Developing a successful mobile authentication strategy
- 07 October, 2014 09:46
While the rise of mobile enterprise adoption and BYOD means more flexibility for employees and generally higher productivity for organisations and businesses, it also poses security challenges, in particular around identity and access management (IAM).
Escalating security threats and widely publicised data breaches have driven the adoption of IAM systems to unparalleled levels, particularly among large organisations. In line with this trend, IDC has projected that the identity and access management market will reach $6.9 billion by 2017.
To minimise data breaches, IT needs to ensure that appropriate access control is in place. The best approach is to take what already works well and extend it to mobile devices, rather than try to build something completely new. That way the organisation can apply the existing policies and rules on how employees may access information to control access from mobile devices as well.
Controls need to be extended to the mobile device based on who the user is, not what the device is. Building policies around devices will fail because there are simply too many devices to manage. Instead, control what the user has access to regardless of where they connect from, stepping up the authentication method where the data warrants it, and the risk of a breach is greatly reduced.
Why Single Sign On is key
In today’s environment where employees own several mobile devices, Single Sign On is key to giving users access to the information and services they need to do their job efficiently.
If an employee has to sign in multiple times from their smartphone to access various business applications, not only does this become a real barrier to productivity, it may also encourage the employee to work around the security controls in place simply to make access easier, for example by storing passwords on the device itself. So Single Sign On provides not only an improved user experience, but improved security too.
The best way to implement Single Sign On for mobile devices is to establish a service within the business to which the mobile device connects, so that management of access rights is centralised. The user authenticates once, with one password, into a single app on their mobile device, which then presents all the business applications available, whether in the business data centre or in the cloud. This is far safer than managing every possible back-end connection directly from the mobile device.
If the user accesses sensitive information, additional authentication steps or factors can be required at that point (step-up authentication), such as a biometric factor where necessary.
If a device is lost or stolen and there are no centralised access controls, an attacker could gain access to many systems before the security organisation has time to shut off access – assuming it is able to do so at all. This is why it is far safer to have a single, centrally managed access point regardless of the device: one that can be closed off quickly if the device is lost.
What you need to know about mobile authentication systems
There are three important aspects that you need to be mindful of when using mobile authentication systems across the enterprise:
• Make access easy to manage for the security organisation. That way it can be easily monitored, and quickly revoked in the event of the device being compromised.
• Make it as easy as possible to access business applications from the mobile device. Single Sign On is especially powerful on a mobile device because it improves the usability of mobile platforms for the business user, which is a powerful enabler for faster business responsiveness.
• Ensure that your mobile authentication platform is flexible enough to match the needs of different users and the data they access. For example, some users may need only minimal authentication because they access only non-critical data. Others might need additional factors of authentication, including one-time passcodes, biometrics, etc. if they regularly need access to sensitive data and systems from a mobile platform.
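The three points above, together with the earlier description of a single app that fronts every business application, amount to a small policy engine: one sign-on, a per-application decision based on the sensitivity of the data, step-up for the sensitive ones, and a single place to cut a lost device off. The following is an added example written for this page, not code from the article or from NetIQ; the sensitivity tiers, factor labels, application catalogue, entitlements and the `Gateway` class are all constructed for illustration.

```python
"""Central mobile access gateway: one sign-on, per-application step-up
policy, and device-level revocation. Hypothetical example code."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Data sensitivity tiers and the factors each tier requires. The tier
# names and factor labels are constructed for this example.
POLICY = {
    "internal":   {"password"},
    "sensitive":  {"password", "otp"},
    "restricted": {"password", "otp", "biometric"},
}

# Constructed catalogue (app -> tier) and entitlements (user -> apps).
APPS = {"intranet": "internal", "expenses": "sensitive", "hr-records": "restricted"}
ENTITLEMENTS = {"alice": {"intranet", "expenses", "hr-records"}, "bob": {"intranet"}}


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 for the stored credential."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Session:
    user: str
    device_id: str
    factors: set = field(default_factory=set)   # factors proven so far
    revoked: bool = False


class Gateway:
    """The single, centrally managed access point every mobile app talks to."""

    def __init__(self, users: dict):
        self._users = users              # name -> (salt, pbkdf2 hash)
        self._sessions: dict[str, Session] = {}
        self._verifiers = {}             # factor label -> callable(user, proof) -> bool

    def register_verifier(self, factor: str, fn):
        self._verifiers[factor] = fn

    def sign_on(self, user: str, device_id: str, password: str):
        """Primary SSO: one password check yields one session token."""
        rec = self._users.get(user)
        if rec is None:
            hash_password(password, bytes(16))   # same cost for unknown users
            return None
        salt, stored = rec
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, device_id, {"password"})
        return token

    def step_up(self, token: str, factor: str, proof) -> bool:
        """Record an extra factor once its registered verifier accepts the proof."""
        s = self._sessions.get(token)
        if s is None or s.revoked or factor not in self._verifiers:
            return False
        if self._verifiers[factor](s.user, proof):
            s.factors.add(factor)
            return True
        return False

    def authorize(self, token: str, app: str):
        """'allow', 'deny', or ('step_up', missing factors) for one app."""
        s = self._sessions.get(token)
        if s is None or s.revoked or app not in ENTITLEMENTS.get(s.user, set()):
            return "deny"
        missing = POLICY[APPS[app]] - s.factors
        return "allow" if not missing else ("step_up", tuple(sorted(missing)))

    def revoke_device(self, device_id: str) -> int:
        """Lost or stolen device: one call closes every session it holds."""
        hit = [s for s in self._sessions.values() if s.device_id == device_id and not s.revoked]
        for s in hit:
            s.revoked = True
        return len(hit)


def demo():
    salt = os.urandom(16)
    gw = Gateway({"alice": (salt, hash_password("correct horse", salt))})
    # Constructed OTP verifier; a real one would check a TOTP or push result.
    gw.register_verifier("otp", lambda user, proof: hmac.compare_digest(proof, "123456"))
    assert gw.sign_on("alice", "phone-1", "wrong") is None
    tok = gw.sign_on("alice", "phone-1", "correct horse")
    out = [gw.authorize(tok, "intranet")]         # allow: password is enough
    out.append(gw.authorize(tok, "expenses"))     # step-up: otp required
    gw.step_up(tok, "otp", "123456")
    out.append(gw.authorize(tok, "expenses"))     # allow
    out.append(gw.authorize(tok, "hr-records"))   # step-up: biometric still missing
    gw.revoke_device("phone-1")                   # device reported lost
    out.append(gw.authorize(tok, "intranet"))     # deny: all sessions closed
    return out


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The decision is made per application, never per device: the same token is allowed into the intranet, told which factor it still lacks for the expenses system, and shut out of everything the moment the device is revoked. Because every app goes through `authorize`, the security organisation has one place to watch and one call to make when a phone goes missing.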
How important is biometric authentication on mobile devices?
Security is always a balancing act between making it difficult for an attacker to get in and making it simple enough for a user to do their job. Authentication is a perfect example: while some biometric methods may be very secure, they can be seen as barriers to access because they may require multiple attempts, can be difficult to manage and deploy, and so on.
There is currently a lot of work going on to develop simpler biometric authentication methods beyond fingerprint, retina and iris scans. Gartner predicts that by 2016, 30 percent of organisations will use biometric authentication on mobile devices, up from five percent today.
What is perhaps more important is that mobile technology actually makes it easier to deploy additional factors of authentication, such as out-of-band one-time passwords. This means that, overall, mobile authentication methods should improve security for far more users and make accessing information from mobile devices at least as safe as other methods.
There is no one-size-fits-all answer to which authentication method is best for your organisation. It should be chosen according to the users, the situation and the types of data being managed. More importantly, your chosen method(s) should be integrated and, as far as possible, managed centrally; otherwise your organisation runs the risk that incorrect decisions will be made, that policies will not be properly applied, and that the cost of management becomes a barrier to deployment.
Travis Greene is the senior solution strategist, identity management at NetIQ