Case Study: Aetna Advances User Authentication Based on the FIDO Standard
Aetna is a leading health care organization serving about 37.9 million people.
Challenge: provide better authentication for the customers, partners and employees who use Aetna’s online services. Health care organizations must safeguard protected health information (PHI) to ensure compliance with health care regulations such as HIPAA and HITECH and to avoid costly fines and lawsuits due to data exposure.
Aetna has adopted the FIDO standard for user authentication, using biometrics to verify customers and its next-generation authentication process (behavior-based security which authenticates users throughout their online sessions on the Aetna Mobile app).
- Within two weeks of app usage, Aetna was able to set user baselines for behavior.
- Aetna is using the behavioral data solely to help protect users, feeding it into the FIDO NGA risk engine, which continuously ingests the data, and then ultimately discarding it. The risk engine is protected with six layers of security controls.
The FIDO Solution
Aetna needed user authentication integrated within the overall experience, simplifying engagement while sending a strong message to customers, partners, and employees that their data is safe. Aetna is proud to be using the FIDO standard for user authentication, biometrics, and next-generation authentication.
The specifications and certifications from the FIDO Alliance enable an interoperable ecosystem of hardware-, mobile- and biometrics-based authenticators that can be used with many apps and websites. This ecosystem enables enterprises and service providers to deploy strong authentication solutions that reduce reliance on passwords and protect against phishing, man-in-the-middle and replay attacks using stolen passwords.
“The FIDO Alliance develops user authentication based on open standards so companies like Aetna can adopt the best modern technologies without being tied into their proprietary offerings,” said Brett McDowell, executive director, The FIDO Alliance. “Standards-based architectures can evolve with the market, are less costly to operate and reduce the risk of operating and maintaining end-of-life systems.”
Health care organizations are seeking to evolve user authentication for a new era of risks and threats. Health care data is highly valued by cybercriminals, because it provides rich personal, financial and medical data that can be used for multiple types of fraud, including insurance claims, health savings accounts, flexible savings accounts and more.
Health care organizations must safeguard protected health information (PHI) to ensure compliance with health care regulations such as HIPAA and HITECH and to avoid costly fines and lawsuits due to data exposure.
Health care security leaders also want to avoid account takeovers, where cybercriminals use personal demographic information to bypass password reset functions. After several major data breaches, including Anthem, Equifax, Yahoo and others, cybercriminals are able to assemble rich profiles they can use to impersonate users at scale. “The reality is that the industry is getting more and more account takeover attempts,” said Jim Routh of Aetna, who serves as the health care company’s chief security officer (CSO). “Binary authentication [using passwords] has reached obsolescence today.”
Creating Phishing-Resistant Security in the Health Care Industry
Solution: Routh wanted to find a better way to authenticate the customers, partners and employees who use Aetna’s online services. The company is rolling out next-generation authentication (NGA) across its mobile and web platforms, taking a two-phased approach to improving the security and usability of its online services.
First, Aetna has adopted the FIDO standard for user authentication, using biometrics, rather than passwords, to verify customers. Biometric capabilities are evolving rapidly, and Aetna wanted to empower consumers with choice while using a standard interface across software and devices. In addition, standards-based architectures cost less to operate than non-standards-based architectures.
FIDO Authentication Future-Proofs and Simplifies User Authentication
“Aetna adopted the FIDO standard for biometric information to create consistency and simplify the entire authentication process,” says Routh. “FIDO insulates us from the implications of the consumer choice or the security functionality that is built into the device. The standard separates the authentication process from an application developer, so regardless of the configuration of mobile carrier, device maker or online service, we can authenticate every time. More importantly, a member’s biometric information never leaves his or her device, ensuring the member’s identity remains protected and uncompromised.”
Developing user authentication based on open standards also “future-proofs” solutions, so that companies like Aetna can adopt the best modern technologies without being tied into a vendor’s proprietary offerings.
Standards-based architectures can evolve and scale with the market, are less costly to operate than proprietary architectures and also reduce the risk of operating and maintaining end-of-life systems.
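As an added illustration of the mechanism described in this section and in the FIDO Solution overview above (example code written for this page; not Aetna's code and not a FIDO Alliance library), the Go program below models one FIDO-style login. The device keeps its private key and performs the local user-verification step, the service issues a single-use random challenge, and the device signs that challenge bound to the origin it was talking to. The relying party, the origins, the user name and the `Verified` flag standing in for a successful biometric match are all constructed assumptions. The checks in `Verify` show why there is no password to steal, why a signature captured by a look-alike site is rejected by the genuine site, and why a captured assertion cannot be replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the member's device. The signing key and the local
// user-verification step (the biometric match) never leave it; only a public
// key and signatures are ever sent to the service.
type Authenticator struct {
	priv     *ecdsa.PrivateKey
	Verified bool // constructed stand-in for "the local biometric check passed"
}

// Assertion is what the device hands back for one login attempt.
type Assertion struct {
	Origin    string // the origin the client believed it was talking to
	Challenge []byte
	Sig       []byte
}

// RelyingParty models the online service (constructed; not Aetna's system).
type RelyingParty struct {
	Origin     string
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string]bool // outstanding one-time challenges, keyed by hex
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string]bool{}}
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, Verified: true}, nil
}

// Register stores only the device's public key; the private key stays on the device.
func (rp *RelyingParty) Register(user string, a *Authenticator) {
	rp.pubKeys[user] = &a.priv.PublicKey
}

// NewChallenge issues a fresh random nonce that is valid for exactly one assertion.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[fmt.Sprintf("%x", c)] = true
	return c, nil
}

// signedData binds the challenge to the origin, so a signature made for a
// look-alike site cannot be presented to the genuine one.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// Sign produces an assertion only after local user verification succeeds.
func (a *Authenticator) Sign(clientOrigin string, challenge []byte) (*Assertion, error) {
	if !a.Verified {
		return nil, errors.New("local user verification failed")
	}
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedData(clientOrigin, challenge))
	if err != nil {
		return nil, err
	}
	return &Assertion{Origin: clientOrigin, Challenge: challenge, Sig: sig}, nil
}

// Verify accepts an assertion only if the challenge is still outstanding (not replayed),
// the origin is this service's own, and the signature checks under the registered key.
func (rp *RelyingParty) Verify(user string, as *Assertion) error {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	key := fmt.Sprintf("%x", as.Challenge)
	if !rp.challenges[key] {
		return errors.New("unknown or already used challenge (replay)")
	}
	if as.Origin != rp.Origin {
		return errors.New("origin mismatch (phishing)")
	}
	if !ecdsa.VerifyASN1(pub, signedData(as.Origin, as.Challenge), as.Sig) {
		return errors.New("signature does not verify")
	}
	delete(rp.challenges, key) // consume it: the same assertion cannot be used twice
	return nil
}

func main() {
	rp := NewRelyingParty("https://portal.example.test") // constructed origin
	dev, _ := NewAuthenticator()
	rp.Register("member-1", dev)

	ch, _ := rp.NewChallenge()
	as, _ := dev.Sign(rp.Origin, ch)
	fmt.Println("genuine login:", rp.Verify("member-1", as))
	fmt.Println("replayed login:", rp.Verify("member-1", as))

	ch2, _ := rp.NewChallenge()
	phished, _ := dev.Sign("https://portal-example.test", ch2) // constructed look-alike origin
	fmt.Println("phished login:", rp.Verify("member-1", phished))
}
```

The order of checks in `Verify` matters in one respect: the challenge is deleted only after every check passes, so a failed attempt does not burn a challenge the genuine client may still be about to use, while a successful one can never be presented a second time.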
Aetna Uses Up to 60 Behaviors to Authenticate Users During Online Sessions
In the second phase of the program, Aetna rolled out its next-generation authentication process: behavior-based security that authenticates users throughout their online sessions on the Aetna Mobile app. Aetna continuously reviews 30 to 60 different behaviors, such as location, time of access, thumbprint and keystroke style, to ensure that the user remains the same person throughout the session. Thus, for example, if an individual handed a phone to a friend, the app would recognize the new user and ask for another form of authentication.
Setting a New Standard for Security with FIDO
The FIDO standard supports the continuous input of behavioral data into the NGA risk engine. It took Aetna one to two weeks of app usage to set user baselines for behavior. Aetna is using the behavioral data solely to help protect users, feeding it into a risk engine and then ultimately discarding it. The risk engine is protected with six layers of security controls.
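The baseline-then-score loop that the two sections above describe, as an added example (written for this page; not Aetna's risk engine, whose 30 to 60 signals and six layers of controls are not described in detail here): the Go program below takes a constructed set of 14 enrollment sessions standing in for two weeks of normal use, keeps only per-feature mean and standard deviation (the raw sessions are not retained, mirroring the feed-in-then-discard approach), and scores each later session by how far its signals drift from that baseline. A score above a tuning threshold returns a step-up decision, which is the "phone handed to a friend" case; a third sample shows the trade-off that an owner travelling far from home also triggers step-up. The three feature names, all sample values and the threshold are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Session holds a few per-session behavioral signals. A production engine
// would track far more; these three are constructed for illustration.
type Session struct {
	KeystrokeIntervalMs float64 // mean gap between key presses
	HourOfDay           float64 // treated as a plain number here; a real engine would handle the midnight wrap-around
	DistanceFromHomeKm  float64
}

func (s Session) features() []float64 {
	return []float64{s.KeystrokeIntervalMs, s.HourOfDay, s.DistanceFromHomeKm}
}

// Baseline keeps only summary statistics; the raw enrollment sessions are discarded.
type Baseline struct {
	Mean []float64
	Std  []float64
	N    int
}

const minStd = 1e-3 // floor so a perfectly constant signal cannot cause a division by zero

// BuildBaseline learns per-feature mean and sample standard deviation from the enrollment sessions.
func BuildBaseline(enrol []Session) (Baseline, error) {
	if len(enrol) < 2 {
		return Baseline{}, errors.New("need at least two enrollment sessions")
	}
	n := float64(len(enrol))
	k := len(enrol[0].features())
	mean := make([]float64, k)
	std := make([]float64, k)
	for _, s := range enrol {
		for i, v := range s.features() {
			mean[i] += v
		}
	}
	for i := range mean {
		mean[i] /= n
	}
	for _, s := range enrol {
		for i, v := range s.features() {
			d := v - mean[i]
			std[i] += d * d
		}
	}
	for i := range std {
		std[i] = math.Max(math.Sqrt(std[i]/(n-1)), minStd)
	}
	return Baseline{Mean: mean, Std: std, N: len(enrol)}, nil
}

// Score sums the absolute z-scores of the session's features against the baseline,
// so one strongly anomalous signal is enough to push the score up.
func (b Baseline) Score(s Session) float64 {
	total := 0.0
	for i, v := range s.features() {
		total += math.Abs((v - b.Mean[i]) / b.Std[i])
	}
	return total
}

const (
	Allow  = "allow"
	StepUp = "step-up" // ask for another form of authentication
)

// Decide maps a score to an action; threshold is a tuning knob (a constructed value is used below).
func (b Baseline) Decide(s Session, threshold float64) string {
	if b.Score(s) > threshold {
		return StepUp
	}
	return Allow
}

// EnrollmentSessions returns 14 constructed sessions standing in for two weeks of normal use:
// evening logins near home with a fairly steady typing rhythm.
func EnrollmentSessions() []Session {
	var out []Session
	for i := 0; i < 14; i++ {
		out = append(out, Session{
			KeystrokeIntervalMs: 180 + float64(i%5)*4,
			HourOfDay:           20 + float64(i%3),
			DistanceFromHomeKm:  0.5 + float64(i%4)*0.5,
		})
	}
	return out
}

func main() {
	base, err := BuildBaseline(EnrollmentSessions())
	if err != nil {
		panic(err)
	}
	owner := Session{KeystrokeIntervalMs: 188, HourOfDay: 21, DistanceFromHomeKm: 1.0}
	friend := Session{KeystrokeIntervalMs: 320, HourOfDay: 21, DistanceFromHomeKm: 1.0} // phone handed to someone else
	travel := Session{KeystrokeIntervalMs: 188, HourOfDay: 21, DistanceFromHomeKm: 800} // the owner, but far from home
	for _, c := range []struct {
		name string
		s    Session
	}{{"owner", owner}, {"friend", friend}, {"travel", travel}} {
		fmt.Printf("%-6s score=%.2f decision=%s\n", c.name, base.Score(c.s), base.Decide(c.s, 3))
	}
}
```

The `travel` case is the reason such engines ask for another factor rather than blocking outright: a step-up on an unusual signal costs a genuine member a few seconds, whereas a hard deny on the same signal would lock out anyone whose routine changes.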
Aetna understands that user authentication can be part of the overall experience, simplifying engagement while sending a strong message to customers, partners, and employees that Aetna takes protecting their data seriously. Numerous analysts have stated that exceptional information risk management capabilities and practices (which include multi-factor authentication) can help differentiate a company in an era of constant hacks and data breaches.
“We have an opportunity to improve security, while also significantly improving the way Aetna joins consumers by eliminating the need to remember passwords,” said Routh.