Identity Platform for External Users
Security & Privacy
Avoid the brand impact of exposing private data by using employing multi-factor authentication where needed, enforcing per service identity source, security & authorization policies and building in privacy by design.
Identity Broker Engine
Legacy access management products are typically designed for Employee / Workflow IAM where sharing explicit attribute data sent to 3rd party applications is not an issue. But sharing customer data is different, especially now GDPR requirements are defined, and organisations need to ensure that internal, classified information can be sent in a meaningful way to applications outside their own control.
The Platform’s Identity Broker Engine functionality enables that the party sending the user information (i.e. bank or mobile network operator) to 3rd party federated applications to maintain have fine-grained control of the information. The sender can also pseudononymise the internal user attribute names and obfuscate the specific values to appropriate format per target application. For example, instead of sharing a specific credit score of custscore=500, the Identity Broker modifies the data based on custom rules to send a target application something like custtype=gold.
- Attributes can be gathered from various sources, including user database, CRM, 3rd party APIs
- Minimal attribute set supports user privacy – granular control over which attributes are sent to target applications
- Pseudonymisation of attribute names and values as needed
- Step-up authentication when needed
- Username+password: ID+pwd, Windows SSO, AD integration, SQL integration, LDAP
- OTP: OTP TAN list self-service print-out & SMS OTP, 3rd party tokens and mobile apps
- Mobile: Mobile Connect, SMS+URL, USSD, Swipe/Click OK (app), PIN+PKI (app), biometrics+PKI (app), TOTP (app)
- Mobile PKI: ETSI MSS Wireless PKI standard (native client)
- PKI: Smartcards, tokens, soft certificates
Multi-Factor Authentication (MFA)
An increasing number of access control use cases require multi-factor authentication (MFA) – some combination of what you know, what you have and what you are. The Ubisecure Identity Platform allows you define policies around an MFA requirement to allow, deny, or require step-up authentication for access to applications based on contextual data.
The Platform supports many universal authentication services via phone swipes, one-time passcodes, SMS, email, biometrics, PKI / digital certificates and hardware tokens to provide compliance and strong security with exceptional user experience.
Step-up Identity Sources
Security requirements should not negatively impact convenience by demanding complex processes. Lower level methods such as social identities can facilitate prospect capture and conversion, but when conducting transactions, stronger security is often required. The Ubisecure Identity Platform supports over 20 different Bring Your Own Identity (BYOID) authentication methods from social identity to government issued electronic ID cards.
The centralised authorization policy includes authentication rules that can be deployed individually to each application or resource. This allows for higher levels of security only when needed. Some use cases will take advantage of convenient authentication using the BYOID social identity sources and for transactions and services requiring stronger security you can selectively deploy step-up authentication using a verified BYOID source (like a Bank ID).
- Numerous methods to authenticate a user from social identities to verified, rich identities
- Social: support for Facebook, LinkedIn, Google+, Amazon, Yahoo, Mixi, VKontakte
- Business: support for Microsoft O365, Google Apps for Business, Salesforce, Active Directory
- Verified: support for Goverment eIDs, BankIDs, TUPAS, BankID Sweden, EID2 Sweden, NemID Denmark
- Open standards: support for any OpenID, OAuth based identities
- Step-up authentication source based on application needs
Password policy & recovery/reset
Passwords remain the predominant method for simple user authentication to online services. Service providers can offer convenient first time authentication through social media identities or strong identities, but where existing identities cannot be used, service providers still rely on passwords.
In most cases the end user will define the password. The Ubisecure Identity Platform allows you to define and enforce password policy when the password is being created, resulting in stronger and more secure password access control. Password policy for external users can be enforced from a central location for all connected applications.
The Platform also offers out-of-the-box support for password management, recovery/reset and verification.
Role Based Access Control / Attribute Based Access Control
Access control is a binary decision. Either the user has access, or not but how the decision is derived can be based on a multitude of factors. It can be as simple as a correct authentication method, or it can be a complex authorisation policy that evaluates the strength of the authentication method, time of the event, location, identity attributes, roles, operating system and the version, browser version etc… Role Based Access Control or Attribute Access Control can be one of the evaluation criteria when you build an authorisation policy for an application using the centralised authorisation policy management feature of the Ubisecure Identity Platform. The platform can then deliver the correct role(s) or attribute(s) to the target system.
If the target system has its own logic for evaluating access decisions, the Platform first properly authenticates the user and collects all the relevant information to be passed on to the target system for further decision making.
WebSSO and identity management standards enable quick integration and removes the risk of vendor lock-in. Ubisecure is committed in supporting and developing open standards and we are active in e.g. Kantara and MODRNA.
Supported protocols include SAML, OpenID Connect, OAuth, Mobile Connect, ADFS 2 & 3 (WS-Federation), TUPAS.
Privacy by Design
Trust is a basic building block of business, and privacy enhances trust. Customer Identity and Access Management is tool to create online services that follow the Privacy by Design principle. With the Ubisecure Identity Platform you can truly empower your customers and allow them to control the (identity) data, and more importantly consent to the usage of the information.
Privacy is also a good business practice. With the Platform you can tightly control the information delivered to target systems or applications. It will ensure that only the minimal viable data set will be sent both to your own applications and external federated systems out of your control.
Ubisecure solutions provide highly secure, highly available mission critical services to our customers. Identity Platform solutions can be deployed as on-premise IAM software or as cloud based managed services.