Hello, It's Me: Mobile Options for End-User Authentication

Transcription

1 Hello, It's Me: Mobile Options for End-User Authentication As enterprises re-evaluate their strategies for authenticating end-users with methods that are stronger than traditional usernames and passwords, solution providers are responding by developing innovative options for authentication that leverage what is arguably the most personal, indispensable and ubiquitous of all modern devices the mobile phone. This Analyst Insight frames the expanding range of mobile options that are available for end-user authentication in the enterprise. March 2012 Analyst Insight Aberdeen s Analyst Insights provide the analyst perspective of the research as drawn from an aggregated view of surveys, interviews, analysis and industry experience. Business Context: A Wake-Up Call for Authentication Starting in the second half of 2011, Aberdeen's research in IT Security has noted multiple times that many enterprises are re-evaluating their strategies for authenticating their end-users with methods that are stronger than traditional usernames and passwords. Business context driving these initiatives includes compliance, vulnerabilities and threats, and mobility: The latest findings and recommendations from the agencies of the Federal Financial Institutions Examination Council (FFIEC), issued in a June 2011 supplement to its October 2005 guidance on Authentication in an Internet Banking Environment. The supplemental guidance highlights a number of authentication controls as being more effective in the context of current threats, although no specific controls or technologies are positively endorsed. The highly-publicized headlines of recent successes by the Internet's many attackers and foes, including security breaches at traditional market-leading solution providers such as RSA, The Security Division of EMC and DigiNotar, the now-defunct Netherlandsbased subsidiary of VASCO Data Security. These and other highprofile incidents have collectively served as an industry wake-up call regarding the changing nature of the security threat landscape increasingly, attacks are highly targeted to specific organizations; carefully crafted based on intelligence-gathering about systems, business processes and individuals; and executed across multiple vectors in a manner which is designed to evade detection. The rapid, remarkable impact of enterprise mobility. Mobile devices are ubiquitous, indispensable, highly personal and carried by virtually all demographic groups and are increasingly being leveraged by enterprise IT departments to enhance end-user authentication and improve overall enterprise security (see sidebar). This last point underscores the primary focus for this latest Analyst Insight a look at mobile options for stronger end-user authentication in the enterprise. Fast Facts Findings from Aberdeen's global study of more than 850 organizations, conducted in 1Q2012, help to describe the challenges and the opportunities created by the "bring your own device" trend in enterprise mobility. Enterprise policy toward employee adoption of mobile devices for business purposes: 33% employees must use company-issued devices 38% company-issued mobile devices are available, but employees may use their own devices if they choose 15% employees are responsible for supplying their own mobile devices 14% no formal policy Enterprise supports mobile software applications for business purposes: 42% yes 18% planned < 12 months 19% evaluating 21% no This document is the result of primary research performed by Aberdeen Group. Aberdeen Group's methodologies provide for objective fact-based research and represent the best analysis available at the time of publication. Unless otherwise noted, the entire contents of this publication are copyrighted by Aberdeen Group, Inc. and may not be reproduced, distributed, archived, or transmitted in any form or by any means without prior written consent by Aberdeen Group, Inc.

