
Strong Authentication and Digital Signing using ArcotID


Presentation Transcript


  1. Strong Authentication and Digital Signing using ArcotID
     Christian Hüsch, Senior Technical Consultant, Arcot GmbH
     II. Central and Eastern European Banking Technologies Conference, April 12th 2006

  2. Agenda
     • Company Overview
     • Strong Authentication for Banking Applications
     • Challenges and Goals / The Consumer Reality
     • Authentication Approaches
     • Layered Authentication Approach
     • Comparing Authentication Technologies
     • Beyond Strong Authentication
     • Deployment Examples
     • Digital Signing
     • Summary
     • Questions

  3. Arcot Systems
     • Founded 1997, HQ in Sunnyvale, CA, US
     • Private Company, Venture Funded
       • Onset, Accel, Goldman Sachs, INVESCO
       • Adobe, Visa International, Wachovia, SEB (SE), Oracle, Novell
     • Offices
       • European Offices in London (GB), Munich (DE)
       • Development Center in Bangalore, India
     • Headcounts
       • 100+

  4. About Arcot Technology
     • Leadership in Consumer and Business Authentication
       • Pioneered 3-D Secure e-commerce authentication platform with Visa, MasterCard and JCB
       • Currently in use by 10,000+ banks, over 7 million consumers enrolled
       • 300 million users protected with Arcot solutions in the enterprise
     • Patented Two-factor technology
       • Two-factor authentication, fully in software
       • Layered with additional factors such as IP location, Device ID, Scrambled PIN Pad, and Text-based Mutual Assurance Message
       • Digital Signature capable

  5. Strong Authentication in the Banking Environment

  6. Challenges and Goals
     • Reduce cost by moving business processes online
       • By increasing use of online banking
       • By moving other applications online
     • Address phishing attacks to restore/increase consumer confidence in online banking
     • Enhance customer relationships, win new customers and add new products and applications
     • Be compliant with regulation and mitigate risk
       • E.g. FFIEC in the US
     • Provide a viable solution from a TCO point of view
     • Provide a solution for both employees and customers

  7. The Consumer Reality
     • Customers are a heterogeneous set of individuals
       • Varying level of expertise with computers and technology
       • Use a multiplicity of devices for access
         • Home PC, office PC, Internet café etc.
       • A variety of tasks are performed
       • Equally likely to embrace new solutions or move to alternate channels
     No one solution is going to make everybody happy; flexible solution suites provide multiple options

  8. FI as an extended enterprise
     • More systems open and accessible to non-employees
     • Technology creates increased reach and flexibility
     • FIs no longer limited by geography or timing
     • Increased benefits and potentially increased risks
     [Diagram, labels only: Partner, Consumer, Employee, Client]

  9. Risk Management in Financial Institutions
     • FIs trying to maintain a balance between security and user convenience…
     • On the one hand
       • Need to reduce risk
       • Need to provide assurance to consumers (or they might switch to ‘less risky’ but potentially more expensive channels)
     • On the other hand
       • Need to make experience simple; and not drive away consumers
       • Need to contain costs of solution – proportionate to perceived risk

  10. Threats facing the industry
      • Phishing
        • Spurious message (likely email) that induces the user to enter critical personal information at a bogus site
        • Many variations exist, but email is easiest and cheapest for the fraudster
      • Pharming
        • Modifying DNS entries to redirect the user to a bogus site
      • Malware
        • Programs planted on the user’s desktop to capture key-strokes, mouse clicks
      • Man-in-the-middle
        • User redirected to an intermediate site that behaves like the genuine site to the user and in turn behaves like the user to the genuine site

  11. Solution Categories
      • Server Authentication
        • Identifying server to the User
        • Assurance that user is at the right site, or that user received mail from right source
      • Base User Authentication
        • Determine that user is likely to be who he/she claims to be
        • Based on device used by user, location of user, habits of user…
        • For example, activating a card by calling from home telephone number
        • Typically achieved without user active participation
      • Strong (Unique User) Authentication
        • Determine with high level of assurance that the user is who he/she claims to be
        • Based on credential issued to the individual – combination of something he/she is, something he/she has, something he/she knows
        • User explicitly participates in the process

  12. Considerations
      • Usability
        • Consumer Ease of Use
        • Distribution, Training, Renewal, Help-Desk
      • Deployment
        • Standards based – vendor dependence
        • Disruption to existing applications
        • Software required at consumer desktop?
      • Protection against
        • Phishing
        • Pharming
        • Trojans, Spyware
        • Man-in-the-middle attacks
      • Additional features
        • Strong Authentication
        • Obsolescence Proof
        • ROI enhancement
      • What does it cost

  13. Server Authentication
      • SSL Lock – yellow lock at bottom of page
        • Best possible technology solution
        • Not vulnerable to man-in-the-middle attacks
        • Provides complete assurance that user is at the right site
        • However two big limitations
          • Browser technologies allow this to be spoofed – not all users will know how to detect the spoof
          • FIs are not standardized on which pages are SSL locked (often the password entry page is not locked; only password submission triggers this)
      • Alternative/addition is to provide an ‘assurance message’
        • Enter userid, wait for server to display ‘shared secret’, then enter password.
        • Shared secret can be text or other information the user is likely to recognise

  14. Assurance Message
      • Protects against phishing and pharming
      • Provides a first level assurance (authenticate server to user)
      • Widely deployed mechanism as part of 3-D Secure (Visa and MasterCard)
      • Fingerprinting of “registered” computers
      • Browser based – no client side software required
      • Easy to use; simple to train end users
      • Complements any form of user authentication
      [Flow diagram, labels only: Enter User Name → registered computer: Display Assurance Message → Enter Password; unknown computer: Verification Dialog]

  15. Assurance Message Example

  16. Limitations of Assurance Message
      • Does not authenticate user to server
      • Vulnerable to man-in-the-middle (MIM) attacks
        • User conditioned to accept verification dialog
        • Does not know why ‘fingerprinting’ failed
        • Depends on ‘velocity checks’ for MIM IP addresses
      [Diagram, labels recovered, arrows inferred from the numbering: 1. User-id (user → man-in-the-middle attacker); 2. User-id (attacker → real bank site); 3. Verification Dialog (real bank site → attacker); 4. Verification Dialog (attacker → user)]
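The two-step login of slides 13 and 14, as an added Python example written for this page (it is not code from Arcot or from the presentation): the server asks for the userid first, shows the user's personal assurance message only when the computer's fingerprint is already registered, otherwise falls back to the verification dialog, and checks the password in the second step. The fingerprint inputs, the in-memory user store, the sample user and the assurance text are constructed assumptions. Slide 16's limitation is visible in the design: the fingerprint check only gates whether the secret is displayed and authenticates nothing about the user.

```python
import hashlib
import hmac
import secrets


def device_fingerprint(user_agent: str, accept_language: str, ip: str) -> str:
    """Constructed stand-in for the 'registered computer' fingerprint of slide 14:
    a hash over browser and connection characteristics. Real deployments also
    leave a cookie on the machine; here the hash alone identifies the computer."""
    raw = "|".join((user_agent, accept_language, ip)).encode()
    return hashlib.sha256(raw).hexdigest()


class AssuranceMessageServer:
    """Two-step login: step 1 takes the userid and shows the user's personal
    assurance message only on a registered computer (an unknown computer gets a
    verification dialog instead); step 2 takes the password."""

    # Neutral response for unknown userids as well as unknown computers, so that
    # step 1 does not reveal whether a userid exists.
    VERIFICATION_DIALOG = {"show": "verification_dialog"}

    def __init__(self) -> None:
        self._users: dict = {}

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        # Iteration count is an assumption of this example.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, userid: str, password: str, assurance_message: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[userid] = {
            "salt": salt,
            "password_hash": self._hash_password(password, salt),
            "assurance_message": assurance_message,
            "registered_devices": set(),
        }

    def register_device(self, userid: str, fingerprint: str) -> None:
        """Called once the user has passed the verification dialog on a new computer."""
        self._users[userid]["registered_devices"].add(fingerprint)

    def step1_userid(self, userid: str, fingerprint: str) -> dict:
        """Slide 14's branch: registered computer -> assurance message, else dialog."""
        user = self._users.get(userid)
        if user is None or fingerprint not in user["registered_devices"]:
            return dict(self.VERIFICATION_DIALOG)
        return {"show": "assurance_message", "message": user["assurance_message"]}

    def step2_password(self, userid: str, password: str) -> bool:
        """Second step: the user, having recognised the message, enters the password."""
        user = self._users.get(userid)
        if user is None:
            return False
        candidate = self._hash_password(password, user["salt"])
        return hmac.compare_digest(candidate, user["password_hash"])


def demo() -> dict:
    """Constructed walk-through: one enrolled user with one registered home PC,
    then a login from an unknown computer. Returns the observable outcomes."""
    server = AssuranceMessageServer()
    server.enroll("rjones", "correct horse battery", "Blue teapot on Tuesday")
    home_pc = device_fingerprint("Mozilla/5.0 (Windows NT 5.1)", "en-GB", "192.0.2.10")
    internet_cafe = device_fingerprint("Mozilla/5.0 (X11; Linux)", "de-DE", "198.51.100.7")
    server.register_device("rjones", home_pc)
    return {
        "home": server.step1_userid("rjones", home_pc),
        "cafe": server.step1_userid("rjones", internet_cafe),
        "unknown_user": server.step1_userid("nobody", home_pc),
        "password_ok": server.step2_password("rjones", "correct horse battery"),
        "password_bad": server.step2_password("rjones", "wrong"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

On the registered home PC the first step returns the assurance message; from the Internet café and for an unknown userid it returns the same verification dialog, which is the point at which a user "conditioned to accept verification dialog" (slide 16) stops getting any protection from the mechanism.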

  17. Base User Authentication
      • Circumstantial forensics, in addition to userid / password
      • Combination of elements
        • Machine fingerprint (including cookies left there)
        • Location of IP address that transaction is originating from
      • Evaluate elements => determine if transaction is risky
      • Action to be taken next is variable
        • Flag to alert user
        • Ask for secondary authentication (maybe different credential)
        • Switch to second factor (email, call, SMS)
        • Route through different process – CSR interrupt
        • Deny transaction

  18. Limitation of User ‘Approximation’
      • No protection against ‘friendly’ fraud
        • People in same household or even at workplace
        • Share machines, share IP address, share ‘location’
      • Risk scoring – inexact science
        • False positives – user inconvenience
        • Need number of transactions even to ‘learn’ pattern – several applications (including e-Banking) don’t lend themselves to such volume
      • Action on risk detection
        • SMS, Callback – not reliable for online activity
        • Second authentication – again conditions user to expect this question – potential for phishing

  19. Strong (Unique User) Authentication
      • Issue strong credential to individual user
        • User is told about strong credential
        • User knows sharing credential opens him/her for risk
      • Ask for strong authentication
        • For all access
        • For access to specific ‘high risk’ areas
        • For ‘high risk’ transactions only (based on amount, type etc)
      • Typical strong authentication is 2-factor
        • Two of three things – something you have, something you know or something you are (biometrics)

  20. Challenges to Strong Authentication
      • Cost
        • Issuing new credentials
        • Training users
      • Inconvenience
        • Learning to use 2 factors
        • Access when one factor is missing – user travels without something he/she has
      • Application upgrade
        • Applications need to know how to use this technology and authenticate users – new systems, new integration

  21. Electronic Business Enablement View
      • Beyond Compliance and Risk Mitigation
      • Authentication strategy must
        • Maintain simplicity
        • Provide IT and business process flexibility
        • Facilitate retention and acquisition of customers
        • Allow new products/services to be delivered
      • Strengthening Customer Relationship and adding new applications

  22. Arcot’s Layered Authentication Approach

  23. Layered Authentication Approach
      [Diagram, labels only, along an axis of Increasing Value and Benefits – Security + Other Uses (Signing/Encryption):
       • Arcot Level 1 Solution: Mutual Authentication / Assurance Message + Scrambled PIN Pad
       • Arcot Level 2 Solution: Crypto Strong Authentication (ArcotID)
       • Arcot Level 3 Solution: Digital Signing, (En)/Decryption (ArcotID + certificates)
       Further labels: UserID / Password; Location ID / Geo Location; Device ID]

  24. Layered Authentication Approach
      • Without user intervention
        • Usage of machine and connection characteristics to determine whether user is genuine, e.g.
          • IP address
          • Browser version
        • Comparison with last good access, or information at registration time
      • With user intervention
        • Strong Authentication using ArcotID
        • Additional Security Features
          • Personal Assurance message
          • Scrambled PIN pad
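The "without user intervention" layer of slide 24, combined with the variable actions of slide 17, as an added Python example (not Arcot's risk engine): the current access is compared with the last good access on device cookie, country, IP network and browser version, scored, and the score is mapped to one of slide 17's actions, with a stricter mapping for the "high risk" transactions of slide 19. The weights, thresholds, field names, the /24 network comparison and the sample last-good-access record are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AccessContext:
    """Machine and connection characteristics evaluated without user intervention.
    Field names are this example's assumptions."""
    ip: str
    country: str
    browser: str
    device_cookie: Optional[str]  # None when the browser presented no cookie


# Constructed 'last good access' store, keyed by userid.
LAST_GOOD_ACCESS = {
    "rjones": AccessContext("192.0.2.10", "DE", "Firefox/1.5", "c0ffee"),
}

# Slide 17's actions, in increasing severity.
ACTIONS = ["allow", "flag", "ask_secondary_credential",
           "switch_to_second_factor", "route_to_csr", "deny"]


def _same_network(ip_a: str, ip_b: str) -> bool:
    """Crude /24 comparison of dotted-quad IPv4 addresses (assumption of this example)."""
    return ip_a.rsplit(".", 1)[0] == ip_b.rsplit(".", 1)[0]


def risk_score(userid: str, current: AccessContext) -> Tuple[int, List[str]]:
    """Compare the current access with the last good access and return a score
    in 0..100 plus the reasons behind it. Weights are constructed for illustration."""
    last = LAST_GOOD_ACCESS.get(userid)
    if last is None:
        return 50, ["no last good access on record"]
    score, reasons = 0, []
    if current.device_cookie is None:
        score += 25
        reasons.append("no device cookie presented")
    elif current.device_cookie != last.device_cookie:
        score += 35
        reasons.append("device cookie differs from last good access")
    if current.country != last.country:
        score += 40
        reasons.append(f"country changed {last.country} -> {current.country}")
    elif not _same_network(current.ip, last.ip):
        score += 10
        reasons.append("IP network changed within the same country")
    if current.browser != last.browser:
        score += 10
        reasons.append("browser version changed")
    return min(score, 100), reasons


def decide(score: int, high_risk_transaction: bool = False) -> str:
    """Map a score to one of slide 17's actions. For 'high risk' transactions
    (slide 19) the score is raised by 20 points before the thresholds apply."""
    thresholds = [(15, "allow"), (35, "flag"), (55, "ask_secondary_credential"),
                  (75, "switch_to_second_factor"), (90, "route_to_csr")]
    if high_risk_transaction:
        score += 20
    for limit, action in thresholds:
        if score < limit:
            return action
    return "deny"


def evaluate(userid: str, current: AccessContext,
             high_risk_transaction: bool = False) -> Tuple[str, int, List[str]]:
    """Full pipeline: score the access, then choose the action."""
    score, reasons = risk_score(userid, current)
    return decide(score, high_risk_transaction), score, reasons


if __name__ == "__main__":
    # Constructed sample: same user logging in from a new browser abroad without a cookie.
    print(evaluate("rjones", AccessContext("198.51.100.7", "RO", "IE 6.0", None), True))
```

The reasons list is what a help desk or a CSR interrupt (slide 17) needs to see, and the "friendly fraud" limitation of slide 18 follows directly from the inputs: a household member on the same machine and IP network scores 0 here.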

  25. Customizable Authentication Approach
      • Scrambled PIN Pad – defeats keyboard loggers
      • “Assurance Message” – for Site Authentication
      • ArcotID – for Strong Authentication
      • IP and Device Forensics – for Increased Identity assurance
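How a scrambled PIN pad defeats a key-stroke or click logger (slides 23 to 25), as an added Python example of the server side (not Arcot's implementation): every login gets a freshly shuffled one-time layout of the ten digits, the browser submits the key positions the user clicked rather than the digits, and the server translates the positions back with that session's layout before checking the PIN hash. Anything a logger captures is a list of positions that maps to a different PIN under the next layout. The session handling, the hashing parameters, the seeded constructor and the sample user are constructed assumptions.

```python
import hashlib
import hmac
import random
import secrets
from typing import Dict, List, Optional, Tuple


class ScrambledPinPad:
    """Server side of a scrambled PIN pad: digits 0-9 are shuffled over ten key
    positions per login; the client sends positions, never digits."""

    def __init__(self, rng: Optional[random.Random] = None) -> None:
        self._rng = rng or secrets.SystemRandom()
        self._pins: Dict[str, Tuple[bytes, bytes]] = {}   # userid -> (salt, pin hash)
        self._sessions: Dict[str, List[str]] = {}         # session id -> one-time layout

    @classmethod
    def seeded(cls, seed: int) -> "ScrambledPinPad":
        """Deterministic instance for tests and demos only; production uses SystemRandom."""
        return cls(rng=random.Random(seed))

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        # Iteration count is an assumption of this example.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, userid: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self._pins[userid] = (salt, self._hash_pin(pin, salt))

    def new_layout(self) -> Tuple[str, List[str]]:
        """Issue a fresh one-time layout: position i displays digit layout[i]."""
        layout = list("0123456789")
        self._rng.shuffle(layout)
        session_id = secrets.token_hex(8)
        self._sessions[session_id] = layout
        return session_id, list(layout)

    @staticmethod
    def positions_for(layout: List[str], pin: str) -> List[int]:
        """What the browser submits: the position of each key the user clicks."""
        return [layout.index(digit) for digit in pin]

    def verify(self, userid: str, session_id: str, positions: List[int]) -> bool:
        """Translate positions back to digits with this session's layout (consumed
        on use, so the same positions cannot be replayed) and check the PIN hash."""
        layout = self._sessions.pop(session_id, None)
        record = self._pins.get(userid)
        if layout is None or record is None or not all(0 <= p < 10 for p in positions):
            return False
        pin = "".join(layout[p] for p in positions)
        salt, expected = record
        return hmac.compare_digest(self._hash_pin(pin, salt), expected)


if __name__ == "__main__":
    # Constructed demo: what a logger would capture is the positions list only.
    pad = ScrambledPinPad()
    pad.enroll("rjones", "4711")
    sid, layout = pad.new_layout()
    clicked = ScrambledPinPad.positions_for(layout, "4711")
    print("layout shown:", "".join(layout), "positions captured by a logger:", clicked)
    print("login:", pad.verify("rjones", sid, clicked))
    _, next_layout = pad.new_layout()
    print("same positions under next layout spell:", "".join(next_layout[p] for p in clicked))
```

The positions are bound to one session's layout and the layout is discarded on use, so a captured sequence neither replays into the same session nor carries over to the next one; the mouse-click capture named on slide 10 still sees the screen, which is why the deck pairs this layer with ArcotID rather than relying on it alone.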

  26. The ArcotID Enabled Application
      [Diagram, labels only: Username, Password, Software Smart Card (ArcotID)]
      The power of two-factor, with the simplicity of passwords …

  27. Fully Flexible Solution
      Multiple levels of functionality available
      • Authentication Only
        • No installed software required
        • Java/Flash on-demand
      • Add Digital Signing, Encryption
        • Requires client software for advanced functionality
      • Staged approach possible
        • addressing current business requirements
        • and providing a future-proof solution using the same framework
      • Provide the user with a security solution that addresses the risk and is still user-friendly

  28. Comparing Authentication Technologies

  29. Arcot & Identity Management / Authentication
      [Chart, labels only: axis Identity Management / Authentication, Weak → Strong; authentication types: “Passwords”, Hardware-based “Two Factor”, Software-based “Multi-Key”, Multi-Party “3D Secure”; applications: Digital Signature, Online Banking, ePayment Authorization, Remote Access VPN]

  30. The Authentication Gap
      [Chart, labels only: Strength of Authentication, Weak → Strong; “The Authentication Gap”]

  31. Comparison ArcotID vs. Other Technologies
      [Chart, axis labels only]
      • Identity Management / Strength of Authentication: Strong – Weak
      • Cost of Deployment and Support: $$$$ – $
      • User Experience: Impacted – Transparent
      • Application Flexibility: Application Specific – Highly Flexible

  32. Beyond Strong Authentication

  33. Beyond Strong Authentication: Secure Delivery of eStatements
      • ROI
        • Paper statements cost €0,60
        • Electronic statement cost €0,06
        • Savings per statement €0,54
        • 12 statements a year €6,48
        • Cost for paper based statement €650.000
        • Annual cost for e.g. 100K users €150.000
        • Anticipated savings per 100K users up to €500.000 per year

  34. Beyond Strong Authentication: Receiving a Secure Electronic Statement
      1) Customer selects e-mail message
      2) Customer opens PDF attachment and is prompted for a “username” and “password” – which unlocks their second factor, the ArcotID, and gives access to the private key required for decryption in 3)
      3) Transparent to the customer, the document is decrypted, verified for integrity and presented to the customer
      [Screenshot, labels only: User Authentication dialog – Username: rjones, Password: *********]

  35. Beyond Strong Authentication: Efficient Loan Origination
      1. Bank e-mails encrypted PDF Loan Documents to Customer
      2. Customer verifies that Documents are certified as having come from bank
      3. Customer digitally signs Document using Arcot software and Adobe Reader (ArcotID)
      4. Customer e-mails signed, encrypted document to Bank

  36. Deployments

  37. Customer Deployment Examples
      • Daimler-Chrysler Bank (DE)
        • Secure portal access for Treasury department
        • Protection of Citrix access for employees
      • Swedbank (LU)
        • Online banking access for customers via portal
        • Protection of Citrix access for employees
      • SSI Search
        • Strong authentication to Financial Service Portal
      • Certegy (US)
        • Strong Authentication for VPN access by partners
      • Wells Secure (US)
        • Digital IDs for individuals and businesses
        • Authentication and Digital Signing application

  38. Summary

  39. Arcot Strong Authentication
      • Proven Consumer Authentication Platform
        • 3-D Secure rolled out worldwide to millions
        • Supported and marketed by Visa, MasterCard, JCB
      • Proven Enterprise Authentication Platform
        • Software two-factor solution in place at major corporations
        • Worldwide installations – U.S., Asia-Pac, Europe
        • Integration / Co-existence with other ID mgmt and auth solutions (hardware, etc.)
      • Patented & proven mature technology, developed and in use since 1997
      • Industry-standards compliant – Identrus, SAFE, PKCS#11, MS-CAPI, X.509
      • Extensible to mobile and other devices
        • Small footprint interfaces
        • First Mobile pilots started in 2005

  40. Arcot Benefits Beyond Authentication
      • Enables digital signatures – replace print & sign
        • New saving / checking account opening
        • Commercial Account Opening / Changes of standing orders, direct debits etc.
        • Online credit card applications
        • Mortgages / home-equity line of credit
      • Enables encryption
        • PDF based secure communication of statements and other sensitive data to the end user
      • Supports federation
        • ArcotID PKI-based platform provides support for smart card implementations and other government initiatives
      • Allows roaming of users
        • Transferring user credentials temporarily to other machines
      • Integrates as needed with Verified by Visa or MasterCard SecureCode, J-Secure by JCB consumer auth programs

  41. Why Arcot?
      • Long-standing player in the authentication space
      • Experience on how to provide authentication to a large number of users
      • Flexible, cost-effective and future-proof solution
      • Local representation through our strong partner IND
      • Strong technology partnerships with Adobe, Documentum and others

  42. Questions?

  43. Thank You!
      For further information, please contact:
      Michael Seifert, Managing Director, Arcot GmbH, Michael.Seifert@arcot.com
      or the local IND office

  44. Backup Slides

  45. Arcot & ePayment Infrastructure
      [Diagram, labels only: 3-D Secure – Card Issuers 10,000+, Merchants 50,000+, Internet, Card Holder]

  46. [Diagram, labels only: RegFort™ Registration Platform; TrustFort™; SignFort™ – Server-Side Signature Generation, Server-Side Signature Validation; Universal Client™ – Common Client to support Digital Signing; SAFE Infrastructure – Issuers, FDA, Pharmas, Internet, Physician]
