
Why mobile user authentication is more important than ever

Encrypting data is a good first step, but if you don't properly authenticate users, sensitive information can still fall into the wrong hands.

Getting user authentication right is essential to IT success, but with today's focus on mobility, the risks are increasingly complex.

When IT discussions turn to matters of security, the focus is almost always on encryption. Scrambling sensitive data to protect it from eavesdroppers and thieves is certainly a great place to start. But of equal importance is user authentication, in which at least one party in a given connection -- and ideally, both parties -- must prove its identity to the other.

As is the case with encryption, authentication is no guarantee of absolute security. (There is no such thing.) Credentials -- most often usernames and passwords -- can be stolen or otherwise fall into the wrong hands. Given that these credentials often factor into determining the keys used in encryption and decryption, a failure in authentication can have disastrous results. Once sensitive digital information is compromised, it remains such forever. Recovery from such a breach can be time-consuming, costly and even impossible.

Here are some tips to keep in mind as mobile user authentication becomes more important in the enterprise:

Devise user authentication policies

Security and authentication policies are often unique to a given organization; effective security is never a one-size-fits-all proposition. A basic security policy -- defining what information is sensitive, who can have access to this information and under what circumstances, and what to do in the event of a breach -- is a must. Simple and obvious elements, like requiring PIN codes on mobile devices and regular password changes, are essential. Policy can go further to explain what a given user/device combination can do based on credentials and context. Only after policies are set and tested in an isolated or pilot setting should specific user authentication technologies be considered.

Consider two-factor mobile user authentication

Of increasing importance is two-factor authentication, which is loosely described as requiring "something you have plus something you know" before granting user access. The "something you know" is typically the traditional username/password combination. The "something you have" is a security token generated by a dedicated hardware device, a mobile app like Google Authenticator or an SMS message. The tying of a specific user to a specific device is key, and it's far more secure than the username/password combination alone.

The threat of malware is another reason to enhance your mobile user authentication processes. The challenge of knowing exactly what a given app or application is doing always remains, and thieves' ability to surreptitiously capture credentials further motivates the requirement for two-factor authentication.

Take the identity management leap

Contemporary user authentication implementations are often referred to as identity management, which defines classes of users and grants specific permissions to each -- from guests and knowledge workers to system administrators, senior management and beyond. Most identity management products take advantage of existing directory services, minimizing implementation headaches and eliminating potentially harmful redundancies.

As consumerization and mobility take hold, and workers demand access to corporate assets from a mix of employee- and employer-owned devices, the demand for identity management has grown. Providing a central repository of capabilities based on user, device, credentials and context makes a lot of sense, and also decreases the load on administrative staff, consequently lowering operating expenses.
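The policy elements described earlier (PIN on the device, what a user/device combination may do based on credentials and context) and the identity-management idea of role classes drawn from a directory can be combined into a single access decision. The following is an added example, not code from the original article or from any identity management product: a small deny-by-default policy evaluator in Python. The role names, resource sensitivity classes, the in-memory directory and every rule threshold are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Tuple


class Role(Enum):
    """User classes as an identity-management system might define them (constructed)."""
    GUEST = "guest"
    KNOWLEDGE_WORKER = "knowledge_worker"
    SENIOR_MANAGEMENT = "senior_management"
    ADMIN = "admin"


# Constructed stand-in for a directory-service lookup: username -> role.
DIRECTORY: Dict[str, Role] = {
    "visitor": Role.GUEST,
    "alice": Role.KNOWLEDGE_WORKER,
    "bob": Role.SENIOR_MANAGEMENT,
    "carol": Role.ADMIN,
}

# Ordered sensitivity classes; a role may read its ceiling class and everything below it.
SENSITIVITY = ["public", "internal", "confidential"]
MAX_CLASS: Dict[Role, str] = {
    Role.GUEST: "public",
    Role.KNOWLEDGE_WORKER: "internal",
    Role.SENIOR_MANAGEMENT: "confidential",
    Role.ADMIN: "confidential",
}


@dataclass(frozen=True)
class Device:
    employer_owned: bool
    pin_enabled: bool


@dataclass(frozen=True)
class Request:
    user: str
    device: Device
    second_factor_verified: bool
    on_corporate_network: bool
    resource_class: str


def decide(req: Request) -> Tuple[bool, str]:
    """Deny-by-default access decision; returns (allowed, reason)."""
    role = DIRECTORY.get(req.user)
    if role is None:
        return False, "unknown user"
    if req.resource_class not in SENSITIVITY:
        return False, "unknown resource class"
    # Least privilege: the role's ceiling bounds what it may touch at all.
    if SENSITIVITY.index(req.resource_class) > SENSITIVITY.index(MAX_CLASS[role]):
        return False, f"{role.value} may not access {req.resource_class} data"
    # Baseline device hygiene from the policy: a PIN on any device touching non-public data.
    if req.resource_class != "public" and not req.device.pin_enabled:
        return False, "device PIN required"
    # Context: confidential data, or non-public data reached from outside the
    # corporate network, requires the second factor.
    needs_second_factor = (req.resource_class == "confidential"
                           or (req.resource_class != "public" and not req.on_corporate_network))
    if needs_second_factor and not req.second_factor_verified:
        return False, "second factor required"
    # Confidential data stays off employee-owned devices regardless of credentials.
    if req.resource_class == "confidential" and not req.device.employer_owned:
        return False, "confidential data restricted to employer-owned devices"
    return True, "allowed"


if __name__ == "__main__":
    laptop = Device(employer_owned=True, pin_enabled=True)
    print(decide(Request("alice", laptop, False, True, "internal")))
    print(decide(Request("alice", laptop, False, False, "internal")))
```

Every denial carries a reason string so the decision can be logged and audited, which is the part of "continual diligence" that a central policy repository makes practical.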

How do you know the proper security measures are in place, and how can you verify functionality and effectiveness? Sadly, security is the one aspect of IT where no job is ever done. Continual diligence is necessary, no matter what policies and solutions are in place.

This was last published in November 2014


How does your organization authenticate mobile users?
At the risk of sounding glib - with every tool and means at our disposal. Our IT manager has instituted a two-tier authentication system for mobile users to access the company's cloud, data and office systems. This is done with a finger scan on the mobile device and then a passphrase. We use passphrases versus passwords, as the phrase system is much more secure and harder to crack than passwords.
A user should be in control of all parameters belonging exclusively to him - mobile number, email address, debit card number, ATM PIN, Password, Signature, Fingerprint, Gesture, Voice Sample, Face imprint, Iris Pattern, Hardware Token etc. Suitable tools may be developed at Point-of-Sales so that he can identify in multiple ways depending on his choice or preference, time-of-the day, location, context, business sensitivity, risk, amount of transaction, bank involved, past history, charges applicable. Welcome to AaaS - Authentication as a Service.
I am afraid that excessive expectation of 2-factor authentication may backfire. The more websites require it, the heavier the users' burden will grow. It should be offered only by the sites that require high security.

And, 2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution needed for important accounts requires the use of the most reliable password.