A case study for healthcare leader, Aetna on how they are developing a digital competitive advantage. As part of their strategy to improve user experience and protect members, they have deployed FIDO Authentication.

1. Quality health plans & benefits
Healthier living
Financial well-being
Intelligent solutions
Abbie Barbir, Aetna Global Security
FIDO Opportunities in Healthcare
May 2017

2. © 2017 Aetna Inc.
Allow Aetna to establish a digital competitive
advantage by equipping Aetna web and mobile
applications with an unparalleled set of
behavioral and biometric authentication
technologies in a manner that empowers a
world-class user experience and assures the
integrity and confidentiality of member data.
Our Mission
Improved User Experience
Reduced Risk
Reduced Cost
2

3. © 2017 Aetna Inc.
What is Next Generation Authentication?
3
The Objective
Implement world-class capabilities to reduce risk and
enable a frictionless user experience.
Key Features
• Password elimination/reduced reliance
• Multimodal user authentication
• Context aware access control
• Real-time behavior analysis
• Continuous authentication
• Dynamic Authentication Assurance Levels (LOA)
• User across application and devices
NGA is driving a paradigm shift in mobile & web authentication

4. © 2017 Aetna Inc.
Key Drivers: Evolving user experience
4
Identity & Access
Management is Evolving
From: Providing the right
access to legitimate users
at the right time
To: Providing the best user
experience to legitimate
users and their things at
the right location & time
Binary Authentication
Creates a Poor User
Experience
• User frustration
• Forgotten passwords
interrupt interactions
• Reuse & abandonment
• Difficult to remember
• Provide a conduit to
member account
compromise
2FA and Other Mechanisms are
Imperfect, Provide Poor User
Experience and Suffer from Low
Consumer Adoption

5. © 2017 Aetna Inc.
Key Drivers: Member protection & fraud prevention
5
Phishing is Incredibly
Effective
• Phishing is a component of 95%
of incidents involving nation-
state threat actors
• 100 million phishing messages
distributed everyday
• Median time-to-first-click: 1
minute 22 seconds across all
campaigns
• $2B in business impact annually
Healthcare Organizations
& Consumers are an
Increasing Target for Fraud
• Sophisticated & targeted
attacks from nation-state &
crime syndicates
• Account takeover
• Fraudulent registration
• Payment Account Fraud
• Claims Fraud
PHI & PII Have Value on the
Dark Web
• 2016 – $.50->$1.00 per
record
• Readily available records
provide a conduit for
account takeover
• Increasing market value
drives threat actors to target
individual accounts for
PII/PHI harvesting
*Source: EY

6. © 2017 Aetna Inc.
Authentication is no longer an event…
it is integrated into the application
6
The way you use an application is
a better indicator of who you are
than knowledge of a password
Moving forward, authentication is continuous and
integrated natively into application interactions
Continuous
Behavioral
Authentication
Biometric
Authentication
Continuous
Contextual
AuthenticationIn the past, authentication has been a single event,
taking place only when an application is launched

7. © 2017 Aetna Inc.
Breaches that made the headlines
7

8. © 2017 Aetna Inc.
Backend
Analytics
&
Risk Engine
LOA
Real-Time (RT)
Authorization
ControlMonitor
Prevent @ Inception
Cognitive &
Device
Biometrics
Decentralized
Authentication
Aetna NGA’s core building blocks
11
Aetna Authentication Hub
Device stores
biometric and
validates it locally
(no central
database)
Examples:
Swipe speed,
geolocation,
typical application
usage patterns
Integrate
authentication
events into the
user experience
(not binary)
Big data analytics
create a risk score
for that
user/device
combination
• Adaptive
• Continuous
• Behavioral
• Analytics

9. © 2017 Aetna Inc.
NGA: Design principles
9
• Based on Open Specifications (i.e. FIDO)
• Easy SDK integration for web and mobile
• NGA’s centralized authentication hub
provides centralized analysis and decision
making across all NGA applications
• API-based architecture
• Lightweight and efficient
• Device and platform portability
• Flows and interactions designed to reduce
friction and improve user experience
• Eliminate fraud through increased friction
for threat actor interactions
• Support for dynamic authentication
through LOA

