Endpoint
5/6/2014
12:00 PM
Patrick Harding
Patrick Harding
Commentary
Connect Directly
Twitter
Google+
LinkedIn
RSS
E-Mail
50%
50%

NextGen Authentication: There's A Really Smart Phone In Your Future

The mobile device is the latest platform to reinvent access controls, and it's putting enterprise IT back in the driver's seat of security and data protection.

The mobile device is reinventing the computing platform, much the same way the laptop untethered end-users who then left their desktop computer in the dust bin. Devices are now doing a similar flip-flop with laptops while introducing a range of new options for security and application deployment and use. These include new authentication techniques and controls for centralized access that reside right on the device.

These developments are coming along as enterprises are losing their grip in the explosion of devices, many of which end-users own and IT does not control. This year alone, Gartner predicts the shipment of 1.8 billion mobile phones and more than 260 million ultramobile tablets. Next year, those numbers will rise to nearly 2 billion phones and 324 million ultra-mobiles.

Access control improvements are lining up behind these devices, including multifactor authentication, mobile-only authentication architectures and ultimately an Internet of Things component. These improvements hold the promise of restoring IT control to computing concepts enterprises care about most - namely security and data protection.

Three buckets: know, have, are
According to the old cliche, authentication mechanisms can be categorized into one of three buckets -- something you know, something you have, or something you are. "Know' refers to some remembered secret, "are" some biometric characteristic or pattern of the user, and "have" refers to some physical object, the demonstrated possession of which serves as proof of identity. 

Historically, in practice the "have" category has meant "something 'extra' you have," i.e., something tailor made for authentication that the user wouldn’t otherwise have in their possession, such as hardware tokens or smart cards. But these factors place a burden on users -- a "something you have" is of little value for authentication if the user doesn’t actually have it with them.

Far better for authentication is "something you 'already' have," i.e., a mobile phone that provides the user with value in its own right and is secondarily an authentication factor (at least from the user’s PoV). We don’t need to remind users to bring their phones with them as they leave the house -- for most of us that would be as unthinkable as leaving the house undressed. It’s through our phones that we access email, business applications, social media, games, news, etc . It’s precisely that phones are so useful that makes them a great "have" factor -- the attachment that user’s feel for their device ensures they will be carried (and available for authentication purposes).

Networking, on board storage
The phone as a networked computer with on-board storage is what makes it useful for authentication. Different mobile-based authentication schemes leverage different combinations of the above features. SMS systems (where a code is sent via SMS) leverage the connectivity, time-based OTP systems like Google Authenticator use the ability to run native applications in the OS; push systems such as accells technologies, (a Ping Identity acquisition I recently helped orchestrate), and solutions from other vendors including Duo Security and Authy, take advantage of the connectivity and native apps; and emerging standards like Fast Identity Online (FIDO) take advantage of all three (plus more and more phone-based biometrics). 

Each authentication model offers different trade offs between usability, cost and security and, to a certain extent, mitigates different threats. A next generation authentication platform will need to be smart enough to choose between the different mechanisms based on current context, past history, and the resource being accessed.

Regardless of their specific characteristics, all of the above authentication models assume a ‘login’ event, in which the user performs some explicit operation via the phone in order to authenticate. But the phone, given its tight binding to the user, has the potential to be a rich source of context that can either supplement or replace such explicit logins.

For instance, the phone's geolocation is an excellent proxy for the user's location, and by comparing current values to the previously recorded pattern, could identify risk flags ("why is he in Nigeria when his calendar says he has meetings all day?" or "she never drives this fast" etc). Of course, there are privacy concerns with this sort of passive ‘monitoring’ -- user opt-in, as enabled by OAuth and OpenID Connect, will be critical.

Mobile phones might not be the only authentication device users carry. Today, more and more people have fitness trackers and smart watches on their wrists, or Google Glass on their brows. All these things share many of the characteristics that make phones so useful for authentication. A colleague of mine at Ping recently demonstrated how, by flicking sleep mode on/off when prompted, a JawBone UP wristband can be used as a second factor.

Is bring-your-own-wearable the next opportunity (and challenge) for enterprise IT? Consider how much more likely will be the scenario of passive contextual authentication described above when the context of multiple "some 'things' we have" can be aggregated together.

Patrick Harding is responsible for the Ping Identity product and technology strategy. He brings more than 20 years of software development, networking infrastructure, and information security to the role, which includes oversight of the Office of the CTO and Ping Labs. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
5/7/2014 | 12:00:46 PM
Too good to be true?
I, for one, welcome this vision of the future. But realistically, Patrick, when do you think nextgen authentication will be part of our daily lives? Are we talking one year? three years? five years? What does your chrystal ball tell you...
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: nice post
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1750
Published: 2015-07-01
Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as cross-sit...

CVE-2014-1836
Published: 2015-07-01
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.

CVE-2015-0848
Published: 2015-07-01
Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image.

CVE-2015-1330
Published: 2015-07-01
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vecto...

CVE-2015-1950
Published: 2015-07-01
IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report