Post on 05-Jan-2022
Multi-factor (MFA) Authentication
September 2018
Debi Mohanty, Senior Manager, Deloitte & Touche LLP
Spiros Angelopoulos, Principal Solutions Architect, ForgeRock
Multi-factor Authentication 2
MFA – Evolved Authentication
Spiros Angelopoulos, Principal Solutions Architect, ForgeRock
© 2017 ForgeRock. All rights reserved.
Why MFA, specifically?
• Who knows who I really am?
• The agencies want something better than username/password
• The citizens are expecting it (banks have spoiled them!)
• And technology is adjusting
2018 Verizon Data Breach Investigations Report
Evolved authentication – a good answer
• Orchestrate factors and signals based on context, behavior, risk, user choice, analytics
• Visually design smart login experiences using a simple, drag-and-drop interface
• Optimize login journeys and gain deeper customer insights with analytics
• Leverage an extensive security ecosystem that enables third-party integration
• Deliver dynamic content personalization informed by user and device context
Some considerations
• Review what you are trying to protect
• Take a closer look at your user community, especially its habits and expectations
• Consult with experts on what the right MFA profile is for you
• Understand the integration effort and its impact on other operations
• Match your MFA (and your policies) to the value of your assets and the risk associated with their breach/theft
Types of MFA
Lots of options
• KBA
• Passphrase/PIN
• OTP/SMS/App
• Behavioral
• Soft token (certificate)
• Hard token (certificate +)
• Biometric
• Combination of the above
Requirements for the technology to work
• Ease of use, by your admins and users alike
• Ease of integration to all apps/environments that might need it now or in the future
• Ease of audit so you always have visibility into operations
• Test, test, and when done, test again
Related concepts
• Sort out your directories and databases (everywhere that matters)
• Maximize confidence in your enrollment and suspension processes
• Identify what policies are implemented, when, and how
• Fine-tune the experience to make it usable and safe
Mobile authentication
• Swipe
• Fingerprint scan
• Custom
• Authenticator mobile app for iOS and Android that uses push notifications to enable password-less logins
• Personalize by adding your logo, or use the source code to build your own mobile app
• Uses SNS for secure communication to the phone, to eliminate man-in-the-middle attacks
• Maximize support for other methods and devices: OATH TOTP/HOTP, SMS
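The OTP app factor in the "Types of MFA" list and the OATH TOTP/HOTP support named on the mobile-authentication slide both rest on two public standards: RFC 4226 (HOTP, counter-based) and RFC 6238 (TOTP, time-based). What follows is an added example, not code from this deck or from ForgeRock's products: a minimal generator for both algorithms, checked against the RFCs' published test vectors, plus server-side verification helpers. The look-ahead window, the clock-drift allowance, and the rule that a counter or time step is never accepted twice are assumptions about how a typical verifier is built, not anything the slides state.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    binary = (
        ((mac[offset] & 0x7F) << 24)             # mask the sign bit
        | (mac[offset + 1] << 16)
        | (mac[offset + 2] << 8)
        | mac[offset + 3]
    )
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, t0: int = 0) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since t0."""
    return hotp(secret, (unix_time - t0) // step, digits)


def verify_hotp(secret: bytes, submitted: str, last_counter: int,
                look_ahead: int = 5, digits: int = 6) -> Optional[int]:
    """Server-side HOTP check (assumed design, not from the deck).
    Only the next `look_ahead` counters after the last accepted one are tried,
    so a code for an already-consumed counter is rejected as a replay.
    Returns the counter to persist on success, None on failure.
    compare_digest keeps the comparison constant-time."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c
    return None


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_step: int = -1,
                step: int = 30, digits: int = 6, drift: int = 1) -> Optional[int]:
    """Server-side TOTP check (assumed design, not from the deck).
    Accepts the current step and `drift` steps either side to tolerate clock skew,
    but never a step at or before `last_step`, so each code is single-use.
    Returns the matched step to persist on success, None on failure."""
    now = unix_time // step
    for s in range(now - drift, now + drift + 1):
        if s > last_step and hmac.compare_digest(hotp(secret, s, digits), submitted):
            return s
    return None


if __name__ == "__main__":
    # Shared test secret from RFC 4226 Appendix D / RFC 6238 Appendix B (ASCII "12345678901234567890").
    secret = b"12345678901234567890"
    print(hotp(secret, 0))                   # 755224 per RFC 4226
    print(totp(secret, 59, digits=8))        # 94287082 per RFC 6238
    print(totp(secret, int(time.time())))    # a live 6-digit code for this secret
```

The test vectors are the reason to trust the truncation arithmetic; the verifier helpers show the two properties a deployment should confirm regardless of vendor: a small acceptance window (not "any recent code") and persistence of the last accepted counter or step so the same one-time code cannot be presented again.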
USB tokens
• Seek platform and deployment flexibility
• Match the cost of ownership/management to the user group that needs it
• Ensure compatibility with your business and technical targets
• Verify multi-layered offerings including (when necessary) event-based access, FIDO, PIV, and even biometric functions
Cutting edge
For normal users
• Location/time-based
• New-gen PKI
• Wearable devices
• Lifestyle monitoring
• Simple biometrics with user awareness
• Combinations of 2 or more
For administrators
• Thorough biometric-based evaluations
• Non-invasive, stealthy mechanisms
• Combinations of 3 or more
An example of efficient auth management (ForgeRock authentication trees)
MFA Implementation Strategy
Debi Mohanty, Senior Manager, Deloitte & Touche LLP
Multi-factor Authentication. Copyright © 2018 Deloitte & Touche LLP. All rights reserved. 15
Operational challenges with MFA (multi-factor authentication)
• FAR - False Accept Rate
• FRR - False Reject Rate
• FTE - Failure to Enroll
• FTA - Failure to Acquire
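The four acronyms on this slide are the operational metrics of a biometric or behavioral factor, and FAR and FRR pull in opposite directions: raising the match threshold rejects more impostors (lower FAR) but also more legitimate users (higher FRR). The example below is added here and is not from the deck or from Deloitte; it computes FAR and FRR over a constructed set of matcher scores, sweeps the threshold to find the point where the two error rates meet (the equal error rate), and treats FTE and FTA as the plain ratios they are. The scores are invented illustrative numbers, not measurements of any product.

```python
from typing import List, Sequence, Tuple

# Constructed comparison scores from a hypothetical matcher (higher = more similar).
# Genuine: a user compared against their own enrolled template.
# Impostor: a user compared against someone else's template.
GENUINE_SCORES = [0.91, 0.87, 0.95, 0.78, 0.83, 0.66, 0.89, 0.93, 0.72, 0.85]
IMPOSTOR_SCORES = [0.12, 0.35, 0.48, 0.22, 0.61, 0.30, 0.15, 0.44, 0.69, 0.27]


def far(impostor: Sequence[float], threshold: float) -> float:
    """False Accept Rate: share of impostor attempts scoring at or above the threshold.
    This is the security-side error: an attacker is let in."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine: Sequence[float], threshold: float) -> float:
    """False Reject Rate: share of genuine attempts scoring below the threshold.
    This is the usability-side error: the rightful user is locked out."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def error_curve(genuine: Sequence[float], impostor: Sequence[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) at every distinct observed score, ascending.
    Every candidate threshold between two observed scores behaves like the higher one,
    so the observed scores are the only thresholds that change the rates."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def equal_error_point(genuine: Sequence[float], impostor: Sequence[float]) -> Tuple[float, float, float]:
    """Threshold at which FAR and FRR are closest: the equal error rate (EER) operating point.
    A deployment protecting high-value assets would sit to the right of this point
    (lower FAR, higher FRR); a low-risk consumer flow might sit to the left."""
    return min(error_curve(genuine, impostor), key=lambda row: abs(row[1] - row[2]))


def failure_rate(failures: int, attempts: int) -> float:
    """FTE (users who never produced a usable template) and FTA (live captures too poor
    to compare at all) are simple ratios over the population or attempts counted.
    They matter operationally because every such user needs a fallback factor."""
    return failures / attempts if attempts else 0.0


if __name__ == "__main__":
    for t, a, r in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold={t:.2f}  FAR={a:.1f}  FRR={r:.1f}")
    print("EER point:", equal_error_point(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FTE:", failure_rate(3, 200), " FTA:", failure_rate(40, 5000))  # constructed counts
```

With these constructed scores the curve crosses at a threshold of 0.69, where one impostor in ten is accepted and one genuine user in ten is rejected; the slide's earlier advice to match the MFA profile to the value of the assets is, in this vocabulary, a choice of where on that curve to operate.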
For a better MFA implementation, the following four key desired outcomes are identified:
• Strengthened Security: reduce the risk of potential compromise and/or stolen credentials
• Set the Stage: build upon leading practices for future MFA integrations
• Positive User Experience: create a better, simpler, and consistent user experience
• Smooth Integration: yield minimal impact on employee productivity
To achieve the desired outcomes, companies should look at integrating technical solutions with organizational change management principles to develop a holistic deployment strategy.
An effective deployment strategy allows for desired MFA outcomes
For an MFA rollout, a two-fold deployment strategy involves critical technical and organizational change management (OCM) components.
1. Application Readiness: perform technical integration, testing and piloting for each application's MFA enablement
2. User Readiness: focus on user awareness and adoption of MFA, starting with the IT population and migrating to the broader user base
Activities shown in the deployment diagram:
• Development & Integration Testing
• Application Go-Live
• Application Pilot
• Hypercare Support
• Go-Live Communications
• Pilot Feedback Gathering
• Awareness Campaign
• Leadership Engagement
• Change Impact / Risk Assessment
• Comms & Resource Development
• MFA Use Case Discovery
• Support Model
Success factors that help drive MFA success
The success of an MFA deployment requires meticulous planning, strategic execution, and a collaborative team effort by dedicated team members.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.
Copyright © 2018 Deloitte Development LLP. All rights reserved.
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.