Transcript slides

Five Easy Steps to Tech Transfer
Using Knowledge Based Authentication in New Account Registration on KP.org
Tim McKay, Ph.D., CISSP, SOUPS 2010
What Kaiser Permanente Did
In 2008, KP.org began using Knowledge Based Authentication (KBA) as the main security control for the online establishment of new accounts on KP.org, a transactional consumer health portal with over 3 million accounts, which adds 60K to 80K new accounts each month. On the portal, users can view parts of their medical records and lab test results, securely email physicians, refill prescriptions and complete other sensitive transactions. Using KBA, accounts can be established and used within one Web session. The process, from exploration to full implementation, took approximately 18 months.
Step 1: Define a Problem
• What is the problem?
• Who thinks this is a problem?
• Who has money to solve the problem?
• What constraints are there to solving the problem?
• What new problems will be created by solving this problem?
Step 2: Propose a Solution
• So what do you know?
• So who do you know?
• So how can you know?
• So what will it cost?
• So who has to weigh in?
• So can you get approval?
Step 3: Complete a Purchase
• Invite
• Select
• Negotiate
• Interrogate
• Agree
• Comply
• Buy
Step 4: Make it Work
• Create requirements: happy and unhappy paths
  – Technical
  – User interface
• Run proof of concept: happy and unhappy paths
  – Technical
  – User interface
• Build/Test/Refine
• Prep the system: totality of workflow
• Launch
  – Soft
  – Progressive
  – Full
Step 5: Keep it Working
• Watch
• Talk
• Tweak
(repeat)