Transitioning to Push Authentication

Transcription

1 Transitioning to Push Authentication Summary Current out-of-band authen ca on solu ons have not proven to be up to the task of protec ng cri cal user data, and have been disabled in a variety of recent a acks leading to millions of dollars in losses. Push no fica ons offer the opportunity to make out-of-band authen ca on more cost-effec ve and secure, while also providing protected two-way communica on that enables a variety of other use cases. With the power of Push Authen ca on, available as part of the DetectID mul -factor authen ca on pla orm from Easy Solu ons, your organiza on can start replacing SMS-based security measures and deepen the customer rela onships that make your business valuable.

2 Push Notifications: Mobile, Actionable & Smart Authentication Push no fica ons enable true out-of-band authen ca on via push messages delivered over a secure channel to enable mutual verifica on between the enterprise and user. It is a vast improvement over tradi onal forms of two-factor authen ca on for a variety of reasons. Be er interac ons with your customer Push no fica ons deliver value to your customers right on their home screens. Push is a proven, proac ve way to drive engagement and improve customer reten on with your app and brand. According to technology consul ng firm Forrester Research, "Marketers we interviewed already witness 50% higher open rates on push no fica ons versus . Click-through rates can be twice as high, too. 1 Push no fica ons create a feedback loop from your customers with a number of benefits for both consumers and financial ins tu ons, including increased interac on efficiency and improved security over exis ng authen ca on methods. They can even assist in portraying your brand as proac ve, helpful and modern. A Smooth Transi on from SMS-based Authen ca on If you are red of the unpredictable cost structure, low security, bad user experience and dependency on telecommunica ons operators that one- me passwords usually possess, push technology provides an excellent alterna ve. Enabling push instantly lowers opera ng overhead by elimina ng the cost per text or the expense of sending hardware tokens to an en re customer base, while also improving the end-user experience. Instead of going through the steps from ini a ng the login process to receiving and entering an OTP via text, end users can now instantly verify these requests right on their phone with a tap of the screen. Ac onable Security Alert Delivery Authen ca on is just one use case for push technology. There are many more benefits that both organiza ons and their customers gain from the use of push no fica ons. For example, you can put customer minds at ease with ac onable protec on alerts. By integra ng push no fica ons with fraud monitoring tools, your customer can receive alerts if any irregular or possibly fraudulent ac vity is detected. Poten al fraud concerns can then be verified in seconds, with the ability to automa cally dispute the transac on, cancel the card or acknowledge a transac on as legi mate. This is a clear advantage over one-way fraud no fica ons, which o en result in phone calls to call centers where customer service representa ves have no visibility into the fraud alert sent to the customer most of the me. Improvements to the High-Risk Transac on Verifica on Process Instead of manually contac ng your cash management customers to verify high risk wire and ACH transac ons or require verifica on over the phone for trade orders, you can leverage push no fica ons to streamline these processes, and decrease the amount of manual callbacks to verify high-risk transac ons. The integrated audi ng capability of push no fica ons allows your organiza on to keep track of all interac ons performed with customers as they relate to transac on verifica on. 2 www. e a s y s o l.n e t 1 Push Mobile Engagement to the Next Level, Forrester Research, Inc., 10/17/2013

