Page 1 of 10. DIGIPASS Plus

Transcription

1 DIGIPASS Plus A Federated Identity White Page 1 of 10

2 DISCLAIMER Disclaimer of Warranties and Limitations of Liabilities The Product is provided on an 'as is' basis, withoutt any otherr warranties, or conditions, express or implied, including but not limited to warranties of merchantable quality, merchantability of fitness for a particular purpose, or those arising by law, statute, usage of trade or course of dealing. The entire risk as to the results and performance of the product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, including but not limited to loss of revenue or profit, lost or damaged data of other commercial or economic loss, even if we have been advised of the possibility of such damages or they are foreseeable; or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers and supplierss shall not exceed the amount paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default is a breach of a fundamental condition or term, or a fundamental breach. Some states/countries do not allow the exclusion or limitation or liability for consequential or incidental damages so the above limitation may nott apply to you. Copyright No part of this publication may be reproduced, storedd in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc. Trademarks DIGIPASS & VACMAN are registered trademarks of VASCO Data Security. All other trademarks or trade names are the property of their respective owners. VASCO reserves the right to make changes to specifications at any timee and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable. However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use. Page 2 of 10

3 CONTENTS Abstract... 4 What is a Federated Identity?... 5 VASCO s Authentication Philosophy... 6 An Opportunity Revealed... 6 DIGIPASS Plus (DP+)... 7 The tools of VASCO Federated Identity... 8 The Intersection of Security and Value... 8 Captive Federation... 9 Consumer Federation VASCO Partnership Approach Conclusionn Page 3 of 10

4 ABSTRACT This paper outlines the opportunity to extend authentication beyond traditional security and enhance its deployment by federating identities to multiple ebanking, ecommerce, egaming, and egovernment sites. DIGIPASS Plus identifies a shift in multi-factor authentication (MFA): building upon the proliferation of DIGIPASSS devices and credentials to garner additional business opportunities and provide further value to users. DIGIPASSS Plus achieves this end by leveraging the distribution of existing deployments and enabling a variety of devices to support a second identity in addition to their normal functions. This provides an opportunity to extend authentication to new applications and partnershipss that are not secured effectively today. This solution improves customer adoption and retention, enhances third party co-marketing opportunities, andd builds a revenue model to recoup the costs of MFA deployments. DIGIPASS Plus provides a tool for application owners to bring new applications, products, and services to their users while securing their users against online fraud attacks. Page 4 of 10

5 Beyond securing against the risks associated with exchanging sensitivee information or performing transactions over the Internet, an opportunity exists to extend authentication as a means of increasing business. If done properly, business owners can take advantage of market shifts and consumer behaviors to provide a valuable service to their customers by extending secure access to third party applicationss which bring value to the user and businesss owner. Essential to achieving the balance between security and business is having a high degree of confidence in the authenticity of users and a trusted source to manage the connections between multiple parties. This connection of these pieces and its implementation is referred to as federated identity management. If done properly, federated identity managemen nt can provide an opportunity forr both application providers and users. The process is based on utilizing proven technology to leveragee the emergence of new applications, such as social networking, and understanding impact these applications will have on their users online experience for years too come. This paper will build upon an existing authentication methodology used by some of the world s most prestigious companies. It will illustrate the opportunity for an improved authentication model in order to (a) extend the valuee to customers (b) recoup costs to the application providerr (c) generate revenuee opportunities for tomorrow and (d) differentiate your business. WHAT IS A FEDERATED IDENTITY? Wikipedia defines federation as The virtual reunion, or assembled identity, of a person s information, stored across multiple distinct management systems. In a practical sense, a federated identity is the technology and agreement between multiple parties to allow users access across different sites with the same identity. Ideally, this is a convenience to the user and an economic benefit to the providers. The federated identity has evolved over the years with varying the way there have been three aspectss that havee advanced identity. degrees of the vision success. Along of a federated 1. The Liberty Alliance began by establishing thee policies, business, and technology to provide a trusted identity from one site to another. The Liberty Alliance brought together major vendors, banks, and technologists to define the standards of authentication. 2. Microsoft Passport (Windows Live ID) allowedd users to sign in with one credential (username and password) and use them on other Microsoft Passport sites. On a regular basiss users accessed MSN messenger and hotmail with a single credential. Page 5 of 10

