In the rapidly growing industry of advanced authentication, mobile solutions play a central role.
Mobile apps for authentication have been growing in popularity for quite some time. Researchers at Gartner predicted in 2017 that the majority of users would adopt some form of mobile authentication in the coming years.
Two important factors are driving this trend.
The first is security. To put it bluntly, single factors such as the traditional password have been thoroughly deprecated. Users at the private and enterprise level have become increasingly aware that adding an additional authentication factor is the only way to keep their digital identities safe.
The second force popularizing the mobile option is the user experience element. Integrating solutions with a mobile device means that users don’t need additional hardware for their authentication systems. From an organizational perspective, many mobile solutions are easily extendable to include as many users as necessary. Furthermore, a single device can often be used to authenticate multiple resources.
Understanding mobile authentication tools, how they work and the different application types available can give insight into the best mobile solution for your organization.
Honing in on the best authentication factors
The authentication factors of a multi-factor scheme are quite varied: a physical object in the user’s possession that supplies an access code, biometrics such as iris and fingerprint scans, and secret PINs layered on top of traditional passwords.
From this array of options, how does an enterprise develop the most effective mobile authentication strategy? Answering this question means identifying the solution that combines strength with ease of use. Some solutions excel in security but are cumbersome and complex to use, interfering with workflow and ultimately compromising employee effectiveness. Others are easy for users to engage with but are fundamentally weak, and ultimately leave users exposed.
Let’s dive in.
SMS authentication, where a temporary code is delivered via text message, has become a popular solution for users, primarily because of its simplicity. SMS messages are already a function of all mobile devices, which means users don’t have to download an additional program to their phone. The familiarity of users with SMS makes for an easy transition when implementing a solution at the organizational level.
On the security end however, SMS is lacking.
Any authentication factor is only as secure as its channel of delivery to the user. In the case of SMS, hackers have discovered ways of exploiting flaws in Signalling System No. 7 (SS7), the internationally used set of protocols that most telecommunications operators rely on to route text messages. A recent high-profile series of online banking hacks in Germany, in which dozens of accounts were breached, highlighted just how vulnerable SS7 is to attack. In light of this vulnerability, it is no surprise that the U.S. National Institute of Standards and Technology (NIST) has recommended moving away from SMS as a second factor.
Software tokens, or soft tokens for short, generate one-time passwords (OTPs) from preset keys (“seed values”) and algorithms. In this way, soft tokens provide the security advantage of the more traditional hardware token without requiring an additional device. The security of soft tokens lies in the fact that OTPs are not transmitted to the phone but are generated by the mobile device itself, meaning there is nothing in transit for hackers to intercept.
These solutions are not impervious, though. Soft tokens still have serious vulnerabilities. For one, infection of the device by malware can compromise the generated passwords. Phishing attacks can also put OTPs in the hands of hackers, who can then reuse them for illicit logins while they remain valid.
New biometric tools such as Apple’s Face ID and Samsung’s Face Recognition have made this method increasingly popular, especially on newer mobile devices. The security of biometric authentication stems from the fact that it is based on something the user “is” as opposed to something the user “has.”
While biometrics can be convenient, these tools may fail under unfavorable circumstances such as bad lighting. The technical barriers to secure biometrics are also quite high at the moment, as most devices are not equipped with biometric readers. Even on the security end, biometrics are not foolproof, as researchers have shown that biometric traits can be falsified using high-definition cameras.
One of the relatively newer forms of two-factor authentication, push has been advocated by big industry voices such as Gartner and NIST. Push apps work by the user initiating a connection with a central server, which then responds either with a challenge or with a message that authentication has taken place. Authentication happens transparently, with the device and server exchanging cryptographic material.
Secret Double Octopus’s Octopus Authenticator represents the cutting edge in mobile push. The secret sharing algorithms of Octopus Authenticator allow for virtually unhackable transmission of authentication data by splitting communications into multiple differentiated “shares,” each useless on its own if intercepted by cybercriminals. The Authenticator also allows for a seamless user experience and can dispense with traditional passwords entirely.
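The property the paragraph above relies on, that individual shares reveal nothing and only a threshold of them together reconstruct the data, is the defining property of threshold secret sharing. The following added example illustrates it with Shamir’s scheme over a prime field; it is illustrative code written for this page, not Secret Double Octopus’s implementation, and the field prime, the `split_secret`/`recover_secret` names and the `rng` parameter are choices of this example.

```python
import secrets

# Field modulus: 2^127 - 1 is prime, so every non-zero element is invertible (example choice).
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x: int) -> int:
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... at x, modulo PRIME (Horner's rule)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret: int, threshold: int, n_shares: int, rng=secrets.randbelow):
    """Split `secret` into `n_shares` points on a random polynomial of degree threshold-1.

    The constant term is the secret; the remaining coefficients come from `rng`
    (a function mapping an upper bound to a uniform value below it). Any `threshold`
    shares determine the polynomial; fewer are consistent with every possible secret.
    """
    if not (0 <= secret < PRIME and 1 <= threshold <= n_shares < PRIME):
        raise ValueError("bad parameters")
    coeffs = [secret] + [rng(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(shares) -> int:
    """Lagrange interpolation at x = 0. Correct only when len(shares) >= threshold;
    with fewer shares it returns a value unrelated to the secret."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


if __name__ == "__main__":
    secret = int.from_bytes(secrets.token_bytes(15), "big")  # constructed demo secret
    shares = split_secret(secret, threshold=3, n_shares=5)
    print("3 of 5 shares recover secret:", recover_secret(shares[:3]) == secret)
    print("2 of 5 shares recover secret:", recover_secret(shares[:2]) == secret)
```

Run as a script, the first line prints `True` and the second prints `False` (except with probability about 2^-127, when the random quadratic coefficient happens to be zero). Splitting a value into shares does not by itself authenticate the endpoints or protect against a compromised device that holds enough shares; those concerns have to be addressed separately by the surrounding protocol.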
The Bottom Line
The convergence of advances in mobile devices with authentication has made the market for mobile authentication apps a buyers’ market. Users today have a full range of solutions at their disposal that are both strong and easy to use. With this trend firmly underway, mobile will certainly continue to make headway as the standard in user authentication.