
Secure and non-sensitive, zero-factor authentication on mobile


Introduction

Beyond letting people reach business systems anytime and anywhere, the rapid adoption of mobile devices has also brought mobile fraud, so identity authentication has become the most important part of security. Existing authentication methods come in many forms, and they differ in security and in use friction (that is, user experience): password authentication of the "something you know" type has low security and high friction; hardware security keys of the "something you have" type are extremely secure but also high friction; fingerprint authentication of the "something you are" type falls somewhere in between.

Is there an authentication scheme that offers high security with low friction?

Zero-factor authentication is authentication that the user does not perceive. Unlike traditional methods based on passwords, verification codes or biometrics, it is performed on the basis of the user's behavior pattern, device information, geographic location and other data, with no user intervention. Its technical core is an imperceptible authentication process built on analysis of user behavior and environmental characteristics, which both improves security and reduces user friction.

The following will introduce the solutions and cases of zero-factor authentication.

Scheme

Today's mobile devices contain many sensors that produce unique and valuable signals: they communicate with telecom base stations, connect to Wi-Fi networks, receive GPS, and collect data such as the user's screen touch points. Because users carry their devices with them, these sensors can continuously collect data in the background that characterizes user behavior patterns in depth, covering both user behavior data and device data. That data can be used not only for login and for authenticating access to sensitive business functions, but also for what Gartner calls zero-factor authentication, that is, silent authentication of the user.


At the implementation level, the following five steps are included:

Data collection

There are many kinds of signals on a mobile device that can be used for fraud detection, including:

Motion data: mouse movements, typing speed, etc.

Location data: the most important signal on mobile is location behavior. Almost everyone carries a mobile phone, and each person's location movement data is unique, which forms a unique location behavior fingerprint. The data shows that 90% of mobile logins occur in trusted locations, and 95% of sensitive transactions that occur in trusted locations are legitimate.

Specifically, the following location data can be used:

GPS

GPS signals are easy to fake, using GPS spoofing apps, VPNs, proxies and emulators, and positioning accuracy depends on atmospheric conditions, signal blocking (poor signal indoors) and receiver quality, usually between 10 and 100 meters.

IP address

Wi-Fi information

Wi-Fi location is useful indoors, where GPS performs poorly; detecting and identifying the reputation and size of the Wi-Fi network also makes it easier to analyze the correlation between location, devices and fraudulent activity.

Bluetooth information

Bluetooth has an accuracy of 1-2 meters and can be used in indoor positioning systems; a smartphone can determine its location from built-in BLE signals.

Cellular network data

Base station signals can also be used for geolocation, but they are less accurate than GPS, usually with an error in the range of about 100 meters to several thousand meters.


A single location signal is easy to forge and may be inaccurate, so a "trusted location" usually needs to combine multiple location data sources. This is more accurate, and forging several location signals at the same time is much harder.
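As an added example (not code from the original article), the following Python cross-checks several location signals against each other and against a user's learned trusted locations, in the spirit of the "combine multiple location data" advice above. The coordinates, accuracy radii and trusted-location list are constructed sample values; the rule that two signals disagree when they are farther apart than the sum of their accuracy radii, and the 500 m trusted radius, are assumptions chosen for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in meters between two WGS-84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = math.radians(lat2 - lat1)
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def disagreeing_pairs(signals):
    """signals: {name: (lat, lon, accuracy_m)}.
    Assumed rule: two signals disagree when they are farther apart than
    their combined accuracy radii. Returns [(name_a, name_b, distance_m), ...]."""
    names = sorted(signals)
    out = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            la, loa, acc_a = signals[a]
            lb, lob, acc_b = signals[b]
            d = haversine_m(la, loa, lb, lob)
            if d > acc_a + acc_b:
                out.append((a, b, round(d)))
    return out


def in_trusted_location(lat, lon, trusted, radius_m=500.0):
    """True if the point lies within radius_m of any previously learned trusted spot."""
    return any(haversine_m(lat, lon, tl, tn) <= radius_m for tl, tn in trusted)


def assess_location(signals, trusted):
    """Combine the checks: a GPS fix that contradicts the harder-to-fake signals
    (cell tower, IP) is treated as suspect; consistent signals are then matched
    against the trusted-location set."""
    conflicts = disagreeing_pairs(signals)
    if any("gps" in pair[:2] for pair in conflicts):
        verdict = "gps_suspect"
    elif conflicts:
        verdict = "inconsistent"
    else:
        lat, lon, _ = signals.get("gps") or next(iter(signals.values()))
        verdict = "trusted" if in_trusted_location(lat, lon, trusted) else "new_location"
    return {"verdict": verdict, "conflicts": conflicts}


# Constructed samples (not real users). The "home" point is near central Beijing.
TRUSTED = [(39.9042, 116.4074)]

CONSISTENT = {
    "gps": (39.9050, 116.4080, 50),
    "cell": (39.9030, 116.4100, 800),
    "ip": (39.9100, 116.4000, 3000),
}

# GPS claims Beijing while the cell tower and IP geolocation both place the
# device near Shanghai: the cheap-to-fake signal is the odd one out.
SPOOFED = {
    "gps": (39.9050, 116.4080, 50),
    "cell": (31.2304, 121.4737, 800),
    "ip": (31.2300, 121.4700, 3000),
}

if __name__ == "__main__":
    for label, s in (("consistent", CONSISTENT), ("spoofed", SPOOFED)):
        print(label, assess_location(s, TRUSTED))
```

The verdict only says which signal is the outlier; in a real deployment the "gps_suspect" result would feed the risk score rather than block on its own, since an accuracy radius is an estimate and a single base station can also be mislocated.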

Device (terminal) information: hardware configuration, operating system, browser information, etc.

Behavioral modeling

The collected data needs machine learning for risk analysis, and the model is the core. The modeling process includes:

Determining features: the feature vectors are the collected data.

Pattern recognition: identify users by their login location, device and browser information, and operating habits.

Establishing a baseline of behavior.

Risk analysis

Based on the individual data received, combined with the user's current and historical location behavior, device sensor data and fraud monitoring lists, a risk score and confidence rating are calculated in real time by a set of algorithms to distinguish legitimate users from fraudsters.

Dynamic adjustment

A user's behavior pattern is not fixed: for example, the user may move to another city for work, or spend more time at home caring for family. If the behavior pattern is not adjusted, this may trigger frequent step-up authentication and hurt the user experience.

Incremental learning mechanism

The key to incremental learning is that each time new data arrives, the system recalculates the baseline from the new data and adjusts the existing model. This does not require retraining on the full data set, so it can run efficiently in a real-time environment. It can effectively adjust baselines in the following situations:

Changes in device or network environment: if a user changes devices, logs in from a new network, or switches to a VPN, the system needs to incorporate these changes into the user behavior model rather than judging them high-risk every time.

Location changes: users log in during a business trip or holiday, and the system needs to fold these new geographic locations into the baseline.

Changes in operating habits: Behavioral characteristics such as a user's typing speed and mouse movement trajectory may change over time.

Feedback mechanisms

User feedback can be used to confirm whether an operation was legitimate, and the baseline is then adjusted accordingly. For example, when the system requires the user to perform additional authentication, the user can confirm whether the operation was theirs:

Identity confirmed: the system records the operation as normal and adjusts the baseline with information from it, such as a new device or a new geographic location.

Reported as not the user's action: if the user reports that an action was not theirs, the system raises its vigilance for similar actions and tightens the baseline further to prevent similar attacks in the future.

Response strategy

Based on the risk score level computed in real time, a corresponding security response strategy can be designed:

Low risk: when the user's behavior matches the behavior baseline, zero-factor authentication applies, that is, the request is released directly.

Medium risk: alerts can be sent to the user promptly.

High risk: triggers actions such as multi-factor authentication or account locking.
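As an added example that is not from the original article, the following Python sketch ties together the behavioral modeling, risk analysis, incremental learning, feedback and response-strategy steps described above in one runnable loop. The baseline here is a per-user set of known devices and locations plus an exponential moving average of the typing interval; that choice, the score weights (40/30/30), the 30/60 decision thresholds and the "strictness" multiplier are all assumptions standing in for the article's machine learning model, and the event history is constructed.

```python
import math
from dataclasses import dataclass, field

ALPHA = 0.2  # EMA weight: higher means the baseline adapts faster to recent behavior


@dataclass
class Baseline:
    """Per-user behavioral baseline, updated incrementally (no full retraining)."""
    typing_mean: float = 0.0    # running mean of inter-key interval (ms)
    typing_var: float = 0.0     # running variance of the same
    n: int = 0
    devices: set = field(default_factory=set)
    locations: set = field(default_factory=set)
    strictness: float = 1.0     # multiplier raised after "this wasn't me" reports


def learn(b: Baseline, ev: dict) -> None:
    """Fold one legitimate event into the baseline (incremental learning)."""
    b.n += 1
    if b.n == 1:
        b.typing_mean = float(ev["typing_ms"])
    else:
        diff = ev["typing_ms"] - b.typing_mean
        b.typing_mean += ALPHA * diff
        b.typing_var = (1 - ALPHA) * (b.typing_var + ALPHA * diff * diff)
    b.devices.add(ev["device"])
    b.locations.add(ev["location"])


def risk_score(b: Baseline, ev: dict) -> float:
    """0-100: distance of the event from the baseline, scaled by strictness."""
    score = 0.0
    if ev["device"] not in b.devices:
        score += 40
    if ev["location"] not in b.locations:
        score += 30
    std = max(math.sqrt(b.typing_var), 10.0)  # floor so a tight baseline is not brittle
    z = abs(ev["typing_ms"] - b.typing_mean) / std
    if z > 3:
        score += 30
    elif z > 2:
        score += 15
    return min(100.0, score * b.strictness)


def decide(score: float) -> str:
    """Tiered response strategy (thresholds are assumptions)."""
    if score < 30:
        return "allow"      # low risk: zero-factor, release directly
    if score < 60:
        return "alert"      # medium risk: notify the user
    return "step_up"        # high risk: MFA or lock the account


def feedback(b: Baseline, ev: dict, it_was_me: bool) -> None:
    """User feedback after a step-up: confirmed events widen the baseline,
    reported events tighten it for similar behavior."""
    if it_was_me:
        learn(b, ev)        # a new device or city becomes part of the baseline
        b.strictness = max(1.0, b.strictness * 0.9)
    else:
        b.strictness = min(2.0, b.strictness + 0.5)


def run_demo():
    """Constructed history for one user, then a sequence of events and decisions."""
    b = Baseline()
    for ms in [180, 175, 190, 185, 178, 182, 188, 176, 184, 180]:
        learn(b, {"device": "phone-A", "location": "Beijing", "typing_ms": ms})
    usual = {"device": "phone-A", "location": "Beijing", "typing_ms": 183}
    new_dev = {"device": "phone-B", "location": "Beijing", "typing_ms": 183}
    trip = {"device": "phone-B", "location": "Shanghai", "typing_ms": 183}
    third = {"device": "phone-C", "location": "Beijing", "typing_ms": 183}
    emu = {"device": "emu-1", "location": "Lagos", "typing_ms": 400}
    out = []
    out.append(("usual", decide(risk_score(b, usual))))
    out.append(("new device", decide(risk_score(b, new_dev))))
    out.append(("new device + new city", decide(risk_score(b, trip))))
    feedback(b, trip, it_was_me=True)          # user confirms the trip
    out.append(("after user confirms", decide(risk_score(b, trip))))
    out.append(("third device", decide(risk_score(b, third))))
    out.append(("foreign emulator", decide(risk_score(b, emu))))
    feedback(b, emu, it_was_me=False)          # user reports it was not them
    out.append(("third device after report", decide(risk_score(b, third))))
    return out


if __name__ == "__main__":
    for label, decision in run_demo():
        print(f"{label:28s} -> {decision}")
```

Note how the same "unknown device from the home city" event is merely an alert before the fraud report and a step-up afterwards: the report raised the strictness multiplier, which is the "tighten the baseline" behavior the feedback section describes, while the confirmed trip was folded into the baseline without retraining on the whole history.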

Case

For the financial and insurance industry, ensuring identity security across multiple channels such as mobile, web, branches and call centers, whether for transfers or balance inquiries, requires giving users a secure and frictionless experience.

Using mobile network, location and smart-device data (Wi-Fi, Bluetooth, etc.), zero-factor authentication solutions can silently detect account hijacking and attacks such as large-scale emulators faking device fingerprints, with a false positive rate far lower than that of common identity authentication schemes. Specifically, the following problems can be addressed:

1) Addressed by risk-based authentication signals:

Passwordless login

Device replacement

Reset your password

Change your email and mobile phone number

2) Smart location signals can help solve:

Account hijacking protection

New Account Fraud Detection

Transaction fraud detection

GPS Forgery Detection

Summary

Zero trust emphasizes "continuous verification, never trust", but because continuous verification greatly interferes with the user's business access, few products truly achieve it, and zero-factor authentication technology is expected to improve the situation on mobile terminals. The zero-factor authentication solution on mobile has the following benefits:

1) It only collects location information and device data in the background on the mobile terminal and is imperceptible to the user.

2) Because it is frictionless, it is ideal as a continuous authentication strategy, providing risk-based, real-time authentication that can serve as either a primary or a secondary authentication factor.

3) High security: multi-factor authentication based on behavior patterns and device characteristics is very hard to forge, so it can effectively prevent identity theft and network attacks.

With the further development of data analysis technology, zero-factor authentication is expected to be widely used in more fields in the future.

https://mp.weixin.qq.com/s/vaXFsMflgcIrPjFJRhSzrQ
