Wednesday Feb 04, 2015

Security and the User Experience: A Balancing Act

Author: Forest Yin

Security is a key business consideration to protect customer data and transactions, business secrets and intellectual property (IP) as well as ensure compliance with regulations. On the other hand, better user experience is critical as it attracts more customers with more transactions or enables employees to be more productive.

But how can you provide better user experience while at the same time enhance security?

Let’s take a look at a real-world example. A large bank used to provide mobile online banking through their browser applications. However, their customer rating of mobile online banking experience was well below the bank’s competitors. As mobile banking is becoming the most important channel of customer interaction, in order to better compete, the bank decided to provide a native mobile application for online banking.

However, mobile banking has inherently higher risk than traditional channels. For example, the device can be easily lost or stolen, and the password can be easily obtained through shoulder surfing. Given these challenges, stronger security is required for mobile access. But due to user experience considerations, the bank cannot require customers to register their devices or require customers to always use one-time-password (OTP) or other types of multi-factor-authentication (MFA), which may turn customers away.

Even the typical web username and password based login is inconvenient for mobile access.

To ensure tight security while providing excellent user experience, the bank implemented a solution with the following capabilities:

1. Initial setup process

a. When the customer first downloads and installs the native mobile banking application on a mobile device, the user registers the application with the backend server through user name and password authentication.

b. As this is the first time the device with the application is trying to connect to the backend, a one-time-password through email or SMS is sent to the user to further validate the user.

c. Once the user is validated upon application registration, the device fingerprint is taken automatically to register the device for the user.

d. The user can then set up a 4- to 6-digit pin for their future online banking access.

2. Online banking experience after initial setup

a. The user launches the mobile app on the mobile device with a pin.

b. To look up an account balance, no further user authentication is needed if the device fingerprint is validated (automatically in the background).

c. Banking transactions such as money transfers require a pin-based authentication without the need for username-password authentication.

3. Risk control and adaptive authentication. Although the banking experience above is a typical user experience for majority of customers most of the time, the solution is monitoring and analyzing risk based on real-time context such as device, location, transaction amount, frequency, etc., based on defined policies and access patterns. If the risk is deemed high, the user may be required to further authenticate using OTP or Knowledge Based Authentication (KBA) or in some cases the user may be denied access altogether.

With the launch of native-application-based online banking and the excellent user experience provided, the bank’s new mobile online banking service gained wide adoption and the bank’s service rating increased substantially.

The key to balancing security with user experience is an intelligent Access Management solution that understands real-time risk and context and accordingly takes adaptive actions. For example, we all know that passwords are not safe enough. However, it is not practical to require all consumers or even all employees to use MFA all the time due to experience and adoption issues. Security and user experience can be balanced through an intelligent security system.

Users appreciate the fact that they can continue to use passwords as they
always have and will only be challenged further with MFA when risk is high.

In future blogs, we will talk about how Oracle Access Management can intelligently provide context-aware, content-aware and risk-aware access to simplify user experience, so please stay tuned.

About the Author

Forest Yin is the Senior Director of Product Management for Oracle Access Management and Directory Services product lines. Forest has been in the identity management industry for almost 15 years starting with Netegrity.
THE AUTHOR can be reached via LinkedIn

Visit the Oracle Technology Network for more information about Oracle Identity Management Products including downloads, documentation and samples

Engage with us on Twitter @oracleidm and follow us here in the Identity Management blog.

Wednesday Jan 14, 2015

The Future of User Authentication

Author: Prateek Mishra

As business and citizen services, entertainment and social life all become digitized and virtualized, passwords emerge as a key piece of data to be used for stealing information and online resources. In the past, this was a possibility and an occasional occurrence but in recent years the Apple Celebrity Photo breach [1], JPMorgan [2] and Pharmaceutical Company [3] data breaches have demonstrated the increasing scale and range of password-based threats to businesses. It is interesting to observe that each of these three breaches demonstrates a *different aspect* of the "password problem": ability to guess or reset passwords, password re-use and subsequent discovery from a website with weak security controls, and last, phishing attacks targeted at executives or administrators.

Pundits, bloggers, security gurus and journalists have all declared passwords "dead".
The Motorola login pill [4], the heartbeat monitor [5] and device hardware [6] are just a few of the many claimants jostling for a tryout as password replacements. So are we finally at a point where passwords will no longer be used to login to your employer or at your online medical portal?

To get some perspective, it helps to step back and review the overall context in which passwords are used and the different parties involved. For the business or service provider, passwords are a *scalable* and *low-cost* way to control access to services. For the user, there is a familiarity and ease with the *ceremony* of password use and the overall *user-experience*. Finally, both businesses and users share a conceptual and visual understanding of login page, user registration, forgotten password service and so on.

A successful new model for authentication must address these issues. While business costs and administrative overhead are important, a predictable and easily learnt user-experience is critical and for obvious reasons. The best authentication model is useless if customers or employees find it difficult to use. This is the key reason why it has proven so difficult to transition away from passwords - even after many years of effort - Bill Gates [7] had called for their removal almost a decade ago!

As we are all aware, one significant technological change in the past five years has been the worldwide availability of phones - smart phones (now widespread in the developed world) and wireless feature phones (in the developing world). And perhaps herein lies the future of authentication. We all know how to use a phone and its services, and we are being trained to download and install applications. Phone features are constantly being improved and a foundation for innovative ways to authenticate.

