Can the enterprise trust smartphone verification technology?
73 per cent of fraud professionals think mobile devices will be the primary identity verification technology in the coming years. Yet 60 per cent also said that this will be biggest single point of compromise as well.
73 per cent of fraud professionals think mobile devices will be the primary identity verification technology in the coming years. Yet 60 per cent also said that this will be biggest single point of compromise as well, according to research by the Callcredit Information Group. Which begs the question, should your organisation trust smartphone ID verification technology?
Currently only 43 per cent of UK organisations, according to the CallCredit research of 106 fraud prevention managers and directors in organisations of more than 100 employees, use smartphone verification methods. Yet there can be little doubting that such devices will be the primary method of verifying customer identity before very much longer. Indeed, the research reckons that another 18 per cent of organisations are planning to move to smartphone verification checks within the next three years.
This is in keeping with the move away from name and address data and towards email and device attributions as a verification method instead.
The commercial director of CallCredit, John Cannon, calls smartphones a "key avenue in identity verification" but also acknowledges "they also represent significant risk." Moving this debate out of the financial sector, and squarely into the broader arena of general enterprise usage, SC Media wondered what industry opinion was regarding how secure a proposition the smartphone is as a user authentication or verification device?
Javvad Malik, security advocate at AlienVault told SC that, "smartphones are an obvious choice to increase authentication" be that through two-step verification or physical possession. "It has the benefits of being almost universally available" Malik continues "and can be implemented without an excessive overhead to providers." All of which is true, but Malik is quick to agree that smartphones can also introduce loopholes and vulnerabilities that can be exploited. "From a risk perspective" he insists "they are largely a better option than using simple ID and password combinations."
Marc Boroditsky, general manager of authentication at Twilio accepts that, "businesses need to look to discourage consumer over-reliance on passwords by utilising two-factor authentication (2FA) APIs, and implementing them directly into the customer log in experience." And Barry Scott, CTO at Centrify EMEA, adds that to use a smartphone in this way, "it really needs to be secured and managed to reduce the risk of being compromised itself to ensure it can be used as a trusted device for authentication."
Thomas Fischer, threat researcher and security advocate at Digital Guardian, reminds us of those attacks on the SS7 network protocol that "have allowed parties to intercept SMS, thus allowing the same party to intercept authentication tokens being delivered by SMS." While most people accept that the security of SMS to a smartphone is something that can be compromised, Barry Scott insists that "depending on the value of the data involved, the risk of an SMS hack may be far outweighed by the value of using the phone for multi-factor authentication (MFA)."
James Romer, chief EMEA security architect at SecureAuth picks up on that keyword, insisting that smartphones as authentication tools are "fundamentally a compromise." Romer told SC Media UK that despite being expensive, user-operated and vulnerable to loss or theft they can be very effective authentication tools "when combined with adaptive authentication methods."
Meanwhile, Simon Edwards who is European cyber security architect at Trend Micro, sees smartphones as the main tool for authentication making a lot of sense. However, he warns that, "the security implementations are very different between different phones." He points to Apple's Secure Enclave chip being specifically designed for facilitating a secure system that allows for authentication, something not available in Android phones. Dain Nillson, engineering lead for Yubico argues that "while several modern smartphones do offer secure built-in hardware which can be used to protect key material from extraction, the support for this is rather limited and very few applications take advantage of it."
All of this said, we have to realise that the security industry itself has been pushing for smartphones as an authentication vehicle. Yet as Ryan Wilk, director at NuData Security, points out, "single data points used for authentication continue to be the greatest point of failure in the secure authentication chain." Wilk insists that a trusted environment can only be achieved through a holistic risk-based authentication infrastructure that looks across multiple vectors of the user's behavioural interaction.
Keiron Dalton, global program senior director at Aspect Verify, sees the rich data and insights from smartphone usage as an enabler for authentication. "Behavioural insight, operator insight and transactional insight can be collected and verified legitimately with no disruption to the user experience" he told SC Media Uk, "yet increase security and further prevent the risk of fraud."
At the end of the day, authentication methods come down to trust. "Given the potential weaknesses of mobile devices at the software, operating system and firmware levels," Andy Lilly, CTO at Armour Comms concludes, "whatever clever mechanism is used in the device, and the resulting authentication data, needs to be protected by a hardware root of trust to prevent details being stolen or modified."