Selecting a Strong Authentication Solution
Scott Mackelprang, V.P. of Security, Digital Insight
Vendor view of the FFIEC Guidance
• The recent strong authentication guidance was good:
  • For the financial industry
  • For vendors and providers
  • For end users
• Unified guidance through the FFIEC was the right way to do it
  • Relieved concern of conflicting guidance
  • Best approach for new significant changes going forward
• Strict vendor neutrality was appropriate
• One year deadline was about right
  • Will be a challenge for some, but a deadline was needed
Step 1: Determine What the FIs Want
• FI attitudes towards changes in the end-user experience
  • How intrusive?
    • How much effort/burden for the end user
  • How complicated?
    • Degree of sophistication required of the end user
  • How much user mobility?
    • Allow end users to roam?
    • How much inconvenience will roaming entail?
  • How to address shared accounts?
    • Shared authentication credentials allowed?
  • How to register users for strong authentication?
Step 1: Determine What the FIs Want
• FI administrative wants and needs
  • How much security?
    • Not all solutions offer equivalent protection
  • Additional computer peripherals okay?
    • Some solutions require additional peripherals on the PC
  • Implement more than one technology?
    • Some solutions are complementary
  • Implement all users at once or one user at a time?
    • Big bang vs. one by one
  • Needed how soon in order to meet the deadline?
    • The FI's inertia will impact the rollout effort
  • What impacts are there to account aggregation?
  • Secondary methods to back up the strong authentication?
    • Non-mobile solutions, forgotten passwords, etc.
Step 2: Clearly Establish Your Objective
• What's more important?
  • Prevent theft of credentials, or...
  • Prevent use of stolen credentials
• Phishing makes the headlines, but...
  • Strong authentication doesn't just address phishing
  • Other important threats must be considered
    • Remote access trojans
    • Man-in-the-middle attacks
    • New emergent threats
• Going to solve only the authentication problem?
  • What about authorization?
• Commercial, retail, administrative: all use the same approach?
Step 3: Evaluate Technology Options
• Synchronous token
  • Somewhat expensive, heavier administrative model, supports mobility very well, choice of early adopters
• USB token
  • Commodity priced, moderate administrative model
• Smartcard
  • Lacks supporting infrastructure in the US, good authorization features
• Shared secrets
  • Not as strong as other mechanisms, good as a backup to the primary method
• Asynchronous password-generating token
  • Can lower the cost of the token (matrix cards, scratch lists, etc.), moderate to high administrative model
Step 3: Evaluate Technology Options
• Biometrics
  • Fingerprint infrastructure is rolling out now; non-fingerprint biometrics have high infrastructure barriers. Proprietary lock-ins are common in biometrics
• Out-of-band communications
  • Convenience and availability could be issues; good as a backup in the event of failure of the primary approach
• IP address and geo-location
  • Weak as a primary method, but could strengthen the primary means. 'Spoofable'. Shortcomings called out by the FFIEC
• Client computer/network 'fingerprinting'
  • Could have a moderately heavy administrative model, simple for the end user. Good supplement to primary techniques
• Digital certs on the client (SSL client certs, etc.)
  • Strong security, cumbersome to use broadly
Step 4: Narrow Options, then Test and Negotiate
• Leave time to fully negotiate license arrangements
  • Vendors tend to want to charge on a per-user basis
• Evaluate and size the integration task for the product software
  • Staff as required to meet established deadlines
• Test scalability of the selected technology
• Test security of the selected technology
• Test usability through a pilot to the extent possible
  • Test results should inform the decision-making process
Step 5: Develop and Test Solution
EXAMPLE: Digital Insight's Solution and Priorities
• DI selected a solution that provides 3 levels of authentication
  • Cookies
  • Software download
  • USB token
• Wanted a sliding scale of protection without upgrades at server or client
• Wanted to protect against newly emerging threats, especially man-in-the-middle attacks
  • DI expects man-in-the-middle attacks to become prevalent in 12 to 18 months
• DI is building a framework to support multiple technologies
  • Not all FIs may be able to conform to a single technology selected by DI
  • A framework will also serve the authorization needs of financial services
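The "sliding scale of protection" in Step 5 and the supplement-versus-primary distinction in Step 3 (device fingerprinting and IP geo-location strengthen a primary method but are too weak to stand alone) can be made concrete as a small step-up policy. The Python below is an added illustration, not Digital Insight's code or anything from the deck; the three assurance levels, the HMAC-bound device cookie, the geo-location comparison, the shared-account rule and the high-value threshold are all assumptions constructed for the example.

```python
"""Step-up authentication policy sketch (added illustration, not Digital
Insight's code). Models a three-level sliding scale of assurance and treats a
recognized-device cookie and IP geo-location as supplements that can lower
the required level, never as the primary method on their own."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple
import hashlib
import hmac


class Level(IntEnum):
    """Assurance levels, lowest to highest (ordering assumed for this example)."""
    COOKIE = 1      # recognized device cookie only
    SOFTWARE = 2    # downloaded software authenticator
    USB_TOKEN = 3   # hardware USB token


# Assumption: a per-deployment server secret; constructed value for the demo.
SERVER_KEY = b"constructed-demo-server-key"
HIGH_VALUE_THRESHOLD = 10_000.0  # assumption: amount that always requires the USB token


def _cookie_mac(user_id: str, device_id: str) -> str:
    return hmac.new(SERVER_KEY, f"{user_id}|{device_id}".encode(), hashlib.sha256).hexdigest()


def issue_device_cookie(user_id: str, device_id: str) -> str:
    """Bind the cookie to user and client fingerprint so a copied cookie is useless elsewhere."""
    return f"{user_id}|{device_id}|{_cookie_mac(user_id, device_id)}"


def verify_device_cookie(cookie: str, user_id: str, device_id: str) -> bool:
    """True only if the cookie names this user and device and its MAC is intact."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return False
    return (parts[0] == user_id and parts[1] == device_id
            and hmac.compare_digest(parts[2], _cookie_mac(user_id, device_id)))


@dataclass
class LoginContext:
    user_id: str
    device_id: str                 # client fingerprint: a supplement, not a primary method
    cookie: Optional[str]
    geo_country: str               # from IP geo-location: weak and spoofable on its own
    home_country: str
    amount: float = 0.0            # value of the requested transaction, for authorization
    shared_account: bool = False   # shared credentials defeat device recognition


def required_level(ctx: LoginContext) -> Level:
    """Minimum assurance level the login must reach, derived from the supplementary signals."""
    recognized = bool(ctx.cookie) and verify_device_cookie(ctx.cookie, ctx.user_id, ctx.device_id)
    geo_match = ctx.geo_country == ctx.home_country
    if ctx.shared_account or ctx.amount >= HIGH_VALUE_THRESHOLD:
        return Level.USB_TOKEN           # hard floor: supplements cannot lower it
    if recognized and geo_match:
        return Level.COOKIE              # both weak signals agree: lowest level is enough
    if recognized or geo_match:
        return Level.SOFTWARE            # one signal only: step up to a real second factor
    return Level.USB_TOKEN               # nothing recognized: strongest available factor


def decide(ctx: LoginContext, presented: Level) -> Tuple[str, Level]:
    """Return ('allow' | 'step_up', required level) for the factor the user presented."""
    need = required_level(ctx)
    return ("allow" if presented >= need else "step_up"), need


if __name__ == "__main__":
    # Constructed scenario: a returning user on a known device at home, then roaming abroad.
    cookie = issue_device_cookie("alice", "fp-home-laptop")
    home = LoginContext("alice", "fp-home-laptop", cookie, "US", "US")
    roaming = LoginContext("alice", "fp-hotel-kiosk", None, "FR", "US")
    print(decide(home, Level.COOKIE))
    print(decide(roaming, Level.COOKIE))
```

The cookie is bound to both user and device fingerprint with an HMAC, so a cookie copied to another machine or edited by hand drops the user back to an unrecognized state; the shared-account and high-value rules are hard floors that no supplementary signal can lower, which is the policy equivalent of the deck's point that IP geo-location and fingerprinting may strengthen a primary method but never replace it.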
Step 6: Roll Out the Solution
• Provide wide latitude for timing of the rollout
  • Flexibility is a must
  • FIs need many options in timing their rollout
    • Not all FIs will evaluate risk the same way
    • Not all have the same products or risks
• Provide backup education for authentication failures well in advance
  • E.g., DI provides 2 out-of-band mechanisms for unusual-circumstance logins
• Provide consultative services for FIs who will need the help
Step 6: Roll Out the Solution
• Broadly distribute communication to FI customers explaining the implementation philosophy and process
• Roll out prerequisite infrastructure in advance of the actual deployment of strong authentication technology to ease the process
  • Do it behind the scenes if possible
  • Minimize impact on the FI during the rollout itself
  • Shorten the lead time required of FIs for their rollout
  • Reduce work for the FI to migrate to the new solution
• Conduct focus groups through usability experts to establish help content for customers
  • Create excellent Help text verbiage
  • Help with collateral for FIs to 'sell' end users on the new technology
  • Create FAQs designed to describe and educate at all levels