Serious Mobile Security: We Need Two-Factor Authentication for Handsets

I really like the idea of a handset as the second factor in a two-factor authentication scheme, but what about a second factor to gain access to the handset itself? I see this need having increasing importance, even if the lack of such isn’t the End of the World.

I spent some time at Interop discussing what I think is a critical requirement for mobility: hardware-based two-factor authentication. Note that we already have a form of two-factor authentication via certificates, but a software solution isn't the same as applying a hardware factor here. And I'm not talking about using the handset itself as the second factor in an authentication scheme, which remains a good idea, but rather about using yet another second factor to gain access to the handset. This is of increasing importance as all manner of sensitive corporate (and personal) information is now regularly stored on handsets, and handsets, as little computers, have all manner of vulnerabilities. Two-factor authentication could secure basic access a lot better than a PIN code, which few use anyway, and could also serve as the basis for data encryption, VPN keys, and more.

Among the possibilities here could be a hardware token along the lines of an RF-based DoD Common Access Card (CAC), or something similar based on Bluetooth (particularly Bluetooth Low Energy, and possibly as some form of enhanced headset), Wi-Fi (Direct Connect), RFID, DASH7, ZigBee, ZWave, and a few others. Near-field communication (NFC) is another candidate, assuming it catches on for retail and financial/banking purposes, as it just might, even though I personally see it as redundant with the Bluetooth and Wi-Fi capabilities we already have. Or we might have another use for the wireless ignition key now standard on so many cars, an interesting limited-range wireless application all by itself. Regardless, building such a token shouldn't be too difficult, and the need, IMHO, is obvious. Many of the security firms I spoke with at Interop thought this was a good idea, so we might even see products at some point here. I'm surprised we've not seen such a solution already, and one can only hope. Perhaps the required culture of security is still immature. That's probably it.

Oh, and, in case you missed it, the world did in fact end as predicted, last Saturday night at 6 PM. I noticed a very brief interruption in cellular service at that time, and then everything went back to as it was before. Except that I'm pretty sure we were all simply transported, instantaneously, to heaven, and, while I find it a little odd and perhaps a bit disappointing that heaven is just like what came before, I don't get to make the rules here. So, this blog, and everything else, as far as I can tell, anyway, will continue. OK, I can only speak for the blog, but it's looking good so far.
