
These materials are © 2018 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.


Multi-Factor Authentication
iovation Special Edition

by Crystal Bedell and Michael Thelander

Multi-Factor Authentication For Dummies®, iovation Special Edition

Published by
John Wiley & Sons, Inc.
111 River St.
Hoboken, NJ 07030-5774
www.wiley.com
Copyright © 2018 by John Wiley & Sons, Inc., Hoboken, New Jersey

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form
or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as
permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written
permission of the Publisher. Requests to the Publisher for permission should be addressed to the
Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011,
fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com, Making
Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons,
Inc. and/or its affiliates in the United States and other countries, and may not be used without written
permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is
not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

ISBN 978-1-119-45602-5 (pbk); ISBN 978-1-119-45601-8 (ebk)

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1

For general information on our other products and services, or how to create a custom For Dummies book
for your business or organization, please contact our Business Development Department in the U.S. at
877-409-4177, contact info@dummies.biz, or visit www.wiley.com/go/custompub. For information about
licensing the For Dummies brand for products or services, contact BrandedRights&Licenses@Wiley.com.

Publisher’s Acknowledgments

Some of the people who helped bring this book to market include the following:

Development Editor: Elizabeth Kuball
Copy Editor: Elizabeth Kuball
Executive Editor: Katie Mohr
Editorial Manager: Rev Mengle
Business Development Representative: Karen Hattan
Production Editor: Selvakumaran Rajendiran
Special Help: Kathy Simpson, Geoff Sanders, and Connie Gougler

Table of Contents
INTRODUCTION................................................................................................ 1
About This Book.................................................................................... 1
Foolish Assumptions............................................................................. 2
Icons Used in This Book........................................................................ 2
Beyond the Book................................................................................... 2

CHAPTER 1: Understanding Consumer Authentication Challenges.......................... 3
Authentication Systems Built for Enterprises.................................... 4
Password Insecurity.............................................................................. 4
The Weakness of Strong Authentication............................................ 5
Need for Convenience.......................................................................... 6
Authorized for Everything.................................................................... 6

CHAPTER 2: Protecting Access with Multiple Factors................... 7


Employing Authentication Factors...................................................... 7
Combining Authentication Methods................................................... 8
Using Client-Side Authentication......................................................... 9
Fingerprint scan............................................................................... 9
PIN code............................................................................................ 9
Pattern code..................................................................................... 9
Geofencing...................................................................................... 10
Bluetooth device proximity.......................................................... 10
Facial recognition........................................................................... 10

CHAPTER 3: Unifying the User Experience........................................... 11


Understanding Authentication Fragmentation............................... 11
In the consumer world.................................................................. 12
In the business world.................................................................... 12
Unifying Authenticators...................................................................... 13
Considering New Access Requirements........................................... 14
Mobile authentication................................................................... 14
Bidirectional and real-time authentication................................. 14

CHAPTER 4: Decentralizing MFA Architecture.................................. 15


Recognizing the Drawbacks of Centralized Authentication........... 15
Realizing the Benefits of Decentralization....................................... 16

CHAPTER 5: Adapting to Risk in Real Time........................................... 19
Using Dynamic Authentication.......................................................... 19
Introducing the Three Cs of Dynamic Authentication.................... 20
Contextual....................................................................................... 20
Continuous..................................................................................... 22
Complementary............................................................................. 22
Seeing How Dynamic Authentication Works................................... 23

CHAPTER 6: Customizing the MFA Experience.................................. 25


Personalizing MFA Technology.......................................................... 25
Integrating MFA Technologies........................................................... 26
Giving Users and Administrators Choice.......................................... 27
Extending Authentication to Authorization...................................... 27
Single-user and multiuser authorization.................................... 28
Deploying MFA as a Platform............................................................. 29

CHAPTER 7: Securing MFA................................................................................. 31


Using Current Protocols and Standards........................................... 31
Managing Cryptography..................................................................... 32
Practicing Security by Design............................................................. 34

CHAPTER 8: Meeting Your Authentication Goals, Today and Tomorrow.............................................................. 35
Emerging Standards and Regulations.............................................. 36
MFA Applied......................................................................................... 36
The Internet of Things................................................................... 36
Financial services........................................................................... 37
Ecommerce checkout.................................................................... 37
Insurance........................................................................................ 37

CHAPTER 9: Ten MFA Buying Criteria....................................................... 39


Omnichannel Support........................................................................ 39
User-friendly Controls........................................................................ 40
True MFA Support............................................................................... 40
Compatibility with Existing Authentication Services....................... 41
Advanced Cryptography..................................................................... 41
Decentralized, Anonymous Architecture.......................................... 41
Updatable Platform............................................................................. 42
Developer Support.............................................................................. 42
Dynamic Administrative Controls...................................................... 43
Single-User and Multiuser Authorization......................................... 43

Introduction

Digital businesses are in a precarious state. They need to authenticate users for their own protection, but if the process proves to be too cumbersome, they won’t have any customers to authenticate. Yet the most common form of authentication (and, some people would argue, the best understood) is also notorious for being cybersecurity’s weakest link. You know it well: the combination of username and password.

Meanwhile, as more and more consumer services go digital, reliance on usernames and passwords continues to grow — and so does the risk of a major credential breach.

It’s time for a change. It’s time to disrupt the status quo and
give users the security and authentication experience that they
deserve, and that enables you to run a successful digital business
with confidence.

About This Book

This book introduces IT professionals to next-generation multi-factor authentication (MFA), an approach to authentication that goes well beyond usernames and passwords to provide the right level of security assurance at the right time, anytime. But that’s not all: Next-generation MFA also streamlines authentication while empowering users to take control of their data privacy.

If you’re responsible for authenticating users to your company’s applications or services, this book is for you.

Foolish Assumptions

In preparing this book, we’ve assumed a couple of things about you, the reader:

»» You work in product management, customer experience, or information technology (particularly access management) for a corporation, government agency, or services firm.
»» You have foundational knowledge of authentication principles, computer systems, and network security.

Icons Used in This Book

This book uses the following icons to indicate special content:

The Tip icon points out practical advice that can help you craft a better strategy, whether you’re planning a purchase or setting up your software.

You won’t want to forget the information in paragraphs marked with the Remember icon.

Look out! When you see the Warning icon, it’s time to pay attention. You won’t want to miss this cautionary information.

Maybe you’re one of those highly detailed people who really need to grasp all the nuts and bolts — even the most techie parts. If so, these tidbits marked with the Technical Stuff icon are right up your alley.

Beyond the Book

We explore multi-factor authentication platforms in great detail in this book, but if you crave even more information, we encourage you to visit www.iovation.com.

IN THIS CHAPTER
»» Getting to know consumer authentication requirements
»» Understanding the weakness of knowledge factors
»» Recognizing the drawbacks of strong authentication

Chapter 1
Understanding Consumer Authentication Challenges

Thanks to the digitalization of practically everything, authentication is a ubiquitous exercise. No longer limited to financial transactions or the workplace, it’s integrated into our everyday lives, from actions as mundane as making a phone call to visiting a favorite online store.

Just because authentication is commonplace, however, doesn’t mean it’s unimportant. Effective consumer authentication is critical to the security, privacy, and financial reputation of every person. With so much riding on authentication, it’s time for a new approach.

In this chapter, we look at some of the problems posed by legacy authentication technologies that must be overcome by next-generation technologies for multi-factor authentication (MFA).

Authentication Systems Built for Enterprises

Many enterprise technologies have been affected by the consumerization of IT, but authentication isn’t one of them. The systems that are built and deployed to authenticate internal users to an enterprise network and its systems don’t work well to authenticate consumers for websites, mobile applications, vehicles, and more. Systems like LDAP, RADIUS, and SAML, often used in conjunction with hardware tokens that generate keys, aren’t suitable for consumer environments.

Consider Julie, the enterprise user. Julie is trained by the IT department on how to use the systems and applications she needs to do her job. The IT organization controls how, when, where, and to what she authenticates. Julie has no say in the authentication factor itself, let alone its complexity or the policies that govern it (such as how often she has to change her password).

Now consider Brad, the consumer user. Brad is one of many potential users who may or may not be tech-savvy. Regardless, Brad doesn’t want to learn a complex authentication process or adhere to strict controls that make it difficult to check his bank account balance, download a mobile app, or purchase a book online. He has a choice in the matter. If the authentication process is inconvenient or messy, he’ll find another provider.

Password Insecurity

Passwords are the de facto authentication mechanism for just about anything. Unfortunately, they’re also inherently insecure. There are several reasons for this insecurity:

»» Weak knowledge factors: Of the three primary factors of authentication (which we discuss in Chapter 2), knowledge factors are the weakest because they’re based on information that another person may know, guess, or infer.
»» User carelessness: Users can’t be trusted with passwords. They create simple passwords that are easy to guess, they write them down, they share them, and they fall victim to password attackers and malware.

»» Password-cracking tools: Passwords have been around for so long that password crackers have become a cottage industry. These applications can leverage cheap processor power to cycle through thousands of hash permutations and open an account in minutes through brute-force efforts.
»» Centralized password repositories: Password functionality is traditionally built on top of the systems or apps the passwords are meant to secure. As a result, the authentication layer (with its unified attack surface) is centrally located and accessible by anyone, including cyber attackers.

Attackers can obtain hundreds of thousands of user credentials from a single break-in. Because users reuse passwords, the stolen credentials may also grant access to other services. Attackers may use the credentials or sell them on the dark web.

The Weakness of Strong Authentication

Strong authentication, or two-factor authentication (2FA), is often used to compensate for the weakness of passwords. Although 2FA enhances the authentication process, it leaves some problems unresolved and creates others.

In most implementations, 2FA pairs a token or one-time password (OTP) alongside a traditional password. The token is generated by the application or a fob, or sent to the user’s mobile phone. The token entered by the user is compared with the token generated by the app. If the tokens are identical, the user is granted access. But 2FA has several drawbacks:

»» 2FA relies on symmetric key cryptography, which uses the same keys for encryption and decryption. This approach doesn’t adequately secure the shared secret. If the user’s device or the app is compromised, the attacker can obtain and use the shared secret to generate his own token. Further, a token may be intercepted when it’s delivered to the app for use.
»» 2FA retains an in-band password layer, so the core password problems we discussed earlier in “Password Insecurity” remain.

»» 2FA affects the user experience. OTPs expire quickly and aren’t always received on mobile devices in near real time. Faced with these inconveniences, users are likely to abandon 2FA.

The term strong authentication is often used synonymously with multi-factor authentication, but most definitions specify salient differences. We cover those differences in Chapter 2.

Need for Convenience

It’s a well-known fact that users prefer convenience over security. They expect you to protect their sensitive data and personally identifiable information (PII), but if your security controls prove inconvenient, they’ll implement workarounds or abandon your application.

Authorized for Everything


A password provides authentication (proving that users are who
they say they are), but it doesn’t provide authorization (validating
that a user has permission to complete a specific task). As a result,
users who authenticate with a password may have access to every
task within their purview. This can be problematic.

When banking online, users might check an account balance, transfer funds, or pay bills. After they’re authenticated, users can perform any of these activities at will. Authentication alone might be fine for checking an account balance, but allowing users to move money without requiring specific authorization increases the risk of fraud.

IN THIS CHAPTER
»» Working with authentication factors
»» Putting the multi in multi-factor
»» Authenticating on the client side

Chapter 2
Protecting Access with Multiple Factors

Given the many security issues surrounding passwords and the architectural problems associated with two-factor authentication (2FA), you may wonder how you can safely authenticate users.

Fortunately, many secure authentication processes are available. In this chapter, we introduce various multi-factor authentication (MFA) technologies.

No single authentication factor is impenetrable. Solutions provide varying levels of security assurance depending on the implementation, user, and attack vector.

Employing Authentication Factors

The three primary types of authentication factors are

»» Knowledge: A knowledge factor is something that the user knows. This factor can be a password, a challenge question, or a personal identification number (PIN).

»» Possession: A possession factor is something that the user possesses, often in the form of a physical device, such as a security token or smartphone.
»» Inherence: An inherence factor utilizes a physical characteristic that inherently represents a unique user. Inherence factors, like fingerprints and facial patterns, are measured and analyzed by biometric technologies.

Further, an authentication factor can be classified as transparent or interactive:

»» Transparent: Transparent authentication takes place behind the scenes without user interaction. Two examples of transparent authentication factors are Bluetooth device proximity and geofencing.
»» Interactive: Interactive authentication requires the user to do something, such as enter a PIN or pattern code.

We discuss several transparent and interactive factors in “Using Client-Side Authentication” later in this chapter.

Transparent and interactive factors make a great team. A transparent factor can authenticate a user for low-risk activities, such as viewing her own wish list, and an interactive factor can be required for higher-risk activities, such as completing a purchase.

Combining Authentication Methods

MFA requires users to authenticate by using more than one authentication type concurrently. Commonly, MFA is used to boost assurance levels when a single factor, like username and password, is insufficient. This process reduces the risk of unauthorized access because an attacker must bypass two or even three authenticators to gain access to the target system.

MFA is most effective when knowledge, possession, and inherence authentication factors are used dynamically (as we discuss in Chapter 5) so that one factor can compensate for another factor’s weakness. This process also makes it much more difficult for an attacker to obtain the necessary authenticators. (It’s much easier to get two knowledge-based authenticators, for example a password and a pet’s name, than to acquire a knowledge-based authenticator and an inherence factor, such as a fingerprint.)

Using Client-Side Authentication

Client-side authentication offers flexibility and strength by allowing users to choose among multiple transparent and interactive authentication factors from their own client, such as a mobile device.

MFA technologies that use client-side authentication often leverage the hardware and internal authentication capabilities of each user’s smartphone and/or tablet. Client-side authentication factors are processed locally on the user’s device. All data and authentication processes are securely stored on the device’s local storage, making it inaccessible to both the authentication server and the requesting application, where attackers typically lurk.

In the following sections, we discuss the different types of authentication methods.

Fingerprint scan

Many new smartphones and tablets include digital scanners that enable users to authenticate to the device by assessing their fingerprint rather than entering a PIN. MFA technologies can leverage this functionality by verifying the user’s biometric scan via the mobile device.

PIN code

A PIN is a string of numbers or characters that users enter via the number or keypad on their mobile devices. Each user creates her own PIN, and the system administrator determines when PINs should be updated.

Pattern code

A pattern code (such as a circle code or pattern lock) is a knowledge factor that uses the touchscreen of the user’s mobile device to verify a predefined sequence of movements or actions set by the end user. Such actions might include movements around a circle or connecting a sequence of dots onscreen.

Geofencing

Geofencing allows the user or enterprise to identify specific physical locations in which the mobile device must be located before the user can authenticate. If the device is outside these areas, authentication fails or the user is prompted to submit another authentication factor.
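An added example, not code from the book or from iovation, that puts three pieces of this chapter into one policy check: the three factor types from “Employing Authentication Factors”, the distinct-type rule from “Combining Authentication Methods” (a password plus a pet’s name is two knowledge factors, not MFA), and the geofence behaviour just described, where a device outside the fence causes a prompt for another factor rather than a silent pass. The factor names, the separate “location” type given to geofencing, the two risk tiers, and the sample fence coordinates are all assumptions made for the illustration.

```python
"""Risk-tiered factor policy with a geofence as a transparent factor.
Added example; not code from the book or from iovation. Factor names, the
'location' type assigned to geofencing, the risk tiers and the sample
coordinates are constructed for this illustration."""
import math
from dataclasses import dataclass

# Factor type per authenticator. Knowledge, possession and inherence are the
# book's three primary types; 'location' for geofencing is an assumption made
# here so a transparent context signal can be counted as its own type.
FACTOR_TYPE = {
    "password": "knowledge", "pin": "knowledge", "pattern": "knowledge",
    "challenge_question": "knowledge",
    "bluetooth_proximity": "possession",
    "geofence": "location",
    "fingerprint": "inherence", "face": "inherence",
}
# Factors that are checked without any user interaction.
TRANSPARENT = {"bluetooth_proximity", "geofence"}


def is_multi_factor(presented) -> bool:
    """True only when at least two *distinct* factor types are present."""
    return len({FACTOR_TYPE[f] for f in presented}) >= 2


@dataclass(frozen=True)
class Geofence:
    lat: float        # centre latitude, degrees
    lon: float        # centre longitude, degrees
    radius_m: float   # allowed distance from the centre, metres


def haversine_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in metres between two lat/lon points."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def inside_geofence(fence: Geofence, lat: float, lon: float) -> bool:
    return haversine_m(fence.lat, fence.lon, lat, lon) <= fence.radius_m


def decide(action_risk, presented, fence=None, device_pos=None) -> str:
    """Return 'allow' or 'step_up' (prompt the user for an interactive factor).

    low  risk: any one satisfied factor, transparent or interactive, is enough.
    high risk: two distinct factor types, at least one of them interactive.
    A geofence factor is satisfied only while the device is inside the fence."""
    satisfied = set()
    for f in presented:
        if f == "geofence":
            if fence is None or device_pos is None or not inside_geofence(fence, *device_pos):
                continue                  # outside the fence: not satisfied
        satisfied.add(f)
    if not satisfied:
        return "step_up"
    if action_risk == "low":
        return "allow"
    has_interactive = any(f not in TRANSPARENT for f in satisfied)
    return "allow" if is_multi_factor(satisfied) and has_interactive else "step_up"


# Constructed sample fence (500 m around a point) and two device positions.
FENCE = Geofence(45.5231, -122.6765, 500.0)
INSIDE = (45.5235, -122.6770)    # roughly 60 m from the centre
OUTSIDE = (45.6000, -122.6765)   # roughly 8.5 km north of the centre

if __name__ == "__main__":
    print(decide("low", ["geofence"], FENCE, INSIDE))           # allow
    print(decide("low", ["geofence"], FENCE, OUTSIDE))          # step_up
    print(decide("high", ["geofence", "pin"], FENCE, INSIDE))   # allow
    print(decide("high", ["password", "challenge_question"]))   # step_up
```

The policy never returns a hard failure for an out-of-fence device; it follows the second branch the text describes and asks for another factor, which is the friendlier choice for a consumer who is simply travelling. The high-risk rule also rejects two transparent factors on their own, matching the chapter’s point that higher-risk activities should require something interactive.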

Bluetooth device proximity

Bluetooth device proximity allows users to employ one or more of the devices they already carry as authentication factors. When a device is within Bluetooth range of the mobile phone or tablet that’s serving as the authenticator, that device becomes a transparent authentication factor. The device can be a fitness band, a smartwatch, or anything else that uses Bluetooth. This concept will also apply to near-field communication (NFC) protocols as those technologies gain traction. NFC enables wireless communication at distances of 60 centimeters or less.

Facial recognition

Another authentication method is facial recognition. Like fingerprint verification, facial recognition uses the mobile device’s functionality for biometric authentication. In this case, the user leverages the camera on a mobile device to authenticate their unique biometric facial signature.

Contextual factors that rely on behavioral traits, like the way a user walks or holds her device, or risk indicators, like the presence of evasion techniques that are masking the user’s identity, are becoming an important component of MFA. We discuss those issues further in Chapter 5.

IN THIS CHAPTER
»» Seeing why authentication is fragmented
»» Realizing the value of a unified user experience
»» Identifying the requirements for authentication

Chapter 3
Unifying the User Experience

For every channel that customers use to engage with your company, chances are that they have a different way to authenticate. The goal of authentication, however, isn’t to see how many authenticators or authentication methods you can force on users.

In this chapter, we look at why companies need to unify the multi-factor authentication (MFA) experience to improve security assurance and user experience.

Understanding Authentication Fragmentation

The authentication experience today for both business users and
consumers is fragmented across a variety of channels. The result
is a poor outcome for everyone involved.

In the consumer world
Modern enterprises communicate with consumers through many
touchpoints or channels. Banks, for example, allow customers to
access their accounts via online banking, mobile app, ATMs, and
tellers. Each of these customer touchpoints serves as a channel
to the same account, but each requires a different authentication
method. For example, the same user may need to authenticate
with a username and password for his online account, with an
ID card in person, and with knowledge questions when calling
customer support.

Although organizations strive to achieve omnichannel customer engagement (that is, to create a consistent, unified customer experience from one channel to the next), they often require different authentication mechanisms for each channel.

In the business world

No one knows the hassle of a fragmented authentication experience better than enterprise IT users. During any given day, users must authenticate to multiple applications and systems to do their jobs. In addition to creating a poor user experience, multiple requests for passwords affect both user and IT productivity. When users forget their passwords and lock themselves out, the IT organization is called upon to reset passwords.

Single sign-on (SSO) attempts to solve the problem of fragmented authentication by enabling users to authenticate to multiple applications with one username and password.

SSO improves the user experience — and may improve productivity by reducing password resets — but does nothing for security. SSO doubles down on the inherent weakness of passwords by putting multiple systems and applications behind one password and creating a single point of failure. Therefore, instead of obtaining immediate access to a single application, a successful attacker has all the user’s applications at his fingertips. Worse still, the attacker can try this compromised username-credential pair on other systems, in a cyber version of Russian roulette.

Unifying Authenticators
Luckily, a better approach to authentication is available. An MFA
platform allows each channel to use any or all of the available
authentication methods when they’re most appropriate. This
arrangement creates a unified experience across brands or services,
resulting in a simplified user experience and stronger security.

If you think about all the ways you authenticate to a single service, you’re likely to count multiple usernames and passwords, perhaps a personal identification number (PIN), challenge questions, and proof of identity. With a unified authentication approach, all of these disconnected methods can be consolidated into a single, mobile MFA experience that spans all touchpoints.

Unified authentication allows you to employ one consistent MFA experience to virtually any type and any number of applications — websites, desktop software, mobile apps, kiosks, game consoles, sensors, smart devices, and so on. Offering a broad choice of authentication methods within a unified platform provides the level of assurance you need for any given use case.

Unifying authentication also improves the user experience. Consider these scenarios:

»» When Shelly logs in to her bank’s website, a mobile app on her smartphone buzzes. She uses the mobile app to authenticate into the web session.
»» Instead of answering questions to verify her identity to a customer service representative in the contact center, Shelly responds, in real time, to an authorization request sent to her mobile phone.
»» To get cash out of an ATM, Shelly places her smartphone on a pad and uses the mobile banking app to authenticate and execute the request. The pad uses near-field communications, a standard that enables wireless communication at distances of 60 centimeters or less, to receive the information from the app without plugs or wiring.
»» When logging into the mobile banking app to check her account balance, Shelly is immediately authenticated within the app.

Considering New Access Requirements
As we state in Chapter 1, legacy authentication methods don’t
always translate well to consumer authentication. In addition,
consumer and enterprise authentication scenarios place new
requirements on authentication and authorization.

Mobile authentication
Online activity is no longer limited to desktop computers in the
workplace. We live and work in a highly connected, mobile world.
Regardless of where a user happens to be, connected networks
and the services that run on them are just a tap away via smart-
phones, tablets, smartwatches, and other devices. The need for
authentication and authorization can arise anywhere, at any time.
As a result, authentication solutions must be mobile.

A mobile authenticator enables users to authenticate from any-
where at any time via a mobile device. Through the authenticator,
users have access to a variety of client-side authentication fac-
tors that can be used for any communication channel. In the ideal
design, all authentication data is encrypted and stored locally on
the user’s device, where it can be accessed only by the mobile
authenticator.

Bidirectional and real-time authentication
When a system authenticates users with passwords, the onus is
on those users to supply their passwords to the requesting ser-
vice. A password is verified only after the user hands it over. For
authentication to be available anytime and anywhere, however,
services must be able to request the authentication of a user even
if that user doesn’t initiate the authorization.

A next-generation MFA service can reach out to a user to obtain
authorization in real time, even when the user isn’t expecting the
request or initiating an authentication event. The mobile authen-
ticator can receive requests from applications through real-time
push notification.

IN THIS CHAPTER
»» Uncovering the drawbacks of centralized
authentication

»» Reducing risk by decentralizing

»» Keeping MFA flexible

Chapter 4
Decentralizing MFA
Architecture

The centralized architecture used in password-based authen-
tication presents a significant liability. Next-generation
multi-factor authentication (MFA) technologies must elim-
inate the risks associated with centralized credential stores to
provide robust protection.

In this chapter, we dig deeper into the problem of a centralized
layer of authentication and present an alternative: decentralized
architecture.

Recognizing the Drawbacks of Centralized Authentication
Authentication can take place in two ways:

»» In band: When authentication is in band, credentials are
provided and authenticated via the same channel as the
system or application that requests them, such as a pass-
word used in an application’s login form.

»» Out of band: When authentication is out of band, the
authentication process takes place via a separate channel.
Instead of the user submitting credentials through the
requesting application (in band), for example, the application
can verify a token or fingerprint via the user’s smartphone
(out of band).

A centralized layer of authentication in a networked environ-
ment takes place in band, placing the authentication and autho-
rization layer in a central location that’s accessible to anyone
who attempts to access that layer — legitimate users or not. In
essence, the application or system that users are attempting to
access holds on to the user credentials. Attackers only need to
breach this single layer of authentication to gain access to the
entire credential store.

A decentralized architecture is fundamental to secure authenti-
cation, distributing the storage, input, and verification of cre-
dentials to each user out of band with respect to the applications
being secured (see Figure 4-1). To gain access to every user’s cre-
dentials, those same attackers must now locate and breach every
individual user separately.

FIGURE 4-1: Centralized versus decentralized authentication.

Realizing the Benefits of Decentralization
You can decentralize the authentication process by moving it out
of band, implementing a client-side authentication layer that
resides on users’ mobile devices. Instead of requiring users to
supply their credentials to an application, you can direct the appli-
cation to obtain authorization by reaching out-of-band to users’
mobile devices. Each user authenticates remotely and responds to
authentication requests that are delivered to her device, and the
authentication layer is accessible to only the user of that device.

Decentralized authentication architecture offers several benefits
to both users and businesses:

»» Shifting the authentication layer to outside the application
reduces the risk of a massive credential breach. Because
authentication takes place in an independent channel for
each user, an attack that attempts to apply fraudulent
credentials becomes impractical. This segregation of
authentication layers confines any compromise to the
individual user involved.
»» Decentralization reduces the risk to the application layer itself.
A central repository of credentials, with its sensitive data and
personally identifiable information (PII), is an enticing target
for attackers and malware. By moving this repository outside
the application layer, you remove that target.
»» Decentralization distributes the authentication layer among
multiple user clients, where it can be managed by users
within the limits of your administrative policies. Under this
system, IT staff are no longer burdened by tasks like
resetting passwords or properly securing the database of
user credentials. Also, allowing users to manage the
authentication process themselves increases convenience,
resulting in greater user adoption.
»» Decentralization is well suited for connected devices and
networked applications that are part of the Internet of
Things. Decentralization shifts the technical burden of user
authentication (which may require input/output devices like
keyboards, biometric scanners, cameras, and so on) to more
capable mobile devices that already provide these features
and capabilities, rather than on the increasingly wide variety
of connected devices that don’t.
»» Decentralization enables businesses to fortify access to
sensitive applications, systems, and transactions without
having to invest in expensive authentication hardware. You
don’t have to limit digital innovations to those that can be
adequately protected by passwords. Financial services
institutions, e-commerce companies, and internal business
organizations can leverage the features and capabilities on
their users’ own devices to deliver secure access.
»» Decentralizing the authentication layer reduces the over-
head associated with managing, storing, and securing user
credentials, while removing the threat that an incorrectly
secured database or disgruntled administrator could result
in the breach of every user’s credentials. All authentication
data is securely stored on each user’s mobile device. Should
a user’s mobile authenticator become jeopardized, users
themselves, as well as the requesting applications, can
remotely unpair and disable compromised, stolen, or lost
clients as needed.
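As an added illustration, not code from the book or from iovation, here is a stand-alone Go model of the decentralized, out-of-band flow this chapter describes (and the push-based authorization of Chapter 3): the application keeps only a per-device public key, the phone holds the private key and signs a nonce-bound challenge that names the action, and a lost device is unpaired. The Ed25519 challenge-signing scheme, the challenge encoding, the user name "shelly", and all type and function names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Challenge is pushed to the mobile authenticator; it names the action so the user approves exactly what will run.
type Challenge struct {
	Nonce   string    // random and single-use
	User    string
	Action  string    // human-readable, e.g. "transfer 500 USD to account ...4321"
	Expires time.Time // short lifetime limits the window for a stale approval
}

// AuthService is the application side. It holds only public keys: stealing this table yields nothing to log in with.
type AuthService struct {
	devices map[string]ed25519.PublicKey // user -> paired device key (one device per user here)
	pending map[string]Challenge         // nonce -> challenge awaiting approval
}

func NewAuthService() *AuthService {
	return &AuthService{devices: map[string]ed25519.PublicKey{}, pending: map[string]Challenge{}}
}

// Pair enrolls a device's public key (in practice via a QR code or enrollment link).
func (s *AuthService) Pair(user string, pub ed25519.PublicKey) { s.devices[user] = pub }

// Unpair forgets a lost or compromised device; nothing it signs is accepted afterwards.
func (s *AuthService) Unpair(user string) { delete(s.devices, user) }

// RequestAuthorization builds the challenge to push; the clock is injected so the flow is testable.
func (s *AuthService) RequestAuthorization(user, action string, now time.Time, ttl time.Duration) (Challenge, error) {
	if _, ok := s.devices[user]; !ok {
		return Challenge{}, errors.New("no paired device for user")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return Challenge{}, err
	}
	c := Challenge{Nonce: hex.EncodeToString(raw), User: user, Action: action, Expires: now.Add(ttl)}
	s.pending[c.Nonce] = c
	return c, nil
}

// challengeBytes is the canonical string both sides sign and verify.
func challengeBytes(c Challenge) []byte {
	return []byte(c.Nonce + "|" + c.User + "|" + c.Action + "|" + c.Expires.UTC().Format(time.RFC3339))
}

// VerifyApproval checks the signature against the challenge the server itself issued, then consumes the nonce.
func (s *AuthService) VerifyApproval(nonce string, sig []byte, now time.Time) error {
	c, ok := s.pending[nonce]
	if !ok {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.pending, nonce) // single use, whether or not verification succeeds
	if now.After(c.Expires) {
		return errors.New("challenge expired")
	}
	pub, ok := s.devices[c.User]
	if !ok {
		return errors.New("device unpaired")
	}
	if !ed25519.Verify(pub, challengeBytes(c), sig) {
		return errors.New("signature does not match the issued challenge")
	}
	return nil
}

// MobileAuthenticator is the client-side layer; the private key is generated on the device and never leaves it.
type MobileAuthenticator struct {
	user string
	priv ed25519.PrivateKey
}

func NewMobileAuthenticator(user string) (*MobileAuthenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &MobileAuthenticator{user: user, priv: priv}, pub, nil
}

// Approve runs after the user has unlocked the app (PIN, fingerprint, ...) and read the action text.
func (m *MobileAuthenticator) Approve(c Challenge) []byte {
	return ed25519.Sign(m.priv, challengeBytes(c))
}

func main() {
	svc := NewAuthService()
	phone, pub, _ := NewMobileAuthenticator("shelly")
	svc.Pair("shelly", pub)
	ch, _ := svc.RequestAuthorization("shelly", "transfer 500 USD to account ...4321", time.Now(), 2*time.Minute)
	fmt.Println("approval:", svc.VerifyApproval(ch.Nonce, phone.Approve(ch), time.Now()))
}
```

Because the server verifies against its own copy of the challenge, an approval replayed, altered in the push channel, signed by a different device, or sent after the device was unpaired is rejected, which is the "compromise confined to the individual user" property the chapter describes.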

KEEPING MFA FLEXIBLE
Flexibility is key for MFA technologies that leverage client-side authen-
tication. Due to the variability in risk and the potential overhead of
MFA, services must be able to enforce authorization rules through
security policies defined dynamically by the application in real time.
By leveraging dynamic security policies, with multiple client-side
authentication options, users can select authentication methods they
prefer to use within the constraints set by the administrator.

This flexibility also ensures that the MFA technology can change inde-
pendently of the user or application. As mobile devices evolve, possi-
bly incorporating new embedded authentication hardware, the
client-side authenticators inherit those new capabilities. As threats
evolve in turn, dynamic security policies ensure you’re never locked in
to a static security posture.

Finally, this flexibility is necessary in dealing with large, diverse groups
of external consumers. There are tremendous differences in the level
of comfort various demographic groups have with different authenti-
cation methods, as well as their willingness to engage with those
methods with which they’re not accustomed. Research has shown
that millennials are comfortable with facial recognition, while baby
boomers and seniors are not. Similarly, baby boomers are comfort-
able with knowledge factors, but millennials mark these as their least
favorite methods.

In Chapter 5, we talk more about dynamic authentication.

IN THIS CHAPTER
»» Understanding dynamic authentication

»» Recognizing the three Cs of dynamic authentication

»» Putting dynamic authentication to work

Chapter 5
Adapting to Risk in
Real Time

Requiring multiple factors for authentication and imple-
menting a decentralized architecture can solve some of the
problems associated with single-factor authentication. But
you’re still left with a rigid “one-size-fits-all” approach to
authentication that forces you to sacrifice the user experience for
stronger assurance or stronger assurance for a better user
experience.

Security isn’t static. Both applications and users have unique
security needs that change based on the task, risk, and threat
landscape. You need the flexibility to alter security requirements
from application to application, as well as within each application
itself. This is where dynamic authentication comes in.

In this chapter, we introduce dynamic authentication, including
its benefits and how it works.

Using Dynamic Authentication
Dynamic authentication addresses the technological and user
experience challenges associated with different authentica-
tion technologies. Even multi-factor authentication (MFA) is
not immune to them. Dynamic authentication is a multilayered
approach that adapts to specific authentication policies in real
time.

The principles of dynamic authentication are similar to those of
other security scenarios. It’s common practice, for example, for
businesses to require signatures from multiple executives when
large sums of money are being transferred. Similarly, the mili-
tary has a two-man rule for critical situations such as launching
a nuclear missile, requiring multiple officers to work together to
reduce the risk of unauthorized activity.

Dynamic authentication frequently combines two or more authen-
tication and authorization technologies into a seamless solution
that enforces the appropriate level of authentication at the right
time based on perceived risk. Typically, a lightweight, transpar-
ent method, such as device-based authentication, is coupled with
a robust interactive technology such as mobile MFA. When these
otherwise-independent technologies are bound by a common
policy, different authentication factors can be required at differ-
ent touchpoints within an online site, application, or service.

Introducing the Three Cs of Dynamic Authentication
Dynamic authentication has three characteristics: It’s contextual,
continuous, and complementary. We describe these three Cs in
the following sections.

Contextual
Dynamic authentication is contextual because it considers all pos-
sible risks — both near and far — at the moment of authentica-
tion. Dynamic authentication looks at a user’s access request in
full context, taking into account factors such as the following:

»» Type of transaction the user wants to complete
»» Anomalies in when and/or where access is requested
»» Integrity of the user’s device (if it’s been compromised or
jailbroken, for example)
»» Number of fonts or images on the device
»» Match between the transaction’s IP address and the IP
address reported by the browser
»» The device’s speed and kernel version
»» Consistency between the subscriber identity module (SIM)
operator’s country and identification number with what local
services report

Dynamic authentication technologies take these and other factors
into account when applying authentication requirements.

You can apply different levels of authentication rigor or assur-
ance to defined policies. If a user’s device profile and credentials
are aligned, for example, you can request simpler authentica-
tion methods. But if the user moves outside his home area, as
defined by geofencing policies (see Figure 5-1), you can request
two or more authentication factors. (We discuss geofencing in
Chapter 2.)

FIGURE 5-1: Geofencing capabilities allow you to apply contextual authenti-
cation policies that provide additional factors or constraints.

Continuous
The days of “one-and-done” authentication are over. The dynamic
nature of security and risk requires continuous authentication.

The goal of dynamic authentication is to deliver the right level of
authentication for the current level of risk at any time during the
user session. Every touchpoint that marks an online purchase —
login, product selection, checkout, entry, or selection of shipping
and payment information — reflects a change in risk. The same
is true for the touchpoints in online money management, or even
in online gaming. Dynamic authentication monitors for specific
signals that indicate an increase in risk and, therefore, the need
to re-authenticate or to request stronger authentication methods
to deliver the appropriate level of assurance.

Complementary
Dynamic authentication uses complementary technologies to
provide varying levels of assurance. Disparate authentication
technologies work together as the system decides which method
best suits the current risk/request scenario.

Dynamic authentication takes into account the assurance levels
associated with each method of authentication and applies them
in a layered manner based on the risk of the action. Authenti-
cation methods can run the gamut from fully passive to highly
interactive.

Here are some authentication methods that can work together in
a dynamic authentication model:

»» Next-generation MFA technologies can use a common
platform — typically, a mobile app — to deliver a variety of
authentication methods, such as fingerprint recognition and
pattern verification (see Chapter 2).
»» Device-based authentication (sometimes referred to as
device fingerprinting) verifies signatures generated by
information from the user’s device, along with contextual
data, to authenticate the user.
»» Soft tokens use one-time passwords generated in a mobile
application to authenticate users out of band (see Chapter 4).
»» Knowledge-based authentication uses information previ-
ously shared between the user and authenticator.

Seeing How Dynamic Authentication Works
Dynamic authentication requires a policy manager and decision-
ing engine that calculates the risk and forms the request, based on
overall situational awareness, and then invokes the appropriate
authentication requirements. The policy manager can use policy
based on rules created by experts. It can leverage machine learn-
ing to generate an automated decision. Either way, the system
compares returning devices with known device profiles, assesses
current risk, and calculates rates of acceptable change.

Static, rules-based policies might look like the following examples:

»» If the user’s credentials are appropriate, but the device is
rooted or jailbroken, deny the request or ask for two factors
of authentication.
»» If the device’s language, IP address, and country are consis-
tent, use the standard authentication process; otherwise,
add another factor.
»» If a user’s device is coming across a proxy service, request at
least one knowledge factor in addition to a possession or
inherence factor (see Chapter 2).

Dynamic authentication capabilities enable MFA technologies to
adapt to changing risk conditions, whether a risk is related to
the state of the user’s mobile device, the threat landscape, or the
nature of the requested action. You might allow users to authen-
ticate by using their mobile devices’ digital fingerprint for a low-
risk request, for example. This type of transparent possession
factor provides a frictionless user experience.

If the integrity of a user’s device is questionable, however, or
the risk of a request is higher, you could hand the request to an
MFA solution that adds biometric fingerprint recognition to the
authentication requirements.
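The static rules above, the geofencing step-up of Figure 5-1, and the step from a transparent device fingerprint to biometric recognition, worked through as an added Go example (not code from the book or from any product): a small policy engine that turns the contextual signals into a decision and records which rules fired. The Context fields, the factor names, the rule ordering, and the 1000-unit high-value threshold are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Factor is an authentication method the policy engine can require.
type Factor string
const (
	FactorDevice    Factor = "device-fingerprint" // passive possession factor, no user friction
	FactorPush      Factor = "mobile-push"        // interactive possession factor (out-of-band approval)
	FactorBiometric Factor = "biometric"          // inherence factor on the mobile authenticator
	FactorKnowledge Factor = "knowledge"          // PIN or challenge question
)

// Context carries the risk signals from this chapter; the caller fills it from fingerprinting, geolocation and the device's integrity report.
type Context struct {
	Action       string  // "view-balance", "transfer", ...
	Amount       float64 // monetary value of the action, 0 if none
	DeviceKnown  bool    // device fingerprint matches the stored profile
	DeviceRooted bool    // rooted or jailbroken according to the integrity check
	ViaProxy     bool    // request arrives through a proxy or anonymizing service
	Language     string  // device/browser locale such as "en-US"; its region suffix is compared
	IPCountry    string  // country from IP geolocation
	SIMCountry   string  // country of the SIM operator, as reported by the mobile authenticator
	HomeCountry  string  // the user's home area for the geofencing policy
}

// Decision is the engine's output; Reasons records every rule that fired, for the audit log.
type Decision struct {
	Deny     bool
	Required []Factor // factors to collect, in the order they should be requested
	Reasons  []string
}

// require adds a factor once but records each reason that asked for it.
func (d *Decision) require(f Factor, why string) {
	d.Reasons = append(d.Reasons, why)
	for _, have := range d.Required {
		if have == f {
			return
		}
	}
	d.Required = append(d.Required, f)
}

// highValueThreshold is an assumed policy constant, not a figure from the book.
const highValueThreshold = 1000.0
// localeConsistent implements the "language, IP address, and country are consistent" check.
func localeConsistent(c Context) bool {
	region := c.Language
	if i := strings.LastIndex(c.Language, "-"); i >= 0 {
		region = c.Language[i+1:]
	}
	return strings.EqualFold(region, c.IPCountry) && c.IPCountry == c.SIMCountry
}

// Evaluate applies the static rules in order; each may add factors, and only a rooted device on a high-value action denies outright.
func Evaluate(c Context) Decision {
	var d Decision
	highValue := c.Action == "transfer" && c.Amount >= highValueThreshold
	if c.DeviceRooted {
		if highValue {
			d.Deny = true
			d.Reasons = append(d.Reasons, "rooted device on high-value transfer: deny")
			return d
		}
		d.require(FactorPush, "rooted device: require two factors")
		d.require(FactorKnowledge, "rooted device: require two factors")
	}
	if c.ViaProxy {
		d.require(FactorKnowledge, "proxy: add a knowledge factor")
		d.require(FactorBiometric, "proxy: plus a possession or inherence factor")
	}
	if !localeConsistent(c) {
		d.require(FactorPush, "language/IP/SIM country mismatch: add a factor")
	}
	if !strings.EqualFold(c.IPCountry, c.HomeCountry) {
		d.require(FactorPush, "outside home geofence: two or more factors")
		d.require(FactorBiometric, "outside home geofence: two or more factors")
	}
	if highValue {
		d.require(FactorBiometric, "high-value transfer: step up to an inherence factor")
	}
	if !c.DeviceKnown {
		d.require(FactorPush, "unrecognized device: interactive possession factor")
	}
	if len(d.Required) == 0 { // no risk signal fired: the frictionless path
		d.require(FactorDevice, "known device, low risk: transparent possession factor only")
	}
	return d
}

func main() {
	d := Evaluate(Context{Action: "transfer", Amount: 250, DeviceKnown: true,
		Language: "en-US", IPCountry: "FR", SIMCountry: "US", HomeCountry: "US"})
	fmt.Printf("deny=%v required=%v reasons=%q\n", d.Deny, d.Required, d.Reasons)
}
```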

Dynamic authentication enables you to require the right amount
of authentication at any time. Using risk-appropriate authentica-
tion only when it’s needed allows you to preserve a frictionless
user experience for longer periods, which improves the overall
user experience and results in greater user acceptance.

GARTNER’S TAKE ON RISK
Global IT research and advisory firm Gartner recently established a
strategic approach for merging risk insight with the authentication
experience by using continuous adaptive risk and trust assessment
(CARTA; see the figure).

Gartner, Use a CARTA Strategic Approach to Embrace Digital Business Opportunities
in an Era of Advanced Threats, (Figure 4 in report), 22 May 2017

CARTA assesses risk signals in the user’s session and on the device, as
well as any inherent risk in the user’s request. Risk signals include
environmental context, threat intelligence, enterprise policy, and his-
torical behaviors. These signals inform an adaptive authentication
process that continually aligns risk throughout the session. MFA solu-
tions are uniquely suited to delivering this dynamic authentication
experience to users.

IN THIS CHAPTER
»» Making MFA personal for customers

»» Integrating MFA with existing applications and services

»» Extending authentication

»» Using MFA as a platform

Chapter 6
Customizing the MFA
Experience

Authentication technologies become yet another channel
through which customers and users interact with your
company. If you’ve made your users miserable in the past
by making them remember the name of their kindergarten teach-
ers, now take the opportunity to associate your brand with an
easy, secure user experience. Customizing the multi-factor
authentication (MFA) experience for your users — both internal
and external — helps you ensure consistency across your brand
and improves your brand’s image.

In this chapter, we look at how companies and brands can cus-
tomize the user experience to improve brand perceptions and
MFA adoption.

Personalizing MFA Technology
Personalizing your MFA technology is important for three rea-
sons, each of which delivers benefits:

»» It builds user confidence.
»» It gives users a sense of ownership.
»» It promotes the brand you’ve worked hard to develop.

Sending users and customers to a third-party technology solu-
tion diverts their attention from your brand. Their first thought is
“Wait. Why am I giving this company my information?”

On the other hand, customizing the solution with your company’s
look and feel maintains a consistent user experience and keeps
your brand front and center. Instead of having to deal with a
third party of which they may be wary, users have confidence in
your brand and its capability to keep their personally identifiable
information (PII) secure. Your company becomes associated with
a user-friendly yet secure authentication experience.

Allowing users to personalize the solution by choosing their
authentication methods (see Chapter 2) is also important because
it gives users a stake in their privacy. It allows them to determine,
to some degree, how much friction will be in their authentica-
tion experience. They feel greater responsibility for keeping their
information private and willingly accept the opportunity to take
on some of that liability because you’ve given them a say in the
matter.

Integrating MFA Technologies
You have several ways to integrate next-generation MFA technol-
ogies into your applications and services, depending on whether
you want to incorporate only specific capabilities or white-label
the provider’s mobile authenticator.

With a software development kit (SDK), your developers can
embed device-based and MFA capabilities into your custom web,
mobile, and software applications. To simplify the process, the
authentication technology provider should offer SDKs in every
major programming language along with support for major
frameworks, in a platform-agnostic solution that each of your
applications and systems can interface with independently.

A white-label authenticator SDK allows developers to custom-
ize the mobile authenticator to match the look and feel of your
organization’s existing apps. This customization facilitates user
adoption and reinforces your brand every time users authenticate,
across every channel. An embeddable version of the authentica-
tor runs independently within your mobile app, transparently
providing all the functionality and options of the technology
provider’s authenticator.

If you’d rather integrate specific features or capabilities within
your applications, your developers can instead use application
programming interfaces (APIs), which typically cover the full
scope of capabilities in the provider’s authentication solution, and
work with any operating system or platform.

Giving Users and Administrators Choice
With each new massive data breach, users are reminded how poor
a job passwords do of protecting their PII. As a result, some users
want the ability to protect their data with additional security mea-
sures. Next-generation MFA technologies give users the freedom
to enable additional factors within the boundaries defined by your
administrator. This option increases customer engagement and
gives them a greater role in protecting their data.

It’s equally important, however, for a next-generation MFA tech-
nology to provide administrator choice. Not every customer or
internal user is concerned about protecting the privacy of data.
Whether through ignorance or laziness, some users reuse pass-
words, use overly simplistic passwords, or opt out of stronger
authentication methods. As a result, your administrators need the
ability to implement security policies that enforce the use of an
additional authentication method when added assurance is nec-
essary. Administrative choice gives them this capability.

Extending Authentication to
Authorization
When MFA technology verifies that an enterprise user is who she
claims to be (that is, authenticates her), it must verify that the user
actually has the right to access the system or perform the requested
action. In a consumer-focused world, it must obtain the user’s
consent and approval, separate from verifying her credentials. In
both cases this process is called authorization.

Next-generation authentication technologies allow you to extend
and integrate authorization processes into more touchpoints along
the customer’s online journey. Instead of authorizing a user to carry
out every task at the time of authentication, the user can be autho-
rized each time he makes a request for a specific action. This system
helps ensure that if any changes create increased risk, appropriate
measures are taken to ensure that the user is both authenticated
and authorized. If the risk is too high, the request can be denied.

Single-user and multiuser authorization
Combining decentralized authorization with dynamic authentica-
tion (see Chapter 5) gives you great flexibility and allows you to
implement authentication in more nuanced workflows, such as
multiuser authorization.

Multiuser authorization enables you to require multiple people to
authorize a transaction or event as part of a single authentication
flow. This system can be handy when managers need approval
from the finance department and/or an executive to complete a
purchase, for example. As part of the authentication process, the
appropriate people are asked, in real time, to approve or sign off
on the action. Multiuser authorization can also assess risk signals
and context to adjust the authentication requirements of each
individual within the group through dynamic security policies.

Single-user authorization involves prompting the account holder
to authorize an action being taken on his behalf. For example,
single-user authorization can even prevent fraud as it occurs in
a user-friendly manner. Instead of calling the customer to verify
the legitimacy of a purchase, credit card companies could request
customer authorization for unusual or suspicious purchases by
pushing an authorization request to the customer in real time.

Multiuser and single-user authorization can be leveraged in a
number of ways. Customers could authorize shippers to leave
a package on the doorstep. Parents could authorize credit card
purchases made by teenagers. Players could authorize high-value
online bets.

When you employ single-user or multiuser authorization, you
benefit from greater security assurance, as well as auditability.
The explicit authorization of transactions creates a digital trail
that can be useful for compliance and repudiation disputes, making it
harder for a customer to contest, say, a $200 purchase that she
explicitly authorized in real time.

Deploying MFA as a Platform
The best way to take advantage of customizations is to deploy
MFA as a platform. A decentralized MFA and real-time authoriza-
tion platform can serve as an end-to-end authentication solution
(see Figure 6-1). As the platform provider develops and adds new
technologies, you can take advantage of them at the right time
and in the right places.

FIGURE 6-1: An MFA platform serves as an end-to-end authentication
solution.

Authentication technologies are evolving at an astounding rate.
Technologies that are not quite ready for massive, consumer-
oriented deployments today will be the norm in a few short
months. A short sampling of promising but not-quite-ready-for-
prime-time MFA methods includes the following:

»» Voice recognition
»» Facial recognition
»» Iris scanning
»» Heartbeat-sensing wearables
»» Gait or stride patterns

When MFA is viewed as a strategic platform, you have the ability
to add new authentication methods as they mature and stabilize,
without ripping and replacing all the underlying systems.

FISCHER MAINTAINS MARKET
LEADERSHIP WITH MOBILE MFA
Fischer Identity has a vision to be “the last identity management solu-
tion you’ll ever need.” Even as a perennial market leader in the iden-
tity and access management (IAM) space, with successful solutions for
password management, privileged access, single sign-on, and identity
provisioning, the team at Fischer uses this vision to keep innovating.

The company’s newest release, Identity 6, introduces Fischer
Authenticator, a multi-factor authentication solution built with the
MFA principles prescribed in this book. Fischer Authenticator is a mobile
app that provides a simple and automated way to deliver the right level
of assurance at the right time without getting in the way of good users.

Dan Dagnall, Fischer’s chief operating officer, describes it this way:
“We’re driven to provide strong and usable authentication technolo-
gies to our customers, and they, in turn, are driven to leverage their
user’s ubiquitous mobile devices as a more user-friendly way of
authenticating. Building a mobile MFA offering was the best solution
for everyone.”

As Dagnall puts it, “No tool or solution is an island,” so extra thought
should be given to how the MFA requirements described in this book
can be integrated with existing security policies. “When this is achieved,
overlapping access control policies can be created that eliminate
redundant 2FA licenses, simplify setup and maintenance, and further
streamline the experience.”

With Fischer Authenticator:

• Users respond to authentication requests by simply opening the
Authenticator app on their devices and authenticating through
one or more factors as needed.
• Users can authenticate with PIN codes, time-based one-time pass-
words (TOTP), biometrics, proximity to a known and trusted
Bluetooth device, or gestural codes known only to the user.
• Users respond to authentication challenges completely out-of-
band, outside their current context, through encrypted interac-
tions that are more secure and more “spoof-proof.”
• Users can begin experiencing “password-free” authentication
experiences today.

30 Multi-Factor Authentication For Dummies, iovation Special Edition

IN THIS CHAPTER
»» Understanding the importance of protocols and standards
»» Managing encryption
»» Extending security by design to applications and services

Chapter 7
Securing MFA

We talk in Chapter 1 about the security problems associated with legacy authentication systems, especially as they relate to implementation and architecture. In Chapter 4, we discuss decentralizing the multi-factor authentication (MFA) architecture to address some of those problems. But efforts to secure the MFA service can’t stop there. Attackers are always trying to punch holes in systems and services. If the authentication factors themselves prove to be difficult to steal or impersonate, cyber attackers will go for the gold: the service itself.

In this chapter, we discuss security best practices for a next-generation MFA solution.

Using Current Protocols and Standards

Using an MFA service that’s built on outdated protocols or standards is like putting up an “Open for Business” sign for cyber attackers.

Protocols and standards are continually updated to address vulnerabilities that naturally arise as technologies evolve. These security issues are low-hanging fruit for opportunistic cyber attackers looking for easy targets. Using the most recent — and secure — standards and protocols will deter all but the most sophisticated attackers.

In addition, protocols and standards are updated to address new technologies, such as the Internet of Things (IoT). Secure implementation of standards and protocols, such as using the largest possible cryptographic key size, is critical. Aligning to these standards and protocols allows you to use new technologies with confidence.

A next-generation MFA solution should be designed with the most recent and most extensible protocols in mind. Ideally, your team already relies on standards such as these:

»» JWT: Short for JSON Web Tokens, JWT is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This process creates access tokens that can be encrypted and authenticated.
»» OAuth: Created in 2006, OAuth is an open standard for access delegation that specifies a process for Internet users to authorize third-party access to their information without sharing their credentials. The latest version, OAuth 2.0, provides specific authorization flows for web applications, desktop applications, mobile phones, and IoT devices.
»» OpenID Connect: This open-standard, distributed-identity protocol allows webmasters to rely on trusted third parties for authentication. Controlled by the OpenID Foundation, OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol that enables clients to authenticate end user identities with modern RESTful APIs. OpenID Connect allows users to log in by using credentials they’ve established for another site.
»» SSH PAM: Secure Shell Pluggable Authentication Module, commonly known as SSH PAM, is a pluggable authentication model for Unix systems that allows a file and remote access model to operate securely, even over unsecured networks.

Managing Cryptography
Encryption plays an important role in securing the MFA service, but it’s effective only if it’s the most robust encryption available. Like protocols and standards, cryptographic keys are growing increasingly robust as they take advantage of technological improvements like higher processor speed and better memory utilization. At the same time, new attack vectors are also being continually exploited. The latest cryptographic technologies address these weaknesses by leveraging the largest possible cryptographic key sizes with the most secure cryptographic approaches.

Consider the shared secret architecture of symmetric key cryptography utilized by classic two-factor authentication (2FA) in one-time password (OTP) implementations. If an attacker manages to compromise either the user’s device or the application, he can obtain the shared secret and compromise the integrity of the entire cryptographic flow. The user’s token can also be intercepted by an attacker, malware, or observer in a man-in-the-middle (MITM) attack. You can see why it’s important to use a superior cryptographic approach. In an MFA scenario, asymmetric cryptography with public/private keys is the way to go. An attacker would need to obtain both the private key of the client, as well as the private key of the service in order to compromise the system.

FORWARD SECRECY PRINCIPLES

Forward secrecy is a property of secure communication protocols that prevents an encryption key that may be compromised in the future from retroactively decrypting previously encrypted packages. This means no one secret value can compromise the integrity of the authentication flow. Here’s how it works in a typical MFA implementation:

1. Two encrypted packages are created and contained within a pending authentication request.
2. One package, which contains a 32-character secret, is decrypted by the private key located on the client.
3. After decryption, the secret is used to decrypt the second package.
4. The secret is saved by the mobile client and used to encrypt the data in the following call to the authentication server.
5. The mobile client saves each subsequent secret and discards older ones.

This “rolling secrets” technique on the client prevents device spoofing and the cloning of mobile clients.

Although asymmetric cryptography should protect against MITM attacks, you should always assume that the data transmitted during the authentication process can be intercepted. Thus, you should use Secure Sockets Layer/Transport Layer Security (SSL/TLS) and forward secrecy (see the nearby sidebar “Forward secrecy principles”) along with the largest possible encryption keys and strongest available hash functions to defend against brute-force attacks.

These tactics maintain the integrity of the authorization service. Eliminating the possibility that data can be altered or spoofed in transit ensures that an application can trust and validate user responses.

Practicing Security by Design

A next-generation MFA solution isn’t designed just to be secure. It also enables application developers to practice security by design. In other words, it helps developers build security into their projects by incorporating a seamless, end-to-end approach to MFA in all applications and services.

Applications are often built for user experience, with authentication being a distant afterthought. This approach has led to the proliferation of usernames and passwords, which has led to numerous problems (see Chapter 1). Instead, developers should begin with a user workflow, answering questions such as these:

»» How will users access the app?
»» Will we authenticate users as soon as they open the app?
»» What authentication factors will we use?

Developers should take this approach with everything they develop, determining from the beginning where higher levels of assurance are necessary and how to deliver authentication in a manner that maintains the most user-friendly experience possible without compromising overall security posture.

IN THIS CHAPTER
»» Understanding how an MFA platform can help you meet changing regulatory requirements
»» Applying MFA to common use cases
»» Putting FIDO into perspective

Chapter 8
Meeting Your Authentication Goals, Today and Tomorrow

So far, we’ve discussed how a modern approach to multi-factor authentication (MFA) can help you protect your users’ credentials and personally identifiable information (PII), as well as secure access to your applications and services.

But as any IT or security professional will tell you, it’s not enough
to be secure. You must also be compliant (to make regulators and
auditors happy), and prepared to accommodate new products and
services (to keep the business happy). Amidst all of this, MFA
technology is rapidly evolving.

In this chapter, we discuss how a next-generation MFA platform can help you comply with ever-changing standards and regulations, and illustrate how MFA is being applied to address the business needs of today and tomorrow.

Emerging Standards and Regulations
Regulators and standards bodies are eager to protect consumer data by way of laws, regulations, and industry standards. As a result, businesses must comply with new regulations like the European Union’s Payment Services Directive (PSD) and the General Data Protection Regulation (GDPR), as well as older, continually evolving regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS). There are nuances across these regulations and standards, particularly as they apply to different industries. That said, regulators and auditors generally want to see strong, documented, and auditable authentication policies.

Next-generation MFA technologies can support your efforts to comply with standards and regulations. For example, analytics and logs can help address auditing and compliance needs, while pseudonymization masks hard data, making it anonymous. It’s also important that the technologies use the latest protocols and standards, as we discussed in Chapter 7.

Some technology providers monitor the regulatory and standards landscape to ensure that their technology remains current and continues to make it easy for you to be compliant.

MFA Applied
A next-generation MFA solution should support both current and
future use cases. Here are a few examples of how businesses can
apply MFA.

The Internet of Things

The Internet of Things (IoT) involves millions — even billions — of devices, sensors, and systems connecting to the Internet. That’s the easy part. The hurdle that remains is authenticating and authorizing the users that directly or indirectly interact with these “things.” Identity stores and credential repositories aren’t designed to be implemented alongside millions of “constrained” devices that have limited processing power and limited memory.

In this brave new world of connected devices and smart things, authentication must take place out of band to compensate for their limited capabilities. Instead of a user supplying a device with credentials, that device must reach out of band and obtain authorization externally, in a decentralized manner. If this sounds like an ideal scenario for a next-generation MFA platform, you’re right. A mobile authenticator can serve as a secure gateway device that allows users and devices to authenticate out of band.

Financial services
Fraud prevention is becoming an increasingly complex endeavor
for financial services firms. Customers want the ability to access
their accounts through multiple channels, but they don’t want to
remember a different authentication factor for each one.

Financial services organizations can reduce the risk of fraud and create seamless omnichannel experiences for good customers by leveraging an MFA platform that uses dynamic authentication, machine learning, deep fraud intelligence, and advanced device recognition technology. Together, these technologies provide the visibility you need across device types and access channels, along with the flexibility to match authentication requirements with the type of transaction being conducted.

Ecommerce checkout
Ecommerce businesses are also at risk for fraud, but the risk tends to be highest during the checkout process. Organizations have to weigh additional authentication, which can impact the user experience and increase shopping cart abandonment rates, against the risk of fraud.

A next-generation MFA solution can help ecommerce companies walk the fine line between fraud prevention and user experience. A solution that combines dynamic authentication, device-based authentication, and machine learning can help identify safe transactions versus suspicious transactions that could be fraudulent. Known customers can be sped through the checkout process while unknown customers or risky transactions can be flagged for additional authentication.

Insurance
Insurance companies have long been the target of career criminals who make a business out of filing fraudulent claims. In the past, insurance companies have had the benefit of time to diligently assess the validity of a claim. However, this advantage is quickly disappearing. As insurance firms look for new ways to maintain an advantage over competitors, one of the ways they do so is to reduce the time for a claims payout. Speeding up this and other processes reduces the amount of time firms can dedicate to vetting claims and preventing fraud.

Dynamic authentication can help insurance companies identify and reduce fraudulent activity. For example, an MFA platform can identify if policyholders use one device to file multiple claims, a common practice by fraudsters. Dynamic authentication can also be used to increase authentication requirements for transactions that are perceived to be at higher risk for fraud, such as policy changes.
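An added example, not the book’s or any vendor’s code, of the dynamic, risk-based decision the financial services, ecommerce, and insurance passages describe: a known device on a routine transaction passes on device recognition alone, an unrecognized device or a high-risk transaction such as a policy change steps up to a possession factor, and a device that has filed claims for several policyholders is held for review. The transaction types, device ids, factor names, and the one-policyholder-per-device threshold are assumptions.

```javascript
// Added illustration (not from the book or any vendor) of the dynamic,
// risk-based step-up the chapter describes. Transaction types, device ids,
// factor names and the one-policyholder-per-device threshold are assumptions.
const HIGH_RISK_TYPES = new Set(['policy_change', 'payout_account_change']);

// Maps each device id to the set of policyholders who filed claims from it:
// one device filing for many policyholders is the pattern the chapter names.
function claimantsPerDevice(claims) {
  const byDevice = new Map();
  for (const { deviceId, policyholderId } of claims) {
    if (!byDevice.has(deviceId)) byDevice.set(deviceId, new Set());
    byDevice.get(deviceId).add(policyholderId);
  }
  return byDevice;
}

// Decides what assurance a single transaction needs. Known devices doing
// routine work pass on device recognition alone; anything unrecognized or
// high-risk steps up to a possession factor; a device shared across
// policyholders is held for review as well.
function decide(tx, claimHistory, maxClaimantsPerDevice = 1) {
  const reasons = [];
  const claimants = claimantsPerDevice(claimHistory).get(tx.deviceId);
  const sharedDevice = claimants !== undefined && claimants.size > maxClaimantsPerDevice;
  if (sharedDevice) reasons.push(`device used by ${claimants.size} policyholders`);
  if (!tx.deviceKnown) reasons.push('device not recognized');
  if (HIGH_RISK_TYPES.has(tx.type)) reasons.push(`${tx.type} is high risk`);
  if (reasons.length === 0) return { action: 'allow', factors: ['device'], reasons };
  return {
    action: sharedDevice ? 'review' : 'step_up',
    factors: ['device', 'possession'],
    reasons,
  };
}

// Constructed claim history: device dev-7 has filed for three policyholders.
const SAMPLE_CLAIMS = [
  { claimId: 'c1', policyholderId: 'ph-100', deviceId: 'dev-1' },
  { claimId: 'c2', policyholderId: 'ph-200', deviceId: 'dev-7' },
  { claimId: 'c3', policyholderId: 'ph-201', deviceId: 'dev-7' },
  { claimId: 'c4', policyholderId: 'ph-202', deviceId: 'dev-7' },
];

// Constructed transactions covering the three outcomes.
const SAMPLE_TRANSACTIONS = [
  { id: 't1', type: 'view_policy', policyholderId: 'ph-100', deviceId: 'dev-1', deviceKnown: true },
  { id: 't2', type: 'policy_change', policyholderId: 'ph-100', deviceId: 'dev-1', deviceKnown: true },
  { id: 't3', type: 'file_claim', policyholderId: 'ph-203', deviceId: 'dev-7', deviceKnown: false },
];

// Evaluates every transaction against the claim history and returns the decisions.
function evaluateAll(txs = SAMPLE_TRANSACTIONS, history = SAMPLE_CLAIMS) {
  return txs.map((tx) => ({ id: tx.id, ...decide(tx, history) }));
}
```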

THINK BEYOND FIDO

Fast IDentity Online (FIDO) is garnering attention for being a scalable industry standard for biometric, MFA, and two-factor authentication (2FA). The specifications and certifications from the FIDO Alliance are intended to create an interoperable ecosystem of hardware-based, mobile-based, and biometrics-based authenticators. Although this is a much-needed step toward strengthening consumer authentication, businesses should be careful not to limit themselves to a FIDO-certified solution.

The consumer authentication problem hasn’t gone unnoticed. Indeed, there’s a lot of activity in the market today. Just as the FIDO Alliance is striving to address it from a standards perspective, technology providers are rapidly evolving their products and services to meet the needs of digital businesses. In fact, many of these rapidly engineered solutions are built according to the same principles. They are in many cases “more FIDO than FIDO,” meaning they embody the principles not in theory, but in an actual shipping product. But because of the need to meet market demand, many technology providers haven’t had the time to go through a laborious FIDO compliance schedule.

Our recommendation to businesses is to use FIDO as a guideline for your next authentication solution, but don’t limit your search to FIDO-certified or FIDO-assessed products. Doing so will limit your choices.

IN THIS CHAPTER
»» Analyzing next-generation MFA platforms
»» Authenticating users to any service on any platform
»» Decentralizing authentication

Chapter 9
Ten MFA Buying Criteria

A next-generation multi-factor authentication (MFA) platform addresses the problems that currently plague authentication and is necessary for doing business in the digital age. As more of your business moves online, and your customers move with it, you’ll need to provide increasingly robust authentication and authorization services to protect user information.

In this chapter, we provide ten criteria for an MFA platform that will take you and your users safely into the future.

You need all these criteria in a single solution to achieve true, robust MFA.

Omnichannel Support
Not long ago, the need to authenticate customers was limited to the contact center or the primary website (financial services institutions notwithstanding). Today, the increasing number of channels through which customers engage with a company expands the need for user authentication.

To further complicate matters, customers want to engage with you via their preferred channels, regardless of the nature of their request. They don’t want to have to log on to your website for high-risk requests because your site is the only place you can deliver two-factor authentication (2FA).

A truly next-generation MFA platform enables you to deliver a consistent MFA experience across channels, even if those channels include in-person interactions, like bank branches or drive-up windows. Furthermore, it has the flexibility to accommodate future channels.

User-friendly Controls
User experience is everything in today’s digital world. Users routinely abandon applications that aren’t intuitive or easy to use — especially if users think they serve only to create bottlenecks in their workflow.

Similarly, MFA technology must be easy for administrators to configure so that it’s used appropriately across each touchpoint and not applied in a cookie-cutter fashion (much like passwords).

To ensure the adoption and correct implementation of a next-generation MFA platform, that platform must be user-friendly for both customers and administrators.

Look for a platform with controls that are easy to enable through the administrative interface and that allow users to select their own authentication options (within the boundaries set by administrators).

True MFA Support

True MFA leverages all three types of authentication factors: knowledge, possession, and inherence (see Chapter 2). Using all three types within the bounds of a single platform allows you to apply them in a layered, adaptive, and risk-based approach that takes context into account.

“True MFA support” includes the ability to embed any of these factors and methods into your existing applications in a “white label” implementation: Leverage any of the MFA functionality you and your customers need, but wrap it completely in the look, feel, and flow of your own applications.

Compatibility with Existing Authentication Services
Today, your authentication requirements may exist only for websites and mobile applications, but tomorrow, they may include smart devices and consoles. A next-generation authentication solution must be compatible with both online and offline applications used for a variety of purposes.

To futureproof MFA deployment, select a consolidated authentication solution that works with existing authentication services, like username and password or even knowledge-based authentication (KBA) questions, regardless of platform. A single platform-agnostic solution should be capable of authenticating users to a variety of platforms, including game consoles, kiosks, vehicles, sensors, and wearables.

Advanced Cryptography
As we discuss in Chapter 7, top-notch cryptography is a requirement in an MFA platform. If the platform you deploy doesn’t use advanced cryptographic algorithms, you’re essentially leaving a door propped open for attackers.

Make sure you use a solution built on asymmetric cryptography as explained in Chapter 7. This reduces risk of compromise, such as man-in-the-middle (MITM) attacks and spoofed authenticators, without impacting overall usability of the system or the end user’s experience.

An MFA platform is next-generation if it’s cryptographically superior to its predecessors and uses modern cryptographic best practices such as forward secrecy and public-key encryption.

Decentralized, Anonymous Architecture

The architecture of an MFA solution has a tremendous effect on user credentials. A next-generation MFA solution decentralizes the authentication and authorization layer and moves it out of band (see Chapter 4). A user doesn’t provide his credentials to an application via a central public authentication layer; instead, the application reaches out to the user and asks for authorization through an independent authentication layer accessible only to that user’s client.

The data that’s transmitted between the applications or services must be secured so that even the authentication service itself can’t decrypt the requests and responses traversing its network. This protects against the worst-case scenario in which an attacker compromises the authentication service itself.

Updatable Platform
An updatable MFA platform allows you to efficiently adapt to future changes, whether they be evolving authentication technologies, new vulnerabilities, or evolving threats. Updates to MFA authenticators must be capable of being released at the discretion of the organization’s administrators, while the update process itself must not introduce friction that might impact user adoption.

A platform shifts the burden of maintaining and updating your authentication capabilities to the technology provider, enabling you to adapt to future events without having to make significant changes in your systems and applications.

Developer Support
A next-generation MFA platform enables your developers to extend all or part of the multi-factor experience into your company’s mobile applications to provide a seamless, consistent user experience. Developers can achieve this goal by using configurable software development kits (SDKs) and application programming interfaces (APIs) that allow development teams to leverage only the components and features they need.

Look for an MFA platform with mobile authenticator SDKs that support Apple and Android apps, along with service SDKs for popular web and mobile programming languages like Java, Python, JavaScript, Objective-C, and others.

Dynamic Administrative Controls
A dashboard serves as a control center where administrators can
carry out tasks related to the MFA platform, including creating,
monitoring, and managing integrations; configuring security
policies; and provisioning devices.

MFA platforms can provide two types of security policies: client-side, such as requiring the user to enable certain authentication factors; and server-side, such as geofencing (see Chapter 2). Look for a next-generation MFA platform that allows you to define security policies statically through a dashboard, as well as dynamically through API calls. The latter type is particularly useful for scenarios involving risk-based authentication, where software logic programmatically changes requirements on the fly.

If you’re rolling out an MFA platform for internal business users, ensure that only registered users in your organization can authenticate to your applications and systems. Look for a solution that enables you to provision users and their mobile devices manually or by synchronizing the platform with an identity repository such as Active Directory. Both approaches should be achieved through the dashboard.

Finally, the dashboard should provide access to information about authentication-related activity. Historic logs are important for auditing and compliance purposes, and analytics help you identify suspicious user behavior or noteworthy patterns.

Single-User and Multiuser Authorization
A next-generation MFA platform recognizes that not all online activities are created equal. Rather than grant users access to every task or function with a single, “front door” authentication request, the MFA platform should allow you to employ layers of authorization, granting additional consent and approval, alongside normal authentication practices that need greater assurance or specific approvals. You want a solution that allows you to tie authentication and authorization to touchpoints throughout your application or service. The solution should also allow you to use real-time, interactive authorization for unique use cases that include multiple users authorizing specific tasks or workflows.

THE LICENSE TO KILL PASSWORDS

We see a counterintuitive future whereby better security no longer means a more complicated or cumbersome user experience. We see a future in which users happily take control of their privacy, out of band mobile MFA is the norm, and nobody suffers the fallout from a major credential breach. This future is free of sticky notes with scribbled codes and centralized credential stores. Indeed, it’s free of passwords altogether.

That future doesn’t have to be far off. With a next-generation MFA platform that meets the ten criteria outlined in this chapter, this dream can become reality — when you’re ready. A next-generation MFA platform can work alongside your password and other knowledge-based authentication technologies. You could use MFA as your first layer of authentication, for example, and fall back to your existing authentication method. Over time, you can scale back knowledge-based authentication and kill passwords once and for all.

WILEY END USER LICENSE AGREEMENT
Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.
