Don't miss all of the installments in this series on mobile device security:
- Asserting control with mobile device management
- Managing mobile authentication methods
- Establishing secure mobile communication
When mobile devices connect to business networks, user and endpoint authentication play critical roles in preventing misuse, abuse and attack. In this tip, we identify mobile authentication methods and discuss how to leverage authenticated identities to control what mobile laptops, PDAs and smartphones can and cannot do inside your network.
Who goes there? Explaining mobile authentication
Authentication verifies that users or systems are who they claim to be, based on identity (e.g., username) and credentials (e.g., password). Most highly publicized breaches are attributed to weak or absent authentication -- from unlocked laptops to wireless networks with cracked passwords. Many expensive and embarrassing incidents could be avoided by requiring robust authentication to mobile devices and the networks they use.
Mobile devices are easily lost or stolen, requiring protection against unauthorized access to their data, applications and connectivity. However, mobile users require frequent access for brief periods, making repeated password entry inconvenient. While most mobile laptops are set to require logins, the majority of PDAs and smartphones are not. Mobile passwords are widely available but rarely used unless employers enforce them.
How to authenticate identity
When planning your mobile authentication strategy, strive to combine strength and enforceability with usability. Consider both device and network access credentials and how well each method can satisfy your platform, security and user requirements.
Passwords: If office desktops log into your Windows domain, you'll be tempted to reuse those passwords for users who connect from laptops and PDAs. Because simple passwords are easily guessed, you might enforce length, complexity and timeout rules. But this can make a handheld device very hard to use. If you choose passwords, combine them with policies that cater to mobile needs -- for example, let users receive calls and appointment notifications without password entry and provide a mobile password recovery process.
Non-text passwords: Entering text on a mobile can be awkward. Alternatives can require the user to tap symbols within a randomly generated matrix or a sequence of points on a photo. Unlocking a device this way could also decrypt other credentials stored on that handheld so the authenticated user can access his company's network. Symbols are handy on PDAs and tablets without keyboards but are not suitable for devices without a mouse or touch-screen.
Certificates: Digital certificates bind an identity to a public/private key pair and are considerably stronger than passwords, so long as the owner's private key is protected. Combining a device lock with certificate-based network authentication is increasingly common -- for example, a Wi-Fi laptop that is unlocked with a password and then uses a certificate on that device for WPA-Enterprise authentication. This method requires a public key infrastructure (PKI) to request, issue, distribute and revoke certificates, but that investment will provide a very strong foundation for access control.
Smart cards: Certificates can also be used to unlock a device, but doing so requires a way to store and "enter" the owner's private key. This is essentially what a smart card does. A smart card is a security chip, embedded in a credit card, badge or MMC/SD memory card. That chip provides safe storage for cryptographic keys used by authentication and encryption algorithms. For example, a laptop may be unlocked by inserting an employee's badge into the laptop's card reader. When that employee launches a VPN tunnel or Wi-Fi connection, a certificate on the smart card can be automatically used for network authentication.
Handset identity modules: Smart card-like methods have long been used for cellular network authentication. GSM handsets and data cards contain subscriber identity module (SIM) cards. 3G mobile devices authenticate themselves with universal subscriber identity modules (USIMs), CDMA subscriber identity modules (CSIMs) or removable user identity modules (RUIMs). These identity modules can be leveraged during enterprise network authentication, either alone or in conjunction with user authentication.
Hardware tokens: Many companies authenticate laptop users with small physical devices (hardware tokens) that generate one-time passwords. Each password is part of a series generated from a cryptographic seed shared between the user's token and the network, and is valid for only about a minute. The user typically enters his text password, followed by the string displayed by his token. This approach resists password cracking and keylogging, since each password is used only once. Furthermore, hardware tokens (and other physical methods like smart cards) prevent password sharing. However, they also incur per-user cost for hardware purchase, distribution and replacement.
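To make the token mechanism concrete, here is an added example (not code from the original tip or from any token vendor) of the standard HOTP/TOTP scheme from RFC 4226 and RFC 6238, which is how most modern one-time-password tokens derive their codes: HMAC-SHA1 over a counter derived from the shared seed and the current time step. The seed, step size and the TokenVerifier class are assumptions made for this illustration; the seed is the published RFC test-vector secret, not a real token's. The verifier shows the two server-side checks the paragraph implies: a small clock-drift window and rejection of any code whose time step has already been consumed, so a captured code cannot be replayed.

```python
import hmac
import hashlib
import struct
import time

# Constructed demo values: the RFC 4226 / RFC 6238 test-vector secret, not a real token seed.
DEMO_SEED = b"12345678901234567890"
TIME_STEP = 30   # seconds per code; the tip says a code is valid for "about a minute"
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226).

    HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation to
    31 bits, then reduce modulo 10^digits and zero-pad.
    """
    msg = struct.pack(">Q", counter)
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Time-based one-time password (RFC 6238): the counter is the number of
    whole time steps elapsed since the Unix epoch."""
    return hotp(seed, unix_time // step, digits)


class TokenVerifier:
    """Server-side check for one user's token (hypothetical helper).

    Accepts the current time step plus `drift_steps` on either side to absorb
    clock skew, and never accepts a time step at or below the last one already
    used, so a code that was sniffed or keylogged cannot be submitted again.
    """

    def __init__(self, seed: bytes, step: int = TIME_STEP, drift_steps: int = 1):
        self.seed = seed
        self.step = step
        self.drift = drift_steps
        self.last_accepted_step = -1   # no code accepted yet

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        low = max(0, current - self.drift)
        for candidate in range(low, current + self.drift + 1):
            if candidate <= self.last_accepted_step:
                continue                # already consumed: replay
            expected = hotp(self.seed, candidate)
            # constant-time comparison so timing does not leak which digits matched
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SEED, now)
    verifier = TokenVerifier(DEMO_SEED)
    print("token shows:", code)
    print("first submission accepted:", verifier.verify(code, now))
    print("replay of same code accepted:", verifier.verify(code, now))
```

Run it and the second submission of the same code is rejected even though the time step has not changed; that replay check, not the short lifetime alone, is what makes the scheme safe against keyloggers.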
Biometrics: Like tokens and smart cards, biometrics are typically used for multi-factor authentication. Multi-factor authentication combines at least two of the following: something you know (e.g., password), something you have (e.g., token) and something you are (e.g., fingerprint). Biometric authentication covers everything in that last category: fingerprints, voiceprints, iris scans, handwritten signatures, and so on. Enterprises have resisted biometrics because of cost, but some new business laptops and PDAs include fingerprint readers, and security programs can easily leverage standard handheld features to accept voice input. Biometrics are very convenient on frequently used mobile devices, but environment (e.g., dirt, noise) must also be considered.
Proximity: A few mobile security products have started to support proximity-based authentication. For example, a PDA or smartphone may stay unlocked indefinitely while communicating with the user's Bluetooth headset. RFID tag readers are being used for proximity-based authentication, permitting connections with mobile devices that pass through a checkpoint and denying connections outside that area. Proximity authentication is not yet common but has the potential to provide more transparent mobile authentication in the future.
Using identity to control access
Many network access controls rely on unauthenticated identities such as MAC and IP addresses that are vulnerable to spoofing. But when a mobile user and/or device has been authenticated, that identity can be safely used to control network access by mobile laptops, PDAs and smartphones.
- If mobile devices connect through on-site Wi-Fi, authentication occurs after association, before getting an IP address. WPA-Personal only supports passwords (PSKs), but WPA-Enterprise supports most authentication methods described in this tip. You must choose an Extensible Authentication Protocol (EAP) type that is compatible with your authentication method and integrate your WLAN infrastructure with your authentication server. Wi-Fi access is binary -- a device is either accepted or rejected. You can map authenticated Wi-Fi devices onto VLANs, however, for more granular access control.
- When mobile devices connect over an IPsec, SSL or Mobile VPN, authentication occurs during tunnel establishment, before routing data through the VPN gateway. Standard IPsec authentication is limited to passwords (pre-shared keys) or certificates, but vendor extensions usually support additional methods like tokens. Small businesses can configure users into the VPN gateway itself, but most enterprises integrate VPNs with external authentication servers (e.g., Active Directory, ACE Server). Attributes returned by that server are often used by the VPN gateway to control which network resources an authenticated user can reach.
- If devices connect through an application gateway like a Web portal or mobile server, authentication occurs during session establishment. How authentication works and which methods can be used depend on the gateway. For example, the BlackBerry Enterprise Server can authenticate mobile devices with passwords or smart cards. Authenticated users typically gain access only to selected resources within the target application/server.
Clearly, there are many ways that mobile devices can connect to your network -- see our next section on securing mobile network communication. But all of those ways depend upon determining the identity of the person and/or device at the far end of the connection. Selecting authentication methods for your workforce will have a major impact on mobile device usability and corporate network security. For best results, consider all of your options, conduct field trials, assess vulnerabilities, and obtain user feedback before settling on a mobile authentication strategy.