12:00 PM
Patrick Harding
Patrick Harding
Connect Directly
E-Mail vvv

NextGen Authentication: There's A Really Smart Phone In Your Future

The mobile device is the latest platform to reinvent access controls, and it's putting enterprise IT back in the driver's seat of security and data protection.

The mobile device is reinventing the computing platform, much the same way the laptop untethered end-users who then left their desktop computer in the dust bin. Devices are now doing a similar flip-flop with laptops while introducing a range of new options for security and application deployment and use. These include new authentication techniques and controls for centralized access that reside right on the device.

These developments are coming along as enterprises are losing their grip in the explosion of devices, many of which end-users own and IT does not control. This year alone, Gartner predicts the shipment of 1.8 billion mobile phones and more than 260 million ultramobile tablets. Next year, those numbers will rise to nearly 2 billion phones and 324 million ultra-mobiles.

Access control improvements are lining up behind these devices, including multifactor authentication, mobile-only authentication architectures and ultimately an Internet of Things component. These improvements hold the promise of restoring IT control to computing concepts enterprises care about most - namely security and data protection.

Three buckets: know, have, are
According to the old cliche, authentication mechanisms can be categorized into one of three buckets -- something you know, something you have, or something you are. "Know' refers to some remembered secret, "are" some biometric characteristic or pattern of the user, and "have" refers to some physical object, the demonstrated possession of which serves as proof of identity. 

Historically, in practice the "have" category has meant "something 'extra' you have," i.e., something tailor made for authentication that the user wouldn’t otherwise have in their possession, such as hardware tokens or smart cards. But these factors place a burden on users -- a "something you have" is of little value for authentication if the user doesn’t actually have it with them.

Far better for authentication is "something you 'already' have," i.e., a mobile phone that provides the user with value in its own right and is secondarily an authentication factor (at least from the user’s PoV). We don’t need to remind users to bring their phones with them as they leave the house -- for most of us that would be as unthinkable as leaving the house undressed. It’s through our phones that we access email, business applications, social media, games, news, etc . It’s precisely that phones are so useful that makes them a great "have" factor -- the attachment that user’s feel for their device ensures they will be carried (and available for authentication purposes).

Networking, on board storage
The phone as a networked computer with on-board storage is what makes it useful for authentication. Different mobile-based authentication schemes leverage different combinations of the above features. SMS systems (where a code is sent via SMS) leverage the connectivity, time-based OTP systems like Google Authenticator use the ability to run native applications in the OS; push systems such as accells technologies, (a Ping Identity acquisition I recently helped orchestrate), and solutions from other vendors including Duo Security and Authy, take advantage of the connectivity and native apps; and emerging standards like Fast Identity Online (FIDO) take advantage of all three (plus more and more phone-based biometrics). 

Each authentication model offers different trade offs between usability, cost and security and, to a certain extent, mitigates different threats. A next generation authentication platform will need to be smart enough to choose between the different mechanisms based on current context, past history, and the resource being accessed.

Regardless of their specific characteristics, all of the above authentication models assume a ‘login’ event, in which the user performs some explicit operation via the phone in order to authenticate. But the phone, given its tight binding to the user, has the potential to be a rich source of context that can either supplement or replace such explicit logins.

For instance, the phone's geolocation is an excellent proxy for the user's location, and by comparing current values to the previously recorded pattern, could identify risk flags ("why is he in Nigeria when his calendar says he has meetings all day?" or "she never drives this fast" etc). Of course, there are privacy concerns with this sort of passive ‘monitoring’ -- user opt-in, as enabled by OAuth and OpenID Connect, will be critical.

Mobile phones might not be the only authentication device users carry. Today, more and more people have fitness trackers and smart watches on their wrists, or Google Glass on their brows. All these things share many of the characteristics that make phones so useful for authentication. A colleague of mine at Ping recently demonstrated how, by flicking sleep mode on/off when prompted, a JawBone UP wristband can be used as a second factor.

Is bring-your-own-wearable the next opportunity (and challenge) for enterprise IT? Consider how much more likely will be the scenario of passive contextual authentication described above when the context of multiple "some 'things' we have" can be aggregated together.

Patrick Harding is responsible for the Ping Identity product and technology strategy. He brings more than 20 years of software development, networking infrastructure, and information security to the role, which includes oversight of the Office of the CTO and Ping Labs. View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
5/7/2014 | 12:00:46 PM
Too good to be true?
I, for one, welcome this vision of the future. But realistically, Patrick, when do you think nextgen authentication will be part of our daily lives? Are we talking one year? three years? five years? What does your chrystal ball tell you...
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: just wondering...Thanx
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.