Handset leaders add biometrics and NFC, dawning a new era in mobile as a credential
16 March, 2015
category: Biometrics, Corporate, Digital ID, Financial, Government, Library, NFC
BYOID: Using the mobile as an identity token in a BYOD world
The ultimate goal for enterprises may be to use employee-owned mobile devices as the tokens for access to network resources and physical locations. Instead of issuing ID cards or tokens, individual apps could be downloaded or a mobile device manager could securely load credentials or keys to a handset.
Though it might seem like a no-brainer for enterprises to avoid issuing costly tokens and move to the mobile, it’s not that easy, says Chris Taylor, senior product manager at Entrust. The same trust issues that exist when accessing data from a personal mobile device still crop up when using an app for authentication. Policies need to be put in place so employees know what can happen in different situations.
Many early deployments that used the mobile as an authenticator did not go as planned, Taylor says. Several large enterprises have put the brakes on the technology because employees don’t like the app as much as the hard token. “I’ve seen some large companies come back and say they’re pausing, opting instead for a mixture of apps and hard tokens,” he explains.
To date, those going the mobile route tend to rely on one-time password applications as the authentication mechanism, says Goode. These apps work in a couple of ways, generating a password that the user enters or enabling the user to hit a button on the smart phone to send it directly to the server.
But in the future the mobile device will enable additional authentication mechanisms, some that won’t even require action from the user, Goode says. “The GPS on the device, behavioral biometrics and learned individual patterns can be used for authentication,” he adds. “All that information goes into a service provider’s risk engine to get a level of assurance.”
The feds take on BYOID
Some want to use smart cards to create derived credentials that can enable the mobile device to serve as an identification token. The U.S. government is exploring the use of derived credentials on mobile devices for access to networks and encrypted email, says Neville Pattinson, senior vice president for government sales at Gemalto North America. These credentials are created from a separate parent credential, often a smart card, and then stored on the mobile device’s SIM.
Government agencies are testing different implementations. Some pilots have the credentials placed on the device using a trusted service manager, but the U.S. Defense Department is looking at using NFC and the Common Access Card to place the derived credentials on the handset, Pattinson says. In a Department of Defense pilot, employees tap the credential onto the handset to create the derived credential.
The drawback to this model, however, is that all existing Common Access Cards and PIV credentials would have to be re-issued since the enhanced contactless interface isn’t a standard feature on previously issued smart cards. It is, however, being included on future credentials that adhere to the FIPS 201-2 specification.