New mobile authentication strategies and the decline of the password
Since the dawn of humanity, people have used passwords. Whether to identify with friendly forces on a battlefield, get into a speakeasy during prohibition or access devices and data in the modern era, passwords have historically been the dominant method of proving that someone is who they claim to be.
In today’s hyper-connected mobile world, however, businesses need to take new approaches to mobile authentication. Large-scale hacks have become increasingly common, and the now-antiquated password is often the weak link in more traditional security procedures. With new mobile authentication techniques, businesses have more comprehensive ways to protect against these security breaches.
Strong Passwords Are Not Enough
The use of strong passwords that consist of a long stream of alphanumeric characters and symbols seems like a logical strategy, but attackers have many ways to obtain them anyway: cracking them with efficient algorithms and extensive dictionaries, or stealing them outright through phishing scams and keylogging malware. In addition, workers are increasingly using multiple mobile devices to access their business applications, data and cloud-based apps — all of which require distinct passwords. Remembering complex passwords for all of the different apps, devices and services is next to impossible; even if a user does remember those long strings, they are difficult to enter on small devices such as smartphones and tablets. Single sign-on (SSO) technologies can help with that, but if they rely on inherently vulnerable passwords, the risks only multiply: one stolen password now opens every connected application.
More and more, companies have been deploying multi-factor authentication (of which two-factor authentication is the most common form) to help keep unauthorized users from accessing critical business apps and data. At a basic level, multi-factor authentication requires two or more of the following:
- Something the user knows, like a password or other account details
- Something the user possesses, like a smartphone or hardware token
- Something the user is, like a fingerprint or iris scan
One of the most common approaches is for a user to log in with a dedicated user ID and password. After that, the user receives an SMS message on their mobile device with a randomly generated one-time code to complete the login process. This can also be done with hardware tokens that generate a new access code once activated, or with smart cards containing an RFID chip that is read by a sensor on the device to authenticate the user.
There are a variety of ways to handle mobile authentication at the network level. Digital certificates; the use of directory services like Microsoft Active Directory; and tunneling through secure SSL, IPsec and mobile VPN connections are a few more ways to secure a mobile environment. With granular identity and access management (IAM) tools, IT administrators can also create strict policies about which users can access the network from specific devices and locations.
While passwords aren’t going anywhere soon, it’s become increasingly clear that they are not sufficient to secure a mobile, hyper-connected environment. Security breaches happen every day, and all businesses and individuals are potential targets. With new mobile authentication technologies, however, businesses have many options to stay at least one step ahead of malicious hackers.