
February 11, 2013

Security for Smartphones and Two-Factor Authentication

The rise of the Smartphone has been astounding. A recent report by Flurry notes that the global adoption and proliferation of Smartphones has become the fastest growing trend in technology history. Flurry estimates approximately 74 to 79 percent of U.S. and U.K. adults use or own a Smartphone. With this level of use, increasingly sophisticated mobile security is essential. Two-factor authentication offers a comprehensive yet easy-to-implement solution for Smartphone security.

Current Smartphone Security Trends

Current Smartphone security methods are relatively basic. Basic log-in credentials and touch-based gestures are the most popular mobile security methods. Unfortunately, these methods are increasingly easy to guess or circumvent. This leaves a bounty of information available to hackers and identity thieves should they gain access to the device. Even worse, mobile malware and viruses are on the rise as well. This means physical access is no longer required to compromise a device and the accounts and services it contains. This has started a push towards improved mobile security methods, such as two-factor authentication.

What is Two-Factor Authentication?

Two-factor authentication is a security method that uses two distinct ways of verifying the identity of a user. This allows a greater level of protection. When properly implemented, it can make an account or service virtually impenetrable against the most common forms of compromise or intrusion. These methods have been in use in enterprise and corporate environments for a number of years. Common implementations included key fobs, USB access keys or security certificates. Upon attempting to log in to a network or service, the key would need to be verified in conjunction with a user name and password. Access would be denied without all three components.

Though these solutions offer outstanding security, they are difficult to implement and cost-prohibitive for the average user due to the need for dedicated authentication servers, security key replacement costs and the technical ability required. Smartphones have changed this and provided a simple, user-friendly way to implement two-factor authentication for the average user.

How Mobile Two-Factor Authentication Works

The premise behind mobile two-factor authentication is simple. The process starts by linking an account or service with a mobile device. This can be done directly by the service through API integration or by using a dedicated mobile application. When a user attempts to access the account or service, the phone is used to further verify his or her identity and provide access. Though this can be done in a variety of ways, there are four common methods most often used today.

• Voice confirmation: The service or account will place a call to the mobile device and deliver a message containing a passkey. The user must then enter the passkey to obtain access.
• SMS confirmation: A passkey is sent using SMS to the mobile device. Upon entry of the key on the site, access is granted.
• Push Notifications: After attempting to access the account, the user’s phone will receive a notification requesting a response. Upon response via the phone, access is granted.
• Application Integration: Access to accounts and services is tied directly to an application on the user’s phone. After entering login credentials for the service, the user must also launch an application on his or her phone and provide a generated key or perform a specific action to gain full access.

In most cases, passkeys and other requirements are dynamically generated based on unique serial numbers, phone identifiers and other criteria to prevent unauthorized users from generating the required keys. This ensures access is nearly impossible without direct access to the device. Since passkeys are often generated on demand or refreshed at frequent intervals, the chance of using a cached passkey, guessing the passkey or brute-forcing a valid key within the time window is minimal.
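As an added example (not code from the original post or from Authentify), the following shows how an application-integration passkey of the kind described above is typically generated and checked: a time-windowed one-time code in the style of RFC 6238 (TOTP, built on RFC 4226 HOTP), which is an assumption about the app, since the post does not name a specific algorithm. The phone and the server share a secret enrolled when the device is linked; each side derives the code from that secret and the current 30-second window, and the server additionally refuses to accept any window it has already consumed, which is what keeps a cached or replayed passkey from working.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # width of the time window; phone and server must agree on it
DIGITS = 6          # length of the displayed passkey


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time window (phone side)."""
    return hotp(secret, at // step)


def decode_secret(secret_b32: str) -> bytes:
    """Shared secrets are usually provisioned as base32 (the format carried in enrolment QR codes)."""
    return base64.b32decode(secret_b32.strip().upper())


class TotpVerifier:
    """Server side: accept a code from the current window or its immediate neighbours, never twice."""

    def __init__(self, secret: bytes, skew_steps: int = 1) -> None:
        self.secret = secret
        self.skew = skew_steps          # tolerate small clock drift between phone and server
        self.last_used_counter = -1     # highest window already accepted (replay guard)

    def verify(self, submitted: str, at: int) -> bool:
        counter = at // STEP_SECONDS
        for candidate in range(counter - self.skew, counter + self.skew + 1):
            if candidate <= self.last_used_counter:
                continue                # a window already consumed cannot be replayed
            if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                self.last_used_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret, not a real enrolment; in practice it is generated per device.
    secret = decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(secret, now)                      # what the phone app would display
    print("phone shows", code, "-> server accepts:", TotpVerifier(secret).verify(code, now))
```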

Potential Concerns Regarding Mobile Two-Factor Authentication

Though there are obvious benefits to two-factor authentication, there are some issues that can arise. The most common concern is the fail-safe process needed should a device be lost or inaccessible. In most cases, contacting the service provider or a system administrator will allow a user to provide authentication and make changes to the two-factor authentication long enough to access the account or service. Care should be taken when implementing fail-safe systems to ensure they cannot be abused to compromise the security of the two-factor authentication system.

Another major concern is the use of two-factor authentication by unauthorized users to block authorized users from an account. While this is less common in enterprise or business settings, it is possible for anyone with unauthorized access to many popular online services to enable two-factor authentication without the account holder’s knowledge. Upon attempting to log in, the user will be locked out and must contact support to restore access.


Robert Coulter is an author for Authentify. Robert reviews and blogs about phone-based two-factor authentication. In his free time he enjoys biking and swimming outdoors whenever possible.
