12:00 PM
Patrick Harding

NextGen Authentication: There's A Really Smart Phone In Your Future

The mobile device is the latest platform to reinvent access controls, and it's putting enterprise IT back in the driver's seat of security and data protection.

The mobile device is reinventing the computing platform, much the same way the laptop untethered end-users who then left their desktop computer in the dust bin. Devices are now doing a similar flip-flop with laptops while introducing a range of new options for security and application deployment and use. These include new authentication techniques and controls for centralized access that reside right on the device.

These developments are coming along as enterprises are losing their grip amid the explosion of devices, many of which end-users own and IT does not control. This year alone, Gartner predicts the shipment of 1.8 billion mobile phones and more than 260 million ultra-mobile tablets. Next year, those numbers will rise to nearly 2 billion phones and 324 million ultra-mobiles.

Access control improvements are lining up behind these devices, including multifactor authentication, mobile-only authentication architectures and ultimately an Internet of Things component. These improvements hold the promise of restoring IT control to computing concepts enterprises care about most - namely security and data protection.

Three buckets: know, have, are
According to the old cliché, authentication mechanisms can be categorized into one of three buckets -- something you know, something you have, or something you are. "Know" refers to some remembered secret, "are" to some biometric characteristic or pattern of the user, and "have" to some physical object, the demonstrated possession of which serves as proof of identity.

Historically, in practice the "have" category has meant "something 'extra' you have," i.e., something tailor-made for authentication that the user wouldn’t otherwise have in their possession, such as hardware tokens or smart cards. But these factors place a burden on users -- a "something you have" is of little value for authentication if the user doesn’t actually have it with them.

Far better for authentication is "something you 'already' have," i.e., a mobile phone that provides the user with value in its own right and is secondarily an authentication factor (at least from the user’s point of view). We don’t need to remind users to bring their phones with them as they leave the house -- for most of us that would be as unthinkable as leaving the house undressed. It’s through our phones that we access email, business applications, social media, games, news, etc. It’s precisely because phones are so useful that they make a great "have" factor -- the attachment that users feel for their device ensures it will be carried (and available for authentication purposes).

Networking, on-board storage
The phone is a networked computer with on-board storage, and those three properties -- connectivity, an OS that runs native applications, and local storage -- are what make it useful for authentication. Different mobile-based authentication schemes leverage different combinations of them. SMS systems (where a code is sent via SMS) leverage the connectivity; time-based OTP systems like Google Authenticator use the ability to run native applications in the OS; push systems such as Accells Technologies (a Ping Identity acquisition I recently helped orchestrate), and solutions from other vendors including Duo Security and Authy, take advantage of the connectivity and native apps; and emerging standards like Fast Identity Online (FIDO) take advantage of all three (plus more and more phone-based biometrics).

Each authentication model offers different trade-offs between usability, cost, and security and, to a certain extent, mitigates different threats. A next-generation authentication platform will need to be smart enough to choose between the different mechanisms based on current context, past history, and the resource being accessed.

Regardless of their specific characteristics, all of the above authentication models assume a ‘login’ event, in which the user performs some explicit operation via the phone in order to authenticate. But the phone, given its tight binding to the user, has the potential to be a rich source of context that can either supplement or replace such explicit logins.

For instance, the phone's geolocation is an excellent proxy for the user's location, and comparing current values to the previously recorded pattern could raise risk flags ("why is he in Nigeria when his calendar says he has meetings all day?" or "she never drives this fast," etc.). Of course, there are privacy concerns with this sort of passive ‘monitoring’ -- user opt-in, as enabled by OAuth and OpenID Connect, will be critical.
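One concrete form of the "she never drives this fast" check is an impossible-travel rule: compare each login's phone-reported location with the user's previous login and flag the pair if the implied speed exceeds what any traveller could manage. The following is an added example, not code from the article or from Ping Identity; the login events, the 1000 km/h threshold, and the event field names are constructed for illustration.

```python
# Added example (not from the article): impossible-travel detection over
# consecutive logins of the same user, using phone-reported geolocation.
import math
from typing import Dict, List, Optional

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumed threshold, a bit above airliner speed


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def travel_speed_kmh(prev: Dict, cur: Dict) -> Optional[float]:
    """Speed implied by moving from prev to cur; None if a location is missing."""
    if None in (prev["lat"], prev["lon"], cur["lat"], cur["lon"]):
        return None
    dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    dt_h = (cur["ts"] - prev["ts"]) / 3600.0
    if dt_h <= 0:                       # same second or clock skew
        return math.inf if dist > 0 else 0.0
    return dist / dt_h


def impossible_travel_flags(events: List[Dict]) -> List[Dict]:
    """Return one flag per login whose implied speed from the user's previous
    login exceeds MAX_PLAUSIBLE_KMH. Events need user, ts (epoch s), lat, lon."""
    flags: List[Dict] = []
    last_by_user: Dict[str, Dict] = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        prev = last_by_user.get(e["user"])
        if prev is not None:
            speed = travel_speed_kmh(prev, e)
            if speed is not None and speed > MAX_PLAUSIBLE_KMH:
                flags.append({"user": e["user"], "ts": e["ts"],
                              "speed_kmh": round(speed, 1),
                              "from": (prev["lat"], prev["lon"]),
                              "to": (e["lat"], e["lon"])})
        last_by_user[e["user"]] = e
    return flags


# Constructed sample logins: alice moves Denver -> Boulder -> Lagos, one hour
# apart each; bob logs in twice from the same place; carol has no location.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": 1000, "lat": 39.7392, "lon": -104.9903},
    {"user": "bob",   "ts": 1500, "lat": 51.5074, "lon": -0.1278},
    {"user": "alice", "ts": 4600, "lat": 40.0150, "lon": -105.2705},
    {"user": "carol", "ts": 5000, "lat": None,    "lon": None},
    {"user": "alice", "ts": 8200, "lat": 6.5244,  "lon": 3.3792},
    {"user": "bob",   "ts": 9000, "lat": 51.5074, "lon": -0.1278},
    {"user": "carol", "ts": 9500, "lat": 48.8566, "lon": 2.3522},
]

if __name__ == "__main__":
    for flag in impossible_travel_flags(SAMPLE_EVENTS):
        print(flag)
```

A flag like this is a risk signal, not a verdict: the platform would typically respond by stepping up to one of the explicit mechanisms above (push or OTP) rather than denying the login outright, and, as the article notes, only for users who have opted in to location sharing.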

Mobile phones might not be the only authentication device users carry. Today, more and more people have fitness trackers and smart watches on their wrists, or Google Glass on their brows. All these things share many of the characteristics that make phones so useful for authentication. A colleague of mine at Ping recently demonstrated how, by flicking sleep mode on/off when prompted, a Jawbone UP wristband can be used as a second factor.

Is bring-your-own-wearable the next opportunity (and challenge) for enterprise IT? Consider how much more likely will be the scenario of passive contextual authentication described above when the context of multiple "some 'things' we have" can be aggregated together.

Patrick Harding is responsible for the Ping Identity product and technology strategy. He brings more than 20 years of software development, networking infrastructure, and information security to the role, which includes oversight of the Office of the CTO and Ping Labs.

Marilyn Cohodas
5/7/2014 | 12:00:46 PM
Too good to be true?
I, for one, welcome this vision of the future. But realistically, Patrick, when do you think nextgen authentication will be part of our daily lives? Are we talking one year? Three years? Five years? What does your crystal ball tell you...