Mobile Security – Simple Username and Password Isn’t Good Enough


More mobility requires more security options than just a username and password

There’s plenty of news out there about the way mobile technology, BYOD programs, and other facets of the consumerization of IT trend are reshaping the workplace and the IT department. The traditional daily routine of typing a username and password into a PC in the morning, using that computer all day long, and shutting it down before heading home is gone for many of us.

Today, we use a mix of devices in the office, during meetings, on the road, and often from home. That mix of devices, a range of different apps, cloud services, and remote access empowers us in ways that were unimaginable a few years ago. In this new workplace, however, do we need something more than the old username and password to make resources available and keep business data secure?

According to enterprise expert Benjamin Robbins, we probably do. As he points out in a recent blog entry, the old model of user identity doesn’t provide enough security and flexibility for today’s ever more mobile world.

One issue is that the old paradigm was designed with a physical security system in place – if I’m typing my username and password at my desk, I’ve already gotten into the office building, into my company’s office, and sat down in my cubicle – even if there’s no ID badge needed to do that, I’ve passed people who know me and haven’t questioned my authority to be there. My PC is, of course, connected to my company’s network and is behind a firewall that ensures a significant level of data security.

A lot of that protection vanishes if I’m sitting at Starbucks with my iPad using public Wi-Fi to access a cloud-based resource (possibly one that would be in a vendor’s datacenter and thus remote even if I was at my desk). That’s a lot of variables in itself, but if my iPad is stolen while I’m ordering my second or third latte then even the less than stellar security in place could be gone if I didn’t use a passcode or had left the device unlocked.

Adding factors like device type (iPhone, iPad, MacBook, Windows desktop and so forth), a specific device identified by serial number or another unique characteristic, physical/geographical location, the type of network I’m connected over, and even the apps that I’m using creates a much more specific picture of my user identity – any of those identifying factors can be used to disallow or restrict access to secure systems. If my username and password are stolen and somebody in Europe tries to use them to access confidential data hosted in the cloud (or even in the office), for example, they can be denied access simply by virtue of being thousands of miles away and/or for using an unrecognized device/computer.

The concept is really an extension of two existing IT practices. First is two-factor authentication, which requires that something like a smartcard, RSA SecurID token, or biometric data such as a fingerprint or iris scan be provided in addition to my username and password. Second is managing access or environment based on device or device group – a basic concept in Windows/Active Directory group policies as well as Apple’s managed preferences architecture, where my username is associated with specific user groups and groups of devices – which can be used to allow or restrict access to data and apps, and can provide an overall computing experience and configuration.
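As an added illustration (not code from the article or from Benjamin Robbins’ post) of the policy the two preceding paragraphs describe, the Python below evaluates a login against a correct password plus device serial, reported location and network type, and returns allow, step up to a second factor, or deny. The device registry, home locations, the 500 km threshold and the sample logins are all constructed for the example.

```python
"""Context-aware access decision: device, location and network signals
extend a plain username/password check. All data below is constructed."""
import math
from dataclasses import dataclass

# Constructed registry of company-enrolled devices: serial -> (owner, device type)
ENROLLED_DEVICES = {"C02XYZ123": ("alice", "MacBook"), "F9ABCD456": ("alice", "iPad")}
# Constructed usual location per user (lat, lon) and how far away still looks plausible
HOME_LOCATION = {"alice": (47.61, -122.33)}   # Seattle, constructed
MAX_PLAUSIBLE_KM = 500

@dataclass
class LoginContext:
    user: str
    password_ok: bool        # result of the ordinary credential check
    device_serial: str       # unique device identifier reported by the client/MDM
    location: tuple          # (lat, lon) as reported by the client
    network: str             # "corporate", "home" or "public"

def distance_km(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))

def decide(ctx: LoginContext):
    """Return (decision, reasons): 'allow', 'step_up' (demand a second factor) or 'deny'."""
    if not ctx.password_ok:
        return "deny", ["bad credentials"]
    reasons = []
    owner = ENROLLED_DEVICES.get(ctx.device_serial, (None, None))[0]
    if owner != ctx.user:
        reasons.append("unrecognized device")        # stolen credentials on a stranger's device
    if distance_km(ctx.location, HOME_LOCATION[ctx.user]) > MAX_PLAUSIBLE_KM:
        reasons.append("implausible location")        # e.g. a login from Europe for a Seattle user
    if reasons:
        return "deny", reasons                        # valid password alone is not enough
    if ctx.network == "public":
        return "step_up", ["public network"]          # Starbucks Wi-Fi: require a second factor
    return "allow", []

if __name__ == "__main__":
    print(decide(LoginContext("alice", True, "C02XYZ123", (47.60, -122.30), "corporate")))
    print(decide(LoginContext("alice", True, "UNKNOWN01", (48.85, 2.35), "public")))
```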

Creating such a system isn’t particularly technical, since most of the needed data is already easy to retrieve. The biggest challenge is likely getting executive and user buy-in to a model that requires a fair amount of personal information, like location data, to be shared with and/or recorded by IT.

Source: remotelyMOBILE

  • xMoonDevilx

    Authenticators (small keychain devices utilizing an algorithmic refreshing code system) can be used as an added utility, being required to enter the code generated from it after entering ID and password. There are even apps of this nature (depending on company) where you can simply use your smartphone as the Authenticator. Would be cool if the code scanners on smartphones which can scan the generated ‘barcode’ identifiers on products, as well as seen through TV adverts, but make them use thumbprint scanning... but that takes the company needing security to implement and a developer company to make it – make it in general, accessible, and affordable. Blizzard Games offers a free app Authenticator for its games if desired; banks like Wells Fargo also offer a free keychain-style Authenticator for security to online banking services.

  • JustDoIt

    What about the ability to offer a phone based authentication?  Not an app but by a call or SMS like Facebook does.  You just put in your username and password and rather than carrying an extra token or restricting two-factor to only your smartphone users, you allow them the ability to telesign in on any phone that they already have.  I believe this is a more practical option and can more easily get buy-in from the business team.

  • Signed_out

    Agree with JustDoIt. I prefer it when an organization (like Facebook) offers a form of 2-factor authentication requiring customers to telesign into their accounts and by this ensuring added protection and reduction of fraud for their clients.