Article posted: Mar 05, 2018
By Joakim Thorén, CEO
Recently, ECN published an opinion piece on why smartphones can do double duty to secure data and a user's identity. Certainly, the smartphone is a good tool for authentication, but relying on One-Time Passwords (OTPs) is not an ideal two-factor authentication method, because OTP authentication makes use of rather short computer-generated passwords. These passwords are often delivered to the user with no or only very weak authentication.
The dangers of using OTPs in two-factor authentication are very real. In fact, the National Institute of Standards and Technology (NIST) has cautioned organizations to eliminate SMS-based OTPs, even when the OTPs are valid only for a short time.
Smartphones are an important element in today's mobile-centric workforce, as evidenced by a recent Harris Poll that shows more than 80 percent of US workers have smartphones. Workers use them to access critical work data and collaborative tools such as Salesforce. But concerns about the safety of corporate data on smartphones are growing.
In a Dimensional Research poll of global professionals, 64 percent of participants doubted their organizations could prevent a mobile cyberattack, and more than a third of companies were believed to be failing to secure their mobile devices adequately. Nearly all survey respondents, 94 percent, said they expect the frequency of mobile attacks to increase, and another 79 percent said that securing mobile devices is becoming more difficult.
Organizations can and must secure smartphones, but OTP is not the answer. One alternative is asymmetric key cryptography, also called public key cryptography, which uses public and private keys to encrypt and decrypt data. The "keys" are simply large numbers that have been paired together but are not identical. One key in the pair can be shared with everyone, as it is a public key. The second key in the pair is kept secret, as it is a private key. Either of the keys can be used to encrypt a message; the opposite key from the one used to encrypt the message is used for decryption.
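As an added example (not code from the article or from Versasec), here is the login flow that such a key pair enables, written in Go with the standard library's Ed25519: the phone signs a random challenge with its private key, the server checks the signature with the enrolled public key, and no short reusable secret ever crosses the network. The example uses the key pair for signing rather than the encrypt/decrypt wording above, and the Server, Enroll, Challenge, Verify and Respond names are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server stores each user's enrolled public key and any challenge it has issued
// but not yet seen answered. It never holds a private key, unlike an OTP seed.
type Server struct {
	users   map[string]ed25519.PublicKey
	pending map[string][]byte
}
func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}} }
// Enroll registers the public half of the phone's key pair.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues a fresh 32-byte random nonce for the phone to sign.
func (s *Server) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no usable randomness: refuse to authenticate anyone
	}
	s.pending[user] = nonce
	return nonce
}

// Verify checks the signature over the outstanding challenge and then discards
// that challenge, so a captured response cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, enrolled := s.users[user]
	nonce, issued := s.pending[user]
	delete(s.pending, user)
	return enrolled && issued && ed25519.Verify(pub, nonce, sig)
}

// Respond is the phone side: sign with the private key, which never leaves the device.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewServer()
	srv.Enroll("alice", pub)
	c := srv.Challenge("alice")
	sig := Respond(priv, c)
	fmt.Println("login:", srv.Verify("alice", sig), "replay:", srv.Verify("alice", sig))
}
```

Because the server only ever sees a signature over a nonce it chose, an attacker who intercepts the response learns nothing that lets them log in later, which is the property an SMS OTP cannot offer.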
As more data becomes mobile accessible, it's important for organizations to have mobile identity and access programs in place. To learn more about how to better protect your organization by using identity and access management, visit https://versasec.com/vsec-cms.php.