Tackle mobile device authentication with modern methods
Mobile user authentication should require more than a password. New technologies enable authentication methods that IT should consider for its mobile deployment.
Over half of end users reuse the same password across multiple accounts, according to a recent survey from LastPass.
The issue with this habit is obvious: Once hackers learn a password for one account, they can access a number of that user's logins or accounts. Users may have access to corporate data, trade secrets or important internal communications with their work devices, so password reuse can put organizations in danger.
IT pros may have an authentication plan in place for laptops and PCs, but mobile devices require a unique approach to authentication. There are several methods and tools that IT professionals can employ, but they must know which practices are best for mobile device authentication.
What is the best method for authenticating a mobile device?
Authentication factors fall into one of three categories: something you know, something you are and something you have. Something you know is a password that users commit to memory. Biometric authentication is an example of something you are and verifies a user's identity with a fingerprint scan, iris scan or another genetic identifier. Something you have authenticates via a factor users have access to, such as an email address or a mobile device. Users can receive a one-time authentication code or a security key, a small token that the device reads via a USB input or an RFID chip.
The latest mobile devices have the hardware to enable various mobile device authentication methods just to access the device itself. Users can secure their devices with the traditional passcodes with numbers, letters or symbols; a pattern that the user recreates by dragging his or her finger across the screen; or biometric factors.
The three authentication categories
Devices such as Google Pixel 2 and Samsung Galaxy A9 have fingerprint scanning hardware built into the device, and devices such as Apple iPhone X have iris scanning hardware built into the camera. The Samsung Galaxy S9 is an example of a device that can do both.
For simply accessing a device, organizations should consider biometric authentication as the user's method to unlock the device itself. IT can enforce biometric authentication or a different mobile device authentication factor through identity and access management tools, such as Windows Hello for Business and VMware Workspace One. Scanning a user's iris or fingerprint works well from a usability standpoint because users can forget passwords and lose security keys, but their fingerprint and iris will stay the same.
There are concerns with biometric authentication, such as a faulty camera, the fingerprint scanner locking users out and potential false positives granting outsiders access to a device, but it is a good option for mobile users.
For simply accessing a device, organizations should consider a biometric authentication factor as the user's method to unlock the device itself.
This single-factor authentication is generally sufficient for accessing a device, but organizations should consider multifactor authentication (MFA) to protect critical data and applications on a mobile device.
How should IT protect important apps and data?
One common approach to secure mobile devices is to focus on applications that have access to internal data. With this approach to mobile authentication, hackers that gain entry to a device still can't access much other than contacts and unprotected apps, such as a calculator or a social media application. Admins should prepare for that scenario with a company portal that locks down crucial apps and data on the device with additional mobile device authentication configurations.
A company portal on a mobile device typically comes in the form of an application that grants permission for the various protected applications. These portals often require MFA, which requires users to authenticate using more than one method. Typically, it requires a company login, and then IT can configure these apps to require additional authentication, such as a text message sent to the mobile device. One example of a portal is Microsoft Authenticator, which requires a Microsoft account. Organizations with Microsoft 365 or Microsoft Office 365 can deploy these configurations to users' Authenticator apps though the Microsoft 365 admin center.
A company portal's username and password requirement ensures that hackers with access to the device can't open apps with sensitive data, and the second layer of authentication ensures that a hacker with the user's portal login can't access the applications from another device.
What other options exist?
Authenticator apps aren't the only option to authenticate mobile users, however.
New technologies, such as direct autonomous authentication (DAA), take user decision-making out of the equation. DAA uses the same technology that mobile carriers do to authenticate users based on their phone numbers.
When a user accesses a portal or a protected app, the DAA tool determines the user's identity based on the device's phone number and creates a unique key that authenticates the app. The user never has to take any actions with this method of mobile device authentication.