2 Page 2 Mobile Options for End-User Authentication Compared to traditional options for stronger end-user authentication, options that leverage today's mobile devices offer several general benefits including lower barriers to adoption for end-users (who leverage devices they already carry and know how to use), and lower total cost of ownership for the enterprise (who leverage devices the end-user may have purchased, potentially for multiple business purposes). The most common mobile options for end-user authentication in the enterprise that Aberdeen sees in its IT Security research are one-time passwords, digital certificates and out-ofband authentication. One-Time Passwords One-time passwords (OTP) are the classic example of two-factor end-user authentication, because they combine something the end-user knows (typically a personal identification number, or PIN) with something they have (traditionally a standalone hardware device referred to as a token, which generates a pseudo-random number every 60 seconds or at the push of a button). The combination of these two factors PIN plus one-time password creates a unique login credential that is valid for a single use. Software tokens are software applications which provide functionality that is essentially equivalent to that of traditional standalone hardware tokens. The end-user enters their username and password, along with their PIN and one-time password from the mobile device, to access enterprise resources (Figure 1). Over the last decade, solution providers have significantly expanded the range of mobile platforms supported by software tokens including smart phones, tablets, and SIM cards for greater end-user convenience and lower total cost than hardware tokens. Definitions In general, factors for enduser authentication include: Something you know (such as a PIN) Something you have (such as a phone, a card or a token) Something you are (such as a voice or finger biometric) Something you do (such as typical patterns of behavior, or the unique dynamics of end-user typing on a keyboard) SIM (Subscriber Identification Module) cards are used to identify and authenticate end-users (subscribers) on mobile phone networks. Among other things, each SIM card contains a unique serial number, the unique mobile phone number of the end-user, and other security and network information. Figure 1: One-Time Passwords Enterprise Mobile Applications (Software Tokens) Server-based authentication solutions send a one-time passcode to a pre-registered mobile phone (e.g., in an SMS message), which the end-user enters together with their PIN, username and password to access enterprise resources (Figure 2). A simple way to think of it is that software tokens generate one-time passwords locally (on the mobile devices that endusers are holding in their hand), while server-based authentication generate one-time passwords remotely (in the cloud).

3 Page 3 Figure 2: One-Time Passwords Server-based (e.g., SMS) Enterprise mobile applications refer to small-footprint software applications which are specifically designed to run on smart phones, tablets or other mobile devices, and which are optimized for graphical, touch-based user interfaces (i.e., they are not browser-based). New approaches to providing authentication and other security capabilities for enterprise mobile applications include software developer kits (SDKs) for embedding one-time password authentication functionality directly into the application code. In these scenarios, the mobile application automatically and transparently provides the one-time password as part of accessing the enterprise resource (Figure 3) which not only enhances end-user convenience, but also defends against man-in-the-middle attacks. Definitions Man-in-the-Middle or Man-in-the-Browser refers to scenarios in which an attacker hijacks an online session by transparently inserting himself between the end-user and the legitimate target resource. Figure 3: One-Time Passwords Enterprise Mobile Applications (embedded SDK) Digital Certificates Digital certificates are credentials which have been issued by a trusted authority (a certification authority, also referred to as a certificate authority, or CA); they establish a relationship between a specific end-user and a specific cryptographic key. Certificates are in turn the foundation for a wide range of capabilities, including end-user authentication (e.g., to the endpoint / desktop, for network access, for remote access, for privileged administrative accounts), digital signatures (e.g., signed ), encryption of sensitive data (e.g., encrypted , secure file transfer), and physical access (e.g., integration with physical access control systems for building entry).

4 Page 4 Digital certificates are supported on a wide range of form factors, including smart cards, smart phones, SIM cards, chip-based tokens, bank cards and electronic passports. Newly emerging software smart cards for smart phones provide certificate-based functionality equivalent to that of a standalone smart card (Figure 4). In addition, leading vendors are introducing innovative solutions that leverage software smart cards and proximity-based smart phone technologies such as Bluetooth and NFC (nearfield communication) to provide automatic login and automatic logout to local workstations or physical access control systems. Fast Facts Digital certificates are also supported in a variety of standardized formats for example, see X.509, EMV which specify attributes such as version, serial number, algorithm, issuer, validity period, and optional extensions. Figure 4: Digital Certificates Enterprise Mobile Applications (Software Smart Cards) Interoperability and acceptance of certificates and smart cards continues to be driven positively by US Federal government-led initiatives, e.g.: PIV-I (Personal Identity Verification Interoperable) cards, which meet the technical specifications to work with US Federal PIV infrastructure (e.g., card readers), and which are issued in a trusted manner ICAM (Identity, Credentialing and Access Management), the US Federal initiative defining a government-wide architecture for trusted credentials Enhanced support for certificates and smart cards within the Microsoft platform is also reducing barriers to adoption, for example: Support for smart cards as Plug and Play components of Windows 7 The introduction of Direct Access, for secure remote connections which are transparently chained to a smart card-based Windows logon Out-of-Band Solutions Out-of-band authentication (OOBA) refers to a scenario in which an end-user enters their username and password to access an enterprise resource, but must also respond in a different band or channel (e.g., a phone call, text message, or push notification to a mobile app) as an integral part of Fast Facts PIV-I is designed to drive interoperability with the US Federal PIV infrastructure for: Federal agencies, contractors, suppliers and business partners State and local governments First responders Healthcare workers ICAM is designed to improve electronic access to government services for: Federal agencies, contractors, suppliers and business partners US citizens

