There has been quite a bit of interest in the announcement Oracle made last week regarding the acquisition of Bharosa (some interesting posts can be found here, here and here). Here is an overview of what the acquisition adds to the Access Management capabilities of our IAM suite.
Contextual & Software-based Strong Authentication & Authorization
Oracle Access Manager is the SSO solution already available in the suite to provide username-password (1-factor) authentication capabilities. The Bharosa acquisition bolsters that area of the suite by adding contextual authentication and authorization plus software-based strong authentication (2nd and 3rd factor).
Strong authentication has traditionally been equated with hardware-based mechanisms like one-time password (OTP) tokens, biometric devices or smart cards. All of these come with significant deployment and provisioning cost, and they affect application usability because they change what the end user has to do at login. A new generation of solutions (including those by Bharosa) provides strong authentication using software-based mechanisms that are easier to deploy and manage and have minimal end-user impact.
The Bharosa Tracker product does this by relying on real-time risk analysis and rule-based intervention. It sits in the background, monitoring user activity to build up a per-user profile of what is considered normal behavior. This profile consists of user-specific characteristics like device forensics (authorized computers or personal devices), IP geolocation, time of day, normal workflow patterns, etc. It then compares each new activity against this profile to compute a risk score for that activity in real time (which is the only way to go, and so cool).
Customers can configure Tracker with a set of rules that define the actions to be taken based on the risk score and on the context of the activity being performed. These actions run the gamut: allowing the activity, prompting the user for re-authentication, requiring stronger authentication, prompting for answers to challenge questions, or preventing the transaction from proceeding altogether. This is what we call contextual authentication and authorization based on risk characteristics.
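To make the profile-plus-rules idea concrete, here is an added example (my own illustration, not Bharosa or Oracle code) of a minimal risk engine: a per-user baseline of devices, countries and login hours is learned from past successful logins, each new event is scored by a small rule table, and the score is mapped to allow / step-up / challenge / block. The profile fields, rule weights and thresholds are all assumptions chosen for the demo; the login history is constructed inline.

```python
from dataclasses import dataclass, field


@dataclass
class Profile:
    """What is 'normal' for one user, learned from past successful activity."""
    devices: set = field(default_factory=set)    # device fingerprints seen before
    countries: set = field(default_factory=set)  # IP geolocation countries seen before
    hours: set = field(default_factory=set)      # hours of day (0-23) the user is active


@dataclass
class Event:
    """One activity to be scored: a login or a transaction on an existing session."""
    user: str
    device: str
    country: str
    hour: int
    amount: float = 0.0  # transaction value; 0 for a plain login


# Rule table: (name, predicate over (profile, event), weight). Weights are assumed.
RULES = [
    ("unknown_device", lambda p, e: e.device not in p.devices, 40),
    ("new_country",    lambda p, e: e.country not in p.countries, 35),
    ("unusual_hour",   lambda p, e: e.hour not in p.hours, 15),
    ("large_transfer", lambda p, e: e.amount >= 5000, 30),
]

# Score thresholds for each intervention. Assumed values.
THRESHOLDS = [(30, "allow"), (60, "step_up"), (90, "challenge")]


def score(profile: Profile, event: Event):
    """Return the total risk score and the names of the rules that fired."""
    fired = [name for name, pred, _ in RULES if pred(profile, event)]
    total = sum(w for name, _, w in RULES if name in fired)
    return total, fired


def decide(total: int) -> str:
    """Map a score to an action: allow, step_up (e.g. OTP), challenge (questions) or block."""
    for limit, action in THRESHOLDS:
        if total < limit:
            return action
    return "block"


def learn(profile: Profile, event: Event) -> None:
    """Fold an activity that was fully authenticated into the user's baseline."""
    profile.devices.add(event.device)
    profile.countries.add(event.country)
    profile.hours.add(event.hour)


def build_profile(history) -> Profile:
    """Build a baseline from a list of past successful events."""
    profile = Profile()
    for event in history:
        learn(profile, event)
    return profile


def evaluate(profile: Profile, event: Event):
    """Score one event and return (action, score, fired_rules)."""
    total, fired = score(profile, event)
    return decide(total), total, fired


# Constructed login history for one user: same laptop, same country, office hours.
HISTORY = [
    Event("alice", "laptop-1", "US", 9),
    Event("alice", "laptop-1", "US", 10),
    Event("alice", "laptop-1", "US", 14),
]

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for ev in [
        Event("alice", "laptop-1", "US", 10),              # routine login
        Event("alice", "phone-9", "US", 10),               # new device only
        Event("alice", "laptop-1", "RO", 10, amount=200),  # known device, new country
        Event("alice", "phone-9", "RO", 3, amount=8000),   # everything unusual
    ]:
        print(evaluate(profile, ev))
```

Note that `learn` is only called for activity that completed authentication: a step-up or challenge that the user fails must not teach the engine that the new device or country is normal, which is why `evaluate` returns the decision and leaves the learning to the caller.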
Bharosa Tracker Real-Time Interaction
Another aspect I found interesting is that the use of Tracker does not preclude hardware-based strong authentication from playing a role. Tracker can be integrated with other strong authentication mechanisms like OTP tokens to pull them in at key points in the workflow as configured in the rules. In fact, this flexibility is particularly compelling for organizations seeking to deploy a hybrid of different authentication mechanisms that cater to different user/application populations.
Activity Monitoring and Fraud Detection
The activity monitoring and analysis capabilities in Bharosa Tracker are also leveraged for fraud detection. Based on the workflow patterns and rules configured in the system, it can identify user behavior that deviates from the norm. It can then prevent the transaction from proceeding while firing off notifications to administrators when it detects potentially fraudulent activity. And of course, it audits all activity, so the audit trail is available for forensic analysis after the fact.
Identity Theft Prevention
The Bharosa Authenticator product provides some pretty interesting ways to prevent identity theft, some of which you may have already seen in action at a website near you.
It provides a way to do mutual authentication between the site and the user. Most authentication schemes let the site verify who the user is, but give the user no way to verify the site. The user cannot necessarily tell whether they are interacting with the real site or with a fake site placed in the middle to harvest PINs and passwords. Mutual authentication introduces a mechanism by which the user can verify that they are interacting with the site they mean to interact with.
The mechanism that Bharosa Authenticator provides is starting to become fairly commonplace (3 institutions that I have credit cards with use it today). It is called the personalized image authenticator. During a fully validated session between a user and the website, the site asks the user to select an image of their choice from what is usually a large set. From that point on, every time the user authenticates to the site, the site displays that image before asking for the password, proving that the user is interacting with the site they originally set the image up with: a fake site has never seen the image and cannot show it. It is a simple, cost-effective way of providing mutual authentication.
Authenticator also includes a set of secure Virtual Authentication Devices that protect PIN/password entry from keyloggers, OCR programs and other malicious trojans. These devices provide a number of different ways to enter passwords, the most interesting of which render a completely randomized PIN pad or keyboard on the screen that the user clicks on with the mouse to enter their PIN or password. A keylogger cannot read the password from keystrokes, since there are none; it is all mouse clicks. The really neat thing is that because the placement and order of the keys on the screen are randomized on every attempt, a trojan that records the mouse-click pattern gains nothing either: the same clicks map to different keys next time. It really is kind of cool.
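As an added illustration of the randomized PIN pad (my own sketch, not Bharosa's implementation), the following shows the two halves of the scheme: the server shuffles the digits into a fresh one-time layout for each attempt and the client sends back only the positions that were clicked, so the server alone can translate positions into digits. The class and method names, and the sample PIN, are assumptions for the demo.

```python
import hmac
import secrets

DIGITS = "0123456789"


class VirtualPinPad:
    """Server side of a randomized on-screen PIN pad.

    The stored PIN is kept in the clear here for the sake of the demo; a real
    system would compare against a stored hash instead.
    """

    def __init__(self, pin: str):
        self._pin = pin
        self._layout = None  # the layout issued for the current attempt, if any

    def new_layout(self) -> list:
        """Create a fresh random key layout for one attempt and return it for rendering.

        Index i of the returned list is the digit drawn on the i-th key on screen.
        A CSPRNG (secrets) drives the Fisher-Yates shuffle so layouts are unpredictable.
        """
        layout = list(DIGITS)
        for i in range(len(layout) - 1, 0, -1):
            j = secrets.randbelow(i + 1)
            layout[i], layout[j] = layout[j], layout[i]
        self._layout = layout
        return list(layout)

    def verify(self, positions: list) -> bool:
        """Translate clicked key positions back into digits using the issued layout.

        The layout is discarded after one use, so a recorded click sequence
        replayed against a later layout (or this one again) fails.
        """
        layout, self._layout = self._layout, None
        if layout is None or len(positions) != len(self._pin):
            return False
        try:
            entered = "".join(layout[p] for p in positions)
        except (IndexError, TypeError):
            return False
        return hmac.compare_digest(entered, self._pin)


def click_positions(layout: list, pin: str) -> list:
    """Client-side simulation: the user clicks the key that currently shows each digit."""
    return [layout.index(d) for d in pin]


if __name__ == "__main__":
    pad = VirtualPinPad("4711")           # assumed enrolled PIN
    first = pad.new_layout()
    clicks = click_positions(first, "4711")
    print("layout:", first, "clicks:", clicks, "ok:", pad.verify(clicks))
    second = pad.new_layout()
    print("replay of the same clicks on a new layout:", pad.verify(clicks))
```

The server must hold the issued layout itself (here in the object; in practice in the session state) rather than accept it back from the client, otherwise an attacker could supply both the layout and the positions. Note also what this does and does not defend against: it defeats keystroke capture and replay of a recorded click pattern, but malware that captures the rendered screen together with the click coordinates can still reconstruct the PIN.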
Bharosa Authenticator Virtual Authentication Devices
Bharosa also has a product called VoicePad that enables out-of-band authentication based on a "Voice Token", which combines phone device recognition with biometric voiceprint recognition of the user pre-registered to that phone. But I know a little less about this product and its usage, so I won't go too much into it.
You can get a lot of information about the acquisition and its value (including FAQs and white papers here).