The mobile device is reinventing the computing platform, much as the laptop untethered end-users, who then left their desktop computers in the dustbin. Devices are now doing a similar flip-flop with laptops while introducing a range of new options for security and for how applications are deployed and used. These include new authentication techniques and controls for centralized access that reside right on the device.
These developments are arriving as enterprises lose their grip amid the explosion of devices, many of which end-users own and IT does not control. This year alone, Gartner predicts the shipment of 1.8 billion mobile phones and more than 260 million ultramobile tablets. Next year, those numbers will rise to nearly 2 billion phones and 324 million ultramobiles.
Access control improvements are lining up behind these devices, including multifactor authentication, mobile-only authentication architectures and, ultimately, an Internet of Things component. These improvements hold the promise of restoring IT control over the computing concerns enterprises care about most -- namely security and data protection.
Three buckets: know, have, are
According to the old cliché, authentication mechanisms can be categorized into one of three buckets -- something you know, something you have, or something you are. "Know" refers to some remembered secret, "are" to some biometric characteristic or pattern of the user, and "have" to some physical object, the demonstrated possession of which serves as proof of identity.
Historically, in practice the "have" category has meant "something 'extra' you have," i.e., something tailor-made for authentication that the user would not otherwise carry, such as a hardware token or smart card. But these factors place a burden on users -- a "something you have" is of little value for authentication if the user doesn't actually have it with them.
Far better for authentication is "something you 'already' have," i.e., a mobile phone that provides the user with value in its own right and is only secondarily an authentication factor (at least from the user's point of view). We don't need to remind users to bring their phones with them as they leave the house -- for most of us that would be as unthinkable as leaving the house undressed. It's through our phones that we access email, business applications, social media, games, news, etc. It's precisely because phones are so useful that they make a great "have" factor -- the attachment users feel for their device ensures it will be carried (and available for authentication purposes).
Networking, on-board storage
The phone is a networked computer with on-board storage that can run native applications, and it is this combination that makes it useful for authentication. Different mobile-based authentication schemes leverage different combinations of these features: SMS systems (where a code is sent via SMS) leverage the connectivity; time-based OTP systems like Google Authenticator use the ability to run native applications in the OS; push systems such as Accells Technologies (a Ping Identity acquisition I recently helped orchestrate) and solutions from other vendors, including Duo Security and Authy, take advantage of connectivity and native apps; and emerging standards like Fast Identity Online (FIDO) take advantage of all three (plus more and more phone-based biometrics).
Each authentication model offers different trade-offs between usability, cost and security and, to a certain extent, mitigates different threats. A next-generation authentication platform will need to be smart enough to choose between the different mechanisms based on current context, past history, and the resource being accessed.
Regardless of their specific characteristics, all of the above authentication models assume a ‘login’ event, in which the user performs some explicit operation via the phone in order to authenticate. But the phone, given its tight binding to the user, has the potential to be a rich source of context that can either supplement or replace such explicit logins.
For instance, the phone's geolocation is an excellent proxy for the user's location, and comparing current values against the previously recorded pattern could raise risk flags ("why is he in Nigeria when his calendar says he has meetings all day?" or "she never drives this fast", etc.). Of course, there are privacy concerns with this sort of passive 'monitoring' -- user opt-in, as enabled by OAuth and OpenID Connect, will be critical.
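The "she never drives this fast" check above can be written down as a small risk rule. The following is an added illustration, not code from the article or from Ping Identity: it keeps a per-user history of geolocated sign-ins, computes the speed implied by the latest one, and answers "allow", "step_up" (fall back to an explicit login) or "block". The coordinates, timestamps, the 900 km/h airliner ceiling and the 1.5x-over-baseline tolerance are all constructed for the example.

```python
import math
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class LoginEvent:
    """One geolocated sign-in reported by the user's phone (constructed data)."""
    user: str
    unix_time: int   # seconds
    lat: float       # degrees
    lon: float       # degrees


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = math.radians(lat2 - lat1)
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def implied_speed_kmh(prev: LoginEvent, cur: LoginEvent) -> float:
    """Speed the user would have needed to get from `prev` to `cur`.
    A non-positive time gap is treated as infinite speed (same instant,
    different place: impossible travel)."""
    hours = (cur.unix_time - prev.unix_time) / 3600.0
    if hours <= 0:
        return math.inf
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours


def assess_login(history: List[LoginEvent], cur: LoginEvent,
                 airliner_kmh: float = 900.0, ratio: float = 1.5,
                 floor_kmh: float = 20.0) -> str:
    """Contextual decision for a new sign-in.
    - no history yet: nothing to compare against, require an explicit login
    - faster than an airliner: physically impossible travel, block
    - well above this user's own observed maximum: unusual, step up
    - otherwise: consistent with past behaviour, allow silently"""
    if not history:
        return "step_up"
    speed = implied_speed_kmh(history[-1], cur)
    if speed > airliner_kmh:
        return "block"
    # Baseline = the fastest this user has ever been seen moving between sign-ins.
    baseline = max((implied_speed_kmh(a, b) for a, b in zip(history, history[1:])),
                   default=0.0)
    # Floor stops a brand-new (single-entry) history from flagging every trip.
    if speed > max(baseline * ratio, floor_kmh):
        return "step_up"
    return "allow"


# Constructed history: a London <-> Reading commuter seen at one-hour intervals.
LONDON = (51.5074, -0.1278)
READING = (51.4543, -0.9781)
BIRMINGHAM = (52.4862, -1.8904)
LAGOS = (6.5244, 3.3792)
HISTORY = [
    LoginEvent("alice", 0, *LONDON),
    LoginEvent("alice", 3600, *READING),
    LoginEvent("alice", 7200, *LONDON),
]
NEXT_READING = LoginEvent("alice", 10800, *READING)       # usual commute
NEXT_BIRMINGHAM = LoginEvent("alice", 9000, *BIRMINGHAM)  # ~160 km in 30 min
NEXT_LAGOS = LoginEvent("alice", 10800, *LAGOS)           # ~5000 km in 1 h

if __name__ == "__main__":
    for ev in (NEXT_READING, NEXT_BIRMINGHAM, NEXT_LAGOS):
        print(f"{ev.lat:.4f},{ev.lon:.4f} at t={ev.unix_time}: "
              f"{implied_speed_kmh(HISTORY[-1], ev):.0f} km/h -> {assess_login(HISTORY, ev)}")
```

The two thresholds correspond to two different questions: the airliner ceiling is a statement about physics and can be shared across all users, while the baseline is learned per user and is exactly the kind of passively collected pattern the opt-in discussion above is about.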
Mobile phones might not be the only authentication device users carry. Today, more and more people have fitness trackers and smart watches on their wrists, or Google Glass on their brows. All these things share many of the characteristics that make phones so useful for authentication. A colleague of mine at Ping recently demonstrated how, by flicking sleep mode on/off when prompted, a Jawbone UP wristband can be used as a second factor.
Is bring-your-own-wearable the next opportunity (and challenge) for enterprise IT? Consider how much more likely the passive contextual authentication scenario described above becomes when the context from multiple "some 'things' we have" can be aggregated together.