Usable Multi-Factor Authentication and Risk-Based Authorization

Contents:

1.0  Summary
2.0  Introduction
3.0  Risk Perception and Communication
  3.1  Methods
  3.2  Assumptions
  3.3  Procedures
  3.4  Results and Discussion
  3.5  Conclusions
  3.6  Recommendations
4.0  Human Computer Interaction
  4.1  Methods
  4.2  Assumptions
  4.3  Procedures
  4.4  Results and Discussion
  4.5  Conclusions
  4.6  Recommendations
5.0  Biometric Multi-Factor Authentication
  5.1  Methods
  5.2  Assumptions
  5.3  Procedures
  5.4  Results and Discussion
  5.5  Conclusions
  5.6  Recommendations
6.0  Risk-Based Authorization
  6.1  Methods
    6.1.1  Risk, Uncertainty and Time
    6.1.2  Uncertainty
      6.1.2.1  Where Is Uncertainty?
      6.1.2.2  Reasons to Account for Uncertainty
      6.1.2.3  Handling/Modeling Uncertainty
    6.1.3  On Accuracy of Risk Estimate
  6.2  Assumptions
  6.3  Procedures
    6.3.1  Handling Uncertainty
      6.3.1.1  Handling Normal Fluctuations, Inaccuracy and Incompleteness
      6.3.1.2  Handling Possibilities Not Covered by Past Data and Experience
        6.3.1.2.1  A Performance Optimization
    6.3.2  Estimating Risk
      6.3.2.1  Bayesian Network Overview
      6.3.2.3  Using A Bayesian Network Node To Merge Uncertainty
      6.3.2.4  Configuring a Bayesian Network Node
      6.3.2.5  Example: Configuring the CPT of the Location Anomaly BN Node
      6.3.2.6  Example: Configuring the CPT of the Risk BN Node
    6.3.3  Trust-Value-Risk Based Access Control Policy
    6.3.5  Continuous Learning of Behavior Profiles
      6.3.5.1  Recognizing the Signs of Emerging New Behavior Patterns
      6.3.5.2  Bridging the Gap Between Human and Machine
      6.3.5.3  Experimental Validation of the Learning and Scoring Mechanisms
  6.4  Results and Discussion
  6.5  Conclusions
  6.6  Recommendations
7.0  Mobile Client and Security Services
  7.1  Methods
  7.2  Assumptions
    7.2.1  Hybrid Application Design
    7.2.2  Context-based Security
    7.2.3  Flexible Integration Options
  7.3  Procedures
  7.4  Results and Discussion
    7.4.1  Core Client-side Components
      7.4.1.1  Native Plugins and Wrappers
      7.4.1.2  Hybrid layer
    7.4.2  Representative Business Application: Banking
    7.4.3  Transition to Practice: Integration with ISAM
      7.4.3.1  Multi-factor authentication for web apps
  7.5  Conclusions
  7.6  Recommendations
8.0  Network Authentication and Authorization Services
  8.1  Methods
  8.2  Assumptions
    8.2.1  Integration with network authentication / authorization services and network services providers
      8.2.1.1  Reverse Proxy
      8.2.1.2  Mobile Application Service
    8.2.2  Secure operation and efficient communication protocols
      8.2.2.1  Secure operation
        8.2.2.1.1  Network and protocol security
        8.2.2.1.2  Mobile device security
        8.2.2.1.3  NAAS and biometrics security
      8.2.2.2  Efficient communication protocols
    8.2.3  Inline / out of band processing
    8.2.4  Biometrics – enrollment and verification
    8.2.5  Risk Authorization
    8.2.6  Authentication Challenges
    8.2.7  Risk Communication
    8.2.8  Administration
  8.3  Procedures
  8.4  Results and Discussion
    8.4.1  Shim layer
      8.4.1.1  EAI
      8.4.1.2  Access
      8.4.1.3  Login
      8.4.1.4  Logout
      8.4.1.5  RegisterUser / RegisterDevice
      8.4.1.6  PushNotification
    8.4.2  Core authentication and authorization services
      8.4.2.1  ResourceAccess2
        8.4.2.1.1  Predictive scheduling of challenges
    8.4.3  Authenticators and Context / Risk Evaluators
      8.4.3.1  Authentication Verifier
      8.4.3.2  Authentication Enrollers
      8.4.3.3  Context Evaluators
    8.4.4  Biometric fusion
    8.4.5  Authorization policy
    8.4.6  Administrative functions
      8.4.6.1  Runtime configurable parameters
      8.4.6.2  Registries
      8.4.6.3  Authentication and context / risk evaluators
  8.5  Conclusions
9.0  References
  9.1  Risk Perception and Communication
  9.2  Human-Computer Interaction
  9.3  Biometrics
  9.4  Risk-Based Access Control
  9.5  Mobile Client and Security Services
  9.6  Network Authentication and Authorization Services

By: Larry Koved, Pau-Chen Cheng, Diogo Marques, Nalini Ratha, Kapil Singh, Cal Swart, Shari Trewin

Published as: IBM Research Report RC25619, 2016 (PDF: rc25619.pdf)