5 Page 5 the authentication process (Figure 5). In a similar way, out-of-band solutions can be used to ask the end-user to verify online transactions (e.g., approve a transfer of $X to Account Y at Bank Z). Figure 5: Out-of-Band Authentication (OOBA) and Transaction Verification Note that server-based authentication solutions that send a one-time passcode in an out-of-band channel (e.g., an SMS message with a one-time passcode, sent to a mobile phone as discussed above), are not considered out-of-band authentication, because the end-user enters the one-time password together with their username and password (in the same channel) to access the enterprise resource. Companies evaluating out-of-band technologies for end-user authentication should ensure that their solution providers protect them with appropriate legal indemnification, in the event of potential future disputes over intellectual property in this area (see footnote in Table 1). Aberdeen's Research Findings: Mobile Adoption Figure 6 provides a snapshot based on multiple Aberdeen research studies conducted in the first half of 2011 of how these general classes of phonebased technologies for end-user authentication are currently being adopted in enterprise environments, along with plans and evaluations for future adoption. In terms of current use: All companies currently allowing end-users to access enterprise resources using mobile phones are currently supporting mobile web access Four out of five (83%) respondents are currently using enterprise mobile apps for business purposes, with leading performers deploying an average of 11 employee-facing enterprise mobile apps and lagging performers deploying an average of 5 More than half (55%) have a current mobile device management initiative Two out of five (41%) currently support one-time passwords About one in four (25%) currently support digital certificates Definitions Mobile web access refers to the most basic approach for mobile end-user authentication, in which the enterprise resources being accessed are web-based e.g., Outlook Web Access and the end-users authenticate within their mobile web browsers using traditional username and password. Mobile device management (MDM) solutions generally include device authentication capabilities (based on dozens of device parameters such as time, location, configuration settings, and other attributes), in addition to user authentication and application controls, as the means to control end-user access to enterprise resources. Aberdeen's research has shown that MDM is commonly the first step in a broader enterprise mobility management (EMM) initiative.

6 Page 6 About one in four (23%) currently support out-of-band authentication Relative to current use, the responses for planned use in the next 12 months and current evaluations indicate very high market interest in stronger forms of end-user authentication than basic username / password. Figure 6: Adoption of Phone-based Authentication (1H2011) Mobile web access 100% Enterprise mobile apps 83% 10% Mobile device management 55% 24% One-time passwords 41% 19% Digital certificates 25% 26% Out-of-band authentication 23% 24% Percentage of All Respondents Current Use Planned or Evaluating Source: Aberdeen Group, July 2011 Customer Case-in-Point: Direct Marketing Services Founded in 1923, a leading provider of business-to-business direct marketing services today generates nearly $1B in annual revenue and serves its global customer base with approximately five thousand full-time employees worldwide. Security-related pressures that led to the company's recent adoption of one-time password software tokens on employee-owned smart phones and tablets include: Client contracts and regulatory compliance requirements, which impact the manner in which customer and prospect data may be captured, handled, analyzed and disseminated Consumer concerns about the privacy and security of their data, which could lead them to exercise their ability to prevent such data from being collected, used or shared Management of third parties, which provide a portion of the overall services in certain engagements "Many of our customers, especially those in the financial services and healthcare segments, expect this feature to be a standard component of our security program," explained the company's Director of IT. "While one-time passwords do involve an additional step in the process of our end-users obtaining remote access to our network, the increased security it provides to us and our customers far outweighs any inconvenience." Phased rollouts of software tokens from Entrust began in 2011 for all of the company's SSL VPN users, representing about 30% of the total employee

