Getting Past Passwords for Mobile Device Security
In the beginning was the password. And the password was good.
Then came the Common Access Card (CAC) and token systems. And they were good.
But it wasn’t enough. And over time there came numerous other forms of identity verification: biometrics and voice recognition and facial recognition.
For deeper security, there were combinations of verifiers: for example, a smart card and fingerprint or a user name and a biometric confirmation.
And then came the smart phone.
Of all the challenges that the digital world has presented to those who need to maintain security, though, the smart phone stands as an opportunity and a threat, a challenge and a puzzle.
“The smart phone is the break point because it started moving more of peoples’ business lives and social lives from the laptop and more and more people started using that technology,” says Randy Vanderhoof, executive director of the Secure Technology Alliance (formerly the Smart Card Alliance), a non-profit association of companies in the security market. “Mobile devices have reached the saturation point. [Virtually] every man, woman and child has a mobile device.”
That swift adoption of mobile technology by the world’s population is nothing short of astonishing. By 2015, subscriptions to mobile services had reached 4.7 billion globally, according to the Global System for Mobile Alliance, a professional organization that includes most carriers, mobile network operators and equipment makers. By 2020, that’s expected to reach 5.6 billion – 70 percent of the world’s population.
The Government Perspective
All those mobile devices make personal identity verification a burgeoning business, and the same demand for mobile verification is extending into the highly secure world of government. The Department of Homeland Security (DHS), in particular, needs to verify government employees who need mobile or remote access to work files and systems.
The April 2017 DHS Study on Mobile Device Security, released under the signature of Robert Griffin Jr., acting DHS under secretary for science and technology, notes that while government use of mobile devices represents “almost an insignificant market share,” the stakes are considerable: “Government mobile devices…represent an avenue to attack back-end systems containing data on millions of Americans in addition to sensitive information relevant to government functions.”
What is more, the vulnerabilities are numerous:
- The mobile device technology stack, including mobile operating systems and lower-level device components
- Mobile applications
- Networks (e.g., cellular, Wi-Fi, Bluetooth) and services provided by network operators
- Device physical access
- Enterprise mobile services and infrastructure, including mobile device management, enterprise mobile app stores and mobile application management
While the report found that security is improving both for the devices themselves and among operating system providers, “many communication paths remain unprotected and leave the overall ecosystem vulnerable to attacks.” For government, verification and security are a systematic question of improving the overall mobile ecosystem. To do this, DHS is recommending:
- Programmatic improvements
- Increased DHS authorities
- Adoption of standards and best practices
- Additional research
Improving programs and adopting new standards and best practices are especially important. The report urges active DHS participation in standard-setting bodies and efforts.
Two legal gaps stand out in particular: DHS has no legal authority to compel mobile carriers to assess risks to their networks that might affect government mobile device use. Also, while DHS can evaluate carrier network vulnerability, it cannot compel carriers to provide the information it needs to make such evaluations. In response, DHS wants to alter Federal Information Security Modernization Act metrics to cover mobile devices and develop a new program of research and development to secure mobile networks and technology.
Overall, the report stated, “Federal departments and agencies should, where needed, develop or strengthen policies and procedures regarding government use of mobile devices overseas based on threat intelligence and emerging attacker tactics, techniques, and procedures.” To do this, DHS requires “proper” resources and legal authorities to assert itself in securing those devices.
The Device Perspective
While government itself tries to secure the overall mobile device ecosystem and its networks, the struggle continues to secure and validate individual users and devices—especially as they’re increasingly used to conduct business from a distance.
“The state of the technology is changing rapidly and it becomes increasingly important to be able to adjust to the demands of our mobile dependence on interactive means,” points out Vanderhoof. “So many of the changes that are happening in identity have to do with non-face-to-face interactions with people through the Internet or through their mobile device or through remote communications. We’re seeing more and more accuracy being developed and groups that are looking to leverage the advances in identity and all kinds of technology that will work in our environment that is becoming increasingly mobile as well as disconnected from any physical interaction.”
A variety of identifiers are being studied as possible forms of identity verification for mobile devices, some of which are already in use in other contexts. These include:
- Gait: Measuring a person’s stride using embedded smartphone sensors like gyroscopes and accelerometers;
- Facial recognition: Mobile devices can be equipped with facial recognition applications to verify user identity;
- Fingerprints: Increasingly, smartphones are equipped with fingerprint scanners of growing accuracy;
- Video: A user can submit a short video “selfie” for verification against an existing database;
- Social media: Social network logins and profiles can be used to verify identity;
- Smartphone identifiers: Serial numbers and device codes.
Any of these – plus, of course, the traditional username and password – can be used in combination to provide a variety of levels of security.
What’s more, verification at a distance – without the need for user input or even awareness – is already on the near horizon. “Their gait or voice patterns can be used forensically to match that individual,” Vanderhoof said. “If you’re watching someone type on a keyboard, the pressure on the keys can be measured. You can identify people from a distance or at an airport, where you may not be able to measure someone by a fingerprint biometric. If you’re actually touching something like a machine or keypad, you can measure the veins in their hands, by blood pressure and other physical characteristics that can be acquired against a known biometric.”
Integration is Critical
Whatever the identity verification mechanism an organization chooses, however, it takes skilled integrators to seamlessly meld the new technology with existing authentication and access control mechanisms.
“There are many different authentication mechanisms one could use,” said Rob Lentini, director for credentialing programs at systems integrator General Dynamics Information Technology (GDIT). “The challenge is making them work with the access control infrastructure that’s already in place. Few agencies can afford to rip and replace their existing access control mechanism. But with careful engineering we can ensure that everything works robustly, reliably and at scale. That’s where many of the real challenges are.”
For all this, experts acknowledge that no method is flawless and any verification regime depends on the level of security and intrusiveness required. While consumer applications strive for ease of use and minimal intrusiveness, highly secure applications can require many layers of verification and deep intrusiveness – that is, highly personal unique information, such as a parent’s middle name, date of birth, home address and so forth.
There is no doubt, however, that the need for verification will continue and the means of providing it will continue to be explored.
As Vanderhoof puts it: “It’s becoming increasingly important that we get identity correct and authentication improved because we’re seeing the results of what happens when the bad guys are able to exploit the weaknesses in our current system: malware that gets spread to business computers and consumers because people can’t identify a hacker’s e-mail from a legitimate e-mail or people being able to hack into business computer systems by injecting malware from third party service provider systems that aren’t even systems managed by their own company. These are examples of why it’s important that we get identity and authentication correct. It’s becoming more difficult to fight the criminal exploitation of our electronic systems without it.”