two-factor authentication goes mobile · two-factor authentication (2fa) is an information security...
TRANSCRIPT
TWO-FACTOR AUTHENTICATION
GOES MOBILE
First Edition September 2012 © Goode Intelligence
All Rights Reserved
Published by: Goode Intelligence
26 Dover Street London
W1S 4LY United Kingdom
Tel: +44.20.33564886 Fax: +44.20.33564886
www.goodeintelligence.com [email protected]
Whilst information, advice or comment is believed to be correct at time of publication, the publisher cannot accept any responsibility
for its completeness or accuracy. Accordingly, the publisher, author, or distributor shall not be liable to any person or entity
with respect to any loss or damage caused or alleged to be caused directly or indirectly by what is contained in or left out of this
publication.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any
means, electrical, mechanical, photocopying and recording without the written permission of Goode Intelligence.
Goode Intelligence © 2012 www.goodeintelligence.com
CONTENTS
Market Analysis: The mobile phone as ultimate tokenless authenticator ............................... 2
Understanding the basics: What is Tokenless Two-Factor Authentication (2FA)? ................. 3
What is Two-factor Authentication? ................................................................................... 3
Key benefit of 2FA ............................................................................................................. 3
What is Tokenless 2FA? .................................................................................................... 3
It’s all about user choice! Self-management – the key to 2FA lifecycle management ............ 4
Benefits of user choice and self-management ................................................................... 4
More mobile phones than people – every phone can support tokenless 2FA ........................ 5
Is SMS a reliable method for OTP delivery? ...................................................................... 5
The importance of innovation in tokenless authentication ..................................................... 6
Innovate or fail! .................................................................................................................. 6
Innovation Case Study – SecurEnvoy ............................................................................... 6
The changing endpoint needs a rethink in 2FA technology ................................................... 7
Customer case study – Invensys........................................................................................... 8
Invensys 2FA Project ......................................................................................................... 8
What Goode Intelligence research tells us about mobile 2FA .............................................. 10
Mobile 2FA Adoption ....................................................................................................... 10
Tokenless Mobile 2FA Market Activity: Increasing sales erode hardware token market ... 10
Summary ............................................................................................................................ 11
Related research / about Goode Intelligence ...................................................................... 12
Two-Factor Authentication Goes Mobile
Goode Intelligence © 2012 P a g e | 2 www.goodeintelligence.com
The mobile phone has become the de-facto device for business and leisure and is in the hands of the majority of the world’s population. Mobile phones have become the dominant computing platform for every part of our daily lives including communication (including business email), social networking, gaming, media consumption, navigation and even payment with the advent of Near Field Communications (NFC) technology. The mobile phone is the ultimate disruptive technology and authentication is not immune from its influence.
MARKET ANALYSIS: THE MOBILE PHONE AS
ULTIMATE TOKENLESS AUTHENTICATOR
This white paper from mobile security research and consultancy specialist, Goode Intelligence (GI) explores how mobile phones are transforming authentication and eroding the position of hardware token technologies as the dominant form in Two-factor authentication (2FA). GI first started its research into mobile phone-based authentication (mobile 2FA) products and solutions in the summer of 2009 and has discovered a number of key facts:
Mobile (tokenless) 2FA is considerably cheaper than hardware-based 2FA solutions including hardware tokens and smart cards
Mobile 2FA is easy to deploy and manage with provisioning taking a fraction of the time that hardware-based 2FA solutions can take
Mobile 2FA is ubiquitous in that it is available for all mobile phones, not just smart phones
In an age where users are bringing in their own mobile devices into the workplace and using consumer cloud-based services for business purposes, end-user choice is vital. Tokenless 2FA solutions must offer user choice through self-management functionality
GI’s research has uncovered examples of excellent technology innovation from vendors involved in mobile 2FA. Choosing a technology vendor with innovation as a primary pillar is key for end-users when making strategic buying decisions for authentication
As mobile 2FA is cost-effective, easy to deploy and available to billions of mobile phone users around the world, it is quickly becoming the de-facto technology to replace weak userid and password authentication solutions
Goode Intelligence White Paper Goode Intelligence’s white papers offer analyst insight from research extracted from primary sources including surveys, analyst reports, interviews and conferences.
GI Research Facts 35% of organisations have deployed mobile phone-based authentication
1
Mobile phone-based authentication has increased market-share from 5% in 2009 to over 20% by the end of 2011
2
By the end of 2014, 64 percent of 2FA sales will be mobile-based
3
1 Taken from mSecurity Survey 2011 Report premium edition, published by Goode intelligence April 2012:
http://www.goodeintelligence.com/report-store/view/gi-msecurity-2011-survey-report-premium-edition 2 Goode Intelligence primary research
3 Taken from “The mobile phone as an authentication device 2010-2014”. Published by Goode Intelligence, November 2009:
http://www.goodeintelligence.com/report-store/view/the-mobile-phone-as-an-authentication-device
Two-Factor Authentication Goes Mobile
Goode Intelligence © 2012 P a g e | 3 www.goodeintelligence.com
UNDERSTANDING THE BASICS: WHAT IS TOKENLESS TWO-
FACTOR AUTHENTICATION (2FA)?
What is Two-factor Authentication?
Two-factor authentication (2FA) is an information security process in which two means of identification are combined to increase the probability that an entity, commonly a computer user, is the valid holder of that identity. 2FA requires the use of two reliable authentication factors:
Something the user knows, e.g. a password or a PIN
Something the user owns, e.g. a mobile phone, a hardware token or a smart card
In many 2FA solutions, possession of the second factor, “something that the user owns”, is demonstrated by knowledge of a one-time password (OTP). This OTP is either generated by the second factor in the possession of the user, e.g. a mobile phone, or by a trusted server that is then delivered to the second factor. This delivery can include SMS text messages.
Key benefit of 2FA
Reduces the possibility of an authentication credential being stolen and hacked. Passwords are static codes that are prone to theft, e.g. through a phishing, keylogging, or replay attacks. By utilising OTPs, a 2FA solution can avoid many of the weaknesses associated with static password solutions.
What is Tokenless 2FA?
Hardware tokens generating OTPs have been a common method for 2FA. For many years enterprise users have been carrying around hardware tokens for enterprise 2FA. But have hardware tokens had their day? Has a combination of high purchase and distribution costs, a move away from centralised support to self-service and security concerns created by high-profile hacks meant that alternative 2FA solutions are beginning to erode this once dominant technology? A credible alternative to hardware tokens are tokenless solutions. Tokenless solutions do not rely on proprietary hardware but instead make use of existing hardware that is already in the hands of users. They perform all of the security functions that hardware tokens offer, and in some cases enhance security, but are not reliant on expensive, single-use, hardware technology. The power of tokenless is especially strong when the device being utilised is a mobile phone.
GI Definitions 2FA: Two-factor
Authentication. Something the user knows and something the user owns or has
Tokenless 2FA: 2FA solutions that do not rely on proprietary hardware technology
OTP: A one-time
password is a password or code that is generated for only one login session
Credential: Identity
attestation issued by an authority to validate users at logon
Replay attack: Where a password is intercepted or stolen and then replayed by an imposter user to get unauthorised access to a computer or network
Two-Factor Authentication Goes Mobile
Goode Intelligence © 2012 P a g e | 4 www.goodeintelligence.com
IT’S ALL ABOUT USER CHOICE! SELF-MANAGEMENT – THE
KEY TO 2FA LIFECYCLE MANAGEMENT
Choice is a frequently used word in IT at the moment.
The choice for an employee to bring in their own personal device to the workplace and use it
for business purposes; where device can mean smart phone, tablet computer, netbook,
laptop or MacBook.
The choice to share information with friends and colleagues using agile cloud-based
services such as Dropbox and Box.
The choice to communicate with friends and colleagues using social network tools such as
Facebook, Twitter and LinkedIn.
Is choice relevant to information security and in particular is it relevant to 2FA? On the
surface you would think not as it goes against some of the tenants of information security;
strict information security policy drive technology controls that are deployed by central IT and
information security functions. This does not really sit well with user choice; or does it?
Will bring your device (BYOD) turn into bring your own token (BYOT)? Over two-thirds of organisations now support BYOD and many are using tools such as Mobile Device Management (MDM) to enforce security policy.
4 These employee-owned devices are also being
utilised as authenticators; soft tokens running as mobile apps – Bring your own token (BYOT)
Are we able to put the user in control whilst at the same time ensuring that information
security policy is met? GI firmly believes that the two can coexist with each other for 2FA
solutions by:
1. Choosing an authentication technology partner that puts the user in control but also
allows authentication security policy to be met
2. Allows administrators to create the technology framework to support choice
3. Allows the end user to choose the authentication device of choice
4. Supports any mobile phone, not just smart phones that can run mobile apps
5. Allows the user to swap seamlessly between mobile phones without incurring
additional license cost
Benefits of user choice and self-management
Modern enterprise IT is all about providing users with choice and information security should
not be immune to this trend. It is important that authentication solutions provide the user with
choice; putting the user in control of what authentication device (mobile phone) they want to
choose. A core strength of today’s authentication solution should be the offer of self-
management; empowering the user to manage their own authentication service, thus
removing the onus on administrators of authentication lifecycle management.
4 Taken from mSecurity Survey 2011 Report premium edition, published by Goode intelligence April 2012:
http://www.goodeintelligence.com/report-store/view/gi-msecurity-2011-survey-report-premium-edition
Two-Factor Authentication Goes Mobile
Goode Intelligence © 2012 P a g e | 5 www.goodeintelligence.com
MORE MOBILE PHONES THAN PEOPLE – EVERY PHONE CAN
SUPPORT TOKENLESS 2FA
It is forecast that shortly there will be more mobile devices than people on this planet
(forecast for just over seven billion people in 2012)5. Ericsson, the mobile network
technology vendor, forecasts that by 2017 there will be nine billion mobile phone
subscriptions.6
Forecasts for 2011 indicated that there were around six billion mobile phone subscribers
around the world with predictions that this figure would rise by 500 million, to a total of 6.5
billion, by the close of 2012.7
6.5 billion mobile phone subscribers by the end of 2012
Every one of these mobile devices has the capability to support tokenless 2FA, either
through the receipt of SMS text messages containing OTPs or by utilising a mobile app that
generates the OTP on the device itself. Two-factor authentication is within easy reach of the
majority of the world’s population without the need to issue and manage any additional
hardware – that is over six billion potential authenticators. That means tokenless 2FA for any
mobile device, anytime from anywhere in the world.
Is SMS a reliable method for OTP delivery?
There is occasionally an issue with reliability of OTP delivery with SMS text message-based
2FA solutions. Mobile network operators (MNOs) cannot guarantee SMS text message
delivery within an acceptable timeframe for 100 percent of all SMS messages delivered.
There are times when the mobile network is overloaded, e.g. peak times at events and
natural disasters, and other times when network coverage is either poor or non-existent, e.g.
an IT engineer in a data centre that may be underground or protected from radio.
Late delivery of an OTP contained in an SMS text message can be problematic for a time-
critical login that can mean no access to critical enterprise resources. To overcome this
tokenless 2FA vendor, SecurEnvoy, has developed a patented pre-loading feature where
5 United Nations world population figures
6 Ericsson: http://mobithinking.com/mobile-marketing-tools/latest-mobile-stats/a#subscribers – Please note that this forecast is
for subscriptions. One mobile phone subscriber can have multiple mobile phone subscriptions. 7 http://mobithinking.com/mobile-marketing-tools/latest-mobile-stats/a#subscribers
Two-Factor Authentication Goes Mobile
Goode Intelligence © 2012 P a g e | 6 www.goodeintelligence.com
the problem of poor mobile phone network coverage is removed by the ability to pre-load
OTPs.
Pre-loaded one time codes are an innovation from SecurEnvoy that gets over the problem of guaranteeing the receipt of SMS text messages. There are situations, e.g. peak-times for SMS traffic or when a mobile phone user is outside of network coverage, when an SMS text message cannot be delivered to a user within a timely manner. This can be critical if you are using SMS to deliver an OTP for remote network access. By pre-loading one time authentication codes each time (three codes are sent with each SMS text message) a user initiates a logon session this issue is resolved
THE IMPORTANCE OF INNOVATION IN TOKENLESS
AUTHENTICATION
Innovate or fail!
There are many examples in the history of information technology where market-dominant
technology vendors have seen a steep-decline in fortunes as a result of a failure to keep
innovating. The IT and telecommunications graveyard is full of organisations that, instead of
keeping innovation central to their strategy, have relied on technology that may have been
disruptive and innovative in a previous IT age. The current problems that technology vendors
such as Research In Motion (RIM) and Nokia are facing testify that companies must strive to
innovate and successfully get that innovation to market.
The mantra of innovate or fail is as true in the world of information security and
authentication as it is with other areas of IT and telecommunications. One authentication
vendor that views innovation as key to its success is SecurEnvoy.
Innovation Case Study – SecurEnvoy
Tokenless mobile phone-based authentication has been around as a concept since the late
1990s and as a product since the early part of the current century. SecurEnvoy has been at
the vanguard of innovation (see figure 1 for a timeline of SecurEnvoy’s innovation) in
tokenless authentication since 2001 when the first pre-loaded one time code was sent to a
mobile phone.
Goode Intelligence applauds SecurEnvoy’s track record of innovation in tokenless
authentication from its early beginnings in 2001. Its record for innovation includes using
mobile 2FA for password resets (2006), tokenless cloud-based authentication with
SecurCloud (2009) and continues into the present with supporting the use of its tokenless
authentication for enterprise-grade disk encryption solutions.
Future product releases will build on this strong track record in innovation and will include
solutions to use one time codes to ‘session lock’ the voice network to the browser’s current
network connection for phone call-based authentication.
Two-Factor Authentication Goes Mobile
Goode Intelligence © 2012 P a g e | 7 www.goodeintelligence.com
Figure 1: SecurEnvoy – Timeline of tokenless innovation
Source: Goode Intelligence, July 2012 (data from SecurEnvoy)
THE CHANGING ENDPOINT NEEDS A RETHINK IN 2FA
TECHNOLOGY
We are witnessing diverse and fundamental changes in how enterprise IT is accessed and
consumed. A combination of smarter connected consumer devices and cloud-based
enterprise services is leading to a revolution in how employees access enterprise IT
resources.
Company-issued laptop computers have been the de-facto endpoint computer device for
accessing enterprise IT resources when away from the office. Laptop computers are
equipped with serial and USB ports that allow devices, such as smart card readers and USB
memory sticks, to be easily attached and used. Smart cards and USB-based authenticators
have been methods in which 2FA has been supported. However, as falling laptop sales
testify, the laptop is losing its grip on being the prime enterprise mobile computing device.
Two-Factor Authentication Goes Mobile
Goode Intelligence © 2012 P a g e | 8 www.goodeintelligence.com
In recent years the trend has been to complement, and even replace, enterprise laptop use
with a new breed of smart connected devices. Commonly these new smart mobile devices
(SMDs) are smart phones and tablet computers running mobile operating systems.
Additionally the enterprise is been extended out to a new range of connected intelligent
consumer devices that offer similar levels of functionality as smart phones and tablet
computers. It is feasible that access to enterprise resources could well be pushed out to
Smart TVs, games consoles and other touch-screen consumer devices.
The changing nature of enterprise IT requires a good long-term strategy and involves a good degree of future-proofing and authentication is certainly not immune from this
These are consumer devices and, in the main, do not offer the same levels of local
connectivity that a laptop computer does. If an organisation has adopted hardware-based a
2FA solution that requires either a physical connection, certificate or pre-installed software
on an enterprise owned device than this investment would be redundant in this new age.
As a result of this change, organisations should embrace 2FA technology solutions that have
a zero footprint at the point of authentication; thus accommodating both existing connection
points on any present or future device. This approach is more in-tune with the changing
nature of enterprise IT. Goode Intelligence believes that tokenless mobile 2FA currently
offers the best solution to provide strong authentication for the new breed of remote
enterprise workers.
CUSTOMER CASE STUDY – INVENSYS
Invensys is a UK-based FTSE100 engineering conglomerate with revenue of nearly £2.5
billion (2011) employing more than 20,000 staff around the world. The company is
comprised of three companies; Invensys Rail, Invensys Controls, Invensys Operations
Management.
Historically, each of three businesses was run independently, including its IT infrastructure
services. To streamline its operation, Invensys introduced a global IT infrastructure division
with a remit of developing shared IT services across all three of the business units. This
included remote access services with a vision of creating a single solution to support
employees’ accessing Invensys IT resources remotely. Naturally, user authentication is a
vital part of this shared infrastructure.
Invensys 2FA Project
Back in 2009, Invensys Rail was using a hardware token solution to provide user
authentication for its remote access service. The hardware 2FA solution was not without its
Two-Factor Authentication Goes Mobile
Goode Intelligence © 2012 P a g e | 9 www.goodeintelligence.com
problems; despite being run as an outsourced service Invensys Rail found it to be time
consuming and costly to operate. One key issue was availability of the hardware token when
end-users really needed it. Users were often without their tokens when they were required to
connect to the Invensys Rail IT network remotely.
A decision was made to replace the hardware token solution with the key project drivers
being:
1. To reduce the cost of the current hardware token 2FA solution; calculated as $8 per
person per month for hardware token.
2. To reduce the time it took to deliver 2FA credentials to users; calculated as taking
“around ten days”.
The task was given to David van Rooyen, principal solutions architect, responsible for
Invensys’ telecommunication based infrastructure strategy. After developing the
requirements and evaluating the technology available, Van Rooyen decided to deploy a
mobile phone-based 2FA solution provided by SecurEnvoy - SecurAccess. Van Rooyen
outlined how the SecurEnvoy solution fulfilled Invensys’ requirements for an agile cost
effective 2FA solution; “Provisioning a physical token for one of our users takes around ten
days compared with five minutes provisioning a soft token, so the man hours are vastly
reduced as well as the costs of shipping them out. I’ve completed a full business analysis
and found that $8 per person per month is what it was costing for a physical token versus $2
per person per month for a soft token. When you replicate that across 15-20,000 users, the
savings are in the millions.”
