The "bring-your-own-device" (BYOD) phenomenon reached a crescendo on the Internet in early June 2012. A major contributor to the "noise" was no doubt an EDUCAUSE Live webinar that introduced BYOD to a boisterous, record number (388) of eager participants.

As mentioned during the webinar, the first wave of BYOD in higher education is already taking hold at smaller colleges and universities where support staff are limited. It's only a matter of time before mounting economic and social pressures at larger institutions make BYOD the norm. Sure, there are challenges, especially security and privacy issues, but you ignore the inevitability of BYOD at your own peril. Like the Borg, resistance is futile.

Surely the proliferation of mobile devices is driving the BYOD phenomenon. When I received my first cell phone more than a dozen years ago, little did I realize how that meager phone would blossom into a full-fledged "smart" communications device with near 100% penetration. Sheesh, what was I thinking?

So now that we have it, what are we going to do with it? In a word, everything. The particular use case I want to explore here is mobile-based two-factor authentication.

Mobile-Based 2FA

Like many of the exciting technology developments of the day, two-factor authentication is riding on the coattails of the mobile phenomenon. In this case, mobile devices represent a pervasive, ubiquitous platform on which to base that elusive second authentication factor.

The ubiquity of mobile, coupled with the prospect of an independent second factor, is a compelling solution to a long-standing problem (one that begins with "pass" and ends with "word"). Yes, mobile will become the next battleground (the "good guys" against the "bad guys"), but mobile-based 2FA significantly raises the bar. Instead of phishing (which the bad guys will increasingly abandon), we can expect more of what we saw in conjunction with the CloudFlare compromise, that is, sophisticated social engineering attacks on privileged accounts. As always, let the user beware!

Bring Your Own Token

Thus the term "bring-your-own-token" (BYOT) is born. BYOT is a term for "various [authentication] methods (sometimes called 'tokenless') that leverage the devices, applications, and communications channels users already have." In this case, the mobile phone, in particular the "smartphone," is leveraged as a "what you have" token used in conjunction with two-factor authentication (2FA).

Cloud-based, two-factor authentication services (such as the Duo Security solution) significantly increase security with little (if any) decrease in usability. If you currently deploy a “strong password” solution, mobile-based 2FA can actually increase both security and usability at the same time. Since some of these solutions (like Duo) are cloud-based, these benefits are obtained in return for a very modest deployment cost.

Deployment Considerations

A moment's worth of reflection should convince you that any authentication service will have deployment concerns, and a BYOT two-factor authentication deployment is no exception. Of particular concern is what happens in the event of a lost or stolen mobile phone. (By definition, a mobile phone is one that can be lost.) If such a phone does not require a passcode, then all is lost, since an attacker can use the phone to reset the user's password via e-mail (which most phones expose as an "always on" service). Therefore a basic assumption is that mobile phones (which are owned and operated by end users, of course) are passcoded.

Note that this deployment issue is not new. In a password-only environment, a laptop without a screen saver is equally vulnerable. (Oh, you stopped worrying about that a long time ago? Yup, me too.)

Thus the security of mobile-based 2FA is reduced to user behavior on the client mobile device, and I don't have to tell you how difficult that’s going to be. One approach is to design an institutional BYOT program that rewards the user for doing the right thing. The institution reimburses each user a fixed, monthly stipend for the use of their mobile device in the workplace. In return, the user agrees (as a matter of policy) to passcode their phone and take appropriate steps if the phone is lost or stolen. In this way, all parties cooperate in an effort to make it more difficult for the bad guys to get the upper hand.

And so we see that mobile-based 2FA is not altogether free. All parties contribute their fair share to the effort. This will shift the attention of the bad guys away from phishing toward more focused attacks, but surely the value of a stolen password file will fall, and thus it will become more difficult for the bad guys to subvert our systems wholesale.