The
company turned to a behavior-based security system that knows users by what
they use and how they use it.
By Bill Siwicki
July 14, 2017, 03:21 PM
Aetna has launched a new security system for its
consumer mobile and web apps that, in something of a twist, makes passwords
optional.
Instead of a password or fingerprint being the only
barrier to entry, Aetna’s new behavior-based security system monitors the
consumer’s devices and how and where each device is used. Consumers can add
whatever biometric protection their devices offer on top of that.
“Passwords are a mainstay of conventional online
authentication and are considered to be a binary control - if a consumer has
the user ID and password, they are enabled to use the application,” said Jim
Routh, chief security officer at Aetna. “Binary authentication controls work
well when the assumption is that only the consumer has the password and
remembers it. That assumption, however, is no longer valid.”
In 2016, more than three billion passwords were
harvested from breaches by criminals in the U.S., according to Shape Security.
“Criminals exchange passwords on the Dark Web and
use a technique called credential stuffing to apply passwords to targeted web
domains and automatically attempt authentication for tens of thousands of
compromised passwords,” Routh explained. “Criminals are able to achieve a two
percent hit ratio of account takeover using credential stuffing, helped by the
fact that consumers reuse passwords across sites.”
Consequently, passwords are becoming obsolete as a
primary means of authentication. Enterprises need to rethink their reliance on
binary controls at the authentication event that opens an online interaction
with a consumer, and instead consider many different attributes to confirm
that authentication, Routh said.
Aetna enables consumers to choose which biometric
factors they prefer on their device and then apply that selection as one of the
authentication attributes considered by a risk engine.
That risk engine takes in data from many attributes
of the device (software configuration, operating system version, etc.), in
addition to benign attributes of consumer behavior (for example, how a mobile
device is held when texting and location of the device), and matches these
attributes against a device signature and a model based on previous behavior.
The risk engine binds a consumer to one or more of
the devices they typically use. If they use a new device, the authentication
request may include a PIN or biometric to confirm the consumer wishes to bind
their identity to a new device. The risk engine compares the benign behavioral
attributes to the existing behavioral model and determines a risk score based
on the match.
“The behavioral attributes are used to compare with
the baseline model and are not stored or used for other purposes,” Routh said.
“The risk engine produces a risk score to the application and if it is within
the risk threshold for the application then the consumer has full
functionality. If the risk score changes during interaction and is outside of
the established threshold then the consumer may receive a request to enter a PIN
or verify with a biometric control.”
Put more simply, the risk engine compares attributes
to an established pattern. Each attribute carries a weight, so if one
attribute is unavailable the remaining attributes still let the engine produce
a risk score on a consistent scale. Some attributes are weighted more heavily
than others, and comparing attributes against a model to derive a risk score is
something the engine does consistently well, Routh said.
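The three mechanisms described above, weighted attributes, re-weighting when an attribute is unavailable, and a threshold that triggers a PIN or biometric step-up or a new-device binding, are easier to reason about in code. The following Python is an added illustration written for this page; it is not Aetna's risk engine, whose attributes, weights and threshold are not public. The attribute names, weights, threshold, baseline statistics and sample observations are all constructed for the example.

```python
"""Weighted risk scoring with step-up and device binding (illustrative only;
not Aetna's code). Attribute names, weights, the threshold, the baseline
statistics and the sample observations are constructed for this example."""
from dataclasses import dataclass

# Assumed per-attribute weights (sum to 1.0); the article gives no values.
WEIGHTS = {
    "device_fingerprint": 0.35,
    "os_version": 0.10,
    "location": 0.25,
    "hold_angle": 0.15,      # how the phone is held while typing, degrees
    "typing_cadence": 0.15,  # mean inter-key interval, ms
}
STEP_UP_THRESHOLD = 0.40     # assumed application-specific threshold


@dataclass
class Baseline:
    """Consumer's stored model: bound devices plus behavioural statistics."""
    bound_devices: set
    os_versions: set
    known_locations: list    # (lat, lon) pairs seen before
    hold_angle: tuple        # (mean, stddev) in degrees
    typing_cadence: tuple    # (mean, stddev) in ms


def _z_risk(value, stats):
    """Map a numeric deviation to [0, 1]: 3 sigma or more is fully anomalous."""
    mean, sd = stats
    return min(1.0, abs(value - mean) / sd / 3.0)


def _location_risk(loc, known):
    """Crude proximity check: within 0.5 degree of any known location is 'home'."""
    near = any(abs(loc[0] - k[0]) < 0.5 and abs(loc[1] - k[1]) < 0.5 for k in known)
    return 0.0 if near else 1.0


def attribute_risks(obs, base):
    """Per-attribute risk in [0, 1] for every attribute present in the observation.
    Missing attributes (absent or None) are left out of the result."""
    risks = {}
    fp = obs.get("device_fingerprint")
    if fp is not None:
        risks["device_fingerprint"] = 0.0 if fp in base.bound_devices else 1.0
    os_v = obs.get("os_version")
    if os_v is not None:
        # An OS upgrade is routine, so a mismatch is only a partial signal (assumed 0.5).
        risks["os_version"] = 0.0 if os_v in base.os_versions else 0.5
    if obs.get("location") is not None:
        risks["location"] = _location_risk(obs["location"], base.known_locations)
    if obs.get("hold_angle") is not None:
        risks["hold_angle"] = _z_risk(obs["hold_angle"], base.hold_angle)
    if obs.get("typing_cadence") is not None:
        risks["typing_cadence"] = _z_risk(obs["typing_cadence"], base.typing_cadence)
    return risks


def score(obs, base):
    """Weighted risk score in [0, 1], re-normalised over the attributes present
    so the scale stays the same when some attributes are unavailable."""
    risks = attribute_risks(obs, base)
    if not risks:
        return 1.0           # nothing to compare against: treat as maximally risky
    total_w = sum(WEIGHTS[a] for a in risks)
    return sum(WEIGHTS[a] * r for a, r in risks.items()) / total_w


def decide(obs, base):
    """Return 'allow', 'step_up' (PIN/biometric) or 'bind_new_device'."""
    fp = obs.get("device_fingerprint")
    if fp is not None and fp not in base.bound_devices:
        return "bind_new_device"   # PIN/biometric required before binding
    return "allow" if score(obs, base) <= STEP_UP_THRESHOLD else "step_up"


def bind_device(base, fingerprint, step_up_passed):
    """Bind a new device only after the PIN/biometric challenge succeeded."""
    if step_up_passed:
        base.bound_devices.add(fingerprint)
    return fingerprint in base.bound_devices


# Constructed baseline and observations for one consumer.
BASE = Baseline({"dev-A"}, {"iOS 10.3"}, [(41.77, -72.67)], (25.0, 5.0), (180.0, 30.0))
NORMAL = {"device_fingerprint": "dev-A", "os_version": "iOS 10.3",
          "location": (41.76, -72.69), "hold_angle": 27.0, "typing_cadence": 190.0}
ANOMALOUS = dict(NORMAL, location=(48.86, 2.35), hold_angle=45.0, typing_cadence=400.0)
PARTIAL = {"device_fingerprint": "dev-A", "os_version": "iOS 10.3", "location": (48.86, 2.35)}
NEW_DEVICE = dict(NORMAL, device_fingerprint="dev-B")

if __name__ == "__main__":
    for name, obs in [("normal", NORMAL), ("anomalous", ANOMALOUS),
                      ("partial", PARTIAL), ("new device", NEW_DEVICE)]:
        print(f"{name:>10}: score={score(obs, BASE):.3f} action={decide(obs, BASE)}")
```

Note what re-normalising over the attributes that are present does: the same foreign location scores 0.25 when all five attributes are reported but about 0.36 when only three are, because the weight of the missing behavioural signals is redistributed onto what remains. A production engine should treat the absence of a high-weight attribute (a client that stops reporting location, for instance) as a signal in its own right rather than silently dropping it, since otherwise a tampered client can choose which evidence the engine sees.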
So how does the behavior-based security system get
to know users so well?
“The risk engine is using unsupervised machine
learning to match attributes to the existing model, so the more data provided
into a model the better it performs over time,” Routh explained. “Therefore,
the more often the consumer uses the application, the more effectively the risk
engine performs. Aetna provides consumers with choices on how they wish to
interact and which types of biometric controls they prefer on their devices. Giving
consumers choices gives them more convenience while also providing them with
better security to protect their information.”
Link Source: http://www.healthcareitnews.com/news/aetna-replacing-security-passwords-machine-learning-tools