Multi-factor Authentication (MFA)
September 2018

Debi Mohanty, Senior Manager, Deloitte & Touche LLP
Spiros Angelopoulos, Principal Solutions Architect, ForgeRock

MFA: Evolved Authentication
Spiros Angelopoulos, Principal Solutions Architect, ForgeRock
Why MFA, specifically?
- Who knows who I really am?
- The agencies want something better than username/password
- The citizens are expecting it (banks have spoiled them!)
- And technology is adjusting
Reference: 2018 Verizon Data Breach Investigations Report
Evolved authentication: a good answer
- Orchestrate factors and signals based on context, behavior, risk, user choice, and analytics
- Visually design smart login experiences using a simple, drag-and-drop interface
- Optimize login journeys and gain deeper customer insights with analytics
- Leverage an extensive security ecosystem that enables third-party integration
- Deliver dynamic content personalization informed by user and device context
Some considerations
- Review what you are trying to protect
- Take a closer look at your user community, especially its habits and expectations
- Consult with experts on what the right MFA profile is for you
- Understand the integration effort and its impact on other operations
- Match your MFA (and your policies) to the value of your assets and the risk associated with their breach or theft
Types of MFA: lots of options
- KBA (knowledge-based authentication)
- Passphrase/PIN
- OTP (delivered by SMS or generated by an app)
- Behavioral
- Soft token (certificate)
- Hard token (certificate on dedicated hardware)
- Biometric
- Combination of the above
Requirements for the technology to work
- Ease of use, by your admins and users alike
- Ease of integration with all apps/environments that might need it now or in the future
- Ease of audit, so you always have visibility into operations
- Test, test, and when done, test again
Related concepts
- Sort out your directories and databases (everywhere that matters)
- Maximize confidence in your enrollment and suspension processes
- Identify what policies are implemented, when, and how
- Fine-tune the experience to make it usable and safe
Mobile authentication
- Authenticator mobile app for iOS and Android that uses push notifications to enable passwordless logins
- Personalize by adding your logo, or use the source code to build your own mobile app
- Uses SNS for secure communication with the phone, to mitigate man-in-the-middle attacks
- Maximize support for other methods and devices: OATH TOTP/HOTP, SMS, swipe, fingerprint scan, custom
USB tokens
- Seek platform and deployment flexibility
- Match the cost of ownership/management to the user group that needs it
- Ensure compatibility with your business and technical targets
- Verify multi-layered offerings including (when necessary) event-based access, FIDO, PIV, and even biometric functions
Cutting edge
For normal users:
- Location/time-based
- New-gen PKI
- Wearable devices
- Lifestyle monitoring
- Simple biometrics with user awareness
- Combinations of 2 or more
For administrators:
- Thorough biometric-based evaluations
- Non-invasive, stealthy mechanisms
- Combinations of 3 or more
An example of efficient auth management (ForgeRock authentication trees)
MFA Implementation Strategy
Debi Mohanty, Senior Manager, Deloitte & Touche LLP
Operational challenges with MFA (multi-factor authentication)
- FAR: False Accept Rate (an impostor is accepted as the legitimate user)
- FRR: False Reject Rate (the legitimate user is rejected)
- FTE: Failure to Enroll (a user cannot be enrolled in the factor at all)
- FTA: Failure to Acquire (a usable sample cannot be captured at authentication time)
Copyright 2018 Deloitte & Touche LLP. All rights reserved.
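These four rates are the knobs an operator actually tunes, and FAR and FRR move in opposite directions as the matching threshold changes. The Python below is an added example, not from the slides or Deloitte: it computes FAR and FRR from a set of matcher scores at every candidate threshold, finds the equal-error-rate operating point, and derives FTE/FTA from enrollment and capture counts. The score lists and counts are constructed for illustration; `equal_error_threshold` and `enrollment_rates` are this example's own function names.

```python
# Constructed sample data (not measured on any real system).
# Matcher similarity scores in [0, 100]: genuine = same-person comparisons,
# impostor = different-person comparisons. Deliberately overlapping.
GENUINE = [92, 88, 95, 81, 77, 90, 85, 69, 93, 66]
IMPOSTOR = [12, 35, 48, 22, 61, 30, 18, 72, 41, 80]


def far(impostor_scores, threshold):
    """False Accept Rate: share of impostor comparisons scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False Reject Rate: share of genuine comparisons scoring below the threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def equal_error_threshold(genuine_scores, impostor_scores):
    """Sweep every observed score as a threshold; return (threshold, FAR, FRR)
    at the point where |FAR - FRR| is smallest (the equal error rate, EER)."""
    candidates = sorted(set(genuine_scores) | set(impostor_scores))
    best = None
    for t in candidates:
        a, r = far(impostor_scores, t), frr(genuine_scores, t)
        if best is None or abs(a - r) < abs(best[1] - best[2]):
            best = (t, a, r)
    return best


def roc_table(genuine_scores, impostor_scores, thresholds):
    """(threshold, FAR, FRR) rows for the thresholds given; useful for picking an
    operating point stricter than the EER for high-value accounts."""
    return [(t, far(impostor_scores, t), frr(genuine_scores, t)) for t in thresholds]


def enrollment_rates(users_attempted, failed_to_enroll, captures_attempted, failed_to_acquire):
    """FTE = users who could not be enrolled / users who tried;
    FTA = presentations that yielded no usable sample / presentations attempted."""
    return failed_to_enroll / users_attempted, failed_to_acquire / captures_attempted


if __name__ == "__main__":
    t, a, r = equal_error_threshold(GENUINE, IMPOSTOR)
    print(f"EER threshold={t} FAR={a:.2f} FRR={r:.2f}")
    for row in roc_table(GENUINE, IMPOSTOR, [60, 72, 85]):
        print("threshold=%d FAR=%.2f FRR=%.2f" % row)
    fte, fta = enrollment_rates(200, 6, 1000, 25)
    print(f"FTE={fte:.3f} FTA={fta:.3f}")
```

Raising the threshold drives FAR down and FRR up; for an administrator-facing factor you would operate well to the strict side of the EER point and accept the extra rejects. FTE and FTA are users and attempts that no threshold can rescue, which is why the enrollment and suspension processes on the earlier slide need a fallback factor rather than a retry loop.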
For a better MFA implementation, four key desired outcomes are identified:
- Strengthened Security: reduce the risk of compromised and/or stolen credentials
- Smooth Integration: yield minimal impact on employee productivity
- Positive User Experience: create a better, simpler, and consistent user experience
- Set the Stage: build upon leading practices for future MFA integrations
To achieve these outcomes, companies should integrate technical solutions with organizational change management principles to develop a holistic deployment strategy.
An effective deployment strategy allows for the desired MFA outcomes
For an MFA rollout, a two-fold deployment strategy combines critical technical and organizational change management (OCM) components.
1. Application Readiness: perform technical integration, testing, and piloting for each application's MFA enablement
2. User Readiness: focus on user awareness and adoption of MFA, starting with the IT population and migrating to the broader user base
Timeline activities across both tracks:
- MFA Use Case Discovery
- Development & Integration Testing
- Application Pilot
- Change Impact / Risk Assessment
- Leadership Engagement
- Pilot Feedback Gathering
- Support Model
- Application Go-Live
- Hypercare Support
- Comms & Resource Development
- Awareness Campaign
- Go-Live Communications
Success factors that help drive MFA success
The success of an MFA deployment requires meticulous planning, strategic execution, and collaborative effort by dedicated team members.
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the Deloitte name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.

Copyright 2018 Deloitte Development LLP. All rights reserved.