7 Page 7 population. Because of the company's desire to minimize its total cost of ownership by supporting software tokens on employee-owned smart phones and tablets, the ability to support grid cards as a low-cost alternative for employees without their own smart phone or tablets from the same Entrust IdentityGuard management console was a key solution selection criteria. Rollout of the software token solution did uncover a few tangential issues early on, for example the fact that the company's SSL Server Certificates had expired. "On the one hand we were communicating that the installation of software tokens is mandatory and urgent," noted one company vice president, "While on the other hand, every employee following the directions to comply was receiving an error message saying that the certificates were invalid and recommending not to continue." But as these issues were overcome, the company is satisfied with the overall balance of security, total cost and end-user convenience offered by its selection of a primarily phone-based option for end-user authentication. Definitions Grid cards refer to a 5-row by 10-column matrix of numbers and characters which has been uniquely created and issued to each end-user. When logging in, end-users are asked to provide the corresponding information from a number of specific cells (e.g., the number or character from the cell D5) as their one-time password. Grid cards can be printed (wallet-size) and carried physically, or produced and stored electronically. Solutions Provider Case-in-Point: Entrust (Dallas, TX) Since the mid-1990s, Texas-based Entrust has developed identity-based IT security solutions including strong authentication, fraud detection, digital certificates, SSL and EV SSL Server Certificates, and Public-Key Infrastructure (PKI) that today support more than 5,000 organizations in over 85 countries. Historically, Entrust's customer base has been particularly strong in the areas of government, financial services, telecommunications, pharmaceuticals, aerospace and defense. Figure 7: Entrust IdentityGuard Software Authentication Platform Many Authentication Methods, Common Management Console Source: Entrust, March 2012 The Entrust IdentityGuard solution is a flexible software authentication platform and common management framework that allows organizations to select the appropriate balance of security, total cost and convenience for each segment of their end-user population. Entrust IdentityGuard is designed to support a broad range of authentication methods from a common management console (Figure 7) including solutions for

8 Mobile application (software token) Server-based (SMS) Mobile application (embedded SDK) Hardware-based (e.g., SIM) Hardware-based (e.g., SIM, NFC) Mobile application (software smart card) Authentication (1) Transaction Verification MDM Integration Hello, It's Me: Mobile Options for End-User Authentication Page 8 website authentication, desktop authentication, building access, cloud authentication, remote / mobile access, secure , digital signatures, government eid and passport, and government ehealth and citizen ID. In the context of this Analyst Insight, Entrust IdentityGuard provides the broadest support among leading solution providers for mobile options for end-user authentication (see Table 1). Solutions Landscape (illustrative) Solution providers of mobile options for end-user authentication range from those who focus on specific methods (e.g., OTP, certificates, OOBA), to those who focus on specific mobile platforms (e.g., SIM), to those who support mobile options as part of a broader, "platform" approach to enduser authentication. Table 1 provides an illustrative list. Table 1: Mobile End-User Authentication for the Enterprise One-Time Passwords Digital Certificates Out-of- Band (3) Solution Providers (illustrative) Entrust X X X X X x X X VASCO X X X X RSA / EMC X X X x x X Gemalto X X X X X ActivIdentity X X X SafeNet X X Quest Software X X Symantec (VeriSign) X X X Swivel X X StrikeForce (2) X X X PhoneFactor X X Authentify X X Note 1: OOBA capabilities based on a partnership with Authentify are designated by "x" Note 2: Ram Pemmaraju, CTO of StrikeForce Technologies, is credited by the US Patent Office as the inventor of US Patent # , "Multichannel Device Utilizing a Centralized Out-of-Band Authentication System," issued January 2011 Note 3: At the time of publication the number of partnerships, acquisitions and in-house development efforts related to the integration of mobile authentication and mobile device management capabilities is on the rise; readers should confirm current status in this regard directly with the respective solution providers

