Next Gen Security Technologies for Healthcare Authentication

Similar documents
FIDO ALLIANCE: UPDATES & OVERVIEW BRETT MCDOWELL EXECUTIVE DIRECTOR. All Rights Reserved FIDO Alliance Copyright 2017

FIDO Alliance: Standards-based Solutions for Simpler, Strong Authentication

Authentication Work stream FIGI Security Infrastructure and Trust Working Group. Abbie Barbir, Chair

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION

ITU-T SG 17 Q10/17. Trust Elevation Frameworks

Who What Why

THE FUTURE OF AUTHENTICATION FOR THE INTERNET OF THINGS

A NEW MODEL FOR AUTHENTICATION

Deprecating the Password: A Progress Report. Dr. Michael B. Jones Identity Standards Architect, Microsoft May 17, 2018

Keep the Door Open for Users and Closed to Hackers

FIDO AND PAYMENTS AUTHENTICATION. Philip Andreae Vice President Oberthur Technologies

How Next Generation Trusted Identities Can Help Transform Your Business

Using Biometric Authentication to Elevate Enterprise Security

Stop sweating the password and learn to love public key cryptography. Chris Streeks Solutions Engineer, Yubico

Modern two-factor authentication: Easy. Affordable. Secure.

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE

Universal Representation of a Consumer's Identity Is it Possible? Presenter: Rob Harris, VP of Product Strategy, FIS

Dissecting NIST Digital Identity Guidelines

1 Copyright 2011, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 7

More than just being signed-in or signed-out. Parul Jain, Architect,

Identity Proofing Blinding the Eye of Sauron

SOLUTION BRIEF RSA SECURID SUITE ACCELERATE BUSINESS WHILE MANAGING IDENTITY RISK

THE SECURITY LEADER S GUIDE TO SSO

MOBILITY TRANSFORMING THE MOBILE DEVICE FROM A SECURITY LIABILITY INTO A BUSINESS ASSET E-BOOK

Spiros Angelopoulos Principal Solutions Architect ForgeRock. Debi Mohanty Senior Manager Deloitte & Touche LLP

A Layered Approach to Fraud Mitigation. Nick White Product Manager, FIS Payments Integrated Financial Services

Securing today s identity and transaction systems:! What you need to know! about two-factor authentication!

FIDO TECHNICAL OVERVIEW. All Rights Reserved FIDO Alliance Copyright 2018

Authentication Technology for a Smart eid Infrastructure.

EBOOK 4 TIPS FOR STRENGTHENING THE SECURITY OF YOUR VPN ACCESS

DIGITAL IDENTITY TRENDS AND NEWS IN CHINA AND SOUTH EAST ASIA

Mobile: Purely a Powerful Platform; Or Panacea?

Survey Guide: Businesses Should Begin Preparing for the Death of the Password

BEYOND TRADITIONAL PASSWORD AUTHENTICATION: PKI & BLOCKCHAIN

Blockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric

How Secure is Blockchain? June 6 th, 2017

Executive Summary. (The Abridged Version of The White Paper) BLOCKCHAIN OF THINGS, INC. A Delaware Corporation

Mobile Biometric Authentication: Pros and Cons of Server and Device-Based

FIDO AS REGTECH ADDRESSING GOVERNMENT REQUIREMENTS. Jeremy Grant. Managing Director, Technology Business Strategy Venable LLP

Digital Identity Guidelines aka NIST SP March 1, 2017 Ken Klingenstein, Internet2

Cloud Security, Mobility and Current Threats. Tristan Watkins, Head of Research and Innovation

Prof. Christos Xenakis

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Meeting FFIEC Meeting Regulations for Online and Mobile Banking

WHITE PAPER AUTHENTICATION YOUR WAY SECURING ACCESS IN A CHANGING WORLD

Internet is Global. 120m. 300m 1.3bn Users. 160m. 300m. 289m

Addressing Credential Compromise & Account Takeovers: Bearersensitive. Girish Chiruvolu, Ph.D., CISSP, CISM, MBA ISACA NTX April 19

Next Generation Authentication

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Internet of secure things: issues and perspectives. Pasquale Pace Dimes - UNICAL

Prof. Christos Xenakis

Google Identity Services for work

Trusted Identities. Foundational to Cloud Services LILA KEE CHIEF PRODUCT OFFICER GLOBALSIGN

Access Management Handbook

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Martijn Loderus. Merritt Maxim. Principal Analyst Forrester. Director & Global Practice Partner for Advisory Consulting Janrain

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Yubico with Centrify for Mac - Deployment Guide

Bridging Identity Islands with Continuous, Contextual Identity Assurance

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Decentralized Identity for a Decentralized World. Alex Simons Partner Director Program Management, Identity Division Microsoft

