Q&A: User Authentication Challenges, Best Practices, and the Future
Mobile computing is challenging security administrators in new ways. Usernames and passwords are no longer enough to protect your data. We explore the benefits and costs of more advanced end-user authentication for both mobile and desktop devices with Terry Hartmann, vice president for security portfolio and mobility solutions at Unisys. Terry has 30 years of experience in the IT industry and is an internationally recognized authority in the identification and biometrics industry. At Unisys, Terry is responsible for the company's people identity, location/perimeter/surveillance, law enforcement, and integrated courts/justice programs.
Enterprise Strategies: What does end-user authentication encompass and why is it so important as a component of an organization's mobility solution.
Terry Hartmann: User authentication verifies that the person accessing a service is actually the person who originally enrolled and is entitled to use that service. In the context of a mobility application, you are determining whether the person who is using that application is the same person who has registered for it and been granted rights to use it.
Typically, authentication is done with a user name and password, but that's no longer enough. Passwords are very easily compromised and they are difficult to remember. We need to move beyond passwords to have greater assurance about the authentication.
User authentication is also important for preventing fraud and verifying the right person is using an application in a trusted environment. It's not about identifying a person's mobile device type -- the device is irrelevant. Rather, the issue is whether the person is authorized to do what they are doing.
Does the explosion that we are seeing in the use of mobile devices create a greater need for this kind of activity?
It just creates a slightly different version of the same problem. When everyone had desktops and traveled to the office for work, they had to show a badge and unlock a door to get to their desks where their endpoint devices were. Getting into the building to your desk was a form of authentication.
Now if you take that away, it creates a broader problem. A person could be anywhere at any time -- employees are no longer sitting at their desks 9:00 to 5:00 in a secure building. The question becomes: do mobile devices allow you to do other things to replace physical authentication? For example, you can identify a particular device via the unique "serial number" and make sure it is registered to access your network. Another option is to use the GPS location functionality in the device to determine the country from which that device is accessing your applications.
It's a form of security that's again verifying entitlement, verifying that the person who is doing this has the authorization to be doing it, and that their identifying information has not been compromised.
What's the best way for organizations to authenticate the identity of a mobile user? Does this vary by type of device?
The best way is to have multiple channels of verification. One could be that the device's ID is registered to the network. Another can be to have a user ID and password in addition to an external token that comes up with a "one-time password" number that you key in. You can also have biometrics, such as face photo or voice recognition, for identifying mobile device users.
Biometrics most specifically identifies the person using the device and can confirm that it's not just somebody else in the same area. If someone knows your user ID and has possession of your external token for example, they can log on. There's no absolute verification that it's the same person.
The other option is a shared secret; something that only you know and you can type in -- for example, the make and model of your first car. However, this can still be compromised, so it's best to have multiple channels of authentication.
Does this vary by type of device? It can vary by the device operating system. For example, you might choose to allow Apple devices into your network and not other devices. Authentication typically won't vary across tablets versus smartphones, but it will vary across say tablet and smartphone versus laptop because your VPN access could be different between those two means. Additionally, there might be a GPS built into a smartphone or a tablet that you wouldn't have built into a laptop. You might have a USB port on a laptop that you are relying on for your verification method, but without a USB port, you can't use that same method on a mobile device.
What's required by these solutions? For example, does an agent have to run on the mobile device or is everything handled at the network security level?
It depends on the implementation and the mobile device management (MDM) system. If you have a MDM system that stores or relies on authentication via the device and the ability for data to be on the device, then you would run an agent on the device. If it's a cloud-based MDM solution, then everything can be handled at a network security level.
I think either of those methods can be used depending on your environment. It depends on whether your MDM implementation is cloud-based or if it relies on putting data on the device.
Are these types of solutions in wide use today?
The use of passwords to authenticate someone's identity is the most widely used user authentication method today. I would also say tokens, such as an RSA token or a smartcard token, are prevalent, but when you get to a third level around the adoption and use of biometrics or GPS, then that's very much in its infancy. The technologies exist now in the devices to capture a facial image or a voice, but it's tough getting people to start using that. Usually, it takes some large-scale early adopters such as banks to create the momentum. Wide-scale use can also result when biometrics capabilities are built into the devices themselves.
Remember, taking photos via phone wasn't ubiquitous 10 years ago, but it is today, so if a device was built into a phone -- if Apple suddenly put a fingerprint device into an iPhone for user authentication purposes -- it could become ubiquitous very quickly.
What are the challenges related to implementing these solutions? What best practices can you recommend to overcome these challenges?
In terms of biometrics, the challenges become multiple operating systems requiring different apps to be developed for Android vs. Apple vs. BlackBerry.
Guarding against spoofing is another issue -- for instance, making sure that a facial image or voice isn't a video or a voice-recording playback. Implementing these solutions cost-effectively also remains challenging.
It's important to pilot and test the technologies you are using with a small group of users. It's also important to implement layered security so you don't have vulnerabilities or you're not single-point sensitive on the authentication.
With regard to cost, you have to accept that there is a price to doing these things and there is a price to the risk of not doing them. The risk of security being compromised can be high in terms of data theft or personal data falling into the hands of people who shouldn't have it.
All of that has a cost to your organization. You need to be aware and look at those costs when you are creating your security strategy; it's crucial to your business case.
You also have to understand that if you have a token-based solution, you have to buy those tokens and you have to periodically update them. However, if you make use of mobile devices via the features that are built into the devices (microphone, camera, GPS, etc.), that cost goes away. You have to treat that cost as a true offset when you are implementing the solutions that use more sophisticated devices.
What about securing mobile devices to run a cloud implementation or cloud applications? Can this be effectively managed?
Cloud implementations are no different. Whether your application is within your VPN or you are running it as a cloud application, you still have the same access and identification issues. This raises the question: who is running the cloud. Are you running it in your organization, is the cloud outsourced, and what's the security of the applications in the cloud?
How do you see this technology evolving over the next year or two?
I see the use of biometrics and the use of stronger authentication improving in the next year or two. It's certainly going to become more widespread, and devices will move to facilitating it as well. You are going to start to see things that are built in or easily added onto devices such as iPhones and iPads.
We are already starting to see some of these where you will have a sleeve or a shell that you can attach to your phone for identity authentication. For example, at the Apple Store, they've attached a credit card reader to an iPhone and you are making your purchase through that credit card reader. The same thing is happening with biometrics, where you can attach a shell to your device and capture a fingerprint or an iris pattern. Voice and face are already built into the smartphone, and we might see that adopted a little bit more as well.
In the next couple of years, we will see add-on devices to facilitate authentication, and apps that capture biometrics will become more widely available and recognized. Banks are starting to use them more, and that will drive mainstream adoption. I think that those kinds of solutions will start to replace tokens because people are moving around with their phones all the time and may forget their token. Then, when you are out and about and you want to do that bank transfer, you get a little bit annoyed.
What solutions or services does Unisys offer to help its clients address the challenge of authenticating mobile users?
Unisys provides Mobile User Authentication Services to help our clients protect their business-critical resources by authenticating users' identities. This is based on multiple factors, such as passwords, location, or biometrics, which leverage inbuilt mobile device cameras and microphones. Based on these and other factors, mobile users can be granted or denied access to Web portals, corporate applications, or physical checkpoints. The organization can require different authentication methods for different people depending on user roles, usage patterns, and the type of transaction they are undertaking. We offer this as part of a comprehensive set of application development and maintenance services for mobile devices across multiple platforms.
James E. Powell is the former editorial director of Enterprise Strategies (esj.com).