Passwords, multi-factor authentication, knowledge-based questions/answers, and hard tokens are based on technologies that are now 20 years old. With organizations losing the battle against cyber attacks, it’s clearly time to move beyond these legacy technologies and adopt a modern approach in which awareness and flexibility are king. Authentication must adapt based on the level of risk, so that it can deliver strong security yet be invisible to users most of the time.
Achieving that balance of strong security and appropriate user friction is the basis for modern authentication. This session will explore what modern authentication is and why using it across all users, devices, and services is vital to turning a losing battle into a winning strategy to stop cyber attacks.
Modern Authentication – Turn a Losing Battle into a Winning Strategy, Robert Block, SVP, Identity Strategy
1. Modern Authentication: Turn a Losing Battle into a Winning Strategy
Robert Block | SVP, Identity Strategy
SecureAuth + Core Security – Better Together
2. Why are we here?
Organizations are losing the Battle
81%
“81% of hacking-related breaches leveraged either stolen and/or weak passwords.”
2017 Verizon Data Breach Investigations Report
3. Passwords have layers of problems
COMPLEXITY + HYGIENE + COSTS
Credits: Adrian Zumbrunen; Wakefield Password Survey; CIAM 2017 Flanagan keynote
4. 2FA has layers of problems
Disruptive UX + Limited Deployment + Vulnerable
Credits: Scott Adams; Wakefield 2FA survey
6. How did we get here
Authentication in the Beginning…
• Physically protected
• No remote connectivity
• Limited number of users
• One system
• Life was good.
7. Today’s Authentication Toolkit
Any Device · Any ID Type · Any VPN · Any ID Store · Any MFA
PASSWORDS
• Complex passwords
• Self-service password reset
• Password vaulting
• Password generators
2FA/MFA
• Hard/soft tokens
• OTP via email, text, phone
• CAC/PIV
• Biometrics
• Certificates
• Device recognition
• Behavioral biometrics
SSO
• SAML
• OAuth
• WS-Fed
• WS-Trust
• OpenID
IDENTITY PROVIDER
• Directory connector
• User self-service
• REST API
Organizations are losing the Battle
8. Authentication Security is falling behind
COMPUTING
• 1946 The first commercial computer
• 1970 The first modern computer
• 1973 The first ethernet cable
• 1974 Internet
• 1990 HTML
• 1998 Google
• 2007 The first iPhone
• 2008 First Android phones launched
• 2009 LTE introduced
• 2013 First smartwatch: Pebble
• 2018 Mobile as desktop replacement
AUTHENTICATION
• 1961 First password developed
• 1979 Data Encryption Standard (DES) developed
• 1993 Hardware token – SecurID – developed
• 1995 First patent filed for two-factor authentication
• 1996 Advanced Encryption Standard (AES) developed
• 2002 SAML standard developed
• 2013 FIDO launched; Touch ID launched
• 2018 Face recognition; Iris recognition
Organizations are losing the Battle
9. IAM Solution Drivers
What are IAM professionals looking for? (Average driver importance on a 0-100 scale)
• Strengthening identity and access security: 63
• Meeting compliance and regulatory standards: 59
• Improving ability to detect insider threats: 55
• Simplifying user access: 50
• Ability to integrate with present IAM solutions: 46
• Keeping within budgets: 45
• Making admin easier: 41
• Reducing admin costs: 41
Organizations are losing the Battle
10. Why do security professionals invest in IT security?
What are security professionals looking for? (Scored on a 0-100 scale)
• Protection of sensitive data: 63
• Regulatory compliance: 57
• Reducing incidents and breaches: 32
• Protection of intellectual property: 20
• Alignment with organizational and IT strategic …: 19
• Protecting brand reputation: 17
• Reducing attack surface: 17
• Improving visibility into security operations: 15
• New, advanced threats and techniques: 10
• End user education and awareness: 9
• Improving incident response: 9
Organizations are losing the Battle
11. A Winning Strategy: Modern Authentication
1. Adaptable user experience
2. Authentication appropriate to risk
3. Invisible analysis
4. Authentication is flexibly deployed and contributes outside of authentication
12. A Winning Strategy – 1. Adaptable User Experience
• A common misconception has been propagated by security professionals, and it needs to be dispelled.
• End users are not lazy.
• End users are empowered to participate.
• End users want more control than ever before.
• End User Choice must be a fundamental component:
  • Choice of endpoint
  • Choice of interaction experience
  • Choice of Identity Provider
  • Choice of additional factor when required
13. A Winning Strategy – 2. Authentication Appropriate to Risk
Authentication has far too long been thought of as a binary event. The MFA approach suffers from a binary authentication event approach. Modern authentication views authentication as a risk score. Risk is not static; it is dynamic and changes throughout a user's session.
∑ (Probability of compromise) × (Impact) = Risk mitigation by authentication challenges
14. A Winning Strategy – 3. Invisible Analysis
• Risk-based authentication needs to be a fundamental component of modern authentication.
• Risk-based authentication measures attributes of the activity that a user is performing and calculates a risk score.
Advantages of this approach include:
• Analysis is invisible to the end user
• More layers = more security
• Maximize both usability and security
Risk checks done behind the scenes
15. A Winning Strategy – 4. Flexibly deployed and integrates across ecosystem
Deployment: Cloud, Hybrid, On-prem
Integrations: SIEM, PAM, UEBA, EMM, IGA, CSA
16. Machine learning driven Adaptive Authentication
Risk based analytics = modern technology
SecureAuth Modern Authentication Solution:
• 3rd Party Risk Analysis
• Location Risk Analysis
• Credential Risk Analysis
• Device Security Risk Analysis
• Data Access Risk Analysis
• Application Access Risk Analysis
• Event Risk Analysis
17. Modern Authentication: putting it all together
SecureAuth Modern Authentication Solution – DETECT / PROTECT / ORCHESTRATE
Machine learning driven Adaptive Authentication: 3rd Party, Location, Credential, Device Security, Data Access, Application Access and Event Risk Analysis
+ Challenge with MFA
+ Accept Access
+ Deny Access
+ Redirect Access
+ Contain identity
+ Revoke granted access
+ Initiate Certification
+ Increase alert fidelity
+ Decrease event noise
18. Modern Authentication in practice
Risk level: Low → Medium → High
Activity category: Standard Usage → Allowable Deviation → Unclear Deviation → Suspicious Activity → Malicious Activity
Response options: Allow / MFA Step / Redirect / Deny
Example identities: dtepe@secureauth.com (***********) and hack@cyberattack.com (**********)
SecureAuth Modern Authentication Solution checks:
• Device Recognition
• Threat Service
• Directory Lookup
• Geo-Location
• Geo-Velocity
• Geo-Fencing
• Phone Number Fraud Prevention
• Behavioral Biometrics
• Identity Governance
• User & Entity Behavior Analytics
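The following Python sketch is an added example, not code from the deck or from SecureAuth's product. It carries slide 13's ∑ (Probability of compromise) × (Impact) through a handful of the behind-the-scenes checks named on slides 14 and 18 (device recognition, threat service, directory lookup, geo-velocity, geo-fencing) and maps the summed score onto the Low / Medium / High bands and the Allow / MFA Step / Deny outcomes. The signal names, per-signal probabilities and impact weights, the band thresholds, the 900 km/h travel-speed limit and the three constructed login events are all illustrative assumptions; the Redirect outcome from slide 18 is left out to keep the decision table short.

```python
"""Risk-scored authentication decision (added example; assumptions labelled)."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Tuple


@dataclass(frozen=True)
class LoginEvent:
    """Attributes of one authentication attempt (constructed sample data)."""
    user: str
    device_known: bool          # device recognition
    ip_on_threat_list: bool     # threat service
    in_directory: bool          # directory lookup
    lat: float                  # geo-location of this attempt
    lon: float
    prev_lat: float             # geo-location of the previous session
    prev_lon: float
    hours_since_prev: float     # time elapsed between the two sessions
    in_allowed_region: bool     # geo-fencing


def km_between(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance (haversine) used by the geo-velocity check."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


# Assumption: faster than an airliner between two sessions means impossible travel.
MAX_PLAUSIBLE_KMH = 900.0

# Assumption: (probability of compromise if the check fires, impact weight).
PROB_IMPACT: Dict[str, Tuple[float, float]] = {
    "device_unrecognised": (0.3, 0.5),
    "threat_service_hit": (0.9, 1.0),
    "directory_miss": (0.95, 1.0),
    "geo_velocity_impossible": (0.8, 0.8),
    "geo_fence_violation": (0.5, 0.6),
}


def evaluate_signals(ev: LoginEvent) -> Dict[str, float]:
    """Run the behind-the-scenes checks; return probability x impact per fired signal."""
    distance = km_between(ev.prev_lat, ev.prev_lon, ev.lat, ev.lon)
    speed = distance / max(ev.hours_since_prev, 1e-6)
    fired = {
        "device_unrecognised": not ev.device_known,
        "threat_service_hit": ev.ip_on_threat_list,
        "directory_miss": not ev.in_directory,
        "geo_velocity_impossible": speed > MAX_PLAUSIBLE_KMH,
        "geo_fence_violation": not ev.in_allowed_region,
    }
    return {name: p * i for name, (p, i) in PROB_IMPACT.items() if fired[name]}


def risk_score(ev: LoginEvent) -> float:
    """Sum of (probability of compromise) x (impact) over the signals that fired."""
    return round(sum(evaluate_signals(ev).values()), 3)


def decide(ev: LoginEvent) -> Tuple[str, str]:
    """Map the score to a risk band and an outcome (thresholds are assumptions)."""
    score = risk_score(ev)
    if score < 0.2:
        return "Low", "Allow"
    if score < 1.0:
        return "Medium", "MFA Step"
    return "High", "Deny"


# Constructed sample events (coordinates approximate Boston, London, Sydney).
LEGITIMATE = LoginEvent("dtepe@secureauth.com", True, False, True,
                        42.36, -71.06, 42.36, -71.06, 2.0, True)
NEW_DEVICE_ABROAD = LoginEvent("dtepe@secureauth.com", False, False, True,
                               51.51, -0.13, 42.36, -71.06, 9.0, False)
ATTACKER = LoginEvent("hack@cyberattack.com", False, True, False,
                      -33.87, 151.21, 42.36, -71.06, 1.0, False)

if __name__ == "__main__":
    for ev in (LEGITIMATE, NEW_DEVICE_ABROAD, ATTACKER):
        band, outcome = decide(ev)
        print(f"{ev.user:26} score={risk_score(ev):<5} {band:6} -> {outcome}")
```

Because every check contributes a separate term, adding a signal (behavioral biometrics, UEBA) means adding one entry to `PROB_IMPACT` and one boolean to `fired`; the legitimate user on a known device never sees a challenge, the same user on a new device abroad gets an MFA step, and the unknown identity arriving from a listed IP with an impossible-travel distance is denied outright.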
19. Modern Authentication – Considerations & Next Steps
There are numerous considerations that need to be weighed and navigated as part of modern authentication. R/evolution: next steps require reframing your beliefs and culture, changing what you ask for, and how you ask for it.
Technical Considerations
+ What authentication infrastructure is in place today – how does a modern solution provider complement / replace this solution?
+ What additional cyber security investments do I have that my modern solution provider can make more effective?
+ What APIs and standards do I care about most, and why?
+ What applications do I own, and what do I own within them?
Security Considerations
+ What do I need to consider in modernizing my risk tolerance and guidance?
+ Which factors are we willing to embrace from a security perspective, and why?
End User Considerations
+ What is appropriate friction in each user category?
+ Document use cases per category
+ % of smartphone-enabled categories
+ What are they willing to share with my organization?
20. Conclusion – Modern Authentication: A Winning Strategy
• The definitions for Authentication were born in a different 'day' and based upon technology and approaches that are 20 years old.
• Passwords are the internet's version of asbestos.
• Modern Authentication must balance security & end user experience.
• Modern Authentication must be measurable against credential use (translation = the Breach).
• Modern authentication has the following key tenets:
  1. Adaptable user experience
  2. Authentication appropriate to risk
  3. Invisible analysis
  4. Flexibly deployed and integrates across infrastructure