THE FUTURE IS DECENTRALIZED

A HYPR published study jointly written by Sean Connolly of HYPR and Alan Goode of Goode Intelligence

The Future is Decentralized

CONTENTS

CENTRALIZATION IS THE PROBLEM
04 Another Day Another Data Breach
05 The Need For Decentralization
06 Passwords Are Not The Problem
07 Is Two Factor Authentication the Solution?
07 The Rise of Biometrics

DECENTRALIZED AUTHENTICATION AS A SOLUTION
08 Enter Decentralization
09 Three Industry Trends That Support Decentralization

EMPOWERING DECENTRALIZATION WITH HYPR
10 Introducing HYPR
12 HYPR Technology
13 Solution Features
15 Advanced Biometric Orchestration
16 Conclusion

2 . www.HYPR.com . ©2017 HYPR All Rights Reserved

INTRODUCTION

Now more than ever, the world is watching how companies manage consumers’ data. We believe this creates a unique opportunity for you to stand out from the crowd, protect your customers and be a leader in cyber security. Large-scale data breaches are avoidable. The technology exists, and it is ready to implement. This white paper, jointly written by Sean Connolly of HYPR and Alan Goode of Goode Intelligence, details why decentralized authentication is the way forward for enterprises wanting to solve a critical security challenge.


ANOTHER DAY ANOTHER DATA BREACH

As a result of a staggering increase in identity theft and identity related breaches, attention has firmly turned towards how organizations manage user authentication. According to Verizon, in its 2017 Data Breach Investigations Report (DBIR), 80% of hacking related breaches are the result of weak or stolen passwords.

80% of hacking related breaches are the result of weak or stolen passwords.

Source Verizon - 2017 Verizon Data Breach Investigations Report

Yahoo, LinkedIn, Sony and Equifax are just some of the large global companies that have been hit with hacks that have led to widespread identity theft long after the initial breach. A digital identity is often a combination of a user ID and password, with the password usually being encrypted and stored in a central database. Hacking tools will be used in an attempt to decrypt the passwords and, if successful, the plaintext password files will be sold to the highest bidder, often on the dark net. A combination of poor security management and weak password protection, often a result of poorly implemented hashing and encryption techniques, is leading to the recent rise in identity related breaches. In what is referred to as credential stuffing, criminals then attempt to use the stolen identities, along with their decrypted passwords, to take over other accounts used by the same user.

CYBER SECURITY IS NOW A C-SUITE PROBLEM

CEOs must make cyber safety a top priority to protect their customers, their share prices and themselves. The European Union has established legislation to that effect. Any company that does business in the EU and has EU citizens as customers will have to adhere to The European Union’s General Data Protection Regulation (GDPR). This regulation may prove to be the blueprint for data protection and privacy legislation around the world. Non-compliance with the GDPR may lead to hefty fines of up to four percent of a company’s annual revenue (up to about 24 million dollars).


THE NEED FOR DECENTRALIZATION

Centralized authentication models, which store identity credentials including user IDs and passwords in a central database, are one of the biggest factors in the rise of identity theft and identity related breaches. If a central database is breached, thousands or even millions of identity credentials could be compromised. That’s what happened with the LinkedIn breach. The user IDs and passwords of 100 million members were stolen because LinkedIn was poorly protecting them – with SHA1 hashing and no salting – and because all 100 million were centrally stored. LinkedIn initially claimed that the breach only affected six million identities, but four years after the first notification, they had to inform more than 117 million users to reset their passwords after reports that cyber criminals were offering to sell 117 million stolen records. Storing, securing, and maintaining a centralized repository of passwords carries high costs for what is essentially a prime target for hackers. The 2017 breach of Equifax may be the most severe example of the dangers of centralization. Over 143 million consumers potentially had their social security number (SSN) compromised. Additionally, the 2015 U.S. Office of Personnel Management (OPM) breach saw over 5 million fingerprint records compromised and shined a spotlight on the risks of centrally storing biometric data.

ENTERPRISES ARE TRANSITIONING AWAY FROM THE CENTRALIZATION OF BIOMETRICS, PINS, AND PASSWORDS


PASSWORDS ARE NOT THE PROBLEM

Commentators are wrongly accusing passwords of being part of the problem and recommending the death of password-based authentication. But the password is not to blame. The issue is central storage of poorly protected personal information – including passwords, biometrics, credit card numbers and other personal information. The password isn’t perfect. (Its biggest downside is that it is difficult to maintain integrity when users are responsible for creating and remembering their own passwords.) But passwords are not to blame for the large-scale breaches we’re seeing today. Passwords have proven to be an effective method of authenticating users for decades. Passwords and PINs are still included as part of two-factor or multi-factor regulation and technology standards, including those issued by the National Institute of Standards and Technology (NIST), and are included by the European Banking Authority (EBA) as part of its Strong Customer Authentication (SCA) technology standards for the PSD2 payment regulation. The EBA’s standards provide clear guidance on how consumers must be authenticated and require the use of at least two independent elements from Knowledge (passwords and PINs), Possession (token or mobile) and Inherence (biometric). Passwords are part of the solution here for a modern authentication standard generated with industry input. Password based authentication, used in either single or two-factor authentication solutions, is engrained in technology. It would take a monumental effort to completely eliminate it – if in fact that was the most pragmatic method in which to improve the security of authentication systems.


The industry is struggling to solve the authentication challenge with a number of technology and education-based initiatives that have been similar to applying a Band-Aid to a serious wound. These have included password managers, advice on what is the most secure password (combinations of special characters, password length and even pass phrases), and adding two or multiple factor authentication methods such as knowledge-based authentication (KBA) and generation and receipt of one-time-passwords (OTP). Two-Factor Authentication (2FA) is often lauded as the solution to the authentication challenge, but it alone cannot prevent the large scale breaches we’re seeing today.

CENTRALIZATION IS THE PROBLEM
– SINGLE POINT OF FAILURE
– HIGH RISK OF BREACHES
– EXPENSIVE IT COSTS

THE SHORTCOMINGS OF TWO FACTOR AUTHENTICATION

2FA has become the industry’s response to concerns with the password. There has been a steady, but not stellar, rise in the adoption of 2FA, with many of the leading digital service providers including Apple, Google, Facebook and Twitter giving users the option to activate 2FA – or two-step verification (2SV) as it is often called. 2FA adds another step before users can gain access to their services, and it is typically not mandatory, so many users ignore it.

There is a perception that 2FA has failed or is not the right technical solution, and it does have its shortcomings. In July 2016 NIST deprecated the use of SMS as a strong second factor due to weaknesses in the carrier network that delivers the SMS OTPs and it being prone to man-in-the-middle (MiTM) attacks. 2FA is not scalable or convenient for users. It is a quick fix that doesn’t solve the real problem at hand. 2FA alone is not the solution.

THE RISE OF BIOMETRICS

Biometric authentication has shaken the industry and helped solve the security versus convenience conundrum, but does it really solve the authentication challenge? Since Apple introduced Touch ID on its iPhone in 2013, we have witnessed wide-scale adoption of biometric authentication primarily on smart mobile devices. According to industry analysts, there are more than two billion devices including mobile phones, tablets, desktops, laptops and wearables that support biometrics. Biometrics offer convenient frictionless user authentication and work well with the prominent endpoint, the smartphone. But as with passwords, their effectiveness in preventing identity theft and data breaches is tied to how well they are designed and implemented. Centralized biometric databases are liable to the same threat as centralized password repositories in that they can be stolen and re-used. In the 2015 OPM breach, millions of fingerprints were stolen because they were centrally stored. There are also weaknesses in some implementations of device-based biometric systems such as Touch ID and now Face ID. As with two-factor authentication, biometrics can improve security for the individual session, but fail to address the underlying challenge of centralized access.

Knowing this, service providers often implement biometrics as a convenience feature rather than a security control. A Touch ID authentication may be a significant UX improvement over typing a 30-character password, but if the user’s fingerprint is linked to a password, then we are still dealing with the same centralized repository of credentials. Many implementations of Touch ID simply unlock the usage of a stored password and do not perform a biometric authentication. Touch ID and other mobile-based on-device solutions can be leveraged to create a secure end-to-end authentication solution based on either Fast Identity Online (FIDO) standards or other similar asymmetric cryptographic systems – leveraging on-device biometric technology as part of a secure standards-based authentication solution. It’s time to start focusing on the fundamentals. In theory passwords, 2FA and biometric security should be more than enough; but they all fall short when authentication is centrally architected. The security industry can burden the user with as many layers of authentication as desired – but so long as a centralized credential store persists, service providers are faced with maintaining a fundamentally flawed architecture.


ENTER DECENTRALIZATION

Decentralized authentication will become standard practice for securing digital experiences. The password is not dying, it is evolving; and with such an evolution the structure of authentication will change. The departure from a centralized credential store presents freedom and opportunity for service providers to accommodate the familiarity of the password or deploy next-generation user experiences secured with biometrics, behavioral and contextual data. Just as credit cards evolved from static 16-digit numbers to EMV based chips, so will login experiences transition from centralized credentials to decentralized credentials. We believe the industry will enter a rapid paradigm shift away from centralized authentication. The evolution of IoT will further emphasize this point, as we will not be able to rely on centrally stored mechanisms when authenticating billions of Internet enabled devices. Business leaders and IT organizations must take a proactive approach to prevent large scale breaches and ensure public trust. From financial services to the healthcare sector, large enterprises are adopting decentralized systems at a remarkable pace. From the technology sector, we already see wide adoption among industry leaders. Popular biometric sensors such as the Samsung Galaxy S8 and Microsoft’s Windows Hello are utilizing decentralized authentication powered by the FIDO standard. FIDO (Fast Identity Online) is the most prominent open standard for decentralized access. FIDO and standards like it will define how we build trust between a user and their service(s) of choice.


Notably, Microsoft has taken steps in this evolution with both the Windows Device Companion Framework and the Windows Hello PIN. This PIN is in fact a password, but it is an evolved one. As a FIDO-enabled credential, this PIN is decentralized. The PIN always remains safe on the user’s device and is never centrally stored.

DECENTRALIZED AUTHENTICATION
– REDUCED RISK OF CREDENTIALS BREACH
– ELIMINATE FRAUD
– LOWER IT COSTS

THREE INDUSTRY TRENDS EMPOWERING DECENTRALIZED AUTHENTICATION:

STANDARDS: adoption of PKI-based standards to establish trust with applications

SENSORS: integration of biometric sensors to authenticate users

SECURITY: utilization of hardware security modules to store credentials on trusted devices

ADOPTION OF PKI-BASED STANDARDS

The FIDO Alliance provides the most prominent example of what a decentralized authentication framework should embody. FIDO protocols build upon industry trusted PKI standards and seek to decentralize the process of authentication by storing a private key on a user’s device. Only a public key is stored centrally by the service provider. Should there be any form of a database breach on a company’s server infrastructure, there is nothing a hacker could use to impersonate its users. In fact, a true decentralized authentication implementation would possess no personally identifiable information at all.

BUILD VS BUY

With the rapid adoption and influence of FIDO, some enterprises have been inspired to build their own decentralized architectures. The most basic example of this is the integration of biometrics such as Touch ID with PKI-based authentication. More extensive examples are banks that have attempted to build proprietary decentralized protocols similar to FIDO. Using open standards can eliminate the millions of dollars required to develop and maintain your own decentralized solution. FIDO is an example of a protocol which establishes decentralization, and more open standards will follow. As these standards evolve, we will be better prepared to ensure security and privacy with each application.
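The split described above (private key on the device, only the public key at the service) is easy to see in a minimal challenge/response exchange. The Go program below is an added illustration written for this edit, not HYPR's or the FIDO Alliance's code; the relying party name "example.com", the credential ID "alice" and the use of P-256 ECDSA are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Server models the relying party: it keeps only a public key per credential ID (IDs and rpID below are constructed).
type Server struct {
	rpID   string
	pubs   map[string]*ecdsa.PublicKey
	issued map[string][32]byte // outstanding one-time challenges, per credential ID
}

// Device models the authenticator; its private key is generated locally and never leaves.
type Device struct{ priv *ecdsa.PrivateKey }

func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, pubs: map[string]*ecdsa.PublicKey{}, issued: map[string][32]byte{}}
}

// Register creates a P-256 key pair on the device and hands the server only the public half.
func Register(s *Server, credID string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubs[credID] = &priv.PublicKey
	return &Device{priv: priv}, nil
}

// Challenge issues a fresh random nonce that may be answered exactly once.
func (s *Server) Challenge(credID string) (c [32]byte) {
	rand.Read(c[:]) // crypto/rand; a failure here should abort in production code
	s.issued[credID] = c
	return c
}

// digest binds the signature to the relying party and the challenge, so an assertion for one site cannot be replayed at another.
func digest(rpID string, challenge [32]byte) []byte {
	sum := sha256.Sum256(append([]byte(rpID+"|"), challenge[:]...))
	return sum[:]
}

// Assert is the device's answer: a signature over the challenge; the private key is never sent.
func (d *Device) Assert(rpID string, challenge [32]byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.priv, digest(rpID, challenge))
}

// Verify consumes the outstanding challenge and checks the signature with the stored public key.
func (s *Server) Verify(credID string, sig []byte) error {
	pub, ok := s.pubs[credID]
	if !ok {
		return errors.New("unknown credential")
	}
	challenge, ok := s.issued[credID]
	if !ok {
		return errors.New("no outstanding challenge (replay?)")
	}
	delete(s.issued, credID) // one-time use
	if !ecdsa.VerifyASN1(pub, digest(s.rpID, challenge), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// BreachSimulation: a dump of the server table yields only public keys; a signature made with any other key is rejected.
func BreachSimulation(s *Server, credID string) error {
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sig, _ := ecdsa.SignASN1(rand.Reader, other, digest(s.rpID, s.Challenge(credID)))
	return s.Verify(credID, sig)
}

func main() {
	s := NewServer("example.com")
	dev, _ := Register(s, "alice")
	sig, _ := dev.Assert("example.com", s.Challenge("alice"))
	// prints: <nil> no outstanding challenge (replay?) bad signature
	fmt.Println(s.Verify("alice", sig), s.Verify("alice", sig), BreachSimulation(s, "alice"))
}
```

A real FIDO authenticator additionally signs a per-key counter and the origin data the client supplies; the structure of what the server must store is the same.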

PROLIFERATION OF BIOMETRIC SENSORS AND AVAILABILITY OF TRUSTED HARDWARE

The need for more advanced, secure hardware is increasing with the rise of biometrics and decentralization. With the device becoming our primary source of user verification, the sensitive information it contains must be properly protected. This shift in security is quickly becoming an industry standard. Apple has implemented Touch ID, which is built upon the Secure Enclave within its iOS devices; Android is pushing for hardware based security through the Trusted Execution Environment (TEE); Intel has introduced SGX, Qualcomm has introduced the MSM, and the list goes on. These technology leaders have embedded their devices into our lives. With these strides forward in hardware security, today’s consumer is authenticating in a whole new way. Authentication credentials including private keys and biometric data always remain safe within the trusted environment on these devices, which also presents a very difficult attack vector. Rather than target individual devices, there are easier, lower-hanging fruits for criminals to focus on, such as centralized credential databases. As service providers adopt decentralized standards, the role of trusted devices has never been so prominent or accessible. These devices are not only enhancing user experience with biometrics, but when combined with open standards such as FIDO, they enable secure decentralized authentication at a mass scale.

INTRODUCING HYPR

HYPR secures decentralized access to our connected world. Designed for large enterprises, the HYPR solution has empowered secure and rapid deployment of decentralized authentication across millions of users. HYPR ensures that personal credentials such as biometrics, PINs and passwords always remain safe on users’ devices. By eliminating the need for a centralized credential store, the risk of a breach is greatly reduced while security, privacy and usability are enhanced.

HYPR EMPOWERS DECENTRALIZED AUTHENTICATION FOR ENTERPRISES

[Figure: Centralized Auth vs. Decentralized vs. Out-of-Band Auth, each shown across the APP LAYER and AUTH LAYER]

SECURE OMNI-CHANNEL EXPERIENCES

HYPR enables large enterprises to deploy decentralized security across all lines of business with ease. The solution provides one simple framework for deploying a consistent omni-channel authentication experience across consumer, employee, and IoT applications.

CONSUMERS

Every day millions of consumers enjoy fast, frictionless and secure user experiences powered by HYPR. Online banking, mobile payments, credit cards, call centers and ATMs now offer consumers an unprecedented level of trust and user experience made possible by decentralized authentication.

EMPLOYEES

Whether at the desk or remote, employees experience improved productivity, certainty and speed in a HYPR_Secure environment. Secure VPN/VDI access, remote desktops, employee workstations, and SSO with the push of a button.

IOT

HYPR extends decentralized access to connected cars, locks, homes and throughout the IoT, transforming connected things into secure things. HYPR is the first IoT authentication solution to deploy decentralized, FIDO® Certified authentication.

GREATLY REDUCE RISK OF BREACHES

HYPR’s decentralized authentication solution enables enterprises to reduce the risk of breaches and eliminate fraud while at the same time reducing cost.

ELIMINATE FRAUD

Protect your organization, customers and employees by drastically reducing the opportunity for a mass credentials breach. HYPR reduces the risk of a breach by eliminating the need for a centralized credential store.

LOWER IT COSTS

Decentralized authentication prevents remote compromise of customer accounts. Eliminate fraud from the consumer experience and see your bottom line grow by millions of dollars.

GROW REVENUE WITH ENHANCED USER EXPERIENCES

Delivering authentication within milliseconds, HYPR speeds users through a pristine experience that keeps them secure. Faster authentication speed means more transaction volume and lower cart abandonment rates.


HYPR TECHNOLOGY

The HYPR platform is comprised of three core components that enable decentralized authentication. By combining a suite of pre-integrated biometric algorithms with FIDO® Certified architecture and advanced hardware-backed security, HYPR provides enterprises all the elements necessary to easily deploy decentralized authentication.

DECENTRALIZED CLIENT

The Decentralized Client integrates HYPR functionality into mobile, desktop and IoT applications, allowing enterprises to easily push decentralized authentication to millions of users with a simple app update.

INTELLIGENT EXTENSIONS

HYPR provides a fully API-driven architecture that integrates easily with any existing environment. Enterprises leverage a simple framework to enable decentralized authentication within existing Identity Access Management (IAM) architectures.

AUTHENTICATION SERVER

HYPR’s Authentication Server provides a scalable server-side component required for decentralized authentication on cloud or on-premise.

SOLUTION FEATURES

HYPR’s approach to securing privacy and usability with one easy to use solution has proven to scale decentralized security to millions of users across the Fortune 500.

SECURITY

HYPR leverages a powerful FIDO® Certified Open Architecture combined with Advanced Hardware Level Encryption (TEE, SGX, SE) to eliminate the need for a centralized credential store. Supported trusted hardware includes Intel SGX, Samsung KNOX, Qualcomm MSM, Apple Secure Enclave, ARM TrustZone and Trusted Execution Environments.

PRIVACY

With HYPR, users are assured that their personal credentials always remain in their possession, instead of with a third party.

USABILITY

HYPR enables faster transaction speeds and removes friction from the omnichannel authentication experience. A user-centric and context-aware interface allows administrators to select the best authenticator based on environment, application, and level of assurance.

FLEXIBILITY

The only out-of-the-box biometrics platform with dozens of biometrics pre-integrated and ready to deploy across billions of supported devices. As new biometric sensors are launched, they are continuously integrated, pen-tested and secured by HYPR.

SCALABILITY

Proven to scale with millions of users secured across the Fortune 500. HYPR supports thousands of authentications per second through a lightweight, decentralized architecture.

FIDO® CERTIFIED INTEROPERABILITY

The HYPR client is FIDO® Certified and supports any FIDO validation server. This level of flexibility allows service providers to obtain the advantages of HYPR decentralized authentication with existing IDP environments, vendors and frameworks.


INSTANTLY DEPLOY MOBILE BIOMETRICS
– ONE SIMPLE SDK, BILLIONS OF DEVICES
– DOZENS OF PRE-INTEGRATED AUTHENTICATORS
– FULLY CUSTOMIZABLE USER EXPERIENCE

HYPR’s lightweight client is available as a standalone app or SDK for easy integration with any application or service. By providing a fully customizable SDK, HYPR ensures enterprises can deploy decentralized authentication to consumers and employees with one simple framework.

As the industry continues to expand the availability of biometry, enterprises are faced with the challenge of continuously integrating, securing and deploying new biometrics. The HYPR platform was designed with a strong emphasis on the use of biometric sensors. HYPR is the only biometrics platform with dozens of modalities and authenticators available out-of-the-box for easy deployment across billions of devices. As new sensors are launched they are instantly integrated, pentested and secured by HYPR.


Pre-integration of authenticators allows enterprises to eliminate the need for manual development at the application level and save millions of dollars in development costs. Whether available on-device or through an Intelligent Extension, HYPR ensures that any user is able to use multiple biometrics. For enterprises this feature removes the friction and development costs of manually integrating, securing, and designing experiences around biometric sensors. For the end user, any combination of biometrics presents a much faster and easier experience than the use of legacy authentication methods such as long passwords, verification phone calls, or OTPs.

ADVANCED BIOMETRIC ORCHESTRATION

HYPR provides an advanced biometrics orchestration engine designed to deliver any administrator literal real-time control over authentication policies. Biometric sensors can be enabled or disabled across large populations of users in real-time with fallback authenticators to ensure the user experience remains flawless.

– PROVISION, MANAGE AND DEPLOY MILLIONS OF USERS IN REAL-TIME
– EASILY MAP BUSINESS LOGIC TO ANY NEW BIOMETRIC AND DEVICE
– FULLY API-DRIVEN INTEGRATION WITH ANY IAM / IDP

Large organizations have spent significant effort on defining risk profiles and business logic unique to their transaction models. Today the digital experience is more fragmented than ever before. With the rise of biometric sensors, mobile devices and IoT systems, enterprises are faced with a growing challenge to unify and secure numerous applications across various lines of business. The Authentication Server provides enterprises an elegant solution for empowering decentralized security while defragmenting the omnichannel authentication experience.

Activate biometrics and assign existing business logic to new authenticators. HYPR integrates with fraud prevention and customer approval platforms. By interfacing with the Decentralized Client, the HYPR Authentication Server ensures that policy management is easily accomplished without requiring any changes at the application level.

– STATELESS, EASILY SCALABLE INFRASTRUCTURE
– SUPPORT MILLIONS OF USERS WITH MINIMAL FOOTPRINT
– EXTREMELY HIGH THROUGHPUT WITH THOUSANDS OF TRANSACTIONS / SECOND IN PRODUCTION
– SUPPORTS VMWARE, CITRIX, REDHAT, LINUX DISTRIBUTIONS AND OTHERS
– HYBRID DEPLOYMENT VIA RAPIDLY DEPLOYABLE VIRTUAL APPLIANCES


CONCLUSION: THE FUTURE IS DECENTRALIZED

We cannot continue to store credentials in central repositories where they are currently being stolen at an alarming rate. The age of the mega breach should be history, and only a decentralized architecture can make that the case. HYPR’s decentralized model secures identity credentials in a trusted environment on a user’s mobile device to reduce the attack surface and change the whole business model for cyber criminals, who logically target centralized identity stores. A criminal attack on a decentralized authentication system would compromise a single user but has the potential to save millions. For more information about HYPR’s decentralized authentication solution please visit www.HYPR.com.

TRUST EVERYONE


ABOUT HYPR CORP

HYPR Secures Decentralized Access to Our Connected World. Designed for the enterprise, HYPR decentralized authentication ensures that personal credentials such as biometrics, PINs and passwords always remain safe on users’ devices. By eliminating the need for a centralized credential store, the risk of an enterprise breach is greatly reduced. With millions of consumers and employees secured across the Fortune 500, HYPR is the first authentication solution to unite frictionless user experiences with decentralized security. Trust Everyone.

GOODE INTELLIGENCE

Goode Intelligence is an independent analyst and consultancy company that provides quality advice to global decision makers in business and technology. Goode Intelligence works in the information security, mobile security, authentication and identity verification, biometrics, enterprise mobility and mobile commerce sectors. Founded in 2007 by Alan Goode and headquartered in London, Goode Intelligence helps technology providers, investors and IT purchasers make strategic business decisions based on quality research, insight and consulting. Goode Intelligence works with a cross-section of clients, from global brands that are ranked on the FTSE/Fortune 100 to start-up technology companies.

www.goodeintelligence.com

THANK YOU

HYPR CORP
45 W. 34TH ST. SUITE 710
NEW YORK, NY 10001
646.503.5366
[email protected]
