Endpoint
5/6/2014
12:00 PM
Patrick Harding
Patrick Harding
Commentary
Connect Directly
Twitter
Google+
LinkedIn
RSS
E-Mail
50%
50%

NextGen Authentication: There's A Really Smart Phone In Your Future

The mobile device is the latest platform to reinvent access controls, and it's putting enterprise IT back in the driver's seat of security and data protection.

The mobile device is reinventing the computing platform, much the same way the laptop untethered end-users who then left their desktop computer in the dust bin. Devices are now doing a similar flip-flop with laptops while introducing a range of new options for security and application deployment and use. These include new authentication techniques and controls for centralized access that reside right on the device.

These developments are coming along as enterprises are losing their grip in the explosion of devices, many of which end-users own and IT does not control. This year alone, Gartner predicts the shipment of 1.8 billion mobile phones and more than 260 million ultramobile tablets. Next year, those numbers will rise to nearly 2 billion phones and 324 million ultra-mobiles.

Access control improvements are lining up behind these devices, including multifactor authentication, mobile-only authentication architectures and ultimately an Internet of Things component. These improvements hold the promise of restoring IT control to computing concepts enterprises care about most - namely security and data protection.

Three buckets: know, have, are
According to the old cliche, authentication mechanisms can be categorized into one of three buckets -- something you know, something you have, or something you are. "Know' refers to some remembered secret, "are" some biometric characteristic or pattern of the user, and "have" refers to some physical object, the demonstrated possession of which serves as proof of identity. 

Historically, in practice the "have" category has meant "something 'extra' you have," i.e., something tailor made for authentication that the user wouldn’t otherwise have in their possession, such as hardware tokens or smart cards. But these factors place a burden on users -- a "something you have" is of little value for authentication if the user doesn’t actually have it with them.

Far better for authentication is "something you 'already' have," i.e., a mobile phone that provides the user with value in its own right and is secondarily an authentication factor (at least from the user’s PoV). We don’t need to remind users to bring their phones with them as they leave the house -- for most of us that would be as unthinkable as leaving the house undressed. It’s through our phones that we access email, business applications, social media, games, news, etc . It’s precisely that phones are so useful that makes them a great "have" factor -- the attachment that user’s feel for their device ensures they will be carried (and available for authentication purposes).

Networking, on board storage
The phone as a networked computer with on-board storage is what makes it useful for authentication. Different mobile-based authentication schemes leverage different combinations of the above features. SMS systems (where a code is sent via SMS) leverage the connectivity, time-based OTP systems like Google Authenticator use the ability to run native applications in the OS; push systems such as accells technologies, (a Ping Identity acquisition I recently helped orchestrate), and solutions from other vendors including Duo Security and Authy, take advantage of the connectivity and native apps; and emerging standards like Fast Identity Online (FIDO) take advantage of all three (plus more and more phone-based biometrics). 

Each authentication model offers different trade offs between usability, cost and security and, to a certain extent, mitigates different threats. A next generation authentication platform will need to be smart enough to choose between the different mechanisms based on current context, past history, and the resource being accessed.

Regardless of their specific characteristics, all of the above authentication models assume a ‘login’ event, in which the user performs some explicit operation via the phone in order to authenticate. But the phone, given its tight binding to the user, has the potential to be a rich source of context that can either supplement or replace such explicit logins.

For instance, the phone's geolocation is an excellent proxy for the user's location, and by comparing current values to the previously recorded pattern, could identify risk flags ("why is he in Nigeria when his calendar says he has meetings all day?" or "she never drives this fast" etc). Of course, there are privacy concerns with this sort of passive ‘monitoring’ -- user opt-in, as enabled by OAuth and OpenID Connect, will be critical.

Mobile phones might not be the only authentication device users carry. Today, more and more people have fitness trackers and smart watches on their wrists, or Google Glass on their brows. All these things share many of the characteristics that make phones so useful for authentication. A colleague of mine at Ping recently demonstrated how, by flicking sleep mode on/off when prompted, a JawBone UP wristband can be used as a second factor.

Is bring-your-own-wearable the next opportunity (and challenge) for enterprise IT? Consider how much more likely will be the scenario of passive contextual authentication described above when the context of multiple "some 'things' we have" can be aggregated together.

Patrick Harding is responsible for the Ping Identity product and technology strategy. He brings more than 20 years of software development, networking infrastructure, and information security to the role, which includes oversight of the Office of the CTO and Ping Labs. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
5/7/2014 | 12:00:46 PM
Too good to be true?
I, for one, welcome this vision of the future. But realistically, Patrick, when do you think nextgen authentication will be part of our daily lives? Are we talking one year? three years? five years? What does your chrystal ball tell you...
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
DNS Threats: What Every Enterprise Should Know
Domain Name System exploits could put your data at risk. Here's some advice on how to avoid them.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.