Mobile phones are becoming increasingly multi-purpose. Not so many years ago, a mobile phone was for making calls and sending text messages; the arrival of smartphones meant they could also be used to play games and browse the web; now we rely on them for almost everything – from navigating cities to making payments in shops.
So why not use them for security too? For years, banks have relied on hardware tokens to provide an extra layer of authentication for online banking. These supply one time passcodes that are required alongside a user name and password to complete a transaction. Many businesses also issue smartcards and key fobs that give employees access to buildings.
Smartphones today are capable of carrying out all these functions and more – plus they come with the added convenience of being always at hand. A survey by market research firm IDC back in 2008 found that a third of workers would choose their mobile phone over their wallet or keys if they had to leave the house for 24 hours and could take only one item.
The mobile phone is now so central to most people's work and personal lives that they simply can't get by without it. And it is for this reason that mobiles make such good security tokens, according to Mike Byrnes product manager at identity-based security ID company Entrust.
“I believe mobile strong authentication will become the leading type of authentication,” he said in an interview with Techworld. “Over the past 10 years we saw hardware tokens become the de facto standard for strong security. I believe mobile will be that hard token over the next ten years.”
Byrnes said that this evolution will be driven primarily by consumers, as part of the bring-your-own-device (BYOD) trend. This is because employees now expect to be able to do everything from one device. However, there are advantages for enterprises too.
“Enterprises have accepted that consumers are bringing their devices to work, and have let those devices on the network, but now they want to leverage those mobile devices to help improve business and to bring better security to the table,” he said.
Beyond hardware tokens
Byrnes said that while traditional hardware tokens that generate one-time passcodes of eight digits are effective security against password theft and some forms of security hacks, more advanced forms of criminal activity work, such as putting malware on users' computers, can defeat the purity of one-time passcodes.
Mobile phones provide what is known as a “second channel” – in other words it does not rely on the computer but is a totally independent communication channel. This means that, in the case of the user's computer being infected with malware, transaction details or authentication requests can be sent to their mobile device.
“Imagine you receive a notification on your mobile device, telling you that you are trying to log into the corporate HR system, but you are doing something else, so you know right away that something is going on,” said Byrnes.
“You would click decline because you know it’s not you trying to access that system. So you have just defeated an advanced malware attack because your mobile device was contacted in real time to try and confirm a login prior to it happening.”
In the banking world, mobile authentication also helps to protect against advanced man-in-the-browser attacks like Zeus, which have been used to successfully steal cash from corporate bank accounts.
For example, a corporate cash manager who is attempting to transfer £50,000 would receive a confirmation request on his device before the transaction is completed, checking that it was not fraudulent.
“Whatever the transaction context, that information is sent to your phone. When you click the OK button, your computer will then launch forward and the login will be complete,” said Byrnes.