User convenience versus system security

Mobile Workshop A few months ago, a Reg Reader study told us that sorting out the user authentication and identity management challenge was pretty high on the list of IT priorities, especially for larger organisations.

From this study, we learned that two thirds of enterprises were suffering from a proliferation of sign-on mechanisms, with users having to juggle multiple logins across different applications and connectivity options. In order to deal with the fallout from this – password reset overhead on help desks, exposure from users writing passwords down on Post-its, etc – one in five had already invested significantly in the single sign-on (SSO) approach, with a further third following them down this route.

Of course SSO quickly leads to a requirement for more advanced authentication as people realise that a single username and password combination falling into the wrong hands could lead to not only one system being compromised, but every system the user who owns the login has access to. Not surprisingly, we picked up a lot of interest in alternative and multi-factor authentication approaches (see Figure below).

So, the general trend is towards stronger, smarter and more consistent authentication, which will not only lead to greater security, but potentially, with SSO, to a higher degree of user convenience.

But is there a potