Mobile phones: security tokens for the next decade?

Mobile phones could replace hardware tokens over the next 10 years, if organisations are willing to accept them, says Entrust

Mobile phones are becoming increasingly multi-purpose. Not so many years ago, a mobile phone was for making calls and sending text messages; the arrival of smartphones meant they could also be used to play games and browse the web; now we rely on them for almost everything – from navigating cities to making payments in shops.

So why not use them for security too? For years, banks have relied on hardware tokens to provide an extra layer of authentication for online banking. These supply one-time passcodes that are required alongside a user name and password to complete a transaction. Many businesses also issue smartcards and key fobs that give employees access to buildings.

Smartphones today are capable of carrying out all these functions and more – plus they come with the added convenience of being always at hand. A survey by market research firm IDC back in 2008 found that a third of workers would choose their mobile phone over their wallet or keys if they had to leave the house for 24 hours and could take only one item.

The mobile phone is now so central to most people's work and personal lives that they simply can't get by without it. And it is for this reason that mobiles make such good security tokens, according to Mike Byrnes, product manager at identity-based security company Entrust.

“I believe mobile strong authentication will become the leading type of authentication,” he said in an interview with Techworld. “Over the past 10 years we saw hardware tokens become the de facto standard for strong security. I believe mobile will be that hard token over the next ten years.”

Byrnes said that this evolution will be driven primarily by consumers, as part of the bring-your-own-device (BYOD) trend. This is because employees now expect to be able to do everything from one device. However, there are advantages for enterprises too.

“Enterprises have accepted that consumers are bringing their devices to work, and have let those devices on the network, but now they want to leverage those mobile devices to help improve business and to bring better security to the table,” he said.

Beyond hardware tokens

Byrnes said that while traditional hardware tokens that generate eight-digit one-time passcodes are effective against password theft and some forms of hacking, more advanced criminal techniques, such as putting malware on users' computers, can defeat one-time passcodes.

Mobile phones provide what is known as a “second channel”: a communication channel that is totally independent of the computer. This means that, even if the user's computer is infected with malware, transaction details or authentication requests can be sent to their mobile device.

“Imagine you receive a notification on your mobile device, telling you that you are trying to log into the corporate HR system, but you are doing something else, so you know right away that something is going on,” said Byrnes.

“You would click decline because you know it’s not you trying to access that system. So you have just defeated an advanced malware attack because your mobile device was contacted in real time to try and confirm a login prior to it happening.”

In the banking world, mobile authentication also helps to protect against advanced man-in-the-browser attacks like Zeus, which have been used to successfully steal cash from corporate bank accounts.

For example, a corporate cash manager who is attempting to transfer £50,000 would receive a confirmation request on his device before the transaction is completed, checking that it was not fraudulent.

“Whatever the transaction context, that information is sent to your phone. When you click the OK button, your computer will then launch forward and the login will be complete,” said Byrnes.
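The confirmation flow described above, sketched as an added example; it is not from the article and is not Entrust's protocol. It assumes a key shared between server and phone at enrolment, and the names `Server`, `phone_respond`, `run` and the payee values are hypothetical. The server holds the transaction until the phone returns a decision that is cryptographically bound to the exact details it displayed.

```python
import hashlib, hmac, json, secrets

def _tag(key, tx, nonce, decision):
    # Bind the decision to the exact transaction details and a one-time nonce.
    msg = json.dumps({"tx": tx, "nonce": nonce, "decision": decision}, sort_keys=True)
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

class Server:
    def __init__(self, device_key):
        self.key, self.pending = device_key, {}

    def start(self, tx_from_browser):
        # Hold the transaction and push its details to the phone (second channel).
        cid, nonce = secrets.token_hex(8), secrets.token_hex(16)
        self.pending[cid] = (tx_from_browser, nonce)
        return {"id": cid, "nonce": nonce, "tx": tx_from_browser}

    def finish(self, cid, decision, tag):
        entry = self.pending.pop(cid, None)   # single use: a replay finds nothing
        if entry is None:
            return "rejected"
        tx, nonce = entry
        if not hmac.compare_digest(_tag(self.key, tx, nonce, decision), tag):
            return "rejected"                 # response not produced by the enrolled phone
        return "executed" if decision == "approve" else "declined"

def phone_respond(device_key, push, user_intended):
    # Models the user reading the pushed details and comparing them with intent.
    decision = "approve" if push["tx"] == user_intended else "decline"
    return decision, _tag(device_key, push["tx"], push["nonce"], decision)

def run(tamper_in_browser):
    key = secrets.token_bytes(32)             # constructed enrolment key (assumption)
    server = Server(key)
    intended = {"payee": "Supplier Ltd", "amount": "50000.00", "currency": "GBP"}
    # Constructed scenario: the infected browser submits a different payee.
    sent = dict(intended, payee="Mule Account") if tamper_in_browser else intended
    push = server.start(sent)
    decision, tag = phone_respond(key, push, intended)
    first = server.finish(push["id"], decision, tag)
    replay = server.finish(push["id"], decision, tag)
    return first, replay

if __name__ == "__main__":
    print("clean browser:   ", run(False))
    print("tampered browser:", run(True))
```

The protection depends on the phone showing the details the server actually received, so the user can spot a payee or amount they did not enter; an approval screen without that context would confirm the tampered transfer just as readily.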