10. © 2017 Aetna Inc.
NGA: Mobile offering
10
NGA’s mobile integration capabilities provide a mechanism for implementing
consumer accepted and expected authentication capabilities in a manner that:
• Transparently and continuously authenticates the device and user
• Improves security and reduces the risk of fraud
• Removes barriers to application access
…while improving the user experience
Reduced reliance
on passwords
through enhanced
user & device
authentication
Continuous
Behavioral
Authentication
(i.e. swipe
attributes)
Continuous
Contextual
Authentication
(i.e. geolocation)
Biometric
Integration
Designed in
alignment with
FIDO Standards

11. © 2017 Aetna Inc.
NGA: Mobile user experience example
11
Enrollment
Subsequent
App Usage
• Behavioral & contextual
attributes collected
continuously
• Centralized
authentication hub
makes ongoing
authentication decisions

12. © 2017 Aetna Inc.
NGA: Web offering
12
Reduced reliance
on passwords
through enhanced
user & device
authentication
Browser & System
Fingerprinting for
each session
improves security
& usability
Associate members &
their devices through
Device Binding to
improve user
experience & security
Eliminates risk of
impersonation,
account takeover,
and registration
fraud
NGA’s web integration capabilities provide a mechanism for implementing
consumer accepted and expected authentication capabilities in a manner that:
• Improves member data security
• Reduces the risk of fraud
…while improving the user experience

13. © 2017 Aetna Inc.
NGA: Web user experience example
13
Let’s follow Aetna Member Pam as she uses an Aetna web application with NGA
Pam accesses her
online Aetna account
for the first time Pam is using this system for the first time, so she completes an easy
verification processes via SMS or email
Following validation, the NGA Authentication Hub adds her computer
is to her profile, along with the other devices she uses. She will not be
prompted again from this computer
Hacker Harold later
tries to gain access to
Pam’s account
Hacker Harold is unable to gain access to
the account, as the NGA Authentication
Hub identified that his system is not part
of Pam’s profile he does not have access
to Pam’s email or cell phone
Pam is comfortable with this process, as it is similar to what she is used to for the Financial Services
organizations she has accounts with, and aligns with her data protection expectations

14. © 2017 Aetna Inc.
FIDO modern authentication
14
IMPLICIT
AUTHENTICATION
EXPLICIT
AUTHENTICATION
• MUST eliminate symmetric shared secrets
• Address poor user experiences and friction
• FIDO is a building block
− complements federation solutions
Impact
• Identity binding is essential
• Strong identity proofing a must
Source FIDO

15. © 2017 Aetna Inc.
Federation
15
Second Mile
FEDERATION
SAML
OAuth
OpenID
Connect
Complicated
Authentication
NO
PASSWORDS
First Mile
• Standards are catching up on mile one
• Mile two is getting more mature
• Federation need improvement
• No prior relationship
• SAML: Dynamic AuthN/Z
• OAuth, OIC dynamic end point
• Blockchain Opportunity
• How about identity assurance?
− Poorly deploying strong authentication
is the same as weak authentication
• FIDO solves the PW problem but mandates
better identity binding at the relaying part
• Proper Identity vetting/proofing becomes
essential

16. © 2017 Aetna Inc.
Issue to consider
16
Identity proofing and account recovery
Account Login Current Pain Points
• I forgot my password
• I cannot find/lost my phone
• I am locked out of my account
Account Recovery Options
• KBA (static and/or dynamic)
• Email account (compromised)
− Password reset link
− Or a new password
− Enrolling back in FIDO
Identity Proofing
• Binding a FIDO authenticator to a user
account on relying party requires
performing an Identity vetting step
− Trust anchor (aka Bootstrapping
problem)
• Currently pre-established
Authenticators are used as anchors of
Trust (such as passwords)
Online identity proofing is challenging and still relies on something “you know”

17. © 2017 Aetna Inc.
Questions
Thank you