User Authentication on Mobile Devices Google Two Factor Authentication OTP (One Time Password)


Page 1: User Authentication on Mobile Devices Google Two Factor Authentication OTP (One Time Password)

User Authentication on Mobile Devices

Google Two Factor Authentication

OTP (One Time Password)

Page 2

What is Two Factor Authentication

Most of us use a single factor (a password), typically 8 characters and easy to remember. Your password can be compromised by:

• Social engineering
• Intrusion in the host
• It's written down somewhere
• Brute force hacking
• Phishing scheme

Two factor provides a second key (password), previously delivered using a "fob" or a smart card. Google has now implemented OTP, a 6 digit second factor, using mobile phones: SMS, voice message, or generated by your phone (Android, BlackBerry or iPhone).

Page 3

What Google Two Factor looks like

Google has a check box to remember your location(s) for 30 days. The 6 digit factor is delivered by either SMS or voice message.

Page 4

Is Google Two Factor right for you

Pros

• Simple to use
• Backup phone if the primary fails, is lost or stolen
• Allows users to roam to different systems/locations
• 10 emergency backup codes
• Automatic setup via QR code
• Support for multiple accounts
• Time and counter based code generation, RFC 4226, 3548 (Seek for Android information, Home)

Cons

• Susceptible to man-in-the-middle and man-in-the-browser attacks
• Sys Admin overhead
• 10 emergency backup codes
• Application-specific passwords are required for applications requiring a separate login
• Can't be presently used with Google SSO enabled
• Root access can overcome the JavaCard security mechanism

Page 5

Two Factor Failures

There haven't been reports of the actual two-factor algorithms or protocol being hacked.

Reports I'm aware of have made use of social engineering and/or password recovery processes.

The question is "will cell phone users implement two-factor authentication?", or is there an alternative?

• Bio-metrics, retina scan, finger print scan, facial recognition, Bio-impedance, etc.

• Why have users failed to adopt any of the security methods? 

Page 6

References

RFC 4226 HOTP: An HMAC-Based One-Time Password Algorithm

Seek for Android information: Secure Element Evaluation Kit for the Android platform

2-Step Authentication for Google Administrators 

An example of the RSA SecurID Fob, model RSA SID700-6-60-60-10

Page 7

App Stores Security

What you download may be compromised!

Page 8

State of the App Market

• Apple and Google control 80% of the App Market
• By the end of 2013 an estimated 50 Billion downloads
• There are over 1 million different Apps

The summary doesn't consider Amazon and Barnes & Noble, corporate sites offering downloads of their own flavor of Apps, developers of all sizes, and App distributors.

We have a chaotic marketplace depending on the participants' "best efforts" to ensure the end user's privacy and security, as well as that of others (companies who employ them, even ones they visit and whose WiFi service they use).

Page 9

What are the areas of concern?

• How trustworthy is the App Store?
• How trustworthy is the Developer?
• Can the user report issues found in the App?
• Who should get the report?
• Does the App use more permissions than needed?
• Does the App make connections to the Internet?
• Does the user need anti-virus, anti-malware, etc.?
• Will this be an issue with BYOD?

Page 10

BYOD

Bring Your Own Device

Page 11

Corporate Attitudes, Issues & Policies

• IT management is presently split regarding BYOD. A bit more than half allow employees to use their own devices. Given the recession, IT budgets have been very tight, so is it an opportunity to avoid spending?

• The operating systems and CPUs are different from those of PCs; does this provide a measure of protection?

• How can employees connect to the company IT services: WiFi, Ethernet (netbooks, pads), and a smart phone as a USB thumb drive?

• Do many companies have any policies regarding acceptable sources of Apps? A black list of Apps? A policy on connecting to the IT infrastructure?