In this podcast recorded at RSA Conference 2017, Michael Thelander, Director of Product Marketing at iovation, talks about lessons learned from bringing authentication technology out to customers and seeing what the demand looks like in the market.
Here’s a transcript of the podcast for your convenience.
We’ve seen three things, especially with relation to authenticating consumers and new customers out in the market in that space that we call ‘beyond the firewall’.
What we’ve seen, first thing is that authentication for the enterprise, what we’re used to in the enterprise with on premise or even cloud-based servers and credentialing based on some identity management system, Active Directory or something like that, doesn’t really work for the consumer environment. It’s much more fluid, it’s typically much larger. Where you’re authenticating a few thousand in the enterprise, you might be authenticating a few million when you’re out in the customer environment. It doesn’t really scale, and usability is of extreme importance, obviously, when you’re out authenticating customers into their banking accounts, or their retail accounts, or even their social media accounts.
Second thing that we’ve seen is that authentication – and this is sort of old-school learning, but it still remains true – authentication needs to be adapted. Everything in that range, from easy authentication and access for low risk activities to highly rigorous high assurance authentication and authorization for high risk activities, need to be able to adapt pretty much seamlessly along that continuum.
Third thing is that context matters. Context is everything. And what I mean by that is if, Michael, if I authenticated into something with my username and password, in the old world, we would just say, ‘Michael’s got the right username and password. Let him in to do anything he wants.’ But in this world, where we’re faced with some of the biggest breaches in history, where credentials are out in the black market, those credentials don’t mean as much as they used to. So we might have to pause and say, ‘Yes, those were the right credentials, but what context do we see? What are the indicators of compromise of those credentials or risk inherent in that session that we can actually act on, and then somehow step up to a more rigorous or broader authentication?’
Those are the three things we’ve seen that it’s different for consumers than in the enterprise, it needs to be adaptive, and that context matters.
What is iovation’s solution for these challenges?
In the last year, we’ve already had our customer authentication or device-based authentication called ClearKey. We acquired a product called LaunchKey, which is multifactor authentication.
Our solution is to create a dynamic authentication suite. So cover that whole broad range, everywhere from, ‘Just let me authenticate based on the presence of a known good, recognized device, whether that’s my mobile, whether that’s my laptop, whether that’s an IoT device, whether that’s anything that I’ve got. As long as I recognize it, it’s what we’ve registered before with that account and there’s no inherent risk in it or anomalies in it, just go ahead and let them in.’ All the way to highly rigorous, multifactor authentication that requires two or even three factors of authentication to be present at that time, as well as things like real-time authorization.
Many companies are offering new multifactor authentication technologies. How is your technology different?
When we acquired LaunchKey, we were specifically looking for a next generation multifactor solution that did a few things. It would be decentralized, meaning we didn’t have that central store of credentials that we would have to manage. We built on really forward-looking technologies, and we built on standards that are extensible, ways that we could integrate into other people’s authentication strategies.
That, combined with the context that we bring along, because iovation has been in fraud prevention authentication based on device as well for many years, over 12 years now. We bring that insight and context into that risk. Has that device been rooted or jailbroken? Is it coming through an emulator? Is it coming through a Tor browser? Is there anything anomalous between the device’s reported IP address and its actual geolocation? So we bring all of that to it.
I think what we bring that really uniquely different is we can take that contextual device-based, our ClearKey technology, and drive the authentication factor. So, yesterday, when I was at home, logging into my mobile banking, it could’ve said, ‘Hey, Michael is in the right place at the right time with roughly the right IP address range and no risk. Present just one multifactor option. Thumbprint.’ Well, now Michael’s in San Francisco. Things have changed, basically. We can tell that from the context. We use that to drive maybe another authentication step. ‘Not only your thumbprint, but enter your four-digit PIN. Or enter your graphic circle code.’ And that’s why I think the marriage of these technologies, this dynamic authentication suite is really different. And that’s what our customers are responding to.
I got up very early this morning, at 5 o’clock, to do a call, because of the range of customers. We had a customer that lives in Tel Aviv, and one that lives in London, and of course, us, here in the West Coast. Because we’re taking one of the customers that has used our fingerprinting technology for many years, he’s looking at going the next step into the multifactor technology, and providing a reference for yet another customer in a different industry, in online gaming, where they’re looking to actually integrate both technologies at the same time. And it was really just a reference call to say, ‘What have you run into?’
The interesting thing is, for us, with the same response, the same reaction from both in this card issuing financial space, as well as online gaming and gambling, ‘We need the easiest experience possible for our customers when it’s appropriate. We need that measure of appropriateness to be measured by the amount of risk that we see in that session. And we need to be able to react immediately.’
Another thing in their responding is they’ve known for a long time – in both of these cases, in financial services, as well as in online gaming – they’ve known for a long time that passwords and knowledge-based authentication questions have to go away, they haven’t known how to do it. Their response now is, ‘Okay, now I see the path. I see the path to get rid of passwords by having this highly dynamic range of authentication that’s interwoven and works seamlessly together from completely transparent all the way to highly interactive with real-time authorization. So they see that as solving problems that they’ve really had for a long time, but not had a way to address it.
And if there’s any interest around that dynamic authentication, we have these things work together, but also what it means in consumer authentication for retail, banking, finance, social media, media of the sectors. We have a follow-on webinar that’s coming on March, 1st: The Consumerization of Authentication. We will take a lot of learnings here, from this event, at RSA Conference, what other people are saying about how they authenticate.
Dynamic Authentication Suite
See how iovation’s Customer Authentication service integrates with LaunchKey MFA to create a dynamic authentication suite that responds to context and risk, works seamlessly with your site or application, and leverages the insight of a worldwide community of fraud and security experts.