3 Key Inhibitors to New Authentication Systems Reliable online authen ca on is the primary obstacle keeping cybercriminals from stealing sensi ve customer bank account data. Companies have been adop ng stronger authen ca on by adding one or two extra factors is to protect important personal data. But over the years, hackers have learned to bypass some of legacy factors and once again gain access to sensi ve data. There is an increased need to start upgrading to a stronger authen ca on system and move toward mobile, but providers are o en hesitant to deploy new authen ca on due to three major inhibitors: cost, usability, and security. Cost The high cost of tradi onal strong authen ca on solu ons has o en been a major barrier to changing them for consumer applica ons. In most cases, the main business problem is authen ca ng a massive user base with mul ple and diverse devices at a scalable price. Calcula ng the total cost of ownership (TCO) depends on many variables, including acquisi on, integra on, deployment, support, and annual maintenance. The expense can quickly get out of hand as more factors are added to the overall authen ca on ecosystem over the years. Hidden SMS Costs When it comes to SMS one- me-passwords (OTPs), there is a price tag per SMS message that can be very unpredictable due to geography, message volumes and the false-posi ve rate of risk assessment tools. Many solu ons are ed to a par cular network operator, or require contracts with several operators to keep SMS costs low. Then there is the o en-overlooked expense of building the integra on process that allows consumers to update their phone numbers. Customers will also frequently need assistance when upda ng their phone number, either online or through other channels like branches, which requires addi onal staffing on top of the employees already necessary to support password resets. Maintenance Costs More o en than not, companies have to simultaneously deploy a variety of different authen ca on systems such as hardware tokens, SMS OTP or so tokens. Each one of these solu ons usually has its own team responsible for keeping it func oning smoothly, in addi on to its own infrastructure and interfaces. Essen ally, each of them is a closed system that creates inconsistent, uncoordinated experiences for end users and makes adap ng to changing authen ca on op ons difficult. This is all in addi on to the fact that it can be very me consuming to manage mul ple authen ca on systems, especially if they are from different vendors. Secured Application Mobile Banking e-bank IVR Office & Branches Other/Web/ VPN SSL ATM API API API SMS DeviceID SMS OTP Hard Token API??? KBA Support Team 1 Support Team 2 Support Team 3 Support Team 4 Usability Ease of use remains a higher priority for consumers than security, even a er all the massive data breaches domina ng recent headlines. If the authen ca on process is too difficult, consumers will not use an applica on for this purpose in the first place. Some providers follow a strategy of giving consumers authen ca on that is simple enough to use without making them abandon the applica on, while injec ng enough security to sa sfy a minimal level of assurance. It works enough of the me, but cybercriminals have disabled these systems in major a acks that have resulted in millions of dollars in losses. A temporary security shortcut meant to save a few bucks can prove enormously costly if it ends up enabling a large-scale breach. Today, the main authen ca on mechanism in place is the use of one- me passcodes (OTP), but the process of simply having to look up and enter unique codes during log-in also creates fric on: it slows the user down and is subject to error, especially for mobile users where the keyboard is more challenging to type. As the user performs more transac ons, the level of disdain for that process will only increase. 3 www. e a s y s o l.n e t

4 The two-step process does not have to be completely removed to please customers, especially as more become aware of security risks. Consumers are now skep cal of websites that only rely on passwords or do not require frequent password changes. But when consumers feel uncomfortable with online security, whether because there is too li le or too much of it, they withdraw or move elsewhere. Security Two or more security factors are usually combined to create a strong layered solu on in the two-factor authen ca on process, but only if they are all sound. The quality of an authen ca on factor is determined by the following: The factor is not forge able The authen ca on codes cannot be easily guessed The factor cannot be replicated The factor cannot be stolen via the Internet Unfortunately, the most frequently used two-factor authen ca on technology today relies on one- me passwords for online banking security, and most current OTP systems have been compromised in the past few years. OTPs are easily stolen due to technology that relies on browser-based communica on back to servers for valida on. There are numerous reports of advanced malware that can easily bypass these systems by intercep ng the OTP as it is being used. The a acker then creates a second hidden browser window in order to remotely log into an account from the user s own computer. OTPs sent via SMS are also not considered secure for several reasons. The OTP is sent to a device using a phone number, but the organiza on sending the SMS has no idea about (or control over) the level of security on the receiving device. The OTP could be intercepted by the command control of an a acker, which is what happens in the case of Mobile SIM swaps or SIM clones and call forwarding scams. Even if the OTP reaches the legi mate user s phone, the SMS message can be automa cally redirected to command control by Trojans like Zeus, Zitmo and Zveng, which leverage open access to SMS on mobile phones. It is no surprise that almost all malware now comes with SMS hijacking as a standard capability. Push Authentication Overcomes the Key Inhibitors to Stronger Authentication Adoption Push no fica ons are easier for enterprises to manage, and may help reduce total cost of ownership for a consumer solu on, paying big dividends in the long term. Push is not hardware-based and is network and operator-independent, and also does not rely on phone numbers. It reduces the need for help desk support to assist customers through the authen ca on process. Since consumers rarely go anywhere without their smartphones, these devices offer the most poten al for providing fric onless strong authen ca on. Push technology allows phones and servers to validate each other, in order to prevent network-level a acks against the authen ca on process, striking the right balance between user experience and security. For Users Ease of use No OTP to remember Simple, fast one-tap Benefits of Authen ca on For Informa on Security Owners Increased PKI Security Threat visibility Be er risk assessment Push Push on For Marke ng Owners Drive engagement Increase sa sfac on and reten on Transparent deployment 4 www. e a s y s o l.n e t