9 Page 9 Summary and Key Takeaways As enterprises re-evaluate their strategies for authenticating end-users with methods that are stronger than traditional usernames and passwords, mobile devices are becoming even more attractive as the means for addressing mounting regulatory pressures for stronger authentication, an increasingly sophisticated vulnerability and threat landscape, and unrelenting expectations of mobility for the typical enterprise end-user. Solution providers are responding by developing innovative options for enduser authentication that leverage these mobile devices, particularly in the area of one-time passwords, digital certificates and out-of-band authentication. Solution providers of mobile options for end-user authentication range from those who focus on specific methods (e.g., OTP, certificates, OOBA), to those who focus on specific mobile platforms (e.g., SIM), to those who support mobile options as part of a broader, "platform" approach to enduser authentication. From the end-user perspective, mobile authentication solutions have several advantages: Mobile devices are faithfully carried and used already, so barriers to adoption are low Mobile solutions are generally designed to be familiar and easy to use, so little training is required Mobile devices are generally always in the end-user's possession, so the authentication experience to enterprise resources is always consistent From the enterprise perspective, advantages of mobile authentication solutions include: Mobile devices already exist and can be leveraged for multiple business purposes, which lowers total cost of ownership for the enterprise The question "what devices are on the enterprise network" can be addressed by device authentication (e.g., the issuance of a digital certificate to provide each device with a unique digital identity); Aberdeen's research in network access has shown that the leading performers are nearly 2-times more likely than the lagging performers to have implemented this capability Many enterprise users have more than one mobile device; the business needs to establish a level of assurance not only for what devices are accessing its network, but also for what authorized identities are behind those devices Mobile authentication solutions complement existing mobile device management initiatives, which already exist at more than half of all companies participating in Aberdeen's 2011 study

10 Page 10 Enterprises should first establish what strategic objectives they are trying to achieve with their enterprise mobility management initiatives e.g., compliance, risk, total cost, convenience, collaboration and then select the mobile options for end-user authentication that best supports these needs. In other words: first why, then how. For more information on this or other research topics, please visit Jumping on the Out-of-Band Wagon; January 2012 Stronger Authentication for Small and Mid-Sized Businesses; November 2011 Too Trusted to Fail: Attacks on SSL Server Certificate Infrastructure in 2011; October 2011 Enterprise Mobile App Strategies; October 2011 Enterprise-Grade BYOD Strategies; September 2011 The Case Against Passwords: Reevaluating Stronger User Authentication; August 2011 The Case for Smart Cards; July 2011 Enterprise Mobility Management Goes Global: Mobility Becomes Core IT; July 2011 Related Research IAM Integrated: Analyzing the Platform versus Point Solution Approach; June 2011 Managing Identities and Access; March 2011 Secure Remote Access: From the Outside In, to the Inside Out; January 2011 The Zen of Network Access; Dec Five Key Capabilities for Gaining Visibility and Control over Your Network Devices, Endpoints and End-Users; Sept Logon Once, Access Many: The Pursuit of Single Sign-On; March 2009 One-Time Passwords for Two-Factor Authentication; January 2009 Managing Privileged Users; Nov Strong User Authentication: Best-in-Class Performance at Assuring Identities; March 2008 Author: Derek E. Brink, Vice President and Research Fellow for IT Security For more than two decades, Aberdeen's research has been helping corporations worldwide become Best-in-Class. Having benchmarked the performance of more than 644,000 companies, Aberdeen is uniquely positioned to provide organizations with the facts that matter the facts that enable companies to get ahead and drive results. That's why our research is relied on by more than 2.5 million readers in over 40 countries, 90% of the Fortune 1,000, and 93% of the Technology 500. As a Harte-Hanks Company, Aberdeen s research provides insight and analysis to the Harte-Hanks community of local, regional, national and international marketing executives. Combined, we help our customers leverage the power of insight to deliver innovative multichannel marketing programs that drive business-changing results. For additional information, visit Aberdeen or call (617) , or to learn more about Harte-Hanks, call (800) or go to This document is the result of primary research performed by Aberdeen Group. Aberdeen Group's methodologies provide for objective fact-based research and represent the best analysis available at the time of publication. Unless otherwise noted, the entire contents of this publication are copyrighted by Aberdeen Group, Inc. and may not be reproduced, distributed, archived, or transmitted in any form or by any means without prior written consent by Aberdeen Group, Inc. (2012a)