Developing a successful mobile authentication strategy

Travis Greene, NetIQ

While the rise of mobile enterprise adoption and BYOD means more flexibility for employees and generally higher productivity for organisations and businesses, it also poses security challenges, in particular around identity and access management (IAM).

Escalating security threats and widely publicised data breaches have driven the adoption of IAM systems to unparalleled levels, particularly among large organisations. In line with this trend, IDC has projected that the identity and access management market will reach $6.9 billion by 2017.

In order to minimise data breaches, IT needs to ensure that the appropriate access control is in place. The best approach is to take what’s already working well and extend it to mobile devices, rather than try to create something completely new. This lets the organisation apply the policies and rules it already has on how employees can access information to control access from mobile devices as well.

Controls need to be extended to the mobile device, based on who the user is, and not what the device is. Building policies around devices will fail as there are simply too many devices to manage. Instead, control what the user has access to, regardless of where they connect from, while elevating authentication methods appropriately, and the risk of a breach is greatly reduced.

Why Single Sign On is key
In today’s environment where employees own several mobile devices, Single Sign On is key to giving users access to the information and services they need to do their job efficiently.

If an employee has to sign in multiple times from their smartphone for access to various business applications, not only does this become a real barrier to productivity, it might also encourage the employee to work around the security controls in place simply to make access easier, such as storing passwords on the device itself. So Single Sign On provides not only an improved user experience, but improved security too.

The best way to implement Single Sign On for mobile devices is to establish a service within the business to which the mobile device connects, in order to centralise the management of the access rights. The user simply authenticates with one password for access into a single app on their mobile device, which then presents all the business applications available, either in the business data centre or up in the cloud. It’s far safer than managing all the connections possible directly from the mobile device.

If the user accesses sensitive information, then additional steps or factors for authentication can be added, such as including a biometric factor if necessary.

If a device is lost or stolen and there aren’t centralised access controls, then an attacker could gain access to many systems before the security organisation has time to shut off access – even assuming they are able to do so. This is why it’s far safer to have a single, centrally managed access point regardless of the device, which can more easily be closed off in the event the device is lost.


What you need to know about mobile authentication systems
There are three important aspects that you need to be mindful of when using mobile authentication systems across the enterprise:

• Make access easy to manage for the security organisation. That way it can be easily monitored, and quickly revoked in the event of the device being compromised.

• Make it as easy as possible to access business applications from the mobile device. Single Sign On is especially powerful from a mobile device as it improves the usability of mobile platforms for the business user – which is a powerful enabler for faster business responsiveness.

• Ensure that your mobile authentication platform is flexible enough to match the needs of different users and the data they access. For example, some users may need only minimal authentication because they access only non-critical data. Others might need additional factors of authentication, including one-time passcodes, biometrics, etc., if they regularly need access to sensitive data and systems from a mobile platform.
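The three points above, together with the central access point described earlier, can be sketched as a small policy broker. This is an added example, not NetIQ code or anything from the article: the sensitivity tiers, factor names and app names are constructed assumptions. Entitlements are keyed on the user rather than the device, sensitive apps require step-up before access is granted, and one revocation closes every session the user holds.

```python
"""Added example (not NetIQ code): a minimal central access broker with
constructed tiers, factor names and sample data."""
from dataclasses import dataclass, field

# Assumed sensitivity tiers and the factors each one requires.
REQUIRED_FACTORS = {
    "public": {"password"},
    "internal": {"password"},
    "sensitive": {"password", "otp"},
    "restricted": {"password", "otp", "biometric"},
}

@dataclass
class Session:
    user: str
    factors_verified: set = field(default_factory=set)
    revoked: bool = False

@dataclass
class Broker:
    """Single point the mobile app authenticates to; downstream apps never
    see the device directly, so revoking here closes every app at once."""
    app_sensitivity: dict   # app name -> tier
    entitlements: dict      # user -> set of app names (user-based, not device-based)
    sessions: dict = field(default_factory=dict)

    def login(self, session_id, user, factor="password"):
        self.sessions[session_id] = Session(user, {factor})

    def step_up(self, session_id, factor):
        self.sessions[session_id].factors_verified.add(factor)

    def decide(self, session_id, app):
        """Return 'allow', 'deny' or 'step-up:<missing factors>' for one app."""
        s = self.sessions.get(session_id)
        if s is None or s.revoked:
            return "deny"
        if app not in self.entitlements.get(s.user, set()):
            return "deny"          # unknown or unentitled app: deny by default
        missing = REQUIRED_FACTORS[self.app_sensitivity[app]] - s.factors_verified
        if missing:
            return "step-up:" + ",".join(sorted(missing))
        return "allow"

    def revoke_user(self, user):
        """Lost or stolen device: one action ends every session for the user."""
        hit = [s for s in self.sessions.values() if s.user == user and not s.revoked]
        for s in hit:
            s.revoked = True
        return len(hit)
```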

How important is biometric authentication on mobile devices?
Security is always a balancing act between making it difficult for an attacker to get in, and making it simple enough for a user to do their job. Authentication is a perfect example of this – while some biometric methods may be very secure, they can be seen as barriers to access because they may require multiple attempts, be difficult to manage and deploy, and so on.

There is currently a lot of work going on in developing simpler biometric authentication methods above and beyond fingerprint, retina and iris scans, and so on. Gartner predicts that by 2016, 30 percent of organisations will use biometric authentication on mobile devices, up from five percent today.

What is perhaps more important is that the use of mobile technology actually makes it easier to deploy additional factors of authentication, such as out-of-band passwords. This means that, overall, mobile authentication methods should actually improve security for far more users and make accessing information from mobile devices at least as safe as other methods.

There is no one size fits all when it comes to which authentication method is the best for your organisation. It should be deployed depending on the users, the situation and the types of data being managed. More importantly, your chosen method(s) should be integrated and, as far as possible, managed centrally, otherwise your organisation runs the risk that incorrect decisions will be made, that policies will not be properly applied, and that the cost and expense of management becomes a barrier to deployment.


Travis Greene is the senior solution strategist, identity management at NetIQ
