By Steve Watts, Co-Founder and Sales & Marketing Director, SecurEnvoy
Back in 1984, just 30 years ago, the first mobile phone was launched. Today it is estimated that there are more than seven billion phones, tablets and other mobile devices active in the world. That’s as many devices as there are people.
Thanks to the rapid growth of mobile technology, we are now able to access e-mails, internet and apps on the go. Never before have we seen a generation of workers so tech-saturated, yet many organisations are failing to take advantage of this valuable resource, namely by using their employees’ own devices as authentication tools to connect – securely – to their business data whilst on the move.
As soon as the latest must-have model comes out, it’s commonplace for people to swiftly upgrade their mobile phones.
Take the iPhone 6 for example, launched in September 2014. It was predicted that the iPhone 6 would sell 70 million in its first quarter. But Apple didn’t just eclipse the 70 million mark, it smashed it, with the US giant reporting the biggest quarterly profit ever made by a public company.
Samsung is hoping its Galaxy S6 and S6 Edge will have the same effect. The new models, launching at Mobile World Congress this week, are shaping up to be true powerhouses of the smartphone scene. But what does the changing modern day Bring Your Own Device (BYOD) landscape mean for time-sapped IT departments?
Historically, the transition from old device to new would be a huge headache for CISOs in large organisations, especially when a whole “fleet” of mobile devices needs to be updated as soon as the new model comes on the market. It would lead to a substantial queue outside the CISO’s door, with everyone wanting their access credentials moved to their new device, causing frustration for an already under-pressure IT department.
Yet why do they need to be the ones responsible? The belief that employees aren’t capable of being trusted to keep their part of the security bargain is outdated. The days of staffers having their password noted down on Post-it notes stuck to their monitors are long gone. Most are now used to undertaking their banking, shopping and multiple daily social interactions online, so are well aware of the dangers of bad password management and endpoint security even if it is on a subconscious level.
The catalyst for this movement towards more trust in your staff is the emergence of two-factor authentication (2FA), which makes the transition to new devices easier than ever. 2FA is an extra layer of security that requires not only a username and password, but also something that only the user has on them (i.e. a physical token) to generate a one-time passcode (OTP). With digital crime and internet fraud an increasing concern, such methods of authentication have become increasingly prevalent.
However, whilst physical 2FA tokens can be easy to lose and expensive for companies to distribute and maintain, tokenless 2FA solutions just need an existing device, such as a phone or tablet, to provide employees with passcodes via e-mail, SMS or an app. In other words, workers don’t need to worry about carrying around an additional physical token; they can just make use of the devices they already have.
But this is not just a convenience issue; this is a security one too. 2FA doesn’t necessarily guarantee bullet-proof security, as any manufacturer that creates cryptographic keys, also known as seed records, must trust that their copy of the keys can’t be accessed by hackers.
A solution to this would be to use tokenless 2FA technology, which makes it impossible for malware on a smartphone to capture the seed records because they are split into two parts: one created on the client server and one generated using characteristics of the mobile device, e.g. information that is unique to the SIM card.
Going back to the earlier example, let’s say an employee wanted to upgrade their iPhone 5 to an iPhone 6. With tokenless 2FA technology, users can seamlessly move their single identity between devices without leaving traces behind on an obsolete device. First, they would log in, via an app or via SMS, from their iPhone 5 to the “Manage My Token” portal using 2FA. Next, the employee would scan the QR code that is displayed using their new iPhone 6 in order to provision it with a new seed record. The security server would then automatically delete the old seed record, meaning that the old iPhone 5 can be re-deployed or offered for resale.
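The split seed record and the device move described above can be sketched as follows. This is an added example, not SecurEnvoy's implementation: the HMAC-SHA256 combination of the two parts, the use of RFC 4226 HOTP, the `TokenServer` class and the device strings are all assumptions made for illustration, including the assumption that the device reports its characteristics at enrolment.

```python
import hashlib, hmac, secrets, struct

def derive_seed(stored_part: bytes, device_traits: str) -> bytes:
    """Combine the stored half with device characteristics (assumed: HMAC-SHA256)."""
    return hmac.new(stored_part, device_traits.encode(), hashlib.sha256).digest()

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time passcode from a seed and a moving counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TokenServer:
    """Hypothetical security server holding one active seed record per user."""
    def __init__(self):
        self.seeds = {}

    def provision(self, user: str, device_traits: str) -> bytes:
        stored_part = secrets.token_bytes(32)
        # Overwriting the entry is the "delete the old seed record" step.
        self.seeds[user] = derive_seed(stored_part, device_traits)
        return stored_part  # handed to the new device, e.g. inside the QR code

    def verify(self, user: str, counter: int, otp: str) -> bool:
        return hmac.compare_digest(hotp(self.seeds[user], counter), otp)

def device_otp(stored_part: bytes, device_traits: str, counter: int) -> str:
    """What the phone does: rebuild the seed on demand, never store it whole."""
    return hotp(derive_seed(stored_part, device_traits), counter)

# Constructed device characteristics, for illustration only.
OLD_PHONE = "constructed-sim-0001|iphone5"
NEW_PHONE = "constructed-sim-0002|iphone6"

if __name__ == "__main__":
    server = TokenServer()
    old_part = server.provision("alice", OLD_PHONE)
    print("old phone accepted:", server.verify("alice", 1, device_otp(old_part, OLD_PHONE, 1)))
    new_part = server.provision("alice", NEW_PHONE)  # migration to the new handset
    print("new phone accepted:", server.verify("alice", 1, device_otp(new_part, NEW_PHONE, 1)))
    print("old seed still valid:", derive_seed(old_part, OLD_PHONE) == server.seeds["alice"])
    print("copied half on other device:", derive_seed(new_part, OLD_PHONE) == server.seeds["alice"])
```

A real deployment would also track the counter (or use a time step) on the server to reject replayed passcodes, which this sketch leaves out.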
Looking to the future, the use of biometric authentication processes will put technology more at our fingertips – literally. NatWest, the UK’s biggest bank, recently introduced Touch ID, allowing customers to access their accounts at a swipe of the finger, whilst Apple Pay has made paying in stores and within apps easier than ever. Google’s answer to Apple Pay, Android Pay, provides users with a way to store their payment information locally and make it available securely to third-party apps via API. Gone are the days of searching for cash in your wallet or going into the bank.
With more and more transmission channels becoming available, soon all employees will need to do is select the device that best suits their working environment and their company’s needs.
It makes sense to put employees in control in a world where almost everyone possesses a mobile device. By empowering staff to protect their endpoints, giving them the ability to authenticate their way on their own phones or tablets, IT departments can save valuable time and resources.