The popularity of a phone-based "authenticator app" which provides TOTP (Time-Based One-Time Passwords) to augment existing password systems is a great example. The technology is well-known and was standardized in RFC 6238 [8] by IETF (the folks who helped define most of the protocols for the internet such as HTTP and SMTP). As an open standard, it has been reviewed by leading experts in the field and so we can have some reasonable expectations of its robustness and quality.

Many websites and vendors now provide such an app: for example, the Oracle Mobile Authenticator can be installed on Android [9] devices or an iPhone [10] and works in concert with the Oracle Access Manager. Once a user has installed the authenticator app, they are guided through a registration process which connects the app to their online account. Notice that a password is still required for this step. The app generates six digit (pseudo) random numbers, in a sequence specific to the user, typically changing to a new number every 30 seconds.

At subsequent logons, in addition to their password, the user is prompted to enter the current random number displayed by the app. Even if the password has been compromised and is known to an attacker, the attacker will be unable to login to the user account.

Clearly this "password+otp" model has its limitations. An attacker could "phish" both the password and the code and within a few seconds login into the user account. A more sophisticated attacker could extract information about the random number generator from the app or the target website and simulate the random number sequence used by the app.

Nevertheless, this model protects against a common attack - where the password was guessed or discovered at a previous time. The level of security sought by a business should be based on the value of the resource and types of attacks against which it is trying to protect itself. The goal is to *impose costs* on an anticipated class of attacks, versus achieving some security ideal. The password+otp user-experience remains a familiar one, though individuals do have to learn the extra step of viewing the app on their phones to retrieve the current number, and entering into a login screen.

Passwords aren't dead but they are going to be less important in the future. They will provide only one component of user authentication, though the conceptual and visual model of the login page will be retained. There are going to be lots of experiments, some profound and some silly (authentication tattoos anyone?), that companies and researchers will bring forward. The recent iPhone 6 [11] fingerprint scanner and Keychain integration is an intriguing sample: how can it be integrated with the familiar login experience and might it become a universal feature of smart phones in the future?


About the Author

Prateek Mishra is Technical Director at the Identity Management Division, Oracle. His group participates in standards and open source activities, including OAuth and OpenAz. He is best known for his pioneering role in conceptualizing and creating the SAML identity standard.
Prateek can be reached via LinkedIn

Visit the Oracle Technology Network for more information about Oracle Identity Management Products including downloads, documentation and samples

Engage with us on Twitter @oracleidm and follow us here in the Identity Management blog.

Monday May 05, 2014

Is Mobility Creating New Identity and Access Challenges? - by Marcel Rizcallah

Are mobile, social, big data and cloud services generating new Identity and Access Management challenges? Guest blogger Marcel Rizcallah is the EMEA Domain Leader for Security at Oracle Consulting and today will highlight some of the new IAM challenges faced by customers with Cloud services and Mobile applications.

Sales force users ask more often for iPad or mobile devices to access Cloud services, such as CRM applications. A typical requirement is to use an AD or corporate directory account to login seamlessly into the Cloud service, either with a web browser or a downloaded application on a device. The benefits, compared to a different login/password provided by the Cloud provider, is more security and better identity governance for their organization; password policy is enforced, CRM services are granted to sales people only and Cloud accounts are de-provisioned immediately when people leave.

Integrating a mobile device browser with the intranet is easily addressed with federation solutions using the SAML standard. The user provides his login and password only once and tools such as Oracle Mobile Security Suite and Oracle Access Manager provide the end-to-end integration with the corporate directory.

Authenticating through a downloaded application provided by the Cloud service may be more complex; the user authenticates locally and the device application checks first the credentials in the cloud environment. The credentials are relayed to the organization’s intranet using REST services or standards such as SAML to validate the credentials.

Integrating IAM services between SaaS applications in the Cloud and the corporate intranet may lead to a weird situation. Let’s look at this example: one of my customers discovered that their CRM SaaS application, provided by a public Cloud environment, was supposed to be SAML compliant, yet did not correctly generate one of the SAML messages when authenticating through a downloaded application on the device. Despite all parties agreeing that this is a bug, fixing the Cloud application was not an option because of the possible impact on millions of Cloud customers. On the other hand, changing the Oracle Access Manager product, fully compliant to SAML 2.0, was not an option either. The short term solution would be to build a custom credential validation plug-in in Oracle Access Manager or an integration tool, such as Oracle API Gateway to transform the wrong message on the fly! Of course this should not stay a long term solution!

When we ask customers which SSO or Identity Governance services are the priority for integrating Cloud SaaS applications with their intranet, most of them says it’s SSO. Actually SSO is more urgent because users want to access Cloud services seamlessly from the intranet. But that’s the visible part of the iceberg; if Cloud accounts are not aligned to employees referential or sales force users, customers will end up paying more license fees to the Cloud provider than needed. SSO with Oracle Access Manager will improve customer experience, but cloud provisioning / de-provisioning with Oracle Identity Governance will optimize Cloud costs.

Use the following links to learn more about Oracle IDM products and Oracle Consulting Services for IDM.

Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.


« August 2016