Mobilizing Multifactor


One of the most interesting developments in multifactor authentication is the rise of ubiquitous mobile access. Ten years ago, most knowledge workers did not carry a mobile phone at all, or even a pager, let alone a smart phone with continuous access to a wealth of data services. When everyone has a mobile phone, the conversation around multifactor authentication can change from “how do I get a token into the hands of everyone who needs one?” to “how can I use the device they already have to deliver my services?” Between apps for really smart phones and SMS messaging to not-quite-so-smart phones, nearly any phone can be made to serve. Heck, a security service can even auto-dial and robo-read a code as a voice call. One of my banks does this.

However, raising the security utility of a mobile endpoint in this fashion also raises the stakes for securing it. If a company uses mobiles as tokens, the attractiveness of those mobiles as targets for compromise increases enormously. Consequently, enterprises need to think of the security of their users’ mobile platforms as a part of their multifactor security system. This almost immediately puts “BYO” in a less attractive light. It also makes compromises of platforms like Android or iOS a much greater concern. The answer is either to force separate tokens on users, or to deal with mobile device management (MDM) robustly. That might mean working only with secure platforms, running a secure container on semi-trusted devices, or (in the near future) running a separate, secure virtual phone on the same hardware as an unsecured virtual personal phone.

Bottom line: when phones are tokens, IT has to embrace MDM as a component of core systems security, since the mobile is the key to the core.


Copyright © 2011 IDG Communications, Inc.