5 Part of the DetectID Framework for Easy Migra on Push Authen ca on is part of the DetectID Framework, which unlike standalone push systems, allows you to transi on from tradi onal form factors to push at your own pace. DetectID allows you to do this by suppor ng most of the current form factors and vendors that offer hardware tokens, so tokens or SMS OTP. DetectID also permits greater deployment flexibility, in which your organiza on can deploy form factors per channel, user group, or individual user. The DetectID Framework Mobile Banking e-bank IVR Office & Branches M obile SD K W eb S e rvices Server Hardware OTP Tokens Out Of Band SMS/ Other/Web/ VPN SSL ATM Push Compared to other Mobile Form Factors On the table below, push authen ca on s user-friendly array of func onali es is compared with legacy so ware authen ca on methods that leverage user mobile devices. Push is more versa le and flexible than any other authen ca on system, and protects against threats that one- me passwords and PIN numbers just can t stop. Low Cost Ease of Use Easy of Integra on Easy Enrollment Not Phone Number Dependent Mul -Channel Man-in-the-Middle Phishing Protec on Digital Signing Push Authen ca on So OTP (mobile app) QR Code SMS OTP (one- me code) 5 www. e a s y s o l.n e t

6 Push Authentication A Technical Overview At Easy Solu ons, we have taken the power of push no fica ons and added our security exper se to create our own Push Authen ca on solu on, helping organiza ons to overcome the barriers of cost, usability and security that prevent them from deploying stronger user verifica on. Our solu on enables you to deliver signed and encrypted messages with clear calls to ac on, and allows users to take immediate ac on from their device lock screens or in their no fica on center. Push is genuine out-of-band authen ca on that supports reciprocal verifica on between two en es and protects against all phases in the life cycle of a typical fraud a ack. The technology is based on push no fica ons, providing a na ve user interface that does not interfere with the mobile experience and actually enhances customer engagement. Push technology is provided as part of our DetectID mul -factor authen ca on solu on, and allows your organiza on to enable a second isolated, secure communica ons channel between a user s mobile device and your organiza on. This channel leverages advanced digital cer ficates and push no fica ons to digitally sign and encrypt all sensi ve transac ons with just one touch. At no point can a third party, not even the mobile carrier, access or tamper with these transmissions. A er downloading and installing the mobile applica on (with DetectID technology embedded), the mobile device can be registered using QR code scanning, entering a manual ac va on code or transparently upon successful login into the mobile banking app. As part of the ac va on process, the So ware Development Kits (SDKs) automa cally generate a key pair and unique device iden fier also referred to as a DeviceID. This process is seamless to your users and online service providers. Each private key is generated and securely stored on the mobile device and is used to sign authen ca on responses while the public key verifies the signature on the server. Push Authentication Flow Channels Applica on Servers IVR Mobile Banking Customer ini ates a transac on from any channel ATM e-bank Customer ID Customer s Response Request to Customer s Response SDK Customer s Response Customer s Phone with Push SDK Server Mutually Secure Communication Channel 6 www. e a s y s o l.n e t