Safelayer's Adaptive Authentication: Increased security through context information

Authentication. Katarina

Preserving Data Privacy in the IoT World

The CISO s Guide to Deploying True Password-less Security. by Bojan Simic and Ed Amoroso

A Market Solution to Online Identity Trust. Trust Frameworks 101: An Introduction

FIDO Alliance Response to the European Banking Authority (EBA)

IDENTITY AND THE NEW AGE OF ENTERPRISE SECURITY BEN SMITH CISSP CRISC CIPT RSA FIELD CTO

THE FUTURE IS DECENTRALIZED

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Assuring Identity. The Identity Assurance Framework CTST Conference, New Orleans, May-09

FPKIPA CPWG Antecedent, In-Person Task Group

Warm Up to Identity Protocol Soup

EMERGING TRENDS AROUND AUTHENTICATION

FIDO & PSD2. Providing for a satisfactory customer journey. April, Copyright 2018 FIDO Alliance All Rights Reserved.

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Introduction to Device Trust Architecture

Direct, DirectTrust, and FHIR: A Value Proposition

IEEE-SA Internet of Things - Security & Standards

1. Federation Participant Information DRAFT

White Paper. The Impact of Payment Services Directive II (PSD2) on Authentication & Security

Accelerating growth and digital adoption with seamless identity trust

InCommon Federation: Participant Operational Practices

Maria Hishikawa MSIX Technical Lead Sarah Storms MSIX Contractor Security

hidglobal.com HID ActivOne USER FRIENDLY STRONG AUTHENTICATION

TRUE PASSWORD-LESS SECURITY

Password-less protection. Reduce your risk exposure with password alternatives

Authentication and Fraud Detection Buyer s Guide

Credential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003

A Practical Step-by-Step Guide to Managing Cloud Access in your Organization

SOLUTION BRIEF ADVANCED AUTHENTICATION. How do I increase trust and security with my online customers in a convenient and cost effective manner?

Overview of PBI-blockchain cooperation technology

Authentication Methods

Identity & security CLOUDCARD+ When security meets convenience

Do I Really Need Another Account? External Identities for Campus Applications

The Road Ahead for Healthcare Sector: What to Expect in Cybersecurity Session CS6, February 19, 2017 Donna F. Dodson, Chief Cybersecurity Advisor,

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Transcription:

Next Gen Security Technologies for Healthcare Authentication Session 261, March 8, 2018 Abbie Barbir, Senior Security Adviser, Aetna Brett McDowell, Executive Director, FIDO Alliance 1

Conflict of Interest Abbie Barbir and Brett McDowell have no real or apparent conflicts of interest to report. 2

Agenda The Problem: Authentication in Healthcare Old Authentication vs. FIDO Authentication Advanced Authentication in Healthcare Aetna s Case Study Lessons Learned Q&A 3

Learning Objectives Examine the problems created by weak, password-based authentication, and how these credentials can be stolen and reused Analyze the changes taking place in identity management and the patient s use of different devices and channels, and the problems this creates in managing the patient/provider/payer relationship Explain how new authentication standards from the FIDO (Fast IDentity Online) Alliance and behavioral authentication techniques enable a provider to protect against myriad attacks while ensuring a simple user experience 4

Learning Objectives Define the key capabilities required in a next-generation identity management and authentication healthcare solution Demonstrate and explain the architecture and advantages of a nextgeneration authentication solution for managing and deepening payer/provider/patient relationships across more personal devices, including wearable fitness or medical devices, and across multiple channels 5

Over 3 billion user IDs and passwords were stolen in 2016 Source: Shape Security 6

Criminals Use Those Credentials to Take Over Your Accounts In 2016, data breaches increased by 40% 51% of consumers suffered some kind of security incident in 2016, including a stolen password or breached account 81% of hacking related breaches leveraged stolen or weak passwords Sources: 2017 Verizon DBIR Report; Identity Theft Resource Center (ITRC) and CyberScout 7

The Trouble with Passwords Most people use less than 5 passwords for all accounts Reuse makes them easy to compromise They are very difficult to remember There are lots of places to steal them from 50% 39% 25% 49% of those haven t changed their password in the last 5 years of adults use the same password for many of their online accounts of adults admit to using less secure passwords, because they are easier to remember of adults write their passwords down on paper Sources: Pew research; Telesign research 8

Modern Authentication Creates Opportunity New channels and devices can enable simple and consistent user experiences New Channels New Devices How do we manage patient identity, patient use of devices, and the patient/provider/paye r relationship? 9

250+ Organizations Solving the Problem Together + SPONSOR MEMBERS + ASSOCIATE MEMBERS + LIAISON MEMBERS 10

SECURITY Weak Strong The Mission: Simpler & Stronger Authentication authentication = open standards for simpler, stronger authentication using public key cryptography Poor Easy USABILITY 11

