Selecting a Strong Authentication Solution Scott Mackelprang, V.P. of Security Digital Insight

Slide 2 Vendor view of the FFIEC Guidance The recent strong authentication guidance was good – For the financial industry For vendors and providers For end users Unified guidance through the FFIEC was right way to do it Relieved concern of conflicting guidance Best approach for new significant changes going forward Strict vendor neutrality was appropriate One year deadline was about right Will be challenge for some, but a deadline was needed

Slide 3 Step 1: Determine What the FI’s Want FI attitudes towards changes in the End User Experience How intrusive? How much effort/burden for end user How complicated? Degree of sophistication required of end user How much user mobility? Allow end users to roam? How much inconvenience will roaming entail? How to address shared accounts? Shared authentication credentials allowed? How to register users for strong authentication?

Slide 4 Step 1: Determine What the FI’s Want FI administrative wants and needs How much security? Not all solutions offer equivalent protection Additional computer peripherals okay? Some solutions require additional peripherals on PC Implement more than one technology? Some solutions are complimentary Implement all users at once or one user at a time? Big bang vs. one by one Needed how soon in order to meet deadline? FI’s inertia will impact rollout effort What impacts are there to account aggregation? Secondary methods to back up the strong authentication? Non-mobile solutions, forgotten passwords, etc

Slide 5 Step 2: Clearly Establish your Objective What’s more important Prevent theft of credentials or… Prevent use of stolen credentials Phishing makes the headlines but…. Strong authentication doesn’t just address phishing Other important threats must be considered Remote access trojans Man in the middle attacks New emergent threats Going to solve only the authentication problem? What about authorization? Commercial, retail, administrative: All use same approach?

Slide 6 Step 3: Evaluate Technology Options Synchronous token Somewhat expensive, heavier administrative model, supports mobility very well, choice of early adopters USB token Commodity priced, moderate administrative model Smartcard Lacks supporting infrastructure in US, good authorization features Shared secrets Not as strong as other mechanisms, good for backup to primary method Asynchronous Password generating token Can lower cost of token (matrix cards, scratch lists, etc), moderate to high administrative model

Slide 7 Step 3: Evaluate Technology Options Biometrics Fingerprints infrastructure rolling out now, non-fingerprints have high infrastructure barriers. Proprietary lock-ins common in biometrics Out-of-band communications Convenience and availability could be issues, good for backup in event of failures of primary approach IP address and geo-location Weak as a primary method, but could strengthen primary means. ‘Spoofable’. Shortcomings called out by FFIEC Client computer/network ‘fingerprinting’ Could have moderately heavy administrative model, simple for end user. Good supplement to primary techniques Digital certs on client (SSL client certs etc) Strong security, cumbersome to use broadly

Slide 8 Step 4: Narrow Options, then Test and Negotiate Leave time to fully negotiate license arrangements Vendors tend to want to charge on per user basis Evaluate and size the integration task for product software Staff as required to meet established deadlines Test scalability of selected technology Test security of selected technology Test usability through a pilot to the extent possible Test results should flavor the decision making process

Slide 9 Step 5: Develop and Test Solution EXAMPLE - Digital Insight’s Solution and Priorities DI selected a solution that provided 3 levels of authentication Cookies Software download USB token Wanted sliding scale of protection without upgrades at server or client Wanted to protect against newly emerging threats, especially Man-In- The-Middle attacks DI expects man-in-the-middle attacks to become prevalent in 12 to 18 months DI is building a framework to support multiple technologies All FI’s may not be able to conform to a single technology selected by DI A framework will also serve authorization needs of financial services

Slide 10 Step 6: Roll Out the Solution Provide wide latitude for timing of rollout Flexibility is a must FI’s need many options in timing their rollout Not all FI’s will evaluate risk the same Not all have same product or risks Provide backup education to authentication failures well in advance E.g. DI provides 2 out-of-band mechanisms for unusual circumstance logins Provide consultative services for FI’s who will need the help

Slide 11 Step 6: Roll Out the Solution Broadly distribute communication to FI customers explaining implementation philosophy and process Roll out prerequisite infrastructure in advance of actual deployment of strong authentication technology to ease process Do it behind the scenes if possible Minimize impact on FI during the rollout itself Shorten lead time required of FI’s for their rollout Reduce work for FI to migrate to new solution Conduct focus groups through usability experts to establish helps for customers Create excellent Help text verbiage Help with collateral for FI’s to ‘sell’ end users on new technology Create FAQ’s designed to describe and educate at all levels