Your Guide to Authenticating Mobile Devices

Authors: Timothy D. Cairney, Abbie Gail Parham, J. Lowell Mooney
DOI: http://doi.org/10.1002/jcaf.22052
Published: 01 May 2015
© 2015 Wiley Periodicals, Inc.
Published online in Wiley Online Library (wileyonlinelibrary.com). DOI 10.1002/jcaf.22052
This article was originally published in Volume 24, Number 5 of The Journal of Corporate Accounting and Finance.
Feature Article

J. Lowell Mooney, Abbie Gail Parham, and Timothy D. Cairney

Your Guide to Authenticating Mobile Devices

Abstract

New information technology (IT) mobile devices, such as the iPhone and iPad, increasingly emerge in the consumer market first and then spread to the workplace. This is creating major privacy and security headaches for corporate executives. Surveys show that IT groups significantly underestimate, by as much as 50%, how many employees use their own mobile devices for work purposes. So what is to be done? The authors take an in-depth look at one vitally important security measure: user authentication. Companies need to go beyond just using passwords if they want to stay safe and secure. This article shows you how. It includes step-by-step instructions and a series of valuable checklists.

INTRODUCTION

"Criminals, hacktivists, and hostile governments understand that the quickest way to corporate data is through mobile workers' unsecured endpoints."
Marble Security, 2013

The consumerization of mobile technology is creating major privacy and security headaches for corporate executives. Consumerization refers to the increasing tendency of new information technology to emerge first in the consumer market and then spread to the workplace. According to a recent survey by IDC, 40% of the devices used to access business applications are consumer-owned, up from 30% in 2010. The survey further revealed that IT groups typically underestimate significantly (by as much as 50%) the percentage of employees who use their own devices for work purposes (International Data Corporation, 2013). And we are not just talking about one device per employee. Gartner Research (Matthews, 2012) predicts that by 2014, 80% of professionals will use at least two mobile devices, whether employee-owned or company-owned, to access corporate systems and data. How, then, does an organization fully support the business demands of its employees while managing the security risks created by allowing mobile access to sensitive networks and information?

In our last article, Your Firm's Mobile Devices: How Secure Are They? (Wright, Mooney, & Parham, 2011), we reviewed eight security tools and discussed several best practices for securing mobile devices. We also described strategic goals related to mobile devices, provided guidance on the effective management of mobile technology, and discussed the advantages of creating a mobile device audit plan. Finally, we noted the importance of managing mobile devices strategically.

One of the eight security features we wrote about was authentication. Our mobile security checklist emphasized the importance of taking steps such as enabling password protection on critical or sensitive data and applications, requiring employees to create strong (complex) passwords that have to be changed on a regular basis, and disabling auto-complete features that remember user names and passwords. In this article, we revisit the issue of user authentication. It is a brave new world out there. Though password systems are still widely used, we now challenge the notion that mere knowledge of a password proves users are who they say they are. We then describe enhanced authentication protocols that use multiple authentication factors to confirm the identity of those seeking access to the company's computer networks. Next we compare and contrast the security provided by the primary mobile-device operating systems. Finally, we conclude with several checklists for your IS organization, for your employees, and for executive management that will help your company address the authentication of mobile devices strategically.

PASSWORDS ARE THE WEAKEST FORM OF AUTHENTICATION

First, we provide a brief description of how authentication works and then explain why passwords don't provide strong protection.

Authentication Primer

User authentication systems enable users to gain access to the data and other digital assets and resources they need to do their jobs. Authentication protocols are based on one or more of the following three authentication factors: something users know, something users possess, and something users are. Authentication methods that employ only one of the factors are referred to as single-factor authentication, methods that employ two of them are referred to as two-factor authentication, and so on.

Single-factor authentication

This method has been around for millennia (Honan, 2012). Single-factor authentication requires users to provide something they know, such as a password, to gain access.

Two-factor authentication

In these systems, access is granted to users based on something they know, such as a security code or PIN, and something they have in their possession, such as an authenticator that provides a one-time password whenever access is needed. Authenticators may take several forms. Hardware authenticators are typically portable devices such as key fobs, dongles, and smart cards small enough to fit on a key chain and ideal for users who need access from a number of different locations. Software authenticators are applications ("apps") loaded on smartphones and other mobile devices that provide digital certificates to verify a user's identity. This way of doing authentication is referred to as Public Key Infrastructure (PKI) authentication. An identity is given a digital certificate by a Certificate Authority (CA), which is then presented during the authentication process to verify that users are who they say they are. Finally, on-demand authenticators deliver passwords "on demand" via short message service (SMS) text message to the user's mobile device or registered e-mail address. Note that a code delivered this way proves only that the person logging in can read that phone number or mailbox, so the strength of this factor is bounded by how well the phone account and e-mail account themselves are protected.

Three-factor authentication

These authentication systems employ all three factors. To gain access, users must know the password, possess the physical token, and confirm their identity with biometric data such as a fingerprint, DNA sample, voiceprint, or retinal patterns.

Passwords Provide Paltry Protection

A 1995 study by the U.S. Computer Emergency Response Team found that approximately 80% of the security incidents that they received were related to poorly chosen passwords. A follow-up study more than 15 years later found that two thirds of organizations surveyed were still using just a password to secure remote access (EMC Corporation, 2011b). Making the situation even worse is a workplace security survey conducted by RSA in 2011, which reported that 41% of respondents use the same password to access multiple accounts and that 25% admitted to writing down their passwords (EMC Corporation, 2011a).

Many organizations have adopted a challenge/response protocol to enhance their one-factor password systems. Before granting access, challenge/response systems pose questions to the user that are more personal in nature. But again this approach is based solely on something the user knows. Some questions are easy static questions, such as the name of your pet. (Paris Hilton's cell phone account was hacked because the perpetrator knew the answer.) It may be better to have more difficult or even more dynamic questions; however, if the user is an infrequent visitor, then the more difficult questions will be easily forgotten. Further, and perhaps more important, even when challenge/response questions are