How Old Authentication Works ONLINE CONNECTION The user authenticates themselves online by presenting a humanreadable shared secret 12

How FIDO Authentication Works LOCAL CONNECTION The user authenticates locally to their device (by various means) The device authenticates the user online using public key cryptography ONLINE CONNECTION 13

How Industry Enables FIDO Use Cases User verification Device s Authenticator FIDO Authentication SE 14

Experiences Address an Array of Use Cases FIDO standards provide support for user-friendly, privacy-aware user experiences across platforms to meet varying requirements PASSWORDLESS EXPERIENCES Biometrics authn via mobile device Biometric authn via PC Biometrics authn to PC via mobile device SECOND FACTOR EXPERIENCES External token to PC (USB, BLE) External token to mobile device (NFC/BLE) Embedded second factor on PC 15

How FIDO Authentication Works Challenge User verification Device s Authenticator FIDO Authentication Require user gesture before private key can be used Private key dedicated to one app (Signed) Response Public key 16

Simpler? Reduces reliance on complex passwords Single gesture to log on Works with commonly used devices Same authentication on multiple devices Fast and convenient 17

Stronger? Based on public key cryptography Keys stay on device No link-ability between services or accounts Biometrics, if used, never leave device No serverside shared secrets 18 No 3 rd party in the

Sample: FIDO-enabled Services 3.5 BILLION Available to Protect Accounts Worldwide 19

Advanced Authentication in Healthcare Aetna is leading the way in introducing advanced authentication methods into the healthcare sector using FIDO standards and continual authentication. 20

Hands-On Perspectives: Deploying FIDO-Based Modern Authentication Aetna s Case Study 21

We Needed a Simpler and More Secure Experience >>Next Generation Authentication (NGA) program Our consumers no longer need to rely on traditional usernames and passwords when logging into Aetna applications Authentication, once a single event, is now integrated into the application transparently and continuously We re adjusting controls and analytic capabilities to create friction for the threat adversaries while reducing friction for our users 22

Attributes Identify You Our advanced authentication methods are built around attributes unique to you such as: Your physical location The time of access Your thumbprint How you hold your phone Your keystroke speed Your swipe gesture patterns How you walk When combined, these attributes help us more accurately determine if you are who you say you are and how much access to provide. 23

Modern Authentication MUST eliminate symmetric shared secrets Address poor user experiences and friction FIDO is a building block EXPLICIT AUTHENTICATIO N complements federation solutions 24 IMPLICIT AUTHENTICATIO N Impact Identity binding is essential Strong identity proofing a must

Continuous Risk-based Authentication Privacy Enhancin g 30-60 user attributes assessed Continual authentication without impacting the user experience 25 Risk score calculated Risk score determines how much and what access to provide

NGA: Design Principles Based on Open Specifications (i.e. FIDO) Easy SDK integration for web and mobile NGA s centralized authentication hub provides centralized analysis and decision making across all NGA applications API-based architecture Lightweight and efficient Device and platform portability Flows and interactions designed to reduce friction and improve user experience Eliminate fraud through increased friction for threat actor interactions Support for dynamic authentication through LOA 26 26

Why Standards? We chose to use the FIDO standard for the following reasons: 1. Local biometric capabilities are evolving rapidly and we wanted to enable the consumer with choices while following a standard to feed behavioral data into our NGA risk engine 2. The different capabilities for biometrics is dependent on carrier choices, manufacturer choices and software choices all beyond an enterprise s control and influence so adopting a standard like FIDO gives the enterprise a standard interface while providing the consumer with choices 3. Standards based architectures cost less to operate vs. non-standards based architectures 27

Advanced Authentication for Mobile and Web Transparently and continuously authenticate the device and the user Mobile Web Biometric Integration Primary Login - Fingerprint Secondary Login PIN FaceID in progress Continuous Contextual Authentication (ex. geolocation) Continuous Behavioral Authentication (ex. Keystroke) 28 Continuous Risk-based Consumer Authentication FIDO Standards assure that sensitive information never leaves your device Browser and system fingerprinting Device Binding Associate users and their devices

An Evolution from Binary to Behavioral Authentication Today Username and password login Phase 1-2017 Phase 2-2017 2018 Fingerprint and PIN login for mobile Introduction of riskbased authentication Enhanced security capabilities for mobile Aetna Mobile Browser fingerprinting for web Web & mobile risk based authentication PayFlex Mobile PayFlex Web Aetna Navigator (TBD 2018) Behavioral-based authentication (mobile) Support for biometric authentication on web applications Cross platform authentication Enterprise web & mobile applications 29

