Mobile phones are becoming increasingly multi-purpose. Not so many years ago, a mobile phone was for making calls and sending text messages; the arrival of smartphones meant they could also be used to play games and browse the web; now we rely on them for almost everything – from navigating cities to making payments in shops.
So why not use them for security too? For years, banks have relied on hardware tokens to provide an extra layer of authentication for online banking. These supply one time passcodes that are required alongside a user name and password to complete a transaction. Many businesses also issue smartcards and key fobs that give employees access to buildings.
Smartphones today are capable of carrying out all these functions and more – plus they come with the added convenience of being always at hand. A survey by market research firm IDC back in 2008 found that a third of workers would choose their mobile phone over their wallet or keys if they had to leave the house for 24 hours and could take only one item.
The mobile phone is now so central to most people's work and personal lives that they simply can't get by without it. And it is for this reason that mobiles make such good security tokens, according to Mike Byrnes, product manager at identity-based security company Entrust.
“I believe mobile strong authentication will become the leading type of authentication,” he said in an interview with Techworld. “Over the past 10 years we saw hardware tokens become the de facto standard for strong security. I believe mobile will be that hard token over the next ten years.”
Byrnes said that this evolution will be driven primarily by consumers, as part of the bring-your-own-device (BYOD) trend. This is because employees now expect to be able to do everything from one device. However, there are advantages for enterprises too.
“Enterprises have accepted that consumers are bringing their devices to work, and have let those devices on the network, but now they want to leverage those mobile devices to help improve business and to bring better security to the table,” he said.
Beyond hardware tokens
Byrnes said that while traditional hardware tokens generating eight-digit one-time passcodes are effective against password theft and some other attacks, more advanced criminal techniques, such as installing malware on the user's computer, can defeat one-time passcodes: the malware simply waits for the user to type a valid code and then uses it, or alters the transaction the code authorises.
Mobile phones provide what is known as a “second channel”: a communication path that does not pass through the user's computer at all. This means that, even if the user's computer is infected with malware, the transaction details or authentication request can be sent to the mobile device and confirmed there, where the malware cannot see or alter them. The protection holds only as long as the phone itself is independent of the compromised machine and is not compromised in turn.
“Imagine you receive a notification on your mobile device, telling you that you are trying to log into the corporate HR system, but you are doing something else, so you know right away that something is going on,” said Byrnes.
“You would click decline because you know it’s not you trying to access that system. So you have just defeated an advanced malware attack because your mobile device was contacted in real time to try and confirm a login prior to it happening.”
In the banking world, mobile authentication also helps to protect against advanced man-in-the-browser malware such as Zeus, which has been used to steal cash from corporate bank accounts by silently rewriting the payee or amount of a transfer inside the victim's browser.
For example, a corporate cash manager who is attempting to transfer £50,000 would receive a confirmation request on his device before the transaction is completed, checking that it was not fraudulent.
“Whatever the transaction context, that information is sent to your phone. When you click the OK button, your computer will then launch forward and the login will be complete,” said Byrnes.
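The flow described above, as an added example and not Entrust's code or protocol: the server pushes the full transaction context to the enrolled phone, the phone shows it on its own screen, and the user's verdict is MACed together with exactly those details under a per-device key provisioned at enrolment. The device id, the key store, the account numbers and the two-minute expiry are constructed for illustration. Because the approval is bound to the transaction the server actually received, a man-in-the-browser that rewrote the payee is exposed on the phone, and malware on the PC cannot fabricate or replay an approval without the device key.

```python
import hmac
import hashlib
import json
import secrets
import time

# Constructed enrolment record (hypothetical device id). The per-device key is
# provisioned onto the phone at enrolment and never touches the user's desktop.
DEVICE_KEYS = {"device-42": secrets.token_bytes(32)}


def canonical(obj) -> bytes:
    """Deterministic encoding so phone and server MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class Server:
    """Bank/enterprise side: issues a challenge carrying the full transaction
    context and accepts only an approval bound to that exact context."""

    def __init__(self, ttl_seconds: float = 120.0):
        self.ttl = ttl_seconds
        self.pending = {}  # nonce -> (device_id, challenge)

    def request_approval(self, device_id: str, tx: dict, now: float = None) -> dict:
        now = time.time() if now is None else now
        challenge = {"nonce": secrets.token_hex(16), "expires": now + self.ttl, "tx": tx}
        self.pending[challenge["nonce"]] = (device_id, challenge)
        return challenge  # delivered to the phone out of band (push), not via the PC

    def verify(self, nonce: str, decision: str, mac: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        entry = self.pending.pop(nonce, None)  # single use: a replayed nonce is gone
        if entry is None:
            return False
        device_id, challenge = entry
        if now > challenge["expires"]:
            return False
        # Recompute over the transaction the *server* stored, never over client-supplied data.
        msg = canonical({"nonce": nonce, "decision": decision, "tx": challenge["tx"]})
        expected = hmac.new(DEVICE_KEYS[device_id], msg, hashlib.sha256).hexdigest()
        return decision == "approve" and hmac.compare_digest(expected, mac)


class Phone:
    """Enrolled handset. Shows the received transaction on its own screen and
    signs the user's verdict together with those details."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self.key = key

    def respond(self, challenge: dict, user_accepts: bool):
        decision = "approve" if user_accepts else "decline"
        msg = canonical({"nonce": challenge["nonce"], "decision": decision, "tx": challenge["tx"]})
        return challenge["nonce"], decision, hmac.new(self.key, msg, hashlib.sha256).hexdigest()


def run_scenarios() -> dict:
    """Exercise the honest path and the three attacker paths the article alludes to."""
    server = Server()
    phone = Phone("device-42", DEVICE_KEYS["device-42"])
    intended = {"payee": "GB29NWBK60161331926819", "amount": "50000.00", "ccy": "GBP"}
    results = {}

    # 1. Honest transfer: the phone shows what the user typed and the user approves.
    ch = server.request_approval("device-42", intended)
    results["honest_approved"] = server.verify(*phone.respond(ch, user_accepts=True))

    # 2. Man-in-the-browser rewrote the payee before submission. The phone shows the
    #    details the bank actually received, the user sees a strange payee and declines.
    tampered = dict(intended, payee="GB94BARC10201530093459")
    ch = server.request_approval("device-42", tampered)
    results["mitb_declined"] = server.verify(*phone.respond(ch, user_accepts=False))

    # 3. Malware on the PC fabricates an approval itself; without the device key the MAC fails.
    ch = server.request_approval("device-42", tampered)
    forged_msg = canonical({"nonce": ch["nonce"], "decision": "approve", "tx": tampered})
    forged_mac = hmac.new(b"attacker-guess", forged_msg, hashlib.sha256).hexdigest()
    results["forged_rejected"] = not server.verify(ch["nonce"], "approve", forged_mac)

    # 4. A captured valid approval is replayed; the nonce was consumed the first time.
    ch = server.request_approval("device-42", intended)
    resp = phone.respond(ch, user_accepts=True)
    first_ok = server.verify(*resp)
    results["replay_rejected"] = first_ok and not server.verify(*resp)

    # 5. A stale approval presented after the challenge TTL is rejected.
    ch = server.request_approval("device-42", intended, now=1_000_000.0)
    resp = phone.respond(ch, user_accepts=True)
    results["expired_rejected"] = not server.verify(*resp, now=1_000_000.0 + 121.0)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

The point the scenarios make is that the approval is bound to the transaction context, not just to the session: the phone signs the payee and amount it displayed, and the server recomputes the MAC over the details it stored rather than over anything the PC sends back. As the article goes on to note, this only helps while the phone itself stays in the legitimate user's hands.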
Security vs usability
Of course, using a mobile device for authentication in this way relies on the device itself being well protected. If anyone can just pick up a phone and approve a transaction in the owner's name, then mobile authentication is not going to win the support of enterprises.
According to Byrnes, however, the risk of this happening is extremely small.
“The person would have to hack your computer account, steal your phone and also crack the four-digit PIN that is protecting the transaction verification application. Unless it’s an extremely targeted attack where that person knows you and has been following you and has the time and the money to track you down and grab your phone and steal your PIN, it’s very difficult,” said Byrnes.
“I’m not trying to defeat or say that it’s not a valid capability – there’s no silver bullet for pure protection. But if you PIN-protect the application you have an extra level of security.”
Byrnes said that organisations are increasingly looking to leverage biometrics, so that even if a phone is stolen, the thief will not be able to pass speech, fingerprint or facial recognition. As well as providing stronger security, biometrics also improve usability, because pressing a finger to a screen or taking a picture of one's face is easier than remembering a four-digit PIN.
He said that, while Entrust's mission is to bring strong security to the market, equally important is to make sure that security is easy to use for the end user.
“There’s a real balance there because if security is too challenging or too difficult or too frustrating, a company’s employees – or even worse a company’s customers – will revolt against the security that’s been implemented,” he said.
Entrust's IdentityGuard software authentication platform therefore supports over 15 different authentication approaches, ranging from hardware tokens to grid cards, so that customers have the flexibility to deploy the approach that suits their user community.
New mobile capabilities
The company is also experimenting with newer technologies present in mobile phones, such as geolocation, near field communication (NFC) and digital signatures, to find new methods of authentication. For example, if someone is trying to conduct a transaction in London, England, while their mobile device is in Ottawa, Canada, a red flag will be raised.
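One way to implement the London-versus-Ottawa check above, as an added example and not Entrust's implementation: compute the great-circle distance between where the transaction originates and where the enrolled phone reports itself, and raise a flag when the two are too far apart to be the same person. The coordinates, the 100 km threshold and the risk labels are assumptions chosen for illustration; a real deployment would tune the threshold and combine the signal with others.

```python
import math

EARTH_RADIUS_KM = 6371.0  # mean Earth radius; adequate for a risk signal

# Constructed sample coordinates (latitude, longitude) for the article's example.
LONDON = (51.5074, -0.1278)
OTTAWA = (45.4215, -75.6972)
READING = (51.4543, -0.9781)  # a nearby town, to show the non-alarming case


def haversine_km(a, b) -> float:
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def location_risk(tx_location, device_location, max_km: float = 100.0) -> dict:
    """Flag a transaction whose origin and the user's phone are implausibly far apart.

    max_km is an assumed threshold: anything beyond it cannot be the same person
    sitting at the computer while holding the phone.
    """
    distance = haversine_km(tx_location, device_location)
    return {
        "distance_km": round(distance, 1),
        "flag": distance > max_km,
        "action": "step_up_or_block" if distance > max_km else "allow",
    }


if __name__ == "__main__":
    print(location_risk(LONDON, OTTAWA))   # flagged: ~5,360 km apart
    print(location_risk(LONDON, READING))  # allowed: ~60 km apart
```

The device location comes from the phone over the second channel, so a man-in-the-browser on the PC cannot spoof it; the usual caveat is that the phone's own location report is only as trustworthy as the phone.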
Byrnes said that, as customers roll out mobile authentication to their employees and customers, they can tag on new features and capabilities. For example, a doctor visiting patients in a hospital could write a prescription on a computer, and then digitally sign that prescription using his mobile phone.
Similar use cases arise in the legal profession and law enforcement, where high levels of security are needed, and the technology will have an increasing role to play outside the enterprise.
“In ten years I will tap my mobile phone on my front door to get into my house, I’ll tap it to my car to start my car, I’ll tap it on my desk to login to my computer, and I’ll tap it to my friend's phone to pay him £20 because he bought me lunch two days ago,” said Byrnes.
All this is being enabled by the smartphone revolution. However, there is still a lot of work to do on standards before mobile identity authentication becomes ubiquitous. Organisations also need to accept the role of the mobile phone as a security device.
“People are realising that they need to move forward, as the security that we’ve been using for ten or more years is no longer really effective,” said Byrnes.
“Organisations need to get to the point where they are ready to move away from their legacy investment in technology and move forward to leverage these mobile devices.”