For the past few decades, two-factor authentication has been used by businesses to enforce entitlements to access sensitive corporate applications and data. It provides an extra layer of security beyond username-and-password authentication mechanisms, which are notoriously insecure and burdensome for users to remember. Now, as the use of mobile devices in the workplace increases, this method of authentication has important implications for mobile security measures.
Password Problems With Mobile Devices
Keeping credentials safe on mobile devices is essential for overall network security. According to the Verizon 2015 Data Breach Investigations Report, 95 percent of Web application attacks involve credentials stolen from user devices. As the use of mobile proliferates, these devices will increasingly be a target for malicious actors looking to break into enterprise networks.
Mobile's rise within the business world only contributes to the problem-because the mobile form factor is not ideally suited to typing, it adds another obstacle to password complexity. The keypads on mobile devices can be difficult to use, which makes it problematic to type in complex passwords. As a result, users are more apt to employ passwords that are simple to type and remember. This issue is compounded by the fact that mobile keypads are limited in size, forcing users to switch to another screen for characters beyond alphanumeric symbols. To make life simpler, users gravitate toward basic passwords that contain solely alphanumeric symbols.
Two-Factor Authentication for Protecting Credentials
The use of multifactor authentication goes a long way toward protecting mobile credentials. It also gets around some of the problems associated with passwords, such as the use of easy-to-guess passwords or excessive use of the same password. However, the ease of two-factor authentication is paramount-users do not want to be burdened with traditional forms of two-factor authentication, such as carrying around a separate hardware-based security token.
Luckily, this does not need to be the case with mobile devices, which can function as an additional factor of authentication themselves. The term "two-factor authentication" refers to the use of two forms of identification, generally something a user knows (such as a password) and something the user has (such as a mobile device). With mobile devices, one authentication alternative is to use soft security tokens. These can either reside on the device itself or be sent to users via a text message. Both of these alternatives are cheaper and easier to use than hardware token methods, making them a win-win for both the user and company.
Mobile Devices Drive Interest in Biometrics
Biometric identifiers are increasingly being used as another form of stronger authentication. In particular, newer smartphone models are delivered with built-in biometric sensors. Recent data from Acuity Market Intelligence states that "mobility is the driving force that will unleash the long-awaited biometric revolution." The source estimates that demand for mobile devices with built-in biometric sensors will grow to 4.8 billion devices by 2020. Some models are even beginning to support application-level fingerprint sensors.
The inclusion of biometric sensors makes authentication easier for users and makes the process more secure. Biometric identifiers are unique to individuals, and biometric details remain on the devices, rather than being stored remotely in databases that could be hacked.
Contextual Authentication as an Alternative
Another emerging method of multifactor authentication for mobile devices is contextual authentication. This bases authentication on factors such as the location of the device. Restrictions can be placed on access when the device is trying to view resources from an unsecured location, such as a hotel Wi-Fi network, and require additional forms of authentication, such as the use of a one-time password. This method provides higher levels of security for older smartphones or tablets that are not equipped with biometric sensors.
With security breaches in the news almost daily, every organization should do what it can to ensure its sensitive data is not lost or stolen. Because mobile devices are increasingly the work medium of choice for employees, the use of more convenient forms of two-factor authentication will go a long way toward ensuring sensitive data is safeguarded.
Category: RSA Fundamentals, Blog Post
Keywords: 2F Authentication, Biometrics, Contextual Authentication, Two Factor Authenitcation