What is it about the human spirit that makes us fascinated with mobility? We don’t sit still very much anymore. We travel across the globe for an important meeting, even though the technology exists to telecommute. We vacation far from home to “get away from it all.”
With the rise of mobile people comes a desire to bring our technology with us. As manufacturers have generally reduced mobile device size and weight, and increased their speed and power, a shift towards a mobile-first approach to business is on.
Executives don’t want to carry laptops when they travel anymore – they want to access sensitive financial data from the tablet that their 16-year old was using to play games with last weekend. Product managers visiting customers are reviewing patent applications on their mobile phones in-between meetings. Doctors are accessing patient records from the golf course. Official Olympic records are entered from hand-held devices as soon as the snowboarder finally lands.
This should terrify anyone with even a modicum of concern for security or privacy.
The shift to enterprise mobility
Since the advent of the smartphone, the focus has been on enabling secure consumer interactions. Banks provide check depositing using a camera and an app. We can sell almost anything to almost anyone on the planet, and receive payment for it, all from a device that fits in one hand. The providers of these apps have had to address the mobile identity concerns to ensure secure transactions by authorized users.
But enterprises have been slow to “mobilize” the enterprise applications that their employees and contractors rely on.
That is partly because developing mobile apps for people internal to the business diverts resources away from servicing customers, which is understandably a higher priority. But many businesses have already produced their customer-facing app and are starting to turn their mobile developers inward. As they do so, there are risks to consider when extending access out to devices that can easily fall into the wrong hands. Mobile identity is vital to addressing those risks.
The pitfalls of mobile identity
Some of the challenges of mobile identity are shared with other platforms, such as malware that can allow an attacker to control a device or impersonate a user. But there are pitfalls specific to identity on mobile devices:
Theft - The biggest issue with mobile identity is knowing whether the user is who they say they are. This is a problem with any means of access, but is particularly problematic with a device that many have with them at all times – in secure and unsecure locations. It’s not just the credentials that can be stolen, but the entire device, which often has locally stored passwords.
Inconvenient access - Authentication methods for mobile devices that rely on passwords tend to discourage use, due to the inconvenience of typing on small glass screens. Users will abandon sessions if they are asked to re-authenticate over and over again.
Eavesdropping – Mobile devices by their nature have multiple communication methods and some are weaker than others. A quick web search will expose a wealth of information on mobile device surveillance by unauthorized parties. Bluetooth seems to be a favorite attack vector, but weaker encryption over wireless networks doesn’t help.
Excessive information – Mobile devices have become something like extensions of ourselves. With photos, GPS tracking, contact lists, social interactions, entertainment, and so on, an attacker has access to a gold mine of information about you if he can access your mobile device.
The opportunities of mobile identity
Though there are unique risks associated with identity and access from mobile devices, there are also opportunities that mobile devices bring to address identity concerns:
Bring your own Smart Card – Rather than issuing and managing smart cards for users, certificates can be maintained on SIM cards, with a PIN required for use. In effect, the phone itself is an identity tool, reducing the administrative burden of managing smart cards separately. This is already in use with online banking, and operators such as Swisscom have introduced products to use PKI-based mobile signature secure encryption technology stored on SIM cards.
Biometric hardware – Biometric authentication using fingerprint readers, facial recognition or voice recognition is made common with the hardware built-in to today’s mobile devices. While not completely foolproof, when used in conjunction with other factors, biometrics provide more certainty that you are who you say you are.
Location awareness – Mobile devices provide location-based services that are used to tailor content for consumers, such as weather, traffic, locating nearby services, and so on. Location is determined through a variety of means such as GPS, wireless tower localization or Wi-Fi availability. That information can be used from an identity perspective to trigger a requirement for step-up authentication. For example, if a user is trying to access sensitive information from outside an office or other known location, that user could be challenged to provide additional authentication by answering a pre-set question – ideally one that is not easily determined by searching the contents of the mobile device.
Mobile identity leads to multi-factor authentication
One approach to address the pitfalls and take advantage of the opportunities of mobile identity is to adopt multi-factor authentication (MFA). MFA requires the use of two or more independent authentication factors. Those factors are:
• Something only the user knows (such as a password, or answer to a question)
• Something only the user has (such as a smart card or a mobile device)
• Something only the user is (a biometric characteristic, such as a fingerprint)
The more factors that are used, the stronger the authentication. Independent factors are critical, though, because asking a user multiple questions would only use one of the factors. Mobile devices provide the platform to collect all three factors, even when the device is owned by the user. So mobile identity becomes financially attractive for enterprises to use for MFA for accessing mobile, cloud and enterprise applications or information.
The ultimate desire of business users is to access information from wherever they want with a minimum of hassle. So if MFA is required, it should be paired with single-sign on (SSO) technologies to reduce the friction of multiple authentication challenges. Mobile identity has the potential to satisfy both the convenience that users demand and the security that the organization needs.
While there are inherent challenges we face with any new disruptive technology, mobile identity presents the opportunity to improve the security of accessing sensitive corporate information. It’s inevitable that business users will demand mobile access; thoughtful delivery can result in reduced risk.