7 Push Authen ca on Key Features: Unique device ID: DetectID technology generates a unique deviceid in addi on to the public/private key pair to uniquely iden fy your customer s mobile device. This device ID is used to individually recognize the device based on its par cular hardware characteris cs, mi ga ng possible key pair the. A fully encrypted communica ons channel: The SDK s self-contained cryptographic stack enables an isolated, encrypted communica ons channel between the user s mobile device and your organiza on. No third party can access these communica ons. Simple one-click authen ca on: No phone calls to wait for or passcodes to type in; transac on or login authen ca on requests are pushed to your customer s mobile device over the encrypted communica on channel. Your customers only need to tap a bu on on their phone to approve or decline transac ons. Transac on signing: All communica ons between the customer device and servers are signed and support nonrepudia on. A private key is generated and securely stored on the mobile device and is used to sign authen ca on responses, while the public key verifies the signature on the server side. Channel integra on through a full web-services-based API: A well-defined API provides flexibility in tailoring func onality and customizing the design according to parameters that your organiza on sets. Roo ng/jailbreak detec on: The SDK includes advanced detec on of roo ng, jailbreaking, or similar mobile opera ng system security bypass hacks. Trusted device - In addi on to authen ca on, Easy Solu ons delivers real- me mobile analy cs and threat deac va on, increasing your decision-making capabili es based on the level of threats present on the device. Gain full visibility and assess risk on all the mobile devices interac ng with your service. 7 www. e a s y s o l.n e t

8 An In-Depth Look at the Technology Behind Push Authentication Ac va on The ac va on process for Push Authen ca on binds the user s iden ty to a smart device. The binding is established through the registra on and issuance process that is described below. It is assumed in the following that the user is already known to the service provider and has been issued with a set of exis ng security creden als (e.g. username/password). Note: When a service provider chooses to transparently deploy ac va on, all steps are performed silently by the SDK without the end user s interac on. 1 Device Activation Flow 2 3 The ac va on process for DetectID is as follows: 1. Ac va on code is entered. Upon request, the DetectID server generates a me-limited ac va on code. The service provider sends the ac va on code to the user and asks the user to enter the ac va on code into the device. The DetectID SDK on the smartphone or mobile device generates a private/public key pair during the ac va on process. 2. Ac va on code is verified. A er the device has captured the ac va on code, it calls the DetectID server and sends the ac va on code for verifica on along with the device's public key and the unique deviceid. The public key and the deviceid are then stored by the server. Once verified, the DetectID server knows that the user holds the specific device and what type of device the user has. 3. Ac va on Successful. Upon successful valida on of the ac va on code, the server public key will be sent to the mobile device and be used to verify the signature of the push messages. Note: The DetectID SDK "fingerprints" the device to create a device ID for the mobile device. All keys are stored and secured with a personal unblocking code that is unique to the device. Transac on Signing DetectID offers PKI key genera on that provides legally binding digital signatures for authen ca on processes and non-repudia on. A private key is delivered to the mobile device and is used to sign authen ca on responses, while the public key verifies the signature on the server side. 8 www. e a s y s o l.n e t

9 Transaction Signing Flow 1 DetectID Push message 2 Mobile device Push message response Server The steps for enabling transac on signing are as follows: 1. Push Message to Device. The server sends a signed and encrypted push no fica on to the device. The push no fica on is encrypted using the device s public key, which guarantees that only the registered mobile device can decrypt the informa on. The no fica on is also signed using the DetectID server private key to prevent man-in-the-middle a acks. The device receives the encrypted push message, which can include the tle, summary and amount to be signed. 2. Response to Server. The DetectID SDK generates an encrypted response to the challenge and sends it to the server, and the response is signed with the device s private key. The DetectID server then verifies the response against its stored deviceid and the device s public key. 9 www. e a s y s o l.n e t

