideal for the needs of organizations and their end users as they authenticate themselves to their online applications.
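As an added example that is neither RSA's code nor the SecurID algorithm, the following Python shows the server side of the two token styles described in this section: a time-based token whose code changes every 60 seconds and an event-based token whose code changes on each button press. It uses a generic HMAC-SHA1 truncation (HOTP/TOTP style) in place of the proprietary algorithm, checks the PIN plus tokencode combination, tolerates small clock drift or unused presses so the server stays synchronised with the token, and rejects replayed codes. Seeds, PINs and timestamps are constructed.

```python
"""Server-side verification of time-based and event-based OTPs (added example).
Uses a generic HMAC-SHA1 truncation (HOTP/TOTP style), NOT RSA's SecurID
algorithm; seeds, PINs and timestamps are constructed."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

DIGITS = 6

def hotp_code(seed: bytes, counter: int) -> str:
    """Derive a 6-digit code from a 64-bit counter (time step or press count)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"

def _split(passcode: str, pin: str):
    """Passcode = PIN followed by the tokencode; compare the PIN in constant time."""
    if not passcode.isascii() or len(passcode) != len(pin) + DIGITS:
        return None
    if not hmac.compare_digest(passcode[:len(pin)], pin):
        return None
    return passcode[len(pin):]

@dataclass
class TimeToken:
    """A token whose code changes every `step` seconds (60 s in the brief)."""
    seed: bytes
    pin: str
    step: int = 60
    drift: int = 1          # accept one step either side to absorb clock skew
    last_step: int = -1     # replay guard: a step is accepted at most once

    def tokencode(self, now: int) -> str:
        return hotp_code(self.seed, now // self.step)

    def verify(self, passcode: str, now: int) -> bool:
        code = _split(passcode, self.pin)
        if code is None:
            return False
        cur = now // self.step
        for t in range(cur - self.drift, cur + self.drift + 1):
            if t > self.last_step and hmac.compare_digest(hotp_code(self.seed, t), code):
                self.last_step = t   # the server stays synchronised with the token
                return True
        return False

@dataclass
class EventToken:
    """A token whose code changes on each button press (the display-card style)."""
    seed: bytes
    pin: str
    counter: int = 0        # last press count accepted by the server
    look_ahead: int = 5     # tolerate a few presses whose codes were never submitted

    def verify(self, passcode: str) -> bool:
        code = _split(passcode, self.pin)
        if code is None:
            return False
        for c in range(self.counter + 1, self.counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp_code(self.seed, c), code):
                self.counter = c     # resynchronise; skipped and older codes are now dead
                return True
        return False

if __name__ == "__main__":
    seed = b"constructed-seed-0123456789"
    tok = TimeToken(seed, "4321")
    now = 1_700_000_040
    print(tok.verify("4321" + tok.tokencode(now), now))   # True
    print(tok.verify("4321" + tok.tokencode(now), now))   # False: replay of the same step
    card = EventToken(seed, "9876")
    print(card.verify("9876" + hotp_code(seed, 3)))        # True: two unused presses skipped
    print(card.verify("9876" + hotp_code(seed, 2)))        # False: an older press cannot be used
```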

Flexible Deployment and Configuration Options

RSA recognizes that no two businesses share the exact same user authentication needs which is why we offer a wide array of authentication, deployment, and customization options. Adaptive Authentication can be deployed, configured, and used in a number of ways to meet the needs of an organization and its end users.

Visible or Invisible Deployment


On the other hand, some organizations prefer to use invisible authentication to monitor online activity in an effort to not disrupt or change the user experience, to avoid alerting fraudsters to the fact that a new security system is in place or as an additional protective layer against advanced threats.

On-Premise or ASP/Hosted Deployment

Organizations worldwide currently deploy Adaptive Authentication in two ways – as an on-premise installation that uses existing IT infrastructure or as a hosted (ASP) authentication service.

Multiple Configuration Options

Adaptive Authentication can be configured in a number of ways to balance security and risk without compromising the user experience. For instance, many organizations currently provide risk-based authentication for their entire user base and allow the RSA Risk Engine to determine those individuals that require additional protection. Other organizations choose an appropriate supplemental form factor based on a user’s preference or the types of activities they conduct (i.e. hardware or software tokens for individuals that conduct high-risk activities on a regular basis).

Most token form factors can be custom branded, providing an opportunity for organizations to align their brand with safety and security in order to remind their users of the value placed in their online protection.

A Proven Solution


RSA is your trusted partner

RSA, The Security Division of EMC, is the expert in information-centric security, enabling the protection of information throughout its lifecycle. RSA enables customers to cost-effectively secure critical information assets and online identities wherever they live and at every step of the way, and manage security information and events to ease the burden of compliance.

RSA offers industry-leading solutions in identity assurance & access control, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.

©2008 RSA Security Inc. All Rights Reserved.

RSA, RSA Security, the RSA logo and eFraudNetwork are either registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. EMC is a registered trademark of EMC Corporation. All other products and services mentioned are trademarks of their respective companies.
