Offensive Security
cyber4.jpg

Latest Posts

Letting Mobile Users Do What They Want Might be Your Best BYOD Security Strategy

47335477_ml.jpg

I’ve watched the Bring Your Own Device (BYOD) trend from a unique position: enterprises with highly sensitive data have hired my company to test their mobile security by hacking their networks through employees’ personal mobile devices.

Smartphones are susceptible to perhaps the widest range of attacks of any computing device, from sophisticated hackers to muggers. In every mobile pen test we’ve performed, we always gained access to sensitive data and applications—or worse. We’ve even tunneled into clients’ internal networks through no more than an employee’s BYO device. We’ve learned what works, what doesn’t, and what was missing entirely in mobile security.

The Biggest Mobile Security Challenge

The weakest link in all of our clients’ BYOD environments was, without question, user authentication.  Enterprise Mobility depends heavily on a combination of new and old authentication methods, which have proven to be compromised with relative ease by unsophisticated hackers. And, the long-held practice of integrating a 2nd factor for authentication has been almost entirely abandoned in BYOD security programs due to its impact on the user experience.

Authentication is perhaps the most egregious usability offense of modern security. We’re required to stop and enter a password whether we’re in our home or halfway around the world.  We’ve gone to great lengths to make other complex security functions completely transparent to the end user. However, the current technology used to validate user identity is completely disruptive and comically old-fashioned.

In fact, mobile devices are killing the password. Everyone knows a password’s strength is derived from its complexity, so why are there so many bad passwords?

It’s a usability problem.

Our fingers aren’t getting any smaller but our keyboards have been miniaturized and require multiple taps to access any numbers or special characters. As a result, mobile users choose easy to type passwords, knowingly trading security risk for greater usability.

The User as the Key to Mobile Security

Biometrics attempt to balance security and usability by doing away with password entry. However, the familiar aggravation of swiping a finger multiple times only to be asked for a passcode anyway points to a less-than-desirable user experience.

The security merits of biometrics are also up for debate. With consumer grade biometric hardware, close enough counts. It’s easy to fake faces and fingerprints with mundane tools like a photograph or a gummy bear, but putting robust biometric hardware into smartphones just isn’t practical. With current technology, a smartphone with strong biometrics would be the size of a desktop PC with the price tag of a luxury vehicle.

Humans, however, have always used sensory data to great effect when making trust decisions. Facial expressions, tone of voice, and movement, along with context play a major role in establishing trust. We rely on these things because we’re able to correlate them to other trusted experiences and it’s difficult to precisely fake one or two of them let alone all of them.

If mobile devices can collect similar sensory data, couldn’t they be taught to make similar trust decisions? The average person uses their smartphone almost one hundred times a day, completing most transactions in only a few seconds. They carry their devices with them at all times through the normal courses of their daily lives. Each user is unique in his or her use of their phone, providing data about the way they walk, hold their phones, where they go, what’s around and when they perform certain activities.

A user’s phone can essentially learn about who they are — and using sensory data to decisively and transparently establish a trusted baseline can help an app decide if the current operator is in fact the authorized user and if it is, if it’s safe to execute in the current environment.

The aggregate of these environmental and behavioral data points create entropy so large that a hacker would have to conduct vigilant and continuous surveillance to have even a tiny chance at faking your unique behavior. As for an electronic attack like brute force—it would be patently absurd.

This is the science of multi-factor behavioral authentication, which we identified in our efforts to hack clients as a powerful option for secure mobile authentication.  Not only is it secure, but its true value is that it moves complexity from the user to the authentication engine.

Yes, a complex password can be almost impossible to break, but with increasing complexity comes decreased usability. With multi-factor behavioral authentication there is no such correlation, because:

1.     We don’t have to worry about users undermining the strength of behavioral biometrics because they’re not being asked to do anything they wouldn’t already be doingNo passwords, no tokens, no finger swipes, no retinal scans. No disruptions.

2.     Multi-factor behavioral authentication doesn’t balance security and usability; it removes the conflict entirely. Embracing mobility means leaving the password behind and pursuing a future where security isn’t the enemy of a great user experience but an integral part of it.

Isn’t it ironic that the future of secure authentication lies in allowing users to engage in normal behaviors with their personal mobile devices?

Jason Miller