10 Architecture and Integra on 3 rd Party Applica ons Risk Engine Policy ACH and Wire Processing Systems Online / Mobile Applica ons Web Services Push HTTPS Wealth Management Server HTTPS Response Core components and easy integra on Online service providers will need to integrate Push Authen ca on on both ends to successfully deploy it. The client mobile app should use the DID SDK and embed client-side func onality, while the server applica on should communicate with DID server via a SOAP call when authen ca on is needed on a login or a transac on process. The client interface consists of only a few very basic func on calls that are very easy to integrate. DID SDK Libraries The DetectID SDK is delivered as a binary library together with a source code sample that demonstrates how to use different func on calls. Any communica on between the DID SDK and the mobile app is done via an asynchronous interface that does not block or influence the GUI experience of the app while processing the security func ons. The DetectID SDK comes with a graphical user interface (GUI) that mobile app developers are free to customize and for use with their own GUI. Whenever the DetectID SDK needs to show a message to the user, it informs the mobile app via the asynchronous interface. The DetectID SDK is available on Android (smart phone and tablets) and ios (iphone and ipad). A generic mobile app with an embedded and pre-configured DetectID SDK is uploaded into applica on stores by the service provider. Server The server interface uses the standard Simple Object Access Protocol (SOAP). DetectID is a standalone server which should run in a secure environment. Administra on Push Authen ca on includes ready-to-use administra on, reports and a help desk console. If required by the service provider, management func onality can also be integrated into exis ng administra on consoles and business processes via SOAP calls. Ac va on Codes DetectID can generate and deliver ac va on codes for user registra on via SOAP calls by the server applica on. Online service providers may choose between various methods of distribu ng ac va on codes to end users depending on internal security policies. Ac va on codes can be distributed through , SMS messages to pre-registered mobile phone numbers, or a self-service web page accessible by using exis ng creden als (sta c password, OTP, SMS, so OTP, etc.) QR Codes Once generated, the QR Code is scanned automa cally, using the camera on the device, and the device is registered and ready to use for receiving instant Push Authen ca on messages. Device Registra on Transparent Ac va on Using the SDK, devices can be automa cally registered when end-users successfully log into your mobile applica on. This allows for faster adop on of the service. With Push Authen ca on from Easy Solu ons, you can give customers simple one-click authen ca on for logins, transac ons, or any other sensi ve requests. Push technology available as part of the DetectID mul -factor authen ca on pla orm turns any smartphone into a simple and trusted communica on channel to replace SMS-based security, allowing you to strengthen rela onships with your customers. Push Authen ca on s ease of use and intui ve func onality gives organiza ons the tools to enable greater user adop on of authen ca on, and provides a crucial extra layer of protec on to your sensi ve data in an era when massive data breaches show no signs of slowing down. 10 www. e a s y s o l.n e t

11 About Easy Solutions Easy Solu ons is a leading security vendor focused on the comprehensive detec on and preven on of electronic fraud across all devices, channels and clouds. Our products range from an -phishing and secure browsing to mul factor authen ca on and transac on anomaly detec on, offering a one-stop shop for mul ple fraud preven on services. The online ac vi es of over 100 million customers of more than 385 leading financial services companies, security firms, retailers, airlines and other en es in the United States and abroad are protected by Easy Solu ons fraud preven on systems. Easy Solu ons is a proud member of such key security industry organiza ons as the An -Phishing Working Group (APWG), the American Bankers Associa on (ABA) the Bank Administra on Ins tute (BAI), the FIDO (Fast Iden ty Online) Alliance and the Florida Bankers Associa on (FBA). For more informa on, visit h p:// or follow us on Twi US Headquarters -Tel La n America -Tel. +57 (1) EMEA -Tel. +44 (0) APAC -Tel info@easysol.net Easy Solu ons, Inc. All rights reserved worldwide. Easy Solu ons, the Easy Solu ons logo, DetectID, DetectID in the Cloud, DetectID in the Cloud for SugarCRM, DetecTA, DetectCA, DetectID Web Authen cator, Total Fraud Protec on, Detect Safe Browsing, Detect ATM, Detect Monitoring Service, Detect Vulnerability Scanning Service, Detect Social Engineering Assessment, Protect Your Business and Detect Professional Services are either registered trademarks or trademarks of Easy Solu ons, Inc. All other trademarks are property of their respec ve owners. Specifica ons and content in this document are subject to change without no ce. 11 www. e a s y s o l.n e t