While the proliferation of smartphones and tablets as well as the BYOD (bring your own device) phenomenon have caused many sleepless nights for IT departments in terms of securing information, this technology could serve as a critical component toward the evolution of security. Granted, this is counterintuitive as mobile devices might seem inherently vulnerable because they are utilized outside the scope of primary network security.
However, in reality, mobile platforms are still relatively new and have not been a focal point for cybercriminals to the scale of traditional technology. With so much fertile ground to create malicious code for PCs, and mobile having a fundamentally more secure architecture with application sandboxing and vetted app stores, attacking mobile simply hasn’t been lucrative from a time-and-resource perspective. The threat to mobile will grow as more devices saturate the market and more transactions shift to the mobile channel; but in the meantime, this is an area where ground can be gained for the good guys.
Combining the traditional and next generation
When it comes to security, there is a delicate balance between being user friendly and providing the strongest level of protection possible. Ease of use is critical because if security measures are too time-consuming or cumbersome, individuals, as the weakest point in the security chain, will inherently find a workaround such as using basic passwords like “password1234.”
In contrast, the very features that make smartphones and tablets so popular can be leveraged to support powerful security while maintaining convenience. Biometric analysis and detection is now possible with typical applications already on a device, including the camera, microphone, Near Field Communication (NFC) transmitters, Bluetooth or GPS applications. As a result of the sophistication of this technology, what was once the purview of science fiction and spy movies can not only strengthen security, but offer a significant “cool” factor.
There is a tremendous amount of research underway to apply biometric security to mobile devices. A few “real world” examples include:
- Facial Recognition — Facial recognition consists of requiring a user to conduct a facial scan with the mobile device’s camera to verify their identity before conducting a financial transaction or accessing network data. By requiring a three-dimensional perspective, using someone’s photo won’t be a reliable subterfuge.
- Voice Recognition — Everyone’s voice is unique. Speaking into the phone to confirm identity can be a very effective mode of authentication, but safeguards will need to be in place to ensure that a recording of someone’s voice cannot be utilized instead, such as using dynamic, context-based phrases rather than canned, pre-recorded phrases.
- Thumbprint analysis — While still in its early stages from a mobile standpoint, there is exploration underway for using a device’s display screen to analyze thumbprints rather than relying upon a peripheral device. This technology is already in place at physical locations in a variety of industries.
- Geolocation — Geolocation capabilities can be used for authentication with a device’s GPS technology to pinpoint a person’s location and determine if they are within their typical geographic scope. For example, if a person usually remotely accesses their network from New York City and suddenly shifts to somewhere in Asia, a red flag can be raised. A text can be sent from a network administrator to alert the person that a data request has been initiated. At that point, the activity can be declined because fraud is taking place or accepted because someone happens to be out of town.
- Near Field Communication (NFC) — Another aspect to geolocation requires the transmission of the user’s digital identity over an encrypted NFC signal from a person’s mobile device before they can log into their enterprise computer terminal. Mobile phones are increasingly being used to facilitate physical access to buildings in lieu of swiping a card, so this is a natural progression.
- Bluetooth — Geolocation can also be utilized for physical facility access with the same encrypted signal transmitted via NFC or Bluetooth. Since each mobile device is unique and assigned to the individual, it can replace traditional building access cards. When combined with the logical access of the network, this physical security aspect of a mobile device creates a comprehensive security strategy.
There is no question that the possibilities this technology presents are exciting for both today and tomorrow. The opportunities for utilization span both personal, for bank transactions, etc., and the enterprise, to securely access computers and networks, as well as facilities. When combined with current measures such as passwords and soft tokens or better yet, smart credentials, a formidable layered authentication protocol could be here sooner than anyone might think.
What the future holds
Technology leaders like Apple are already taking huge leaps to apply biometrics to the mobile experience. With the company’s recently announced partnership with AuthenTec, a company that specializes in biometrics, the tech giant is exploring a myriad of applications. Because of its popularity with consumers, Apple’s entrance to this realm will dramatically hasten adoption. Acceptance should likewise be accelerated in the enterprise because users will come to expect the same experience in the workplace.
Up to this point, applying security elements to existing mobile features has been a welcome bonus. Moving forward, it is reasonable to expect that we will see hardware, software and security vendors collaborating to conceptualize and develop solutions that are solely focused on security from the outset, bringing together the best attributes of each. As a result, we’ll see secure, convenient and cost-effective solutions continue to expand exponentially. Eventually, this biometric-driven security combined with a smart credential on the mobile device has the capacity to not only supplant passwords and hardware tokens, but also physical security devices such as access cards, keys and passports.
Mobile is not only pushing the limits of communications and information sharing, it is creating exciting ways to secure personal data that will be more difficult to compromise. Based on its level of convenience and sophistication, this trend will only continue. As this momentum is sustained, it’s conceivable that the mobile device will become the leading authentication method over the course of the next decade.
With a career spanning more than 25 years across numerous high-tech industries, Bill Conner is among the most experienced security and infrastructure executives worldwide. He has served as president and CEO of Entrust, a global leader in identity-based security, since 2001. Prior to Entrust, he held executive positions at Nortel Networks. From 1992 to 2001, he was president of Enterprise Networks and e-Business Solutions, where he managed its $9 billion acquisition of Bay Networks. For more information, contact: entrust@entrust.com.