
Authentication Challenges – Security versus Usability - ‘One Size Fits All’

Most readers already know what ‘authentication’ is and how closely it is tied to accessing resources on the network, either directly or via technologies like SSO (Single Sign-On). IT and security management teams then rely on these technologies as a central management console for controlling and managing access to resources within the enterprise.

Unfortunately, most of us, including certified security professionals, assume that these two access management technologies are enough to thwart fraudulent attempts to steal sensitive information. So to put my concerns into perspective I am going to start by re-articulating the basics, in the hope that this will help us clearly understand where the weaknesses in the current infrastructure and processes are, and how our time-tested assumptions go awry when it comes to access security.

What is authentication?
Authentication is the process of determining whether a user or identity is who they claim to be. It is accomplished using something the user knows (e.g. a password), something the user has (e.g. a security token) or something the user is (e.g. a biometric).

The authentication process is based on a measure of risk. High-risk systems, applications and information require forms of authentication that confirm the user's digital identity more accurately than a low-risk application does, where confirming the digital identity matters less from a risk perspective. The former process is commonly referred to as "stronger authentication", and stronger authentication means higher trust in the authentication process with regard to an identity.

So what is an Identity?
Every individual has a unique identity in the real world, but in the digital world (the internet or intranet), where we spend most of our time socially or otherwise, our digital identities cannot be guaranteed to be that unique and are very prone to misuse and identity theft. This is because we use and rely on technology that was designed and fostered for computation (computers) and communication (networks) but abounds with security problems, since security was always an afterthought. Traditional stronger authentication methods include digital certificates, security tokens and biometrics, but unfortunately all of these types of solutions have been compromised of late.

Security token authentication, such as hardware OTP tokens, is used to authenticate an identity (something that you have) during the login process, or when required by a single sign-on system for a higher-risk application; the identity is verified by entering the numbers appearing on the token screen along with the user's unique ID. Since the numbers appear to change randomly to the user viewing the screen (but are understood by the central authentication server), a higher degree of trust is associated with this form of authentication. However, simple social engineering attacks like phishing/pharming can easily circumvent this authentication process and inject fraudulent transactions without the knowledge of the end user. Many enterprises combine these with passwords to place a higher degree of trust in higher-risk applications or information access, but with no real security advantage.

Public key infrastructure (PKI) authentication is yet another way of performing identity authentication. An identity is issued a digital certificate by a Certificate Authority (CA), which is then presented during the authentication process to verify that the identity is who they say they are. The level of authentication trust varies for digital certificates depending on the level of identity verification done during the identity registration process as well as on the digital certificate revocation process. Unfortunately, these digital certificates were designed for encryption and not as an authentication tool, since they can easily be stolen from host machines or spoofed, although they have been deployed to authenticate and verify an identity in single sign-on systems, document management systems and web services.

Smart cards are utilized as another form of authentication token (something you have). Often they contain a digital certificate as well as additional identity attribute information. Smart card authentication is becoming widespread but has the same weakness as tokens when it comes to compromising the PIN used to unlock the smart card. The same smart cards used in the authentication process are now commonly used as well for access control mechanisms to enter physical facilities, buildings, floors and rooms.

On top of these security concerns, the operating costs for tokens, smart cards and biometrics are much higher since they must be physically issued, replaced and recovered. In spite of the various options available for authentication, each with its associated pros and cons, there is no authentication scheme which can claim to be 100% secure, and this gets worse when our infrastructure and sensitive business applications simply rely on this Boolean (pass/fail) process. This unfortunate assumption is why identity theft has become a silent crime that most people don't realize they are victims of until they apply for a loan or open a bank account. With mounting levels of identity fraud and authentication technologies not being able to overcome this, on-line organizations are literally faced with the challenge of how to improve protection of their end customers’ identities. This challenge does not just come from the direct impact of fraud losses but, even more importantly, from the impact on consumer confidence. With phishing attacks appearing in the consumer’s inbox every day and new incidents of Man-in-the-Middle attacks, customers are increasingly wary of the safety of their identities while on-line, irrespective of the kind of identity verification solution in place, whether just passwords or tokens. The result has been a slowdown in the adoption of on-line products and services, and most recently even banks have been forced to shut down some of their online ACH operations – a real loss to organizations given the expense of traditional delivery channels and, moreover, the direct pressure on the bottom line due to the current downtrend in the markets.

However, addressing these challenges has been an ambitious undertaking for on-line organizations given the conventional options available to improve identity security. Traditional methods like tokens and smart cards are expensive and significantly impact the user experience, and coupled with their known security weaknesses this often makes the cure worse than the disease. These challenges are clearly visible in the low rate of implementation of such solutions.

So is there a cost-effective way to authenticate consumers without burdening end users with physical gadgets, or a solution which can address security and usability at the same time?

Fortunately there has been substantial innovation recently in how customer authentication can be improved without the cost and usability impacts of traditional methods. These solutions take the form of real-time proactive fraud prevention platforms (unlike traditional fraud detection solutions) combined with open-standards-based multi-factor authentication security. They are designed to enhance and secure traditional authentication schemes, thereby plugging the weaknesses associated with them. Although ultimately deployed together, organizations can start with one or the other depending on their specific requirements and move to the complete solution over time.

Real-time fraud prevention represents an attractive approach as it can be used to detect identity attacks proactively in real time and stop suspect transactions. This approach does not require any change to the user experience – eliminating much of the work of rolling out a solution. A fraud prevention solution can therefore be put in production and used almost instantly to reduce fraud by detecting anomalous activities, either by deploying it within the customer’s existing enterprise environment, including identity and access management infrastructure, or by layering it as a proxy in front of existing business applications to monitor all on-line transactions without impacting the business application. The proxy-based integration approach monitors on-line traffic and extracts each user action, allowing for a complete picture of the on-line session. By monitoring all traffic rather than substantially modifying business applications, production deployments can be done in weeks, not months.

Also, these platforms are developed using open standards, so fraud prevention rules can be quickly updated and all the transaction information necessary to detect new patterns is available instantly.

For some organizations, it may be more attractive to give their end users a confidence factor through stronger authentication of the user using secure mutual authentication, as it provides more visible protection that may be desirable from a marketing perspective. In pursuing this path, it is important that any technology be open and support a spectrum of authentication methods, from transparent techniques such as machine fingerprinting to the variety of interactive approaches such as one-time-password tokens, because authentication requirements will change over time and vary for different user groups and applications. For example, in large retail environments customers may answer pre-selected questions when logging in from a risky profile (example: phishing attack, anonymizing networks, airport kiosks or strange and foreign geographies), provided this challenge/response process also does not succumb to phishing/pharming/Trojan-based attacks, while a corporate customer may authenticate during sensitive document access with a one-time-password token. Similarly, at the start of an on-line session, transparent recognition of the end user’s geography and desktop can provide an initial authentication; when the user’s on-line behavior then suggests the potential of fraud, a more interactive authentication can be triggered.

If a solution does not support a spectrum of authentication methods in a single platform and also influence session management with the user based on a centralized policy, then the platform is not flexible and open enough to support various end user, business and security needs. In such cases, organizations will end up deploying a variety of silo technologies that are expensive to integrate, operate and maintain. Regardless of where organizations start, with multi-factor mutual authentication security or with real-time fraud prevention, both will be deployed together or over time as a single strategic solution for protecting customer identities. Proactive real-time fraud prevention and detection will be used to determine risk levels by assessing the probability of fraud and to drive user authentication from the open multi-factor authentication platform. When the derived risk levels reach certain thresholds, users can be prompted for additional authentication from the open authentication platform.
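The risk-threshold-driven step-up just described, written out as an added example that is not part of the original post or of any Oracle product: session signals from the monitoring proxy are scored against fraud-indicator rules held as data, and a centralized policy maps the score to transparent recognition, challenge questions, an OTP token, or denial. The signal names, weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class SessionContext:
    """Signals the monitoring proxy extracts from a session (constructed values)."""
    user: str
    device_fingerprint: str
    country: str
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    anonymizing_network: bool = False
    transaction_amount: float = 0.0
    failed_logins: int = 0

# Fraud-indicator rules as data, name -> (predicate, assumed weight); held as
# data so they can be updated without touching the business application.
RULES = {
    "unknown_device": (lambda s: s.device_fingerprint not in s.known_devices, 30),
    "unusual_geography": (lambda s: s.country not in s.usual_countries, 25),
    "anonymizing_network": (lambda s: s.anonymizing_network, 35),
    "large_transaction": (lambda s: s.transaction_amount >= 5000, 40),
    "repeated_failures": (lambda s: s.failed_logins >= 3, 25),
}

# Centralized step-up policy, highest matching threshold wins (assumed values).
POLICY = [
    (100, "deny"),                # too risky to authenticate at all
    (70, "otp_token"),            # interactive: one-time-password token
    (40, "challenge_questions"),  # interactive: pre-selected questions
    (0, "transparent"),           # geography/desktop recognition only
]

def score_session(ctx):
    """Return (total risk score, names of the rules that fired)."""
    fired = [name for name, (pred, _weight) in RULES.items() if pred(ctx)]
    return sum(RULES[name][1] for name in fired), fired

def required_authentication(ctx):
    """Map the session's risk score to the authentication the policy demands."""
    score, fired = score_session(ctx)
    method = next(m for threshold, m in POLICY if score >= threshold)
    return method, score, fired

if __name__ == "__main__":
    profile = dict(known_devices={"fp-home"}, usual_countries={"US"})
    # Known desktop in the usual geography: transparent recognition suffices.
    print(required_authentication(SessionContext("alice", "fp-home", "US", **profile)))
    # Later in the session a large transfer appears: step up to challenge questions.
    print(required_authentication(
        SessionContext("alice", "fp-home", "US", transaction_amount=7500, **profile)))
```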

With the need to move quickly to restore customer confidence, as well as the long-term requirement for a strategic consumer authentication platform that combines real-time proactive fraud prevention with multi-factor authentication security, it becomes more important to seek out solution providers that offer complete capabilities, architected and developed from the ground up to prevent fraud, rather than point solutions or platforms with integration challenges stemming from the acquisition of disparate products. By working with providers that have deployed these capabilities in live production environments, organizations can restore confidence in the near term while ensuring, in the long run, the security of customers’ identities and their confidence in the on-line channel.


Comments (1)

challenges of internet security:

I don't know anything about fraud prevention systems. Most of my experience is in defense, so it's all authentication and encryption, not too much in the financial and transaction-type technologies and mitigation.

Interesting read.


About This Entry

This page contains a single entry from the blog posted on September 9, 2008 6:28 PM.
