In recent years much of the focus in the authentication space has been on MFA, mobile devices, and biometrics. Many technical advances have been made which also serve to increase usability and improve consumer experiences. There are a few reasons for this.

MFA

Multi-factor authentication is the number one method for reducing ATO (account takeover) fraud and preventing data breaches. Password-only authentication is widely known to be weak and is the easiest way in for malicious actors. MFA has been mandated by security policy in many organizations and government agencies for years, and it is now also required in the consumer space by regulation. EU PSD2, for example, calls for Strong Customer Authentication (SCA = 2FA + risk-adaptive) for customers of financial apps.

Mobile devices

Smartphones are commonplace, and studies show that consumers tend to protect them better than even their wallets. People have become used to using a phone as a second factor via SMS OTP, although that method has known security problems. Phone + PIN is a reasonable second-factor method, and mobile push notifications are also an accepted paradigm. Increasingly we see dedicated mobile apps for authenticating users, generally built using SDKs from authentication service providers. In some cases these SDKs allow the use of hardware security features such as a GlobalPlatform Secure Element (SE) and a Trusted Execution Environment (TEE).

Mobile biometrics

Apple’s Touch ID and Face ID brought mobile biometrics into the mainstream. Samsung and other Android models also offer native capabilities. More advanced 3rd-party mobile biometric apps are available that add behavioral/passive and other modalities such as voice recognition. From the standpoint of False Acceptance Rate (FAR – the measure of how often an impostor can get unauthorized access) Apple reports an impressive one in a million for Face ID, and one in 50,000 for Touch ID. Though these numbers look great, mobile biometrics remain susceptible to presentation attacks despite vendor solutions using liveness detection methods.

High identity assurance solutions for mobile

Back in 2014, US NIST released SP 800-157, which provides guidelines for the Derived PIV credential. PIV cards are Smart Cards that are used by some US government and other agencies for in-person and electronic authentication. The process for obtaining a PIV card is rigorous, which allows it to be considered a high assurance credential. NIST SP 800-157 was designed to provide an alternate way of using PIV credentials with mobile devices: rather than using card readers, a parallel (not a copy) set of credentials, including keys and certificates, can be issued to and installed on mobile devices. These implementations require the use of security mechanisms such as SE and TEE. The vendors listed below provide compliant solutions:

This Derived PIV Credential approach would also work well in the private sector. Many companies use Smart Cards or other hardware tokens for authentication today. Keys and certificates generated by enterprise PKI could likewise be issued in parallel to employees’ devices. Moreover, the ability to combine high assurance credentials on mobile with FIDO 2 opens many possibilities; for example, using Smart Card strength credentials stored on phones to authenticate to laptops, desktops, and web-based applications.

Recommendation

KuppingerCole believes that companies or other organizations that are looking to modernize IAM solutions in general and authentication services in particular should consider these options. High assurance mobile MFA solutions are suited for organizations that:

  1. Have high identity assurance level requirements, either by policy or regulation
  2. Have existing investments and expertise in PKI
  3. Issue mobile devices to their workforces
  4. Have existing UEM or EMM solutions in place

High assurance mobile MFA can be deployed alongside current Smart Card or hardware token (PKI) infrastructure, allowing for a controlled phased-in rollout. To maintain separation but preserve compatibility, a new intermediate CA (certificate authority) can be installed under the root to issue parallel keys and certificates for mobile devices. In this scenario, there is no need to “rip and replace”.
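The parallel intermediate CA described above, as an added example that is not part of the original post: a POSIX shell script using the openssl CLI that keeps the existing root, adds a separate intermediate dedicated to mobile derived credentials, issues one device certificate and verifies the chain. The CA names, the subject "alice" and the on-disk keys are assumptions for illustration only.

```shell
# Parallel PKI for mobile derived credentials: a new intermediate CA under the
# existing root issues device certificates without touching the smart card CA.
# Added example, not from the post; names are assumptions. Needs openssl >= 1.1.1.

build_parallel_pki() {
  d="$1"
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[root_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ica_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[device_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
  # Existing enterprise root (in production its key sits in an HSM, not on disk).
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/root.key"
  openssl req -x509 -new -key "$d/root.key" -sha256 -days 3650 \
    -config "$d/pki.cnf" -extensions root_ext \
    -subj "/O=Example Corp/CN=Example Root CA" -out "$d/root.crt"
  # New intermediate dedicated to mobile derived credentials; pathlen:0 stops
  # it from creating further CAs, keeping it separate from the smart card ICA.
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/mobile-ica.key"
  openssl req -new -key "$d/mobile-ica.key" -config "$d/pki.cnf" \
    -subj "/O=Example Corp/CN=Mobile Derived Credential CA" -out "$d/mobile-ica.csr"
  openssl x509 -req -in "$d/mobile-ica.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$d/pki.cnf" -extensions ica_ext \
    -out "$d/mobile-ica.crt"
  # Device key pair: on a phone this is generated inside the SE/TEE and only the
  # CSR leaves the device; the smart card's own key is never copied.
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/device.key"
  openssl req -new -key "$d/device.key" -config "$d/pki.cnf" \
    -subj "/O=Example Corp/OU=Derived Credential/CN=alice" -out "$d/device.csr"
  openssl x509 -req -in "$d/device.csr" -CA "$d/mobile-ica.crt" \
    -CAkey "$d/mobile-ica.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$d/pki.cnf" -extensions device_ext -out "$d/device.crt"
}

# Relying parties keep trusting only the existing root; the mobile ICA travels
# with the device certificate as an untrusted chain link.
verify_device_cert() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/mobile-ica.crt" "$1/device.crt"
}
```

Because only the root is in the trust store, the smart card and mobile intermediates can be revoked or retired independently of each other.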

In the long run, high assurance mobile MFA solutions utilizing the FIDO and WebAuthn protocols can increase usability, decrease the costs associated with issuing and replacing Smart Cards or hard tokens, and promote interoperability between mobile and traditional computing devices, web apps, and web services.

For organizations that don’t currently have PKI-based IAM solutions, there is no need to build out CAs and issue certificates to mobiles. In this case, it would be more efficient to implement FIDO 2 authentication. A pure FIDO solution provides similar benefits, such as unique key pair generation on a per-application basis and standards-based communication protocols, without the weight of PKI. Many FIDO authenticators available today can provide strong authentication assurance, but only the processes and PKI described in the previous sections can provide high identity assurance.

The authentication market has a plethora of options today. The time is right to upgrade to strong MFA and risk-adaptive authentication. The challenges reside in understanding your business and regulatory environments and choosing the right mix of authenticators, risk analytics capabilities, and management tools.

For more information or assistance in evaluating high assurance mobile MFA solutions or other authentication services, see https://www.kuppingercole.com/advisory.