Delfigo Security - Strong Authentication

Strong Authentication

Apple Opens Up TouchID for Use With Apps

This week at WWDC, Apple announced that it will open up TouchID for use with apps, allowing app developers to extend Apple's biometric fingerprint authentication feature to their users. For a demo, click here.

This announcement extends a user-friendly, more-secure-than-a-plain-password authentication solution to app developers, highlighting a collective recognition that there is a real need to enhance security for mobile users on both their devices and their apps. It is also testimony to the growing interest in biometric technologies for authentication. Biometrics address some of the critical challenges associated with passwords and PINs, which are often extremely easy to bypass by guessing.

Apple is now leading the way in distributing biometric technology to its many users. From the article cited above: "For all Apple’s posturing, this is actually one of its minute design details that does have the potential to change everything."

 

Second Factor Now Required?

CNET reported this week that Google will be requiring second factor authentication for Google apps, even for users who have not specifically enrolled in the second factor feature Google currently offers.

"...Google is showing the growing necessity of owning a mobile phone -- and having it charged, connected to the network, topped up with access privileges, and working even when traveling. In effect, a person's phone number is becoming a sort of personal identifier.

"Google plans 'to slowly roll out this feature for all domains over the coming weeks,' Google said in an update on Tuesday. For people who haven't told Google their phone numbers, Google will prompt them to share it if a suspicious login is detected."

"Dual-factor authentication requires two steps, typically a password and a code generated by a smartphone app or text message. It involves extra work to log on, but because it increases security significantly, it's arriving at sites including Google, Yahoo, Microsoft, Twitter, Dropbox, and LastPass as a way to better protect accounts."

Google's recognition that mobile users require strong authentication is indicative of a growing realization that second-factor and multi-factor authentication are needed to secure the way we work, which includes a mobile-specific security strategy.

 

2FactorAuth.org Tells Us Who Is Missing Their Second Factor

TwoFactorAuth.org provides a useful list of widely used sites that have enabled two-factor authentication (2FA) for their users. In an article on Wired, Josh Davis, the founder of TwoFactorAuth.org, describes the site as "a single place to go when determining alternative services based on the care and engineering they have in place for their customers."

Scrolling through the list could be very concerning for users with accounts at some of the very well-known and trusted companies that are pointed out here as still not 2FA-enabled. The sites that have already enabled some form of 2FA appear in green, but take a closer look: the 2FA approach each has implemented is described here too, and the majority seem to have done this with SMS, sending a one-time password to the user's mobile device.

When considering the importance of 2FA, it's extremely important that end users understand not only that the companies they know and trust are taking steps to increase security, but also what those steps are and what exactly they are securing. A one-time password via SMS essentially makes a hardware token out of the end user's device, but it does not validate the identity of the individual making the request, and it does not protect activity on that device, at a time when the number of transactions users perform on their mobile devices is skyrocketing. 2FA is truly meaningful when it elegantly addresses the need for security while integrating successfully with user experience, which fuels widespread adoption. Before we breathe our sighs of relief when we see our sites in "green", we need to make sure we understand what is really being protected, and under what circumstances.

 

Mobile Security Shifts From Devices To Apps

As BYOD presents organizations with an ever-increasing number of security challenges, CIOs are examining the strategic benefits of moving beyond MDM (mobile device management), which controls the actual devices, to a strategy focused on MAM (mobile application management) that lets their users continue to use their own devices while protecting enterprise resources, data and applications.

"Cloud-based services can provide myriad security benefits, as many CIOs are realizing. According to Infonetics Research, cloud-based security is projected to increase at a compound annual growth rate of 10.8 percent from 2012 to 2017. Mobile apps that run through the cloud can be better protected, as cloud infrastructures offer enhanced encryption and safer enterprise mobility capabilities," said this article from MaaS360.

This trend speaks to the need to accommodate users of all kinds of devices, in any environment, as mobile devices become more entrenched in our day-to-day lives. Managing and distributing devices to employees carries challenges associated with scale, and it can turn off users who love their personal devices because of the great experience they offer. Enterprises and organizations that are creating security strategies for the mobile world should maximize their efforts and resources by enhancing the security and usability of their applications, instead of controlling the devices they run on.

 

Changing The Security Model for Mobile

"...it's become so 'consumery' out there that the old security requirements on the desktop PC just haven't grafted over. It might be easier to change the security methods than change the user behaviour. Biometrics here we come," says I.D. Scales for TelecomTV.

 

The challenges associated with BYOD, coupled with the capabilities of smart devices, are creating an environment that begs for innovative security solutions that secure the right content at the right juncture, without requiring users to change their behavior and without imposing the outdated processes or workflows users are accustomed to on their PCs. Mobile devices are designed to enhance user experience, allowing an individual to access and interact with all kinds of applications on demand, and it makes sense to consider how standard features of these devices can be deployed to facilitate requirements like security. Biometrics fit into this use case because they leverage information that is already there: information about the users themselves, which a user always has at their disposal.

 

Successfully leveraging these capabilities will require a commitment to the user experience expected on a mobile device. It shouldn't feel like logging into a PC and going through the "old" requirements for security. It is absolutely worth exploring how features on the mobile device can be used to achieve a "new" kind of security for users.

 

