Missing Link in ENTERPRISE NETWORKING
By: Larry Loeb | 16 September 2016
The factors driving smartphone adoption don't always change that drastically: email, text, personal finance and occasionally syncing a new wearable device. It's hard to imagine what else consumers can do with their phones beyond improvements to their daily routine. For businesses, however, the question is whether smartphones can help with mobile ID security.
To answer that, you have to consider the effects of the links the phone routinely makes. A device talks to the nearest cell tower all the time, even when you aren't directly using the phone. This pinging ensures location services work correctly when used for things like GPS.
For identification purposes, your smartphone serves as a stand-in for you to ensure the device isn't being misused, but it doesn't routinely authenticate who has the device in hand, with some exceptions. A banking app can use the fingerprint trigger in the iPhone 5s and up. And because some banks require frequent reauthentication when the app times out, the hardware can be a viable shortcut for authenticating a business account protected with a well-crafted password upheld by the employee who has access to it.
For staff using a common corporate device - a tablet, for example - companies may also store multiple fingerprints to simplify access to company data. In SearchMobileComputing, Matt Schulz of the United Services Automobile Association (USAA) describes this practice wherein employees would bring a shared iPad to reference account information when visiting clients off-site.
Speaking of location monitoring, the Airports Council International-North America has found that a mobile phone can be successfully used in passport control. They developed an “MPC” app that enables eligible travelers to upload their passport information to an online profile. MPC remains the sole protocol authorized to facilitate this practice, and it does not replace a traditional paper passport.
Nonetheless, an app of this nature can bypass the normal security procedure used by routine international travelers at a dozen U.S. airports. Giving time that was spent in a customs line back to a business traveler is a major productivity boost, to be sure. And it requires only the use of a device that the traveler already carries.
Cell phones in general remain a vulnerable platform, though. Base transceiver station (BTS) towers recently showed themselves to be a man-in-the-middle (MitM) attack platform, which can allow cybercriminals to fake the identity of a BTS. So although a phone might best serve as an indicator for an ID, it should not serve as an identity confirmer all by itself.
Passive security as well as contextual security come into play here, as GCN points out. Passive methods, such as discovering an employee's location from their cell phone when he or she logs in, could factor into the login authentication process. Simple phone possession won't verify an ID, of course, but if the employee reveals that they are where they're expected to be, it increases the validity of the ID.
Mobile devices talk to a lot of networks. Some of them can be used to enhance ID verification processes when needed. If a better outcome is possible, it may be worth it to trade off some loss of user privacy for a smoother ride through IT's recurring ID routines. If there is a biometric sensor already on the device, ID confirmation becomes much easier and requires far less computing to implement.
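
The contextual check described above can be sketched as a login policy in which phone possession and location only raise confidence, while a password or fingerprint remains the confirming factor. This is an added example, not code from the article or any product it mentions; the `LoginAttempt` fields, the 1 km radius, the three outcomes and the sample coordinates are all assumptions made for illustration.

```python
import math
from dataclasses import dataclass
from typing import Optional

EARTH_RADIUS_KM = 6371.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

@dataclass
class LoginAttempt:                      # hypothetical record, fields are assumptions
    password_ok: bool                    # primary credential verified
    biometric_ok: bool                   # on-device fingerprint match
    device_enrolled: bool                # phone registered to this employee
    device_lat: Optional[float] = None   # reported phone location, if any
    device_lon: Optional[float] = None

def decide(attempt, expected_lat, expected_lon, radius_km=1.0):
    """Return 'allow', 'step_up' or 'deny' for one login attempt."""
    # Possession and location are indicators only: without a confirming
    # factor (password or biometric) the attempt is refused outright.
    if not (attempt.password_ok or attempt.biometric_ok):
        return "deny"
    # A confirming factor from an unknown phone, or with no location to
    # compare, gets extra verification rather than a silent pass.
    if not attempt.device_enrolled or attempt.device_lat is None or attempt.device_lon is None:
        return "step_up"
    distance = haversine_km(attempt.device_lat, attempt.device_lon, expected_lat, expected_lon)
    # Being where the employee is expected raises confidence enough to allow.
    return "allow" if distance <= radius_km else "step_up"

# Constructed sample data: an office location and four login attempts.
OFFICE = (40.7128, -74.0060)
SAMPLES = {
    "at office, password": LoginAttempt(True, False, True, 40.7130, -74.0055),
    "at office, no factor": LoginAttempt(False, False, True, 40.7130, -74.0055),
    "far away, fingerprint": LoginAttempt(False, True, True, 34.0522, -118.2437),
    "no location reported": LoginAttempt(True, False, True),
}

if __name__ == "__main__":
    for label, attempt in SAMPLES.items():
        print(f"{label}: {decide(attempt, *OFFICE)}")
```

Because a reported location can itself be falsified, the policy never lets it stand in for the password or fingerprint; it only decides whether a confirmed login needs a further step.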