Table 1: Key benefits: Hardware token vs. Tokenless - Cost reduction and Time saving
Hardware Token Tokenless
Cost Reduction ($) $8.00 per user per month $2.00 per user per month Time Saving (Provisioning single token)
10 days 5 minutes
Two-Factor Authentication Goes Mobile
Goode Intelligence © 2012 P a g e | 10 www.goodeintelligence.com
WHAT GOODE INTELLIGENCE RESEARCH TELLS US ABOUT
MOBILE 2FA
Goode Intelligence is a leading authority in mobile security and has been covering the
mobile phone-based authentication market since 2009 when it first published its report ‘The
mobile phone as an authentication device’. Since that report was published GI has noticed
the steady rise in the adoption of mobile phone-based authentication solutions.
Mobile 2FA Adoption
In Goode Intelligence’s annual mobile security survey (GI mSecurity survey report) there has
been a steady rise in the adoption of mobile phone Two-factor (2FA ) authentication
solutions from zero adoption in 2009, rising to 22 percent in 2010 and standing out 35
percent in the last survey from late 2011 (with a further six percent planning to deploy).
Figure 2: The percentage of organisations that have adopted the mobile phone as an
authentication device – 2009-2011
Tokenless Mobile 2FA Market Activity: Increasing sales erode
hardware token market
In terms of market activity, Goode Intelligence’s market analysis (started in the summer of
2009) suggests a steady annual increase in the sales of mobile 2FA solutions.
In 2010, data harvested from end-users and technology vendors, suggested that around five
percent of global 2FA sales were mobile-based. A follow-up study in 2012 discovered that
this figure was now over 20 percent. A forecast, made by GI in 2009, suggested that by the
end of 2014, 64 percent of 2FA sales will be mobile.8
By 2012, 64 percent of total 2FA worldwide sales will be mobile-based
8 Taken from “The mobile phone as an authentication device 2010-2014”. Published by Goode Intelligence, November 2009
2009
2010
2011
0%
22%
35%
Two-Factor Authentication Goes Mobile
Goode Intelligence © 2012 P a g e | 11 www.goodeintelligence.com
SUMMARY
Mobile phones offer organisations that are evaluating their end-user authentication strategy
a realistic alternative to both single-factor, userid/password, and hardware-based (single-
user devices) two-factor authentication solutions.
This white paper has explored how mobile 2FA is meeting the needs of modern IT functions
that require agile, cost-effective and easy to deploy/manage two-factor authentication
solutions.
The market for mobile 2FA will continue to grow and it is on course to become the dominant
force in two-factor authentication.
End-users who are reviewing their authentication strategy must seriously consider mobile
2FA as a viable solution.
End-users should ask potential authentication partners these important questions when
evaluating a suitable 2FA technology solution:
Does the solution offer an end-user choice in what mobile phone they can use for
2FA purposes?
Can the end-user make these choices through a self-management function?
Does the mobile 2FA solution work on any phone, in any region and any time?
If the solution is SMS-based, how is the problem of delayed SMS delivery and poor
network coverage resolved?
How easy is it to re-provision an end-user when that user changes their mobile
phone and is there any additional cost involved in this process?
What track record does the potential technology partner have for innovation and will
innovation continue to be important for future product releases?
Should allow 2FA on any device – allowing zero footprint at the point of login
Two-Factor Authentication Goes Mobile
Goode Intelligence © 2012 P a g e | 12 www.goodeintelligence.com
RELATED RESEARCH / ABOUT GOODE INTELLIGENCE
The mobile phone as an authentication device 2010-2014 (Published November 2009)
Mobile Phone Biometric Security – Analysis and Forecasts 2011-2015 (Published June 2011)
GI mSecurity 2011 Survey Report Premium Edition (Published April 2012)
mBiometric Series – Insight Report: Mobile Fingerprint Biometrics (Planned publication
September 2012)
Mobile Financial Services (MFS) Series - Insight Report: Mobile Banking Security (Planned
publication October 2012)
Smart Mobile Identity – the next wave of mobile identity and authentication solutions
(Planned publication December 2012)
For more information on this or any other research please visit www.goodeintelligence.com.
Since being founded by Alan Goode in 2009, Goode Intelligence has built up a strong
reputation for providing quality research and consultancy services in mobile security. This
document is the copyright of Goode Intelligence and may not be reproduced, distributed,
archived, or transmitted in any form or by any means without prior written consent by Goode
Intelligence.