6 3. OPEN ID and OAuth have both worked to establish open web standards to give users one login to access multiple sites and to authorize websites to access data from one another. While determining the role VASCO could play in building a federated identity for our customers, it was critical to understand our limits and capabilities. The goal of VASCO has always been to provide services to our customers that make the online experience more convenient and secure for users. As such, VASCO has focused on delivering the tools and services that make this goal possible. VASCO S AUT THENTICATION PHILOSOPHY VASCO believes that the best model for a federatedd authentication solution is to combine security, user convenience, and access to key applications from one platform.). In order to deliver a solution that meets the requirements of the application owner, user, and third party application a process was required to leverage existing technology and processes being used around the globe. The best method includes improving upon what works today and collaborating with partners to achieve a common goal tomorrow. VASCO brings a family approach to authentication and designed all solutions to work on one single infrastructure, as shown in Figure 1. Any VASCO customer can add or deploy any/all VASCO solution without making significant changes to their existing set-up. The solutions are designed to provide a broad range of alternatives that can satisfy the demands of any customer ranging from the most secure (higher cost,, lower userr convenience), to the most user friendly (lower cost, lower security). Hardware and software DIGIPASS are practical when used for securing customer-facing applications. If the user remains a customer for a period of time the application provider can distribute hardware DIGIPASS to the user base and justify the cost of the solution over the period of time the user is a customer to the application provider. AN OPPORTUNO NITY REVEALED VASCO s global experiences over the past decade have revealed an opportunity to expand the value of authentication to its customers and address a longstanding need in the market. With over 100+ million users accessing online accounts, many of these users are able to access only one application with one DIGIPASS and must have multiple devices in order to access various sites. Many of the online users today access different applications with a multitude of hardware, software, card readers, and mobile devices. Userss could be faced with the inconvenience of carrying a token necklace in order to accesss multiple online accounts securely. As an example, a user can havee one token to accesss their corporate VPN, one to access their online bank, and yet another to access their gaming site. Furthermore, with the constantly changing and complex password models used to secure Page 6 of 10

7 many online accounts the authorization process for a user is becoming more complicated and inconvenient. Nevertheless, the ever shifting landscape of sophisticated internet fraud has driven the requirements of online providers across all industries and countries to (1) secure its users against attacks, (2) improve the level of services they provide to their users, and (3) build a model that can be applicable tomorrow. Users could be faced with the inconvenience of carrying a token necklace in order to access multiple accounts securely. DIGIPASS PLUS (DP+) DIGIPASS Plus (DP+) represents the latest evolution of VASCO s continued market leadership and vision. In recognizing the evolution of the worldwide authentication market and the demand for more convenient, portable, and cost-effective methods of adding security to all online applications and functions, VASCO has embarked on a mission to expand the use of authentication to any platform, at any time, for any application. The mission of DP+ is to provide a service to customerss that will allow them to expand their authentication deployment and open access to new applications that are critical to the future. The mission of DP+ is to provide a service to customers thatt will allow them to expand their authentication deployment and open access to new applications VASCO s philosophy dictates that any successful deployment of authentication is a compromise between security, user convenience, andd cost. Therefore, any expansion of an authentication strategy must be based on the same principal in order for the plan to succeed. VASCO has maintained its fundamental approach to security with DP+ and has done so in a way that provides a platform for customers to benefit for years to come. Page 7 of 10

8 THE TOOLS OF VASCO F FEDERATEDD IDENTITYY With the basic definition of federated identity established, we can discuss the different tools that can be used to verify identities across multiple parties. They are: DIGIPASS CLIENT VASCO s suite of products designed to generate dynamic passwords and/or electronic signatures. A DIGIPASS is engineered to secure access to an online application (e.g. online banking, gaming, social networking) or transaction that is protected by a VASCO back end. DIGIPASS PLUS VASCO s suite of products including a second identity which is embedded within the DIGIPASS client. VACMAN V CONTROLLERC R/IDENTIKEY VASCO s server technology which accepts/rejects a DIGIPASS authentication request from a user. DIGIPASS AS A SERVICE (DPS) PLATFORM VASCO s hosted authentication service. PROVISIONINP NG The distribution of DIGIPASS clients to end users. Provisioning includes shipment, software downloads, licensee keys, and activation. MULTI-FACTOM OR AUTHENTICATION The process of insuring a user is who they claim to be by using two separate methods (e.g. a user s PIN and a device) in conjuncture. THE INTERSECTION OF SECURITY AND VALUEE VASCO has taken a unique approach to building a federated community. While many technologists, vendors, and open source communities pursued a federation in a holistic fashion, VASCO has elected for a pragmatic approach to solving the problem that has vexed application providers and consumers for years. This was a result of considering successful multi-factor authentication deployments thoughout the years a number and recognizingg the emergence of several similarities. First, the most succesful deployments have been driven by a business minded professional that sees security as an enabler to do more businesss for their organization. These people balance cost with risk and opportunity, and are proactive in their approach to growing businesss for their organization. Second, these deployments have been an evolution, not a singular event. The deployment, technology, communication, and application all adapt to the shifts in user behavior, risks, and market conditions. Third, business owners have proven to be eager to understand the various experiences from other professionals. If joined together, these professionals share and collaborate with each other. In the case of online fraud, the only true competition is the fraudsters. Page 8 of 10

9 By looking at thesee similaritiess over the years we can define a process that is based on success and expand upon it. The first step in building a process is to do so without disrupting what is working today. Therefore, DIGIPASS Plus is designed as an embedded credential that is dormant in the device. Whereas a traditional DIGIPASSS is programmed with the unique parameters specfied by a customer too generate a one time password and/or electronic signature, a DIGIPASS Plus device will include a separate crednential which remains hidden. The dormant credential is separatee from the primary authentication key, which remains the property of the main application. Because the DP+ key is hidden and its host key remains within VASCO it is completely separate from the primary application and the security and control of the application remains the same as a traditional deployment. At a time chosen by the customer, the customer has the option to communicate with its user and activate the dormantt DP+ credential. This DP+ credential could then be used to authenticate to third-party applications that support the DP+ credential. Such examples include social networkingg sites, online publications, gaming, or electronic commerce. The DP+ key is hidden and its secret remains with VASCO completely separate from the primary application CAPTIVE FEDERATION The potential of DIGIPASS Plus offers a number of possible benefits to customers. The most easily recognizable benefit is that of a captive federation. Any organization thatt has protected its users with multi-factor authentication and looks to expand its usage to third- while not compromising the integrity of the primary application. In the case of commercial banking applications, there are a number of differentt applications that can be valuable to a party applications it does not control can utilize DP+ to access these applications securely small business. Such applications include payroll, insurance, and numerous financial services. Captive federation would allow the commercial banking operator to provide additional services to their users securely. In doing so, the bank is able to bring more value to its customers. Page 9 of 10

10 CONSUMER FEDERATION With the massive growth of social networking, onlinee gaming, and cloud computing, many consumers are accessing more private information online than ever before. The risks increase with each new account, avatar, picture, or piece of sensitive material that is posted online. In most scenarios consumers are accessing this information with usernamess and passwords and are susceptible to the same threats ass phishing, pharming, trojans, and key loggers. DIGIPASS Plus is designed to protect these consumer applications with multi-factor authentication. To achieve this, VASCO is working with its customers and the consumer application providers to link the authentication process to VASCO s cloud services platform, DPS. Consumer applications that are supported by DPS will be accessible via the DP+ key. DP+ customers, have an opportunity to connect with their consumers like never before. VASCO PARTNERSHIP APPROACH The primary goal of VASCO s federation model is to grow the benefit for our customerss and to address the security needs of the online user. By expanding the value of a DIGIPASS credential, VASCO can help our customerss expand into new opportunities in a fast changing global market. Thus generating new revenue opportunities and improving the retention rates for application owners. This expansion is not done without an eye on what has generated our success. VASCO s approach is designed to work with our existing customers and to maintain the level of trust that we have established over the years. VASCO has built a reputation in the market for products that work, are usable, and effective. VASCO cannot break this bond with its customers. CONCLUSION DIGIPASS Plus is built on the same fundamentals that have helped VASCO secure over one hundred million users around the globe. VASCO s commitmentt to balance security, cost, and easee of use has produced new breakthroughs for our customers. DIGIPASS Plus is the latest tool that is designed to allow application owners to expand its reach into applications and third-party businesses. The benefit of DIGIPASS Plus is that the DIGIPASS Plus key remains dormant and can be activated at a time of the application owners discretion. This solution is geared to help improve customer adoption and retention, enhances third party co-marketing opportunities, and builds a revenue model to recoup the costs of MFA deployments. Page 10 of 10