
Hello, It's Me: Mobile Options for End-User Authentication



March 2012

Hello, It's Me: Mobile Options for End-User Authentication

As enterprises re-evaluate their strategies for authenticating end-users with methods that are stronger than traditional usernames and passwords, solution providers are responding by developing innovative options for authentication that leverage what is arguably the most personal, indispensable and ubiquitous of all modern devices – the mobile phone. This Analyst Insight frames the expanding range of mobile options that are available for end-user authentication in the enterprise.

Business Context: A Wake-Up Call for Authentication

Starting in the second half of 2011, Aberdeen's research in IT Security has noted multiple times that many enterprises are re-evaluating their strategies for authenticating their end-users with methods that are stronger than traditional usernames and passwords. Business context driving these initiatives includes compliance, vulnerabilities and threats, and mobility:

• The latest findings and recommendations from the agencies of the Federal Financial Institutions Examination Council (FFIEC), issued in a June 2011 supplement to its October 2005 guidance on Authentication in an Internet Banking Environment. The supplemental guidance highlights a number of authentication controls as being more effective in the context of current threats, although no specific controls or technologies are positively endorsed.

• The highly-publicized headlines of recent successes by the Internet's many attackers and foes, including security breaches at traditional market-leading solution providers such as RSA, The Security Division of EMC, and DigiNotar, the now-defunct Netherlands-based subsidiary of VASCO Data Security. These and other high-profile incidents have collectively served as an industry wake-up call regarding the changing nature of the security threat landscape – increasingly, attacks are highly targeted to specific organizations; carefully crafted based on intelligence-gathering about systems, business processes and individuals; and executed across multiple vectors in a manner which is designed to evade detection.

• The rapid, remarkable impact of enterprise mobility. Mobile devices are ubiquitous, indispensable, highly personal and carried by virtually all demographic groups – and are increasingly being leveraged by enterprise IT departments to enhance end-user authentication and improve overall enterprise security (see sidebar). This last point underscores the primary focus for this latest Analyst Insight – a look at mobile options for stronger end-user authentication in the enterprise.

Analyst Insight

Aberdeen’s Analyst Insights provide the analyst perspective of the research as drawn from an aggregated view of surveys, interviews, analysis and industry experience.

Fast Facts

Findings from Aberdeen's global study of more than 850 organizations, conducted in 1Q2012, help to describe the challenges – and the opportunities – created by the "bring your own device" trend in enterprise mobility.

Enterprise policy toward employee adoption of mobile devices for business purposes:
• 33% employees must use company-issued devices
• 38% company-issued mobile devices are available, but employees may use their own devices if they choose
• 15% employees are responsible for supplying their own mobile devices
• 14% no formal policy

Enterprise supports mobile software applications for business purposes:
• 42% yes
• 18% planned < 12 months
• 19% evaluating


© 2012 Aberdeen Group. Telephone: 617 854 5200

Mobile Options for End-User Authentication

Compared to traditional options for stronger end-user authentication, options that leverage today's mobile devices offer several general benefits – including lower barriers to adoption for end-users (who leverage devices they already carry and know how to use), and lower total cost of ownership for the enterprise (who leverage devices the end-user may have purchased, potentially for multiple business purposes). The most common mobile options for end-user authentication in the enterprise that Aberdeen sees in its IT Security research are one-time passwords, digital certificates and out-of-band authentication.

One-Time Passwords

One-time passwords (OTP) are the classic example of two-factor end-user authentication, because they combine something the end-user knows (typically a personal identification number, or PIN) with something they have (traditionally a standalone hardware device referred to as a token, which generates a pseudo-random number every 60 seconds or at the push of a button). The combination of these two factors – PIN plus one-time password – creates a unique login credential that is valid for a single use.

Software tokens are software applications which provide functionality that is essentially equivalent to that of traditional standalone hardware tokens. The end-user enters their username and password, along with their PIN and one-time password from the mobile device, to access enterprise resources (Figure 1). Over the last decade, solution providers have significantly expanded the range of mobile platforms supported by software tokens – including smart phones, tablets, and SIM cards – for greater end-user convenience and lower total cost than hardware tokens.

Figure 1: One-Time Passwords – Enterprise Mobile Applications (Software Tokens)

Source: Aberdeen Group, March 2012

Server-based authentication solutions send a one-time passcode to a pre-registered mobile phone (e.g., in an SMS message), which the end-user enters together with their PIN, username and password to access enterprise resources (Figure 2). A simple way to think of it is that software tokens generate one-time passwords locally (on the mobile devices that end-users are holding in their hand), while server-based authentication generates one-time passwords remotely (in the cloud).
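The software-token flow of Figure 1, written out as an added Python example (not code from the report or from any vendor it names): phone and server share a seed, the phone derives a new code for every 60-second window, and the server checks PIN plus one-time password as one credential that is accepted only once. The HOTP-style HMAC-SHA1 truncation, the one-window drift tolerance, the PBKDF2 PIN verifier and the class names are assumptions.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP_SECONDS = 60   # the report describes tokens that produce a new number every 60 seconds
OTP_DIGITS = 6
PBKDF2_ROUNDS = 50_000


def hotp(seed: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """HMAC-SHA1 over a big-endian counter, then dynamic truncation (the HOTP construction)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def time_counter(now: float) -> int:
    """Which 60-second window a timestamp falls in; both sides feed this counter to hotp()."""
    return int(now // STEP_SECONDS)


class SoftwareToken:
    """The phone side: derives the code for the current window from the seed shared with the server."""

    def __init__(self, seed: bytes):
        self._seed = seed

    def current_code(self, now: Optional[float] = None) -> str:
        return hotp(self._seed, time_counter(time.time() if now is None else now))


class AuthServer:
    """The enterprise side: holds a PIN verifier and the token seed per user, checks PIN + OTP
    as one credential, tolerates a little clock drift, and never accepts a window twice."""

    def __init__(self, drift_steps: int = 1):
        self._drift = drift_steps
        self._users = {}

    def enroll(self, username: str, pin: str) -> bytes:
        """Provision a 160-bit seed; in a real deployment it reaches the app over a protected channel."""
        seed = secrets.token_bytes(20)
        salt = secrets.token_bytes(16)
        self._users[username] = {
            "seed": seed,
            "salt": salt,
            "pin_hash": hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS),
            "last_counter": -1,   # highest window already consumed by a successful login
        }
        return seed

    def verify(self, username: str, passcode: str, now: Optional[float] = None) -> bool:
        """passcode is the PIN followed by the six-digit OTP (PIN plus one-time password)."""
        user = self._users.get(username)
        if user is None or len(passcode) <= OTP_DIGITS:
            return False
        pin, otp = passcode[:-OTP_DIGITS], passcode[-OTP_DIGITS:]
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), user["salt"], PBKDF2_ROUNDS)
        pin_ok = hmac.compare_digest(candidate, user["pin_hash"])

        centre = time_counter(time.time() if now is None else now)
        matched = None
        for counter in range(centre - self._drift, centre + self._drift + 1):
            # a window at or below last_counter is spent: replaying an accepted code must fail
            if counter > user["last_counter"] and hmac.compare_digest(hotp(user["seed"], counter), otp):
                matched = counter
        if pin_ok and matched is not None:
            user["last_counter"] = matched
            return True
        return False
```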

Definitions

In general, factors for end-user authentication include:
• Something you know (such as a PIN)
• Something you have (such as a phone, a card or a token)
• Something you are (such as a voice or finger biometric)
• Something you do (such as typical patterns of behavior, or the unique dynamics of end-user typing on a keyboard)

SIM (Subscriber Identification Module) cards are used to identify and authenticate end-users (subscribers) on mobile phone networks. Among other things, each SIM card contains a unique serial number, the unique mobile phone number of the end-user, and other security and network information.


Figure 2: One-Time Passwords – Server-based (e.g., SMS)

Source: Aberdeen Group, March 2012

Enterprise mobile applications refer to small-footprint software applications which are specifically designed to run on smart phones, tablets or other mobile devices, and which are optimized for graphical, touch-based user interfaces (i.e., they are not browser-based). New approaches to providing authentication and other security capabilities for enterprise mobile applications include software developer kits (SDKs) for embedding one-time password authentication functionality directly into the application code. In these scenarios, the mobile application automatically and transparently provides the one-time password as part of accessing the enterprise resource (Figure 3) – which not only enhances end-user convenience, but also defends against man-in-the-middle attacks.

Figure 3: One-Time Passwords – Enterprise Mobile Applications (embedded SDK)

Source: Aberdeen Group, March 2012

Digital Certificates

Digital certificates are credentials which have been issued by a trusted authority (a certification authority, also referred to as a certificate authority, or CA); they establish a relationship between a specific end-user and a specific cryptographic key. Certificates are in turn the foundation for a wide range of capabilities, including end-user authentication (e.g., to the endpoint / desktop, for network access, for remote access, for privileged

administrative accounts), digital signatures (e.g., signed email), encryption of sensitive data (e.g., encrypted email, secure file transfer), and physical access (e.g., integration with physical access control systems for building entry).

Definitions

Man-in-the-Middle or Man-in-the-Browser refers to scenarios in which an attacker hijacks an online session by transparently inserting himself between the end-user and the legitimate target resource.


Digital certificates are supported on a wide range of form factors, including smart cards, smart phones, SIM cards, chip-based tokens, bank cards and electronic passports. Newly emerging software smart cards for smart phones provide certificate-based functionality equivalent to that of a standalone smart card (Figure 4). In addition, leading vendors are introducing innovative solutions that leverage software smart cards and proximity-based smart phone technologies such as Bluetooth and NFC (near-field communication) to provide automatic login and automatic logout to local workstations or physical access control systems.

Figure 4: Digital Certificates – Enterprise Mobile Applications (Software Smart Cards)

Source: Aberdeen Group, March 2012

Interoperability and acceptance of certificates and smart cards continues to be driven positively by US Federal government-led initiatives, e.g.:

• PIV-I (Personal Identity Verification – Interoperable) cards, which meet the technical specifications to work with US Federal PIV infrastructure (e.g., card readers), and which are issued in a trusted manner

• ICAM (Identity, Credentialing and Access Management), the US Federal initiative defining a government-wide architecture for trusted credentials

Enhanced support for certificates and smart cards within the Microsoft platform is also reducing barriers to adoption, for example:

• Support for smart cards as Plug and Play components of Windows 7

• The introduction of Direct Access, for secure remote connections which are transparently chained to a smart card-based Windows logon

Out-of-Band Solutions

Out-of-band authentication (OOBA) refers to a scenario in which an end-user enters their username and password to access an enterprise resource, but must also respond in a different band or channel (e.g., a phone call, text message, or push notification to a mobile app) as an integral part of the authentication process (Figure 5). In a similar way, out-of-band solutions can be used to ask the end-user to verify online transactions (e.g., approve a transfer of $X to Account Y at Bank Z).

Fast Facts

Digital certificates are also supported in a variety of standardized formats – for example, see X.509, EMV – which specify attributes such as version, serial number, algorithm, issuer, validity period, and optional extensions.

Fast Facts

PIV-I is designed to drive interoperability with the US Federal PIV infrastructure for:
• Federal agencies, contractors, suppliers and business partners
• State and local governments
• First responders
• Healthcare workers

ICAM is designed to improve electronic access to government services for:
• Federal agencies, contractors, suppliers and business partners

Figure 5: Out-of-Band Authentication (OOBA) and Transaction Verification

Source: Aberdeen Group, March 2012

Note that server-based authentication solutions that send a one-time passcode in an out-of-band channel (e.g., an SMS message with a one-time passcode, sent to a mobile phone as discussed above) are not considered out-of-band authentication, because the end-user enters the one-time password together with their username and password (in the same channel) to access the enterprise resource.

Companies evaluating out-of-band technologies for end-user authentication should ensure that their solution providers protect them with appropriate legal indemnification, in the event of potential future disputes over intellectual property in this area (see footnote in Table 1).

Aberdeen's Research Findings: Mobile Adoption

Figure 6 provides a snapshot – based on multiple Aberdeen research studies conducted in the first half of 2011 – of how these general classes of phone-based technologies for end-user authentication are currently being adopted in enterprise environments, along with plans and evaluations for future adoption. In terms of current use:

• All companies currently allowing end-users to access enterprise resources using mobile phones are currently supporting mobile web access

• Four out of five (83%) respondents are currently using enterprise mobile apps for business purposes, with leading performers deploying an average of 11 employee-facing enterprise mobile apps and lagging performers deploying an average of 5

• More than half (55%) have a current mobile device management initiative

• Two out of five (41%) currently support one-time passwords

• About one in four (25%) currently support digital certificates

• About one in four (23%) currently support out-of-band authentication

Definitions

Mobile web access refers to the most basic approach for mobile end-user authentication, in which the enterprise resources being accessed are web-based – e.g., Outlook Web Access – and the end-users authenticate within their mobile web browsers using traditional username and password.

Mobile device management (MDM) solutions generally include device authentication capabilities (based on dozens of device parameters such as time, location, configuration settings, and other attributes), in addition to user authentication and application controls, as the means to control end-user access to enterprise resources. Aberdeen's research has shown that MDM is commonly the first step in a broader enterprise mobility management (EMM) initiative.

Relative to current use, the responses for planned use in the next 12 months and current evaluations indicate very high market interest in stronger forms of end-user authentication than basic username / password.

Figure 6: Adoption of Phone-based Authentication (1H2011)

[Bar chart: Percentage of All Respondents, Current Use versus Planned or Evaluating, for Mobile web access, Enterprise mobile apps, Mobile device management, One-time passwords, Digital certificates and Out-of-band authentication. Values shown: 100% 83% 55% 41% 25% 10% 24% 19% 26% 24% 23%; the current-use figures are those listed in the text above.]

Source: Aberdeen Group, July 2011

Customer Case-in-Point: Direct Marketing Services

Founded in 1923, a leading provider of business-to-business direct marketing services today generates nearly $1B in annual revenue and serves its global customer base with approximately five thousand full-time employees worldwide. Security-related pressures that led to the company's recent adoption of one-time password software tokens on employee-owned smart phones and tablets include:

• Client contracts and regulatory compliance requirements, which impact the manner in which customer and prospect data may be captured, handled, analyzed and disseminated

• Consumer concerns about the privacy and security of their data, which could lead them to exercise their ability to prevent such data from being collected, used or shared

• Management of third parties, which provide a portion of the overall services in certain engagements

"Many of our customers, especially those in the financial services and healthcare segments, expect this feature to be a standard component of our security program," explained the company's Director of IT. "While one-time passwords do involve an additional step in the process of our end-users obtaining remote access to our network, the increased security it provides to us and our customers far outweighs any inconvenience."

Phased rollouts of software tokens from Entrust began in 2011 for all of the company's SSL VPN users, representing about 30% of the total employee population. Because of the company's desire to minimize its total cost of ownership by supporting software tokens on employee-owned smart phones and tablets, the ability to support grid cards as a low-cost alternative for employees without their own smart phone or tablets – from the same Entrust IdentityGuard management console – was a key solution selection criterion.

Rollout of the software token solution did uncover a few tangential issues early on, for example the fact that the company's SSL Server Certificates had expired. "On the one hand we were communicating that the installation of software tokens is mandatory and urgent," noted one company vice president, "While on the other hand, every employee following the directions to comply was receiving an error message saying that the certificates were invalid and recommending not to continue." But as these issues were overcome, the company is satisfied with the overall balance of security, total cost and end-user convenience offered by its selection of a primarily phone-based option for end-user authentication.

Solutions Provider Case-in-Point: Entrust (Dallas, TX)

Since the mid-1990s, Texas-based Entrust has developed identity-based IT security solutions – including strong authentication, fraud detection, digital certificates, SSL and EV SSL Server Certificates, and Public-Key Infrastructure (PKI) – that today support more than 5,000 organizations in over 85 countries. Historically, Entrust's customer base has been particularly strong in the areas of government, financial services, telecommunications, pharmaceuticals, aerospace and defense.

Figure 7: Entrust IdentityGuard Software Authentication Platform – Many Authentication Methods, Common Management Console

Source: Entrust, March 2012

The Entrust IdentityGuard solution is a flexible software authentication platform and common management framework that allows organizations to select the appropriate balance of security, total cost and convenience for each segment of their end-user population. Entrust IdentityGuard is designed to support a broad range of authentication methods from a common management console (Figure 7) – including solutions for website authentication, desktop authentication, building access, cloud authentication, remote / mobile access, secure email, digital signatures, government eID and passport, and government eHealth and citizen ID. In the context of this Analyst Insight, Entrust IdentityGuard provides the broadest support among leading solution providers for mobile options for end-user authentication (see Table 1).

Definitions

Grid cards refer to a 5-row by 10-column matrix of numbers and characters which has been uniquely created and issued to each end-user. When logging in, end-users are asked to provide the corresponding information from a number of specific cells (e.g., the number or character from the cell D5) as their one-time password. Grid cards can be printed (wallet-size) and carried physically, or produced and stored electronically.
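The grid-card definition in the sidebar, as an added Python example (not code from the report or from Entrust): each end-user receives a uniquely generated 5-row by 10-column grid, the server challenges a few specific cells such as D5 at login, and a response is accepted at most once per challenge. The cell alphabet, the number of cells challenged per login, and the class and function names are assumptions.

```python
import hmac
import secrets
import string

ROWS = "ABCDE"                                       # 5 rows, labelled A to E
COLS = list(range(1, 11))                            # 10 columns, labelled 1 to 10
ALPHABET = string.ascii_uppercase + string.digits    # assumed cell alphabet: letters and digits
CHALLENGE_CELLS = 3                                  # assumed number of cells asked per login


def issue_grid() -> dict:
    """One uniquely generated grid per end-user: cell name (e.g. 'D5') -> letter or digit."""
    return {f"{row}{col}": secrets.choice(ALPHABET) for row in ROWS for col in COLS}


def render(grid: dict) -> str:
    """Text layout of a grid, as it would be printed on a wallet-size card."""
    lines = ["   " + " ".join(f"{col:>2}" for col in COLS)]
    for row in ROWS:
        lines.append(f"{row}  " + " ".join(f"{grid[f'{row}{col}']:>2}" for col in COLS))
    return "\n".join(lines)


def answer(grid: dict, cells: list) -> str:
    """What the end-user does with the card in hand: read off the challenged cells in order."""
    return "".join(grid[cell] for cell in cells)


class GridCardServer:
    """Issues grids, challenges specific cells at login, and accepts each challenge at most once."""

    def __init__(self):
        self._grids = {}
        self._pending = {}   # username -> cells of the challenge currently outstanding

    def enroll(self, username: str) -> dict:
        grid = issue_grid()
        self._grids[username] = grid
        return grid   # delivered to the end-user for printing or electronic storage

    def challenge(self, username: str) -> list:
        """Pick distinct cells at random, so a login never asks for the same cells as the last one."""
        if username not in self._grids:
            raise KeyError(username)
        cells = secrets.SystemRandom().sample(list(self._grids[username]), CHALLENGE_CELLS)
        self._pending[username] = cells
        return cells

    def verify(self, username: str, response: str) -> bool:
        """Check the response against the outstanding challenge; the challenge is consumed either way,
        so a captured response cannot be replayed and a guess cannot be retried against the same cells."""
        cells = self._pending.pop(username, None)
        if cells is None:
            return False
        expected = answer(self._grids[username], cells)
        return hmac.compare_digest(expected.encode(), response.strip().upper().encode())
```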

Solutions Landscape (illustrative)

Solution providers of mobile options for end-user authentication range from those who focus on specific methods (e.g., OTP, certificates, OOBA), to those who focus on specific mobile platforms (e.g., SIM), to those who support mobile options as part of a broader, "platform" approach to end-user authentication. Table 1 provides an illustrative list.

Table 1: Mobile End-User Authentication for the Enterprise – Solution Providers (illustrative)

Columns:
• One-Time Passwords: Mobile application (software token); Server-based (SMS); Mobile application (embedded SDK); Hardware-based (e.g., SIM)
• Digital Certificates: Hardware-based (e.g., SIM, NFC); Mobile application (software smart card)
• Out-of-Band (3): Authentication (1); Transaction Verification; MDM Integration

Rows (marks as extracted, blank cells omitted):
• Entrust: X X X X X x X X
• VASCO: X X X X
• RSA / EMC: X X X x x X
• Gemalto: X X X X X
• ActivIdentity: X X X
• SafeNet: X X
• Quest Software: X X
• Symantec (VeriSign): X X X
• Swivel: X X
• StrikeForce (2): X X X
• PhoneFactor: X X
• Authentify: X X

Note 1: OOBA capabilities based on a partnership with Authentify are designated by "x"
Note 2: Ram Pemmaraju, CTO of StrikeForce Technologies, is credited by the US Patent Office as the inventor of US Patent #7870599, "Multichannel Device Utilizing a Centralized Out-of-Band Authentication System," issued January 2011
Note 3: At the time of publication the number of partnerships, acquisitions and in-house development efforts related to the integration of mobile authentication and mobile device management capabilities is on the rise; readers should confirm current status in this regard directly with the respective solution providers

Source: Aberdeen Group, March 2012


Summary and Key Takeaways

As enterprises re-evaluate their strategies for authenticating end-users with methods that are stronger than traditional usernames and passwords, mobile devices are becoming even more attractive as the means for addressing mounting regulatory pressures for stronger authentication, an increasingly sophisticated vulnerability and threat landscape, and unrelenting expectations of mobility for the typical enterprise end-user.

Solution providers are responding by developing innovative options for end-user authentication that leverage these mobile devices, particularly in the area of one-time passwords, digital certificates and out-of-band authentication. Solution providers of mobile options for end-user authentication range from those who focus on specific methods (e.g., OTP, certificates, OOBA), to those who focus on specific mobile platforms (e.g., SIM), to those who support mobile options as part of a broader, "platform" approach to end-user authentication.

From the end-user perspective, mobile authentication solutions have several advantages:

 Mobile devices are faithfully carried and used already, so barriers to adoption are low

 Mobile solutions are generally designed to be familiar and easy to use, so little training is required

 Mobile devices are generally always in the end-user's possession, so the authentication experience to enterprise resources is always consistent

From the enterprise perspective, advantages of mobile authentication solutions include:

 Mobile devices already exist and can be leveraged for multiple business purposes, which lowers total cost of ownership for the enterprise

• The question "what devices are on the enterprise network" can be addressed by device authentication (e.g., the issuance of a digital certificate to provide each device with a unique digital identity); Aberdeen's research in network access has shown that the leading performers are nearly 2-times more likely than the lagging performers to have implemented this capability

• Many enterprise users have more than one mobile device; the business needs to establish a level of assurance not only for what devices are accessing its network, but also for what authorized identities are behind those devices

 Mobile authentication solutions complement existing mobile device management initiatives, which already exist at more than half of all companies participating in Aberdeen's 2011 study

Enterprises should first establish what strategic objectives they are trying to achieve with their enterprise mobility management initiatives – e.g., compliance, risk, total cost, convenience, collaboration – and then select the mobile options for end-user authentication that best support these needs. In other words: first why, then how.

For more information on this or other research topics, please visit www.aberdeen.com.

Related Research

• Jumping on the Out-of-Band Wagon; January 2012
• Stronger Authentication for Small and Mid-Sized Businesses; November 2011
• Too Trusted to Fail: Attacks on SSL Server Certificate Infrastructure in 2011; October 2011
• Enterprise Mobile App Strategies; October 2011
• Enterprise-Grade BYOD Strategies; September 2011
• The Case Against Passwords: Re-evaluating Stronger User Authentication; August 2011
• The Case for Smart Cards; July 2011
• Enterprise Mobility Management Goes Global: Mobility Becomes Core IT; July 2011
• IAM Integrated: Analyzing the Platform versus Point Solution Approach; June 2011
• Managing Identities and Access; March 2011
• Secure Remote Access: From the Outside In, to the Inside Out; January 2011
• The Zen of Network Access; Dec. 2010
• Five Key Capabilities for Gaining Visibility and Control over Your Network Devices, Endpoints and End-Users; Sept. 2010
• Logon Once, Access Many: The Pursuit of Single Sign-On; March 2009
• One-Time Passwords for Two-Factor Authentication; January 2009
• Managing Privileged Users; Nov. 2008
• Strong User Authentication: Best-in-Class Performance at Assuring Identities; March 2008

Author: Derek E. Brink, Vice President and Research Fellow for IT Security ([email protected])

For more than two decades, Aberdeen's research has been helping corporations worldwide become Best-in-Class. Having benchmarked the performance of more than 644,000 companies, Aberdeen is uniquely positioned to provide organizations with the facts that matter — the facts that enable companies to get ahead and drive results. That's why our research is relied on by more than 2.5 million readers in over 40 countries, 90% of the Fortune 1,000, and 93% of the Technology 500.

As a Harte-Hanks Company, Aberdeen’s research provides insight and analysis to the Harte-Hanks community of local, regional, national and international marketing executives. Combined, we help our customers leverage the power of insight to deliver innovative multichannel marketing programs that drive business-changing results. For additional information, visit Aberdeen http://www.aberdeen.com or call (617) 854-5200, or to learn more about Harte-Hanks, call (800) 456-9748 or go to http://www.harte-hanks.com.

This document is the result of primary research performed by Aberdeen Group. Aberdeen Group's methodologies provide for objective fact-based research and represent the best analysis available at the time of publication. Unless otherwise noted, the entire contents of this publication are copyrighted by Aberdeen Group, Inc. and may not be reproduced, distributed, archived, or transmitted in any form or by any means without prior written consent by Aberdeen Group, Inc.