NGA and Mobile NGA s mobile integration capabilities provide a mechanism for implementing consumer accepted and expected authentication capabilities in a manner that: Transparently and continuously authenticates the device and user Improves security and reduces the risk of fraud Removes barriers to application access while improving the user experience Reduced reliance on passwords through enhanced user & device authentication Continuous Behavioral Authentication (i.e. swipe attributes) Continuous Contextual Authentication (i.e. geolocation) 30 Biometric Integration Designed in alignment with FIDO Standards

NGA and Web NGA s web integration capabilities provide a mechanism for implementing consumer accepted and expected authentication capabilities in a manner that: Improves member data security Reduces the risk of fraud while improving the user experience Reduced reliance on passwords through enhanced user & device authentication Browser & System Fingerprinting for each session improves security & usability Associate members & their devices through Device Binding to improve user experience & security Eliminates risk of impersonation, account takeover, and registration fraud 31

Federation NO PASSWORDS Complicated Authentication FEDERATION SAML OAuth OpenID Connect First Mile Second Mile Standards are catching up on mile one Mile two is getting more mature Federation need improvement No prior relationship SAML: Dynamic AuthN/Z OAuth, OIDC dynamic end point Blockchain Opportunity How about identity assurance? Poorly deploying strong authentication is the same as weak authentication FIDO solves the PW problem but mandates better identity binding at the relaying party Proper Identity vetting/proofing becomes essential 32

Identity Proofing and Account Recovery Account Login Current Pain Points I forgot my password I cannot find/lost my phone I am locked out of my account Account Recovery Options KBA (static and/or dynamic) Email account (compromised) Password reset link Or a new password Enrolling back in FIDO Identity Proofing Binding a FIDO authenticator to a user account on relying party requires performing an Identity vetting step 33 Trust anchor (aka Bootstrapping problem) Currently pre-established Authenticators are used as anchors of Trust (such as passwords) Online identity proofing is challenging and still relies on something you know

Lessons Learned Implementing FIDO is easy at the technical level Hard lessons: Get Applications owners on-board Set expectation up front UI-free API for enrolment/registration/authentication flows Do not expect application owners to user your flows You have to work with their flows Manage expectations Things get out of hand to support many use cases and scenarios Not two applications are the same Look and feel matter stay out of it 34 Build ID Proofing engine using OpenID Connect Allows for multiple proofing solutions/providers Develop an the Identity toolkit Protecting PII is resource intensive Remote ID proofing is Hard High Assurance level is a must Need to design to reduce reliance on CSR

How to Get Involved Build FIDO Certified Solutions Join the Alliance Deploy FIDO Authentication Take Part in FIDO Events 35

Questions? Abbie Barbir BarbirA@aetna.com @Aetna Brett McDowell brett@fidoalliance.org @FIDOAlliance 36

Blockchain Technology Blockchain distributed data store Public Key Cryptography (PKI) Peer to peer connected nodes Permisionless Proof of work (PoW) Open node participation Weak(er) governance Role of determined entities Performance Mileage may vary Consensus mechanism (PoS, PoW, etc) Smart contracts Permissioned Controlled participation Authorized entities Improved Governance Entities are vetted Potentially faster consensus 37

Blockchain: What is the Opportunity? Motivation Improve on identity vetting, registration and verification Address open issues in our current solutions such as Missing identity attributes Identity bootstrapping Compliance initial identity proofing Identity binding Better user experience What we want to achieve is a reliable and scalable system for attributes verification, storage, access, revocation and update Privacy enabled architecture where multiple entities collaborate on identity attribute services per user 38 Blockchain can transform identity proofing, binding and recovery Use Blockchain to implement a common identity trust fabric

Blockchain for Identity Vetting Blockchain does not hold individual identity U S Trusted User Nodes Establish (act Trust like a Federation) Attestation Participant E Individual identity data is stored off chain Participant C Avoid storing private attributes R A on a public ledger (even when encrypted) Stores references to data I Originators retain Wallet control of their data N Permission based system V For the Nodes client on the network are known O No Can data be about double me permissioned without Attestation me based on mining protocols Universal AuthN Token Blockchain L No Looking Limited blanket to permission Into a Consortium (finer (affiliation grained or control) a broker model) Universal Enc token V Will Need know to define who can attest for their data E What Public (DID) data Key Decentralized is Encryption being shared & Tokenization and identifiers for what profiles purpose D Control for binding Number and of Nodes unbinding an identity to a device Sovrin PKI FIDO Blockchain Unconsent support extension Policy Brokers IOT support Participant Attestation Serve as Infrastructure for B extra services including user wallets 39 Attestation Participant D Client acquire policy Client goes to Application Website to enrol Enrolment step requires Identity Verification Equivalent of KYC At registration stage Identity is asserted thorough Attestations on the blockchain More importantly with FIDO a binding between a device and identity can be asserted

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback