TrustedX Adaptive Authentication

Adaptive Authentication Server for Web and Cloud environments:

  • Strong authentication
  • Phishing and pharming protection
  • SaaS ready
  • No impact on user experience
  • No software download or install
  • Mobile device ready
  • Centralized control and auditing

Benefits

  • Layered security focus
    An additional layer of security transparently assesses the authentication risk level by taking into account the user's profile, habits and biometrics. Users continue using their passwords. They are only prompted for other authentication methods when a certain risk threshold is exceeded, which means there is hardly any impact on the user experience.
  • Direct integration
    Quick and efficient start-up in applications including Google Apps, Salesforce and the corporate Web portal thanks to the implementation of the common Web and Cloud environment protocols. SAML 2.0 and OAuth 2.0 are supported, which facilitates the federation of applications.
  • Connection with repositories
    The platform connects with repositories including LDAP and Microsoft AD, meaning no additional procedures for managing the identity and attributes are required. The platform acts as an identity provider. It increases the security in the authentication of the users and groups located in one or more repositories.
  • Policy-based management
    Management is based on policies that allow tailoring the authentication factors to each user group (employees, partners, clients, etc.) and application according to the trust level required in each case.
  • Centralized control and auditing
    The server supports managing single sign-on access control, responding quickly to security incidents and centralizing all the audit information, providing data on each authentication decision.

Operation

The authentication platform acts as an identity provider for the applications and enables customizing the authentication in each case using:

  • Adaptive authentication policies, which form a highly configurable authentication workflow that can request an additional step (deployed OTPs, SMS, etc.) when a threshold of acceptable risk is exceeded.
  • Context analysis policies, which analyse the user's device, location and connection habits to assess the risk of the authentication. Each policy is highly configurable and supports establishing which factors are considered and their weightings.
  • Authentication method classification, which determines the security level reached in each authentication.
  • Single sign-on (SSO), which streamlines the authentication of the users in multiple applications while respecting the security requirements.
  • Intuitive server authentication, which safeguards users against phishing and pharming attacks by having users recognize a customized image in the authentication interface.

The following are the characteristics of the context analysis:

  • TrustedX keeps a profile for each user. This profile is updated progressively and transparently after each access. In the interest of privacy, profiles can be abstracted from the explicit user identities.
  • Users can explicitly register trusted devices. TrustedX can recognize the devices registered by a user and any other devices used by that user.
  • TrustedX can recognize the user's keystroke dynamics, even for devices it has not been explicitly trained on. Keystroke dynamics is a biometric factor that does not affect the user experience.
  • Network information can be used to obtain the geographic location of the user, recognize locations the user has previously visited and even check whether the user accessed with the same device from this location. It can even check if the user could have physically traveled between two consecutive access locations.
  • The risk assessment of an authentication can be determinant, requiring the user to pass a set of factors. Alternatively, the risk can be assessed globally using a weighted combination of several factors. Optional factors can be used to detect minor anomalies.
  • An application is provided in which users can speed up the learning of some factors related to their authentication.
  • To facilitate configuring policies in the pre-production stage, TrustedX can operate in observation mode without interfering in the usual authentication.
  • The platform provides detailed reports and graphs on the authentication factors analyzed in each access, both for auditing purposes and for fine tuning the policies applied in each use case.
  • The capture of all the context factors uses browser and server technologies that do not require applets or plug-ins or the installation of software in the user devices.
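As an added illustration (not TrustedX's own code), the following Python sketches the context analysis described above: required factors are determinant, the remaining factors contribute to a weighted risk score compared against a threshold, consecutive accesses are checked for physically feasible travel, and observation mode records the decision without interrupting the login. The factor names, weights, threshold and the 900 km/h travel limit are assumptions made for this example.

```python
import math
from dataclasses import dataclass

@dataclass
class Factor:
    """One context factor of a policy: its weight and whether it is required."""
    name: str
    weight: float
    required: bool = False

# Hypothetical policy (constructed for this example, not a TrustedX configuration).
POLICY = [
    Factor("known_device", 0.4),
    Factor("known_location", 0.3),
    Factor("keystroke_match", 0.2),
    Factor("travel_feasible", 0.1, required=True),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def travel_feasible(prev, cur, max_kmh=900.0):
    """prev/cur are (lat, lon, epoch_seconds). True if the distance between two
    consecutive accesses could be covered at max_kmh (assumed airliner speed)."""
    dist = haversine_km(prev[0], prev[1], cur[0], cur[1])
    hours = max(cur[2] - prev[2], 0) / 3600.0
    return dist <= max_kmh * hours

def assess(policy, results, threshold, observe=False):
    """results maps factor name -> True if the access matched the user's profile;
    a missing factor counts as unmatched. Returns (risk, decision, failed_required).
    A failed required factor is determinant and forces a step-up whatever the score;
    otherwise risk is the weighted share of unmatched factors."""
    failed_required = [f.name for f in policy
                       if f.required and not results.get(f.name, False)]
    total = sum(f.weight for f in policy)
    risk = sum(f.weight for f in policy if not results.get(f.name, False)) / total
    step_up = bool(failed_required) or risk > threshold
    if not step_up:
        decision = "allow"
    elif observe:
        decision = "observe"   # observation mode: record only, do not interrupt login
    else:
        decision = "step-up"   # request an additional method (OTP, SMS, ...)
    return round(risk, 3), decision, failed_required
```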

Applications can invoke authentication functionality using the SAML 2.0 (e.g., Google Apps and Salesforce) and OAuth 2.0 (adapted for mobile applications) protocols, both HTTP based. In each authentication response, TrustedX includes the identity attributes required for applications to establish their own sessions. The platform also supports the applications invoking the TrustedX signature and encryption services.

Architecture

TrustedX acts as an agent between the user applications and the identity services. The applications use the OAuth 2.0 or SAML 2.0 protocols to invoke TrustedX. LDAP/AD, RADIUS and PKI identity services are supported.

The platform provides several strategies for integrating the authentication, which even include participating in existing deployments:

  • Standard, which uses TrustedX's end user authentication interface.
  • Delegated graphical interface, which provides a user experience that is more harmonious with the applications.
  • Externalized in other identity providers, which is complemented with TrustedX's adaptive authentication and SSO functionality.

[Figure: adaptive authentication architecture]