Passwordless Security for Banking

Rohan Ramesh from Entrust discussed moving away from passwords to provide a more seamless and secure customer experience for digital banking. Passwords are the weakest form of authentication and are often compromised through attacks. Entrust recommends implementing modern authentication methods like FIDO2 and push notifications to enable passwordless authentication on mobile devices. Adaptive risk-based authentication and continuous authentication can also help prevent fraud and impersonation by monitoring device, network, behavioral and transactional signals.
Secure. Seamless. Passwordless.

Rohan Ramesh | Director of Product Marketing | Entrust

PLATFORM INFORMATION & QUICK TIPS

• Download the presentation deck from the MATERIALS window.

• Platform Windows can be hidden or expanded to fit your preference.

• Submit questions in the Q&A window.

• Use the HELP icon at the bottom for FAQs and system requirements.

• Experiencing technical difficulties? Try REFRESHING your browser!


CPE CREDIT PROCESS
LIVE EVENT & ON DEMAND RECORDING

• You must view the live or recorded webinar for the required amount of time (50 minutes). Check the CPE Credit window to view the timer.
• Your CPE Certificate will automatically appear in the ISACA CPE RECORDS tab on the MyISACA page after completing the required viewing time.
• Please be patient. This process could take up to 48 hours for your CPE Certificate and the CPE credit to be applied to your account.
• As a reminder, ALL ISACA webinars, the CPE credits and CPE certificates expire 365 DAYS POST LIVE EVENT. Please make sure you save the appropriate documents to your personal records.
TODAY’S SPEAKER
• Rohan Ramesh

• Director of Product Marketing | Identity and Access Management

• Entrust
BY THE NUMBERS

• At $18.3M per year, per company, cost of cyberattacks is highest in banking
• Mobile banking fraud has increased by 41%, incurring financial losses valued at $21.6 million
• Global identity fraud losses reached a whopping $56 billion, with financial institutions, businesses and consumers all suffering
• 90% of consumers worry about digital bank fraud
• 81% of hacking-related breaches leveraged either stolen and/or weak passwords


DIGITAL TRANSFORMATION IN FINANCIAL SERVICES

• Compliance mandates
• Consumer expectations
• Technology enablers
• Competitive landscape
• Pandemic

DIGITAL CHALLENGES AND RISKS

• Rising cyberattacks
• New data privacy regulations
• Use of smart devices
• Connected everything
• Digital payments & CNP transactions

Need for a complete trust environment with a strong trust anchor


IT IS ALL ABOUT THE CONSUMER EXPERIENCE (CX)

The modern banking consumer expects:
• Trust, transparency, convenience and security
• Personalization
• Real-time card issuance
• Mobile banking
• Digital payments
• Seamless, simple and consistent omnichannel experience
• Behavioral analytics
• Expectations of privacy and security
• Mobile first experience
• Protection from fraud
• Advanced cyber attacks
• Frictionless and fast access
• Personalization in digital engagement


CUSTOMER DIGITAL JOURNEY

Sign up
• Fake IDs
• Compromised devices

Log in
• Compromised credentials
• Password fatigue
• Weak passwords
• Phishing and other password stealing techniques
• MFA fatigue

Transact
• Fraudulent transactions
• User impersonation

Contact Support
• User impersonation
• Unsecure communication channels
ROADMAP FOR A SEAMLESS & SECURE CONSUMER EXPERIENCE

• Verify consumer identities
• Issue secure consumer credentials
• Apply strong customer authentication (SCA)
• Take consumers passwordless
• Employ continuous authentication
• Secure financial infrastructure
• Safeguard transactions and payments

CHECK DEVICE REPUTATION

Check for:
1. Device reputation
2. Safe
3. TOR/Proxy

Prevent compromise of valid credentials


SECURE DIGITAL ONBOARDING WITH MOBILE ID PROOFING

Sign up for new account (bank): with successful identity verification, the user signs up for banking services.

1. Capture & Classify
2. Facial Recognition
3. Validation / Identity
4. Secure Account Creation

REMOTE DIGITAL SIGNATURES

Parties: User, Application, Remote signing service

1. Agreement
2. Sign
3. Login (SSO)
4. Authorization request
5. Signature request
6. Signed
7. Signed agreement
TIME TO MOVE AWAY FROM PASSWORDS

Weakest form of security
• 73% of passwords are duplicates [1]
• 80% of breaches involve passwords [2]

Reduces productivity
• 20% of time spent on managing passwords [3]
• Complex policies + difficult recovery

Poor user experience
• 1/5 users fail to authenticate [4]
• Change passwords every 60 / 90 days

ATTACKS AGAINST PASSWORDS

• Keylogger attacks
• Credential stuffing
• Password spraying
• Phishing
• Copying passwords
• Brute force attacks
• Shoulder surfing
• Man-in-the-middle
MOBILE PUSH NOTIFICATION

FIDO2 FOR CONSUMER ONLINE BANKING – PASSWORDLESS

• FIDO token
• eBank
• Passwordless BYOK
• Signed transactions
• Native browser support
• FIDO2 + QR code

ENABLE MULTI-FACTOR AUTHENTICATION (MFA) – MOBILE CENTRIC

• Secure push notification
• Passwordless
• FIDO2
• Social login
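The deck lists FIDO2 as the passwordless option for consumer online banking but does not show why it resists the phishing and man-in-the-middle attacks listed on the surrounding slides. The following Go program is an added example, not Entrust's code or the project's own implementation: it simulates a FIDO2 token with an ECDSA P-256 key and runs the relying-party checks a bank performs on an authentication response (challenge freshness, origin binding, rpIdHash, user-presence flag, signature counter, signature). The hostnames `ebank.example` and `ebank-login.example` are constructed placeholders, and the response format is a simplified version of the WebAuthn structures (no CBOR, no attestation).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is what the bank (the relying party) keeps after FIDO2 registration.
type Credential struct {
	PublicKey *ecdsa.PublicKey
	Counter   uint32 // last signature counter seen; must only increase
}

// Assertion carries the parts of a WebAuthn authentication response that the
// relying party verifies (simplified: no CBOR encoding, no attestation).
type Assertion struct {
	AuthenticatorData []byte // SHA-256(rpId) || flags || 4-byte big-endian counter
	ClientDataJSON    []byte // {"type","challenge","origin"} as the browser builds it
	Signature         []byte // ASN.1 ECDSA over AuthenticatorData || SHA-256(ClientDataJSON)
}

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator is a constructed stand-in for a FIDO2 token (hypothetical, demo only).
type Authenticator struct {
	key     *ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{key: k}, err
}

// Register returns the public-key credential the bank stores for this user.
func (a *Authenticator) Register() *Credential { return &Credential{PublicKey: &a.key.PublicKey} }

// Sign answers a challenge for the origin the browser reports. A real browser only
// lets the token sign when rpID matches the page's origin; the demo lets it sign
// for any origin so the relying-party checks can be seen rejecting a look-alike site.
func (a *Authenticator) Sign(rpID, origin, challenge string) (Assertion, error) {
	a.counter++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // flags = user present, then counter
	binary.BigEndian.PutUint32(authData[33:], a.counter)
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, digest[:])
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// NewChallenge is what the bank sends at the start of each login; it must be fresh.
func NewChallenge() (string, error) {
	b := make([]byte, 32)
	_, err := rand.Read(b)
	return base64.RawURLEncoding.EncodeToString(b), err
}

// VerifyAssertion runs the relying-party checks that make FIDO2 phishing-resistant.
func VerifyAssertion(cred *Credential, rpID, expectedOrigin, issuedChallenge string, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != issuedChallenge {
		return errors.New("challenge mismatch: replayed or forged response")
	}
	if cd.Origin != expectedOrigin { // the browser wrote the real page origin here
		return errors.New("origin mismatch: response was produced for " + cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthenticatorData) < 37 || !bytes.Equal(as.AuthenticatorData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if as.AuthenticatorData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	counter := binary.BigEndian.Uint32(as.AuthenticatorData[33:37])
	if counter <= cred.Counter {
		return errors.New("signature counter did not increase: replay or cloned authenticator")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(cred.PublicKey, digest[:], as.Signature) {
		return errors.New("signature does not verify under the registered key")
	}
	cred.Counter = counter
	return nil
}

// Demo runs three logins against one credential: a genuine one, a replay of the
// same response, and one produced on a look-alike phishing origin (constructed names).
func Demo() (genuine, replay, phish error) {
	const rpID, origin, phishOrigin = "ebank.example", "https://ebank.example", "https://ebank-login.example"
	auth, err := NewAuthenticator()
	if err != nil {
		return err, err, err
	}
	cred := auth.Register()
	ch, _ := NewChallenge()
	as, _ := auth.Sign(rpID, origin, ch)
	genuine = VerifyAssertion(cred, rpID, origin, ch, as)
	replay = VerifyAssertion(cred, rpID, origin, ch, as) // same response again: counter did not advance
	ch2, _ := NewChallenge()
	as2, _ := auth.Sign(rpID, phishOrigin, ch2) // relayed through a phishing page
	phish = VerifyAssertion(cred, rpID, origin, ch2, as2)
	return
}

func main() {
	g, r, p := Demo()
	fmt.Println("genuine:", g, "| replay:", r, "| phishing origin:", p)
}
```

The point to take from the output is that the phishing response carries a perfectly valid signature from the real token, and the bank still rejects it, because the origin the browser wrote into the client data is not the bank's. That property is what a push notification or an OTP cannot offer: nothing in those factors is bound to where the user typed.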
MFA ATTACKS
• Man-in-the-middle (MitM)
• SIM swapping
• MFA Fatigue / prompt bombing
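MFA fatigue, or prompt bombing, is the one attack on this slide a bank can detect in its own authentication logs rather than on the user's device: the attacker needs many push prompts in a short time, and the approval that finally arrives sits inside that burst. The Go program below is an added example written for this page, not Entrust's detection logic; it runs a sliding-window count over constructed push-notification events (users `alice` and `bob`, timestamps and outcomes all made up), flags users whose prompt rate exceeds a threshold, and reports whether an approval landed inside the flagged window. Window length and threshold are assumptions a deployment would tune.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// PushEvent is one push-notification challenge as the authentication service logs it.
type PushEvent struct {
	User    string
	At      time.Time
	Outcome string // "approved", "denied" or "expired"
}

// FatigueFinding names a user who received more prompts in one window than a
// legitimate login sequence would produce.
type FatigueFinding struct {
	User       string
	Prompts    int
	WindowFrom time.Time
	WindowTo   time.Time
}

// SampleEvents is constructed log data: alice logs in normally; bob receives a
// burst of prompts he keeps denying until one is finally approved.
func SampleEvents() []PushEvent {
	base := time.Date(2022, 5, 1, 9, 0, 0, 0, time.UTC)
	m := func(d int) time.Time { return base.Add(time.Duration(d) * time.Minute) }
	return []PushEvent{
		{"alice", m(0), "approved"},
		{"alice", m(60), "approved"},
		{"bob", m(30), "approved"},
		{"bob", m(120), "denied"},
		{"bob", m(121), "denied"},
		{"bob", m(122), "expired"},
		{"bob", m(123), "denied"},
		{"bob", m(124), "denied"},
		{"bob", m(125), "approved"},
	}
}

// DetectPromptBombing slides a window over each user's prompts (any outcome,
// since the attacker controls how many are sent) and reports the densest window
// when it holds more than maxPrompts. Users are returned in sorted order.
func DetectPromptBombing(events []PushEvent, window time.Duration, maxPrompts int) []FatigueFinding {
	byUser := map[string][]time.Time{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e.At)
	}
	users := make([]string, 0, len(byUser))
	for u := range byUser {
		users = append(users, u)
	}
	sort.Strings(users)
	var findings []FatigueFinding
	for _, u := range users {
		ts := byUser[u]
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		best := FatigueFinding{User: u}
		start := 0
		for end := range ts {
			for ts[end].Sub(ts[start]) > window { // shrink from the left until the window fits
				start++
			}
			if n := end - start + 1; n > best.Prompts {
				best = FatigueFinding{User: u, Prompts: n, WindowFrom: ts[start], WindowTo: ts[end]}
			}
		}
		if best.Prompts > maxPrompts {
			findings = append(findings, best)
		}
	}
	return findings
}

// ApprovedDuringBurst reports whether the user approved any prompt inside the
// flagged window. That approval is the one to treat as a probable compromise:
// revoke the session it opened and require a phishing-resistant factor to resume.
func ApprovedDuringBurst(events []PushEvent, f FatigueFinding) bool {
	for _, e := range events {
		if e.User == f.User && e.Outcome == "approved" && !e.At.Before(f.WindowFrom) && !e.At.After(f.WindowTo) {
			return true
		}
	}
	return false
}

func main() {
	events := SampleEvents()
	for _, f := range DetectPromptBombing(events, 10*time.Minute, 3) {
		fmt.Printf("%s: %d prompts between %s and %s, approved during burst: %v\n",
			f.User, f.Prompts, f.WindowFrom.Format(time.Kitchen), f.WindowTo.Format(time.Kitchen),
			ApprovedDuringBurst(events, f))
	}
}
```

Counting every prompt, not just denied ones, matters: the attacker decides how many are sent, and the only event the victim controls is the eventual approval. The same sliding-window logic also supports a preventive control (stop issuing push prompts to a user once the threshold is crossed, and offer number matching or FIDO2 instead), which is the mitigation the later slides describe as step-up authentication.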
ADAPTIVE RISK-BASED AUTHENTICATION

• Transaction attributes
• Time of day / day of week
• IP address
• Geo location
• Known location
• Trusted devices
• Velocity
• Device reputation
PREVENT USER IMPERSONATION AND FRAUD

Malware inspector
• DOM analysis
• Form structure
• iFrame content
• Malware signatures
• Script inspector

Device profiler
• Device fingerprint (ID)
• Color depth
• # CPU
• Device pixel ratio
• Screen resolution
• Device total disk/RAM
• OS & browser
• IMEI
• Installation ID
• Audio/video formats
• Time zone
• Language

Threat intelligence
• Botnets
• Fraudster devices
• Fraudster geolocation
• C&C
• Tor, VPN & proxy intelligence

Network intelligence
• IP address
• Connection speed/type
• Wi-Fi SSID/BSSID
• ISP name
• Domain
• ASN
• Country
• City

Behavioral biometrics
• Double click
• Mouse scrolling
• Special keys
• Mouse movements
• Touchscreen
• Gyroscope
• Keystroke patterns

Behavioral analytics
• User journey
• Velocity checks
• Date/time of connection
• Transaction intelligence
EMPLOY CONTINUOUS AUTHENTICATION

Data & Context (users, devices, things)
• Emerging contextual elements
• Advanced device reputation
• User behavior
• HTTP traffic analysis
• Geolocation
• Device fingerprint
• Data analysis
• Velocity

Insight & Engine
• Self-learning
• Predictive

Policy
• Block
• Challenge
• Allow

Intelligent Authentication
• Emerging biometrics: face, finger
• Mobile with PKI
• Mobile OTP & SMS
• FIDO + QR code
• Hardware tokens
• Soft tokens
• Grid cards
• Auth & Access
3-D SECURE V2 FOR CARD-NOT-PRESENT TRANSACTIONS

• Risk-based authentication of CNP transactions
  • Device ID & reputation, shipping address, previous transaction history, 3D Secure transaction size, geo-location…
• Higher risk transactions flagged, and additional verification applied to both transaction and consumer identity BEFORE the transaction is completed
• Benefits
  • Reduces amount of CNP based fraud
  • Improves confidence in on-line purchases for Banks, Merchants and Consumers
  • Meets PSD2 requirements for Strong Customer Authentication
3-DS

Participants: Consumer, Merchant, 3DS Service, Card Issuer Bank, Identity as a Service Provider, Consumer Bank App

1. Cardholder makes CNP transaction
2. 3DS Program forwards transaction details to the 3DS Service
3. 3DS service assesses transaction risk
   • Low risk: no further authentication required
   • High risk: authentication required
4. Identity as a Service Provider: authentication challenge sent to consumer
5. Challenge response provided (Consumer Bank App)

Authentication options
• Mobile Smart Credential
• Mobile Soft Token
• Challenge Response Token
• Camera Token
• SMS DL OTP
SECURE THE CUSTOMER DIGITAL JOURNEY AND FIGHT FRAUD

Sign up
• Device reputation
• ID Proofing
• Create secure digital identity
• Digital signature and secure remote document signing

Log in
• Single Sign-on (SSO)
• Passwordless
• Multi-factor Authentication (MFA)
• Continuous risk-based authentication

Transact
• Secure high value transactions
• 3-DS for CNP transactions
• Step-up authentication

Contact Support
• Verify identity when contacting support
Questions?

ENTRUST IDENTITY AND ACCESS MANAGEMENT PORTFOLIO

Authenticate
• High assurance credential-based identity
• Multi-factor authentication
• Identity proofing

Authorize
• Passwordless access
• Unified SSO – cloud, on-prem, hybrid, Social Login
• Access VPN, systems, portals

Manage
• User provisioning & policy management
• Workflow orchestration
• Self-service password resets
• Adaptive risk-based authentication

Transact
• Email & file encryption
• Document signing
• Transaction confirmation
• Non-repudiation

Secure Identities: Workforce | Consumer | Citizen
Zero Trust Framework
In compliance with KYC/AML processes and regional regulatory standards (PSD2, GDPR, etc.)

Broadest Range of Authenticators | Comprehensive Integrations | Flexible Deployment Options | Mobile SDK
THANK YOU FOR ATTENDING
This training content (“content”) is provided to you without warranty, “as is” and “with all faults”. ISACA makes no representations or warranties express or implied, including those of merchantability, fitness for a particular purpose or performance, and non-infringement, all of which are hereby expressly disclaimed.

You assume the entire risk for the use of the content and acknowledge that: ISACA has designed the content primarily as an educational resource for IT professionals and therefore the content should not be deemed either to set forth all appropriate procedures, tests, or controls or to suggest that other procedures, tests, or controls that are not included may not be appropriate; ISACA does not claim that use of the content will assure a successful outcome and you are responsible for applying professional judgement to the specific circumstances presented in determining the appropriate procedures, tests, or controls.

Copyright © 2022 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may not be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).