Enforcing Authentication on Employee Smartphones

Monday, March 14, 2011

Roman Yudkin


Individuals are increasingly using their smartphones for a mix of both business and personal purposes.

Sometimes people even "pull" the use of smartphones and other consumer products into the business without the IT department's knowledge or consent.

As a result, businesses are struggling to implement security controls such as strong authentication on the smartphones their employees are using.

It's very easy for an employee to lose a smartphone or have it stolen. When that happens, there's the potential for valuable company information to be exposed or fall into the wrong hands. Yet, many businesses fail to enforce authentication on the phones their employees use.

A recent study published by Ovum showed that only 52% of businesses enforce authentication on their employees' mobile phones. A separate survey conducted by Goode Intelligence showed that 70 percent of businesses allow employees to use their personal smartphones for company business, and that 64 percent of the companies that allow users to store company information on their smartphones do not enforce encryption of that sensitive data on the phone.

If a locking method is used on the device at all, it most often consists merely of a short four-digit PIN. These PIN-based passwords have extremely low entropy and are easy for an attacker to guess, or to crack by trying the most common combinations.

Businesses should implement strong authentication controls to lock the devices from unauthorized users. An image-based approach works well for device lock/unlock.

One image-based approach is to have the user select broad categories of things that are easy to remember. To unlock the device, the application displays a grid of random pictures and the user must identify the pictures that fit their pre-chosen categories in order to authenticate and unlock the device.

The specific pictures that are displayed on the grid are different each time, thereby forming a unique picture password each time. All the user needs to remember are the broad categories. 

Because a new one-time picture password is created for each unlock, this approach provides stronger security than a static four-digit PIN; and because the user identifies their categories by tapping the appropriate images, it is easier than typing a complex password on the phone's keyboard.
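To make the mechanism described above concrete, here is an added Python model of the challenge/response unlock, not code from the original post or from any product. It assumes a 3x3 grid that shows exactly one image from each of the user's secret categories plus random decoys, a device-side attempt limit of five, and a small constructed image library; all of those are assumptions, not details from the article. It also computes the guessing space of a four-digit PIN next to the per-attempt guessing space of the grid so the strength claim can be checked against actual parameters.

```python
import math
import secrets

# Constructed image library for the demo: filename -> category.
# A real deployment would hold many images per category; these are made up.
IMAGE_LIBRARY = {
    "img_boat.png": "boats", "img_yacht.png": "boats", "img_canoe.png": "boats",
    "img_dog.png": "dogs", "img_puppy.png": "dogs", "img_beagle.png": "dogs",
    "img_cake.png": "desserts", "img_pie.png": "desserts", "img_sundae.png": "desserts",
    "img_car.png": "cars", "img_truck.png": "cars", "img_sedan.png": "cars",
    "img_rose.png": "flowers", "img_tulip.png": "flowers", "img_daisy.png": "flowers",
    "img_clock.png": "clocks", "img_watch.png": "clocks", "img_sundial.png": "clocks",
}

_rng = secrets.SystemRandom()  # OS randomness, so each grid is unpredictable


def guess_space(pin_digits=4, grid_size=9, num_categories=3):
    """Number of guesses an attacker with no knowledge of the secret must cover.

    A PIN of d digits has 10**d possibilities. For the grid, an attacker who knows
    how many images must be tapped, but not which categories, must pick the right
    subset of cells: C(grid_size, num_categories) possibilities per attempt.
    """
    return {"pin": 10 ** pin_digits,
            "grid_per_attempt": math.comb(grid_size, num_categories)}


def guess_space_bits(**kwargs):
    """Same comparison expressed in bits of entropy."""
    return {k: math.log2(v) for k, v in guess_space(**kwargs).items()}


def build_challenge(user_categories, grid_size=9):
    """One unlock grid: one random image per user category plus random decoys,
    shuffled. Returns (grid, expected_positions)."""
    by_cat = {}
    for name, cat in IMAGE_LIBRARY.items():
        by_cat.setdefault(cat, []).append(name)
    chosen = [_rng.choice(by_cat[c]) for c in user_categories]
    decoys = [n for n, c in IMAGE_LIBRARY.items() if c not in user_categories]
    if len(decoys) < grid_size - len(chosen):
        raise ValueError("image library too small for this grid size")
    chosen += _rng.sample(decoys, grid_size - len(chosen))
    _rng.shuffle(chosen)
    expected = {i for i, n in enumerate(chosen) if IMAGE_LIBRARY[n] in user_categories}
    return chosen, expected


def legit_answer(grid, user_categories):
    """What the legitimate user taps: positions of images in their categories."""
    return [i for i, n in enumerate(grid) if IMAGE_LIBRARY[n] in user_categories]


class PictureLock:
    """Device-side verifier. The only long-lived secret is the category set, which
    stays on the device; each challenge is single-use, so an observed answer cannot
    be replayed. max_attempts is an assumed lockout policy, not from the post."""

    def __init__(self, user_categories, grid_size=9, max_attempts=5):
        self.categories = frozenset(user_categories)
        self.grid_size = grid_size
        self.max_attempts = max_attempts
        self.failures = 0
        self._expected = None

    def challenge(self):
        if self.failures >= self.max_attempts:
            raise PermissionError("device locked: too many failed attempts")
        grid, self._expected = build_challenge(sorted(self.categories), self.grid_size)
        return grid

    def verify(self, tapped_positions):
        if self._expected is None:
            raise RuntimeError("no outstanding challenge; call challenge() first")
        expected, self._expected = self._expected, None  # consume: one-time only
        ok = set(tapped_positions) == expected
        self.failures = 0 if ok else self.failures + 1
        return ok


if __name__ == "__main__":
    print(guess_space(), guess_space_bits())
    lock = PictureLock(["boats", "dogs", "desserts"])
    grid = lock.challenge()
    print("grid:", grid)
    print("unlocked:", lock.verify(legit_answer(grid, lock.categories)))
```

Running guess_space() with the defaults shows the caveat a practitioner should check before trusting the strength claim: a 3x3 grid with three categories offers only C(9,3) = 84 guesses per attempt (about 6.4 bits), well below the 10,000 of a four-digit PIN, so the scheme's advantage comes from the one-time challenge (no replay of an observed entry) and from the attempt limit, and the per-attempt space must be raised by the grid and category parameters; a 5x5 grid with four categories, for instance, gives C(25,4) = 12,650. The category set must be stored and compared only on the device, since anyone who learns it can answer every future grid.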

In addition to locking and unlocking the device itself, businesses should consider protecting certain applications on the phone behind an additional layer of authentication. Most smartphone applications today are launched simply by tapping them and do not require any authentication from the user.

Businesses should require authentication in front of any applications on their employees' smartphones that connect to corporate networks or access sensitive company information or online accounts. They should make sure that those apps are kept "separate" on the device, behind a security wall that requires authentication before the app is launched.

Additionally, businesses that create apps should keep security in mind and build authentication schemes into their apps.

As employees continue to use their smartphones for both personal and business purposes, businesses must begin implementing more stringent security measures and educating their employees on the importance of protecting the mobile devices and specific applications with layers of authentication.

These improved security practices will trickle down to the broader consumer market, and individual users will begin adopting better smartphone security practices as well.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
