How OneSpan Extends the Value of the ForgeRock Identity Platform

OneSpan Team,

In our recent webinar, Accelerating Bank Growth: Combining Proven Fraud Management & Next Gen MFA, we teamed up with ForgeRock to discuss digital banking security and how to ensure a safe and easy user experience.

Delivering a great customer experience starts with making it easy for legitimate customers to access their online and mobile accounts – while keeping cybercriminals out. ForgeRock enables this with its unified and extensive identity platform. ForgeRock’s solution helps organizations configure simple authentication experiences for online banking customers and employees. From social authentication to passwordless authentication, a financial institution can quickly configure the authentication process for customer onboarding, login, account maintenance, financial transactions, and more.

As one of ForgeRock’s digital security partners, OneSpan brings an additional layer of protection to ForgeRock’s platform with risk-based authentication, mobile app shielding, and a range of user-friendly authentication options.

In the webinar, I spoke with Ben Goodman, SVP of Global Business and Corporate Development at ForgeRock, about the value of these additional layers of security. In addition to protecting against threats like account takeover and unauthorized access, all of OneSpan's security technologies work together to deliver a quick and seamless authentication experience.

This is the core value of using OneSpan to do more with your ForgeRock platform. We give organizations the ability to evaluate the risk of each digital transaction in real time and dynamically adjust the authentication accordingly. This provides the best user experience to legitimate customers, while helping stop criminals at the door.

If you missed this webinar, here’s a summary.

Fraud Drives the Need for Better Authentication and Identity Management

Account takeover fraud (ATO) continues to be a massive problem across the financial industry. From 2019 to 2020, account takeover fraud increased by 250%. An estimated $15B was spent in 2020 on account takeover prevention. While the increase in fraud is heavily impacted by COVID-19, the trend towards increased attacks against financial institutions will only continue to rise as opportunistic fraudsters take advantage of weaknesses within security systems. In particular, vulnerabilities are clearly evident when it comes to the creation of new bank accounts. Bank accounts make up almost a third of the accounts taken over in 2020.

But why is the financial industry still struggling with account takeover fraud? We believe the reason is that financial institutions still lack the ability to balance ease of use and security. Many still favor user experience at the expense of security, even though it is no longer a question of choosing an easy user experience over a secure one. Today, with risk-based authentication, banks can have both.

In addition, there are various areas where financial institutions inadvertently introduce security vulnerabilities. One of them is through outdated authentication methods. For example, usernames and passwords are routinely phished, reused across sites, and replayed from breach data in credential-stuffing attacks, and as a result they lead directly to account takeover. Experts recommend modernizing with multi-factor authentication (MFA) applied through risk-based authentication (also referred to as adaptive authentication or step-up authentication).

Adaptive authentication orchestrates all of your multi-factor authentication methods, like one-time passwords (OTP), out-of-band push notifications, SMS, and biometrics. Making use of a broad array of multi-factor authentication options optimizes the user experience while protecting against fraud. For example, single sign-on (SSO) may be perfect for your employees, while passwordless authentication methods like biometrics are what consumers prefer most. Yet not all consumer transactions require a fingerprint biometric or facial scan.

Financial institutions need the ability to dynamically adapt the authentication user experience in real time based on the risk level of the transaction. Higher risk activity should require additional authentication challenges, while low-risk actions might not require any authentication at all.

The ForgeRock Identity Platform

The ForgeRock Identity Platform has four components:

  • ForgeRock Identity Management handles identity lifecycle processes, such as registering and onboarding a new customer and provisioning that identity to downstream systems.
  • ForgeRock Access Management determines how to authenticate and authorize a user under different circumstances. This capability is based on the original OpenAM open source project.
  • ForgeRock Identity Gateway is a reverse proxy that sits in front of web applications and APIs and enforces the platform’s authentication and authorization decisions for them, so that services which cannot be modified to integrate directly still only receive traffic from users who have access to what they need.
  • ForgeRock Directory Services is the LDAP directory that stores the identities, credentials, and configuration the other components rely on.

Across the platform, ForgeRock exposes REST APIs and client SDKs for integration, and its capabilities are built on standards such as OAuth 2.0, OpenID Connect, SAML 2.0, FIDO2/WebAuthn, and UMA.

In order to understand what is happening inside a customer’s banking session, the ForgeRock platform ingests contextual data about the device, network, and user behavior. That context is what allows authentication decisions to be made dynamically and in real time, rather than once at login.

One of the foundational aspects of the ForgeRock platform is Intelligent Access. ForgeRock Intelligent Access is a runtime workflow engine. It orchestrates identity actions, from onboarding and registration of a new user, to making sure they are using the most appropriate authentication at any given time. ForgeRock uses this to address the full customer journey, including registration, authentication, self-service, and personalization.

In the video above, we demonstrate a few authentication flows that can easily be configured using ForgeRock’s drag-and-drop authentication trees. Within the platform, financial institutions can easily select OneSpan’s capabilities and drag these into a workflow builder to more easily create new authentication workflows.

Within the user registration tree, there are a number of components, referred to as authentication nodes or decision nodes. These nodes can be configured to a bank’s requirements. Consider the following example. If a financial institution wants to include a social login from Facebook as part of the customer registration process, the bank could simply drag and drop the social login node onto the canvas, and the platform dynamically updates the workflow with this new feature in seconds.

OneSpan Addresses Risk with the Right Level of Security

OneSpan specializes in digital identity and anti-fraud solutions that create exceptional experiences. OneSpan's cloud solutions integrate with ForgeRock Access Management to better detect fraud and improve the user experience.

Risk analysis is at the core of OneSpan's integration with ForgeRock. OneSpan Risk Analytics continuously analyzes and assesses every user session, looking for anomalous behavior. It detects patterns in device, transaction, and user profile data so that fraud is identified more quickly and accurately. Looking at different account takeover scenarios, for example, common indicators of compromise show up in that data: unusual or malicious request headers, a referrer from a phishing site, tampered cookies, a device or IP address already associated with fraud, forms completed at inhuman speed, keyboard overlays, and so on.

Risk Analytics is at the heart of OneSpan’s Intelligent Adaptive Authentication technology. Intelligent Adaptive Authentication integrates with ForgeRock Access Management to give financial institutions more options to authenticate customers while defending against attacks such as account takeover. It collects data on the integrity of the user's device and mobile apps, behavior, transaction details, and scores of other data to understand risk and orchestrate the appropriate level of authentication. Higher risk activity initiates additional authentication requirements, while low-risk actions might not require any authentication at all.
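The step-up logic described in the last few sections (a risk score computed from session indicators, and a tree of authentication nodes whose branch depends on that score) is easiest to understand as code. The following is an added example written for this page; it is not OneSpan or ForgeRock code and does not use either product's API. The signal weights, thresholds, host names, node names, and the sample sessions are all constructed assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example, not OneSpan or ForgeRock code. A toy risk engine feeding a
# tree-style authentication workflow: the risk score picks the branch, and
# the branch decides which (if any) extra challenge the user must pass.
# Signal weights, thresholds, host names and node names are assumptions.

@dataclass
class Session:
    user: str
    device_known: bool   # device fingerprint previously bound to this user
    ip_reputation: str   # "clean", "suspicious" or "blocklisted"
    referrer: str        # Referer host seen on the login POST ("" if none)
    form_fill_ms: int    # page load -> submit; bots fill forms in milliseconds
    amount: float        # transaction value, 0.0 for a plain login

TRUSTED_REFERRERS = {"", "www.examplebank.test"}   # constructed allowlist
MIN_HUMAN_FILL_MS = 800                              # assumed threshold
HIGH_VALUE = 5000.0                                  # assumed threshold

def risk_score(s: Session) -> tuple[int, list[str]]:
    """Additive score over the kinds of indicators the text lists; higher is
    riskier. Returns the reasons too, so an analyst can see why a step-up fired."""
    score, reasons = 0, []
    if not s.device_known:
        score += 30; reasons.append("unknown device")
    if s.ip_reputation == "blocklisted":
        score += 60; reasons.append("blocklisted IP")
    elif s.ip_reputation == "suspicious":
        score += 25; reasons.append("suspicious IP")
    if s.referrer not in TRUSTED_REFERRERS:
        score += 40; reasons.append(f"untrusted referrer {s.referrer!r}")
    if s.form_fill_ms < MIN_HUMAN_FILL_MS:
        score += 35; reasons.append("inhuman form-fill speed")
    if s.amount >= HIGH_VALUE:
        score += 20; reasons.append("high-value transaction")
    return score, reasons

def risk_outcome(s: Session) -> str:
    """Decision node: collapse the score to one of the tree's named outcomes."""
    score, _ = risk_score(s)
    if score >= 100: return "block"
    if score >= 80:  return "high"
    if score >= 30:  return "medium"
    return "low"

# Minimal tree. A node with "eval" decides by itself; a node without it is a
# challenge that waits for the user's answer. Each outcome names the next node.
TERMINALS = {"Allow", "Deny"}
TREE = {
    "entry": "RiskDecision",
    "nodes": {
        "RiskDecision": {"eval": risk_outcome,
                         "edges": {"low": "Allow", "medium": "PushOTP",
                                   "high": "Biometric", "block": "Deny"}},
        "PushOTP":   {"edges": {"approved": "Allow", "rejected": "Deny"}},
        "Biometric": {"edges": {"match": "Allow", "no_match": "Deny"}},
    },
}

def run_tree(s: Session, responses: dict[str, str] | None = None) -> tuple[str, list[str]]:
    """Walk the tree for one session. `responses` holds answers already given to
    challenge nodes, e.g. {"PushOTP": "approved"}. Returns (result, path) where
    result is "Allow", "Deny" or "Challenge:<node>" when the flow must pause."""
    responses = responses or {}
    node, path = TREE["entry"], []
    while node not in TERMINALS:
        path.append(node)
        spec = TREE["nodes"][node]
        if "eval" in spec:
            outcome = spec["eval"](s)
        elif node in responses:
            outcome = responses[node]
        else:
            return f"Challenge:{node}", path     # suspend until the user answers
        node = spec["edges"].get(outcome, "Deny")  # unknown outcome fails closed
    path.append(node)
    return node, path

# Constructed sessions (not real data)
RETURNING_USER  = Session("alice", True,  "clean",       "www.examplebank.test",    4200, 0.0)
NEW_DEVICE      = Session("alice", False, "clean",       "www.examplebank.test",    3100, 0.0)
AGGREGATOR_WIRE = Session("alice", False, "clean",       "partner-aggregator.test", 3100, 12000.0)
PHISHED         = Session("alice", False, "blocklisted", "examplebank-login.phish",  120, 0.0)

if __name__ == "__main__":
    for s in (RETURNING_USER, NEW_DEVICE, AGGREGATOR_WIRE, PHISHED):
        print(s.referrer, risk_score(s), run_tree(s))
```

Two design points carry over to a real deployment. First, `run_tree` returns a `Challenge:` result rather than pretending the user answered, because a push or biometric challenge is asynchronous and the flow must be resumable. Second, any outcome the tree does not recognize routes to `Deny`: a node that is misconfigured or a response that is tampered with should fail closed, not fall through to the allow branch.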

Continuous Client-side Awareness and Scoring


Adding Mobile App Security to Your ForgeRock Capabilities

The mobile environment is continuously evolving, and with any kind of progress comes new vulnerabilities and threats at every turn. According to Gartner’s review of the Sonatype DevSecOps Community Survey 2020, many app developers lack mobile security expertise and tend to focus on functionality, not app security.

This results in mobile banking apps being left vulnerable to security threats. According to a study of 30 financial services apps downloaded from the Google Play store and subjected to security audit:

  • 97% lacked defense against reverse-engineering
  • 90% stored data insecurely outside the app
  • 80% used incorrectly implemented or weak encryption

Mobile app shielding is a low-code technology that safeguards against the latest mobile banking Trojans, reverse-engineering techniques, and several types of runtime threats. It also creates a secure execution environment, allowing mobile apps to operate safely even on untrusted mobile devices such as those that have been jailbroken or rooted.

This strengthens a mobile banking app against attack. Unlike endpoint security, which protects the user's device as a whole, mobile app shielding protects the banking app itself while it runs on that device, so the app can react to tampering, hooking, and debugging at runtime regardless of the state of the device around it. This is a practical way to secure the mobile channel while still delivering a seamless user experience and defeating fraud.

OneSpan and ForgeRock Authentication and Identity Management

Together, OneSpan and ForgeRock offer financial service providers a comprehensive approach for authenticating customers and reducing the risk of financial fraud. Our combined capabilities enable banks to offer their customers secure and effortless digital experiences.

To learn more, visit our joint solution webpage.

The OneSpan Team is dedicated to delivering the best content to help you secure tomorrow's potential. From blogs to white papers, ebooks, webinars, and more, our content will help you make informed decisions related to cybersecurity and digital agreements.