Mobile device risk-based access and authentication governance

A demonstration of how to establish a higher level of security confidence for transactions made from mobile devices

Discover how the IBM® Tivoli® Federated Identity Manager risk-based access capability can provide access decision and enforcement for device consent, and establish a high level of confidence for insurance purchase transactions. The article also shows how OAuth access tokens are used for mobile access and authorization when transaction- and risk-based access decisions are made on mobile devices.

Jenny Wong (jenwong@au1.ibm.com), Staff Software Engineer, IBM

Jenny Wong is an IT specialist working for IBM Software Group. She is a member of the IBM Security Solutions Team based at the Australian Development Lab on the Gold Coast. She joined IBM in 2009 and is a customer-facing engineer who works with the IBM Security product suite in Level 3 technical support, pre-sales and post-sales engagements, and enhanced product enablement. She holds a dual Bachelor's degree in Applied Mathematics and Information Technology from Queensland University of Technology.



27 January 2014


Identity and Access Intelligence

Identity and access management infrastructures are becoming a major source of security intelligence information. Enterprise Management Associates (EMA) analysts have published a new report that describes the nature of identity and access intelligence and the factors driving this aspect of security evolution. To learn about this aspect of IT security, download and read "Identity and Access Intelligence: Transforming Enterprise Security."

Imagine you manage IT security for an automobile insurance company that is experiencing strong growth in the personal vehicle market segment. (You can substitute any industry that sells services as products and transacts with external customers through public-facing entry points to sensitive data.) Many of your customers will access your site and applications from mobile devices. The resources you need to protect are the personal information in each customer's account, and you will also have to demonstrate to customers that their transactions are secure.

The three areas of security you will need to implement are:

  • Identity access assessment and user experience. The company wants risk-based assessment to shape the user experience, so that high-risk operations are challenged and low-risk ones are not.
  • Device consent. The company requires context-based authorization on the device being used, so that only devices the user has registered are trusted.
  • Transaction confidence. The company requires context-based authorization defined by the specific application instance and the transaction value.

In addition, customers must be able to self-manage their registered devices in case of theft or loss: they must be able to disable any registered mobile application instance or browser.

In this demonstration, I'll show how the Tivoli Federated Identity Manager risk-based access capability provides access decision and enforcement for device consent and establishes a level of confidence for insurance purchase transactions. I'll also show how OAuth access tokens are used for mobile access and authorization when performing transaction- and risk-based access on mobile devices.

The video has three parts:

  • Part one shows how to register a mobile application as a trusted instance against a user account.
  • Once the mobile application is trusted, part two shows a user purchasing a car insurance package from the mobile device (through the mobile app); the app is governed by a risk-based access policy with one-time password obligations.
  • Part three shows how, using the underlying IBM Security products, a registered mobile instance can be disabled so that a lost or stolen phone cannot be used to make car insurance purchases.

This demonstration is designed for security and IT architects.

Demo: Mobile device risk-based access scenario

Video: IBM Security Identity and Access Demos: Risk-based Access Scenario

The Tivoli Federated Identity Manager risk-based access feature provides access decision and enforcement that is based on a dynamic risk assessment or confidence level of a transaction. Risk-based access uses behavioral and contextual data analytics to calculate risk and can:

  • Improve security during authentication and authorization of transactions.
  • Assess risk based on static, contextual, and analytically calculated attributes.
  • Calculate a risk score based on multiple weighted attributes.
  • Provide policy rules that determine whether an access request must be allowed, denied, or challenged.

This feature can be configured to:

  • Silently register or require users to register devices that they commonly use.
  • Associate the registered devices with user credentials.
  • Present a challenge or request additional authentication if the user attempts to authenticate with the same credentials from another unregistered device.
  • Use the behavioral patterns of the user as a factor in risk-score calculation.
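To make the behaviour described above concrete (the weighted risk score, the allow/deny/challenge policy rules, device registration tied to a user, the one-time password obligation, and the self-service disabling of a lost device from the three demo parts), here is a small risk engine. It is an added example written for this article and is not Tivoli Federated Identity Manager code: the attribute names, the weights (45, 25, 30), the thresholds (challenge at 30, deny at 90), the device fingerprints and the requests in `demo_scenario()` are all assumptions constructed for illustration.

```python
"""Illustrative risk-based access engine: weighted risk score, device registry,
permit / challenge / deny policy rules with an OTP obligation. Added example;
not Tivoli Federated Identity Manager code. Weights and thresholds are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PERMIT, CHALLENGE, DENY = "permit", "challenge", "deny"


@dataclass
class Device:
    fingerprint: str        # opaque identifier derived from device/app attributes
    enabled: bool = True    # the user can disable a lost or stolen device


@dataclass
class AccessRequest:
    user: str
    device_fingerprint: str
    country: str                 # contextual attribute, e.g. from IP geolocation
    transaction_value: float     # 0.0 for non-purchase operations
    otp_verified: bool = False   # True once the one-time-password obligation is met


@dataclass
class Decision:
    outcome: str
    score: int
    reasons: List[str] = field(default_factory=list)
    obligation: Optional[str] = None   # "otp" when the outcome is CHALLENGE


class RiskEngine:
    """Scores each request from weighted attributes and applies the policy rules."""

    def __init__(self, challenge_at: int = 30, deny_at: int = 90,
                 high_value: float = 1000.0) -> None:
        # Hypothetical weights; a deployment tunes these to its own risk appetite.
        self.weights = {"unregistered_device": 45, "new_country": 25, "high_value": 30}
        self.challenge_at, self.deny_at, self.high_value = challenge_at, deny_at, high_value
        self.devices: Dict[str, Dict[str, Device]] = {}  # user -> fingerprint -> Device
        self.seen_countries: Dict[str, Set[str]] = {}    # behavioural history per user

    def register_device(self, user: str, fingerprint: str) -> None:
        self.devices.setdefault(user, {})[fingerprint] = Device(fingerprint)

    def disable_device(self, user: str, fingerprint: str) -> None:
        """Self-service revocation after theft or loss; the device stays on record."""
        self.devices[user][fingerprint].enabled = False

    def score(self, req: AccessRequest) -> Tuple[int, List[str]]:
        total, reasons = 0, []
        if req.device_fingerprint not in self.devices.get(req.user, {}):
            total += self.weights["unregistered_device"]
            reasons.append("device not registered for user")
        if req.country not in self.seen_countries.get(req.user, set()):
            total += self.weights["new_country"]
            reasons.append("no prior activity from " + req.country)
        if req.transaction_value >= self.high_value:
            total += self.weights["high_value"]
            reasons.append("transaction value %.2f at or above %.2f"
                           % (req.transaction_value, self.high_value))
        return total, reasons

    def decide(self, req: AccessRequest) -> Decision:
        total, reasons = self.score(req)
        dev = self.devices.get(req.user, {}).get(req.device_fingerprint)
        if dev is not None and not dev.enabled:   # revoked device: refuse regardless of score
            return Decision(DENY, total, ["device disabled by user"] + reasons)
        if total >= self.deny_at:
            return Decision(DENY, total, reasons)
        if total >= self.challenge_at and not req.otp_verified:
            return Decision(CHALLENGE, total, reasons, obligation="otp")
        # Permitted: record the context so future scores reflect the user's own
        # behaviour, and silently register a device that has passed the step-up.
        self.seen_countries.setdefault(req.user, set()).add(req.country)
        if dev is None:
            self.register_device(req.user, req.device_fingerprint)
        return Decision(PERMIT, total, reasons)


def demo_scenario() -> List[str]:
    """Walks the three demo parts on constructed requests; returns each outcome."""
    engine, phone, outcomes = RiskEngine(), "fp-9c1e", []   # constructed fingerprint
    # Part one: first use of the app from an unknown phone -> OTP challenge, then trusted.
    outcomes.append(engine.decide(AccessRequest("alice", phone, "AU", 0.0)).outcome)
    outcomes.append(engine.decide(AccessRequest("alice", phone, "AU", 0.0, True)).outcome)
    # Part two: high-value purchase from the trusted phone -> OTP obligation, then permit.
    outcomes.append(engine.decide(AccessRequest("alice", phone, "AU", 1500.0)).outcome)
    outcomes.append(engine.decide(AccessRequest("alice", phone, "AU", 1500.0, True)).outcome)
    # Part three: phone lost. Alice disables it; the attacker's own handset scores 100.
    engine.disable_device("alice", phone)
    outcomes.append(engine.decide(AccessRequest("alice", phone, "AU", 1500.0, True)).outcome)
    outcomes.append(engine.decide(AccessRequest("alice", "fp-0000", "NZ", 1500.0, True)).outcome)
    return outcomes
```

Two design points worth noting. First, a disabled device is refused before the score is consulted, and a score at or above the deny threshold is refused even when the OTP obligation has been satisfied; step-up authentication lowers the bar only for the challenge band, never for the deny band. Second, the device fingerprint is an attribute supplied by the client, so a registered device raises confidence in the session rather than proving who is holding the phone; that is why a high-value purchase from a trusted device still incurs the OTP obligation here. The example registers a device silently only after a successful step-up, which corresponds to the "require users to register" option above; silent registration on first sight is the other option and would simply skip the challenge for the unregistered-device attribute.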



developerWorks Security zone, article ID 960493, published 27 January 2014.