Entrust IdentityGuard

User Authentication Methods

Organizations require a range of user authentication capabilities that allow them to move beyond single-factor authentication (username/password) and address a wider audience of users than they do today. Entrust IdentityGuard is a versatile authentication platform that provides one of the widest ranges of authentication capabilities on the market today. It helps enable organizations to layer the appropriate user authentication method to match a particular transaction risk — all from a single platform.

These layers of user authentication can be applied to a wider audience of users in ways that help reduce the impact on the user experience, defend the transactions that are at risk of fraud and reduce expenditure on strong authentication technologies.

As a key component of a layered security model, the Entrust IdentityGuard versatile authentication platform can help detect and defend users by:

Versatile Authentication Options

Versatile authentication platforms deliver strong authentication security commensurate with the risk of fraud as assessed by these organizations for accessing a given online application. These platforms also help prevent identity fraud by making the user's identity more difficult to steal — even if the user falls victim to some form of identity fraud such as phishing or man-in-the-middle attacks. Entrust IdentityGuard delivers several different versatile authentication options:

  • Username & Password
  • IP-Geolocation
  • Machine Authentication
  • Knowledge-Based Authentication
  • Grid Authentication
  • One-Time-Password (OTP) Lists
  • Out-of-Band Authentication
  • Entrust IdentityGuard OTP Tokens

Username and Password
One of the most common, yet widely accepted and understood, authentication methods is the use of usernames and passwords. As a central authentication service, Entrust IdentityGuard may be called upon to validate all authentication requests, including the validation of username and passwords. Entrust IdentityGuard includes not only validation of a user's password, but also enforcement of password composition, as well as password change policies. This authentication capability can help remove the need for any application to require the native implementation of username and password.

IP-Geolocation
Entrust IdentityGuard delivers the ability to assess a user's identity, in conjunction with another of the platform's authenticators, based on IP-geolocation technology. The platform enables organizations to define white and black lists of Internet protocol (IP) addresses that can be used in an assessment of whether the authentication should proceed or require a stronger form (i.e., step-up) of authentication.

It also includes the ability to profile users intelligently, storing a history of not just what machine the user logs in from, but also their typical geographic location. Leveraging the Entrust Open Fraud Intelligence Network (OFIN) for feeding regular updates of IP data into the product, Entrust IdentityGuard's IP-geolocation capabilities can strengthen authentication and help to better assess the risk of a transaction being undertaken by a user.

Although typically thought of in consumer environments, Entrust IdentityGuard also provides IP-geolocation authentication for use with remote access environments, allowing a unique way of strongly authenticating users without having to deploy a physical component.

Machine Authentication
This method provides validation of the user's computer — via a specific machine "fingerprint" — in a transparent manner that defends against a variety of threats in a low-impact manner. This is an especially effective method of strengthening user authentication where users typically access their account from a regular set of machines, allowing for stronger authentication to be performed without any significant impact to the user experience.
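The IP-geolocation and machine-authentication sections above describe a step-up decision: consult allow and deny lists of addresses, compare the user's current country and machine "fingerprint" against the history kept for that user, and either proceed, deny, or demand a stronger authenticator. The following Python is an added illustration of that decision logic, not Entrust IdentityGuard code; the address ranges, the tiny in-memory geolocation table (standing in for a feed such as OFIN), the fingerprint attributes and the function names are all constructed for the example.

```python
import hashlib
import ipaddress
import json
from dataclasses import dataclass, field

# Constructed policy lists using documentation address ranges (RFC 5737);
# not real Entrust configuration.
ALLOW_LIST = [ipaddress.ip_network("203.0.113.0/24")]   # e.g. a partner's fixed egress range
DENY_LIST = [ipaddress.ip_network("198.51.100.0/24")]   # e.g. a range you have chosen to block

# Constructed stand-in for an IP geolocation feed: network -> ISO country code.
GEO_DB = {
    ipaddress.ip_network("203.0.113.0/24"): "CA",
    ipaddress.ip_network("198.51.100.0/24"): "XX",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}


@dataclass
class UserProfile:
    """History kept per user: where they log in from and on which machines."""
    known_countries: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)    # machine fingerprint digests


def machine_fingerprint(attributes: dict) -> str:
    """Digest of stable client attributes (constructed example of a 'fingerprint')."""
    canonical = json.dumps(attributes, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def geolocate(ip: str):
    """Country for an address, or None when the feed does not know it."""
    addr = ipaddress.ip_address(ip)
    for network, country in GEO_DB.items():
        if addr in network:
            return country
    return None


def in_any(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def assess(profile: UserProfile, ip: str, device_fp: str) -> str:
    """Decide 'deny', 'proceed' (password is enough) or 'step_up' (ask for a second factor)."""
    if in_any(ip, DENY_LIST):
        return "deny"
    if in_any(ip, ALLOW_LIST):
        return "proceed"
    country = geolocate(ip)
    familiar_place = country is not None and country in profile.known_countries
    familiar_device = device_fp in profile.known_devices
    # Only a familiar location on a familiar machine passes without step-up;
    # an address the feed cannot place is treated as unfamiliar.
    if familiar_place and familiar_device:
        return "proceed"
    return "step_up"


def record_success(profile: UserProfile, ip: str, device_fp: str) -> None:
    """After a login that completed (including any step-up), extend the user's history."""
    country = geolocate(ip)
    if country is not None:
        profile.known_countries.add(country)
    profile.known_devices.add(device_fp)
```

The profile is only extended after a login that actually completed, so a first sighting of a new machine or country costs the user one step-up and is then remembered; the deny list wins over everything else so that a familiar device cannot be used to bypass a blocked range.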

Knowledge-based Authentication
One of the simplest mechanisms for gaining additional confidence in a user's identity, knowledge-based authentication challenges users to provide information that an attacker is unlikely to know (e.g., place of birth, mother's maiden name, first car). Based on "shared secrets," this allows the organization to question the user when appropriate to confirm information that is already known about the user through a registration process or based on previous transactions.

Grid Authentication
Grid authentication provides organizations a means to implement simple, effective, two-factor authentication by leveraging a security grid card. Users receive a security grid that contains a series of numbers and letters in clearly labeled columns and rows. These security grids can be delivered to users as credit card-sized cards, or printed on the backs of access badges, credit or ATM cards, or even printed on billing statements and other confidential communications.

To perform strong user authentication with a security grid, in addition to existing usernames and passwords (something you know), users would be required to respond to random Entrust IdentityGuard challenges requesting information that they would locate on their security grids (something you have).

One-Time-Password Lists
One-time-password (OTP) lists are an alternative to deploying a security grid for user authentication. With this approach, end-users are provisioned with a list of randomly generated passwords that are typically printed on a sheet of paper, or hidden under "scratch cards" that are distributed to and carried by end-users.

When stronger user authentication is required, users are prompted to enter one of the passwords from their OTP list. This can be done during account login in addition to the user's normal user name and password, or when performing a specific transaction as shown in the example:

To reduce susceptibility to phishing, man-in-the-middle or malware attacks, the entry the user is prompted for is chosen at random, and each OTP is accepted only once. This renders a captured OTP useless to an attacker.
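The grid and OTP-list sections above both describe the same server-side pattern: the server holds the secret the user was issued, picks at random which cells (or which numbered entry) to ask for, and accepts a response only against the challenge it actually issued, once. The Python below is an added illustration of both, written for this page rather than taken from Entrust IdentityGuard; the grid dimensions, character set, list length and class names are assumptions.

```python
import hmac
import random
import secrets
import string

CHARSET = string.ascii_uppercase + string.digits
_rng = random.SystemRandom()   # OS-seeded source for choice() and sample()


class GridCard:
    """Server-side record of one user's grid card (constructed example).

    Cells are addressed by column letter and row number, e.g. ('C', 2)."""

    def __init__(self, rows: int = 5, cols: int = 10):
        self.columns = list(string.ascii_uppercase[:cols])
        self.rows = list(range(1, rows + 1))
        self.cells = {(c, r): _rng.choice(CHARSET) for c in self.columns for r in self.rows}
        self.pending = None   # coordinates of the challenge currently outstanding

    def render(self) -> str:
        """Printable form, as it would appear on the card issued to the user."""
        header = "   " + " ".join(self.columns)
        lines = [f"{r:>2} " + " ".join(self.cells[(c, r)] for c in self.columns)
                 for r in self.rows]
        return "\n".join([header] + lines)

    def issue_challenge(self, n: int = 3):
        """Pick n distinct cells at random; only these answer the next response."""
        self.pending = _rng.sample(list(self.cells), n)
        return self.pending

    def verify(self, response: str) -> bool:
        if self.pending is None:
            return False
        expected = "".join(self.cells[coord] for coord in self.pending)
        self.pending = None   # a challenge can be answered at most once
        return hmac.compare_digest(expected, response.strip().upper())


class OtpList:
    """Server-side record of a printed list of one-time passwords (constructed example)."""

    def __init__(self, count: int = 20, length: int = 8):
        entries = set()
        while len(entries) < count:   # distinct values, so a used entry can never match another
            entries.add("".join(secrets.choice(string.digits) for _ in range(length)))
        self.entries = list(entries)
        self.used = [False] * count
        self.pending = None

    def prompt(self) -> int:
        """Choose an unused entry at random and return its 1-based number on the sheet."""
        unused = [i for i, u in enumerate(self.used) if not u]
        if not unused:
            raise RuntimeError("OTP list exhausted; issue a new one")
        self.pending = _rng.choice(unused)
        return self.pending + 1

    def verify(self, response: str) -> bool:
        if self.pending is None:
            return False
        index, self.pending = self.pending, None
        ok = hmac.compare_digest(self.entries[index], response.strip())
        if ok:
            self.used[index] = True   # never accept this value again
        return ok
```

Two details carry the security argument in the text: the server, not the client, chooses which cells or entry to ask for, so a phishing page that prompts for a different position collects values the real server will not ask for; and a value is consumed on success, so a captured response cannot be replayed.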

Out-of-Band Authentication
A security measure that takes advantage of alternate channels of communication, out-of-band authentication leverages an independent means to communicate with the user to defend against attacks that have compromised the primary channel. This is a very effective means of guarding against man-in-the-middle attacks where a legitimate online session may be used to piggy-back fraudulent transactions.

Out-of-band user authentication is also very convenient because it can leverage channels that already exist and are easy to access for customers, including voice calls to a telephone, SMS to a mobile phone, or email to a computer or mobile device.

Entrust IdentityGuard supports this user authentication capability by allowing the generation of one-time confirmation numbers that can be transmitted along with a transaction summary to the user.
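The point of sending the confirmation number together with the transaction summary is that the number is bound to the exact details the user sees on the second channel, so a transaction altered in the primary channel cannot be confirmed with it. The Python below is an added example of that binding on the server side; it is not Entrust IdentityGuard code, and the message format, the delivery callback, the six-digit code length, the five-minute lifetime and the attempt limit are all assumptions made for the illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    account: str
    payee: str
    amount_cents: int


class OutOfBandConfirmer:
    """Issues a one-time confirmation number per transaction and delivers it with the
    transaction summary over a second channel (constructed example)."""

    def __init__(self, deliver, ttl_seconds: int = 300, max_attempts: int = 3, clock=time.time):
        self.deliver = deliver          # callable(address, text): SMS, voice or e-mail gateway
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock              # injectable for testing
        self.pending = {}               # txn_id -> dict(code, txn, issued, attempts)

    def start(self, txn_id: str, txn: Transaction, address: str) -> None:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[txn_id] = {"code": code, "txn": txn, "issued": self.clock(), "attempts": 0}
        # The summary the user reads is the transaction the code will confirm, nothing else.
        summary = (f"Confirm payment of ${txn.amount_cents / 100:.2f} to {txn.payee} "
                   f"from account {txn.account}. Confirmation number: {code}")
        self.deliver(address, summary)

    def confirm(self, txn_id: str, submitted: Transaction, code: str) -> bool:
        entry = self.pending.get(txn_id)
        if entry is None:
            return False
        if self.clock() - entry["issued"] > self.ttl or submitted != entry["txn"]:
            # Expired, or the details about to be executed differ from those the
            # user was shown; discard the code rather than let it be retried.
            del self.pending[txn_id]
            return False
        if hmac.compare_digest(entry["code"], code.strip()):
            del self.pending[txn_id]    # one use only
            return True
        entry["attempts"] += 1          # tolerate a typo, but not a guessing loop
        if entry["attempts"] >= self.max_attempts:
            del self.pending[txn_id]
        return False
```

The `deliver` callback stands for whatever gateway carries the message (voice, SMS or e-mail); the example only requires that it is a channel the attacker controlling the browser session does not also control.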

Entrust IdentityGuard OTP Tokens
Available at an industry-first $5 price point, the Entrust IdentityGuard Mini Token, often referred to as a one-time-password (OTP) token, is a proven and accepted way of strongly authenticating users via a second factor of authentication. Tokens have primarily been deployed in enterprise environments, as they have traditionally been cost-prohibitive for large-scale deployments.

The Entrust IdentityGuard Mini Token is a high-quality, one-time-password device designed to help provide strong, versatile authentication to enterprises, governments and consumers. The token offers easy-to-use, time- and event-synchronous capabilities that can be deployed alone, or in a layered strategy, in combination with other authentication methods as part of the Entrust IdentityGuard versatile authentication platform.

Entrust offers multiple options for token-based authentication, including OATH and 3DES-based mini tokens, as well as the Entrust IdentityGuard Pocket Token for challenge-response capabilities.
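The OATH tokens mentioned above generate their codes with the published HOTP (RFC 4226, event-synchronous) and TOTP (RFC 6238, time-synchronous) algorithms, so the server side can be shown in full. The Python below is an added example of both, together with the resynchronisation a verifier needs when an event token's button has been pressed without the code being used; it is not Entrust's implementation, the look-ahead window and clock-drift allowance are assumed values, and the 3DES-based and challenge-response tokens the page also lists are vendor-specific and not covered here.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits, digestmod)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30, drift: int = 1) -> bool:
    """Accept the current step and `drift` steps either side to absorb clock skew."""
    t = int(time.time() if at is None else at)
    return any(hmac.compare_digest(hotp(secret, t // step + d), code)
               for d in range(-drift, drift + 1))


class EventTokenRecord:
    """Server-side state for one event-synchronous token (constructed example)."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.counter = 0          # next counter value the server expects
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        # Search forward from the expected counter so a token whose button was
        # pressed a few times without use can resynchronise.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # move past the used value: no replay, no reuse
                return True
        return False
```

The tests use the RFC 4226 and RFC 6238 reference secret ("12345678901234567890") so the codes can be checked against the published vectors. Note that the event-token verifier never moves its counter backwards: once a code has been accepted, that code and every earlier one are permanently rejected.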

As a versatile authentication platform, Entrust IdentityGuard also supports third-party OTP tokens — such as Vasco OTP tokens, for example — enabling organizations to leverage an open platform to manage all authentication requirements. This range gives deploying organizations a choice on how they want to strongly authenticate users, regardless of the authenticator.

Helping Reduce the Risk of Fraudulent Transactions
With one, or a combination, of these user authentication methods provided by the Entrust IdentityGuard versatile authentication platform, organizations can layer strong authentication to help reduce the risk of fraudulent transactions in a way that fits the user experience and risk. However, additional protection is needed to help prevent users from inadvertently providing personal information to fraudulent Web sites. This is especially true given the ever-increasing rates of phishing, including sophisticated attacks that can direct users to fraudulent sites even if the user enters the correct URL.

Organizations want to provide easy-to-use tools for users to authenticate the Web site they are visiting to be confident that they are not disclosing personal information to fraudulent sites, individuals or organizations. Mutual authentication methods are designed to provide this confidence by providing the user information they can use to confirm they are on the legitimate web site.

Learn more about how Entrust delivers a range of mutual authentication methods.