SecureAuth Why Two-Factor Authentication Isn’t Enough Ryan Rowcliffe Director, Solution Engineers [email protected] Damon Tepe Director, Product Marketing [email protected] November 16, 2016

Why Two-Factor Isn't Enough

Page 1: Why Two-Factor Isn't Enough

SecureAuth: Why Two-Factor Authentication Isn’t Enough

Ryan Rowcliffe, Director, Solution Engineers, [email protected]

Damon Tepe, Director, Product Marketing, [email protected]

November 16, 2016

Page 2: Why Two-Factor Isn't Enough

Copyright SecureAuth Corporation 2016

Webinar Housekeeping

+ All attendee audio lines are muted
+ Submit questions via Q&A panel at any time
+ Questions will be answered during Q&A at the end of the presentation
+ Slides and recording will be sent later this week
+ Contact us at [email protected]

Page 3: Why Two-Factor Isn't Enough

Single Factor… NOT Enough

+ 63% of reported 2015 breaches involve the use of compromised credentials (Verizon DBIR 2016)
+ Attackers will find weakest link & move laterally
+ Frequent PW changes/complex PWs = poor security practices & rising costs
+ PW re-use is common and creates vulnerabilities
+ Poor user experience

44% of assets are protected by username/password or nothing at all

1 - Wakefield Survey, Sept, 2016
2 - http://www.darkreading.com/risk/average-cost-of-data-breaches-rises-past-$4-million-ponemon-says/d/d-id/1325921

Page 4: Why Two-Factor Isn't Enough

POLLING QUESTION

+ What percentage of your assets/resources are protected with 2-factor authentication today?

A) More than 90%
B) 75% - 90%
C) 50% - 75%
D) 25% - 50%
E) Less than 25%

All answers are anonymous – we only see the accumulated results

Page 5: Why Two-Factor Isn't Enough

The Next Step… 2FA & SSO

+ Single Sign-On (SSO) reduces the number of log-ins & increases user productivity but…
+ 99% of IT decision makers feel that 2-factor authentication is the best way to protect
+ Then why only cover 56% of assets?
+ Anonymity networks (e.g. Tor) pose a threat [1]

Why not deploy 2FA more?

+ Resistance from company executives (42%)
+ Worry about disrupting users (42%)
+ Lack of resources to support (40%)
+ Steep user learning curve (30%)
+ Fear improvements wouldn’t work (26%)

1. The Trouble with Tor – Matthew Prince - https://blog.cloudflare.com/the-trouble-with-tor

Page 6: Why Two-Factor Isn't Enough

POLLING QUESTION

+ Do you feel 2-Factor Authentication is the best way to protect assets/resources?

A) Yes
B) No

All answers are anonymous – we only see the accumulated results

Page 7: Why Two-Factor Isn't Enough

Calculating Business Value

Passwords Can Be Expensive

5000 User Organization + 7500 Password Reset Calls/year + $40/call = $300,000 spent annually on PW Resets

www2.secureauth.com/Password_Calculator

Removing Disruptions Has Benefits

5000 User Organization
Save 3 minutes/day (240 x 3mins = 12hr/yr)
$40/hr x 12hr/yr = $480/yr
$480/yr x 5000 employees = $2,400,000 in saved labor costs/productivity gains

www2.secureauth.com/SSO_Calculator

Page 8: Why Two-Factor Isn't Enough

Popular 2FA Methods Have Flaws

Knowledge based questions & answers

One-time passcodes (OTPs), delivered via SMS/Text or email

Push-to-accept

Hard Tokens

Page 9: Why Two-Factor Isn't Enough

How Easy Can An Attacker Get Past Security?

https://youtu.be/lc7scxvKQOo

Page 10: Why Two-Factor Isn't Enough

Quick Summary

+ Username & password doesn’t protect

+ Self-service tools save costs

+ SSO is great if properly protected

+ User experience is important

+ Some popular 2FA methods have flaws

There is a better way…..

Page 11: Why Two-Factor Isn't Enough

SecureAuth Uniquely Positioned

Raise Confidence in Authenticating Identities

&

Provide a Good and Positive User Experience

Page 12: Why Two-Factor Isn't Enough

• Recognizes people
• Makes it easy
• Is part of a community
• Adjusts over time

Page 13: Why Two-Factor Isn't Enough

Best Possible Security

Employees, Partners, Customers

1. Adaptive Authentication: Risk checks without users knowing
2. Multi-Factor Authentication: 25+ methods to choose from (SMS OTP, Telephony OTP, Email OTP, Fingerprint Biometric, Push-to-Accept)
3. Continuous Authentication: Post-authentication continual monitoring
4. Flexible Workflows: Admins MUST MFA every time; On campus logons don’t require MFA; Deny ANY user posing a serious threat/risk
5. Data Visualization & Sharing: Dashboard; SIEM Integration; Faster Intrusion detection & remediation

Page 14: Why Two-Factor Isn't Enough

Pre-Authentication Risk Analysis

Adaptive Authentication

• Device Recognition: Do we recognize this device? Associated with a user we know?
• Threat Service: Real-time Threat Intelligence; IP Address Interrogation
• Directory Lookup: Group membership and attribute checking
• Geo-Location: Request coming from a known location? Do we have employees, partners or customers here?
• Geo-Velocity: Has an improbable travel event taken place?
• Geo-Fencing: Access request coming from within or outside a geographic barrier
• Phone Number Fraud Prevention: Reduce # of OTPs, Block device class, Identify “porting” status, Block by carrier
• Behavioral Biometrics: Typing Sequences & Mouse Movements; Unique to each user on each device
• Identity Governance: Who should/does have access rights? High Access Rights = greater risk/vulnerability
• User & Entity Behavior Analytics: Track normal behavior; Looking for anomalies
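
The geo-velocity check and the workflow rules from the slides above (admins always MFA, on-campus logons skip MFA, deny serious threats), written out as an added example that is not SecureAuth's code. The speed threshold, the distance floor, the rule order and all field names are assumptions.

```python
import math
from dataclasses import dataclass

MAX_PLAUSIBLE_KMH = 900.0  # assumption: about airliner cruising speed
MIN_DISTANCE_KM = 100.0    # assumption: ignore hops within IP-geolocation error

@dataclass
class Login:
    ts: float                        # Unix time, seconds
    lat: float
    lon: float
    is_admin: bool = False
    on_campus: bool = False
    known_device: bool = True        # device recognition result
    ip_on_threat_list: bool = False  # threat service result

def haversine_km(a, b):
    """Great-circle distance between two logins, in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi, dlmb = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def improbable_travel(prev, cur):
    """Geo-velocity: would the user have had to travel faster than is plausible?"""
    if prev is None:
        return False                 # first login seen: nothing to compare against
    dist = haversine_km(prev, cur)
    if dist < MIN_DISTANCE_KM:
        return False
    hours = (cur.ts - prev.ts) / 3600.0
    return hours <= 0 or dist / hours > MAX_PLAUSIBLE_KMH

def decide(prev, cur):
    """Return 'deny', 'mfa' or 'allow'; the rule order is an assumption."""
    if cur.ip_on_threat_list:
        return "deny"                # deny any user posing a serious threat
    if cur.is_admin:
        return "mfa"                 # admins must MFA every time
    if cur.on_campus:
        return "allow"               # on-campus logons do not require MFA
    if not cur.known_device or improbable_travel(prev, cur):
        return "mfa"                 # step up only when a risk signal is present
    return "allow"

# Constructed sample: a New York login, then a London login one hour later.
NEW_YORK = Login(ts=0, lat=40.7128, lon=-74.0060)
LONDON_1H = Login(ts=3600, lat=51.5074, lon=-0.1278)
```

With the constructed sample, `decide(NEW_YORK, LONDON_1H)` steps up to MFA because the implied speed is several thousand km/h; the same London login eight hours later is allowed.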

Page 15: Why Two-Factor Isn't Enough

Best Possible User Experience

Multi-Layered Risk Analysis: Only require a MFA Step if risk present

Single Sign-On: Convenience of removing log-in across multiple systems

User Self-Service: Allow user to help themselves without a Help Desk call

More pre-authentication risk checks than any other vendor – bullet proof vest

• Library of over 8000+ apps
• All Federation protocols supported
• Support custom branding
• Password Resets
• Account Unlocking
• Enrollment
• User Personal Info

Outcomes: MFA Step, Deny, Redirect, Allow

Resources: On-Prem Apps, Homegrown Apps, SaaS Apps, VPN, Data Stores

Page 16: Why Two-Factor Isn't Enough

Matt Articulates HIS User’s Experience

“The end users love the new system. When they’re on premise, they don’t even have to be prompted for their credentials, however if they take that same device off network, they’re automatically prompted for credentials. It’s really a nice solution and a lot of time people don’t even realize they are using it”

- Matt Johnson, Manager, Server Engineering, Houston Methodist Hospital

www.secureauth.com/resources/case-study-houston-methodist

Page 17: Why Two-Factor Isn't Enough

Adaptive Authentication

[Figure: adaptive authentication across five login scenarios (Normal Day, Travel Day, Lost/New Laptop, Stolen Credentials, Stolen Laptop). Each scenario shows a login prompt, a risk level (Low, Medium or High) and the resulting action (Allow, MFA Step, Redirect or Deny). Risk checks shown: Device Recognition, Threat Service, Directory Lookup, Geo-Location, Geo-Velocity, Geo-Fencing, Phone Number Fraud Prevention, Behavioral Biometrics, Identity Governance, User & Entity Behavior Analytics.]

Page 18: Why Two-Factor Isn't Enough

The New Adaptive

Page 19: Why Two-Factor Isn't Enough

Visit www.secureauth.com

The intellectual content within this document is the property of SecureAuth and must not be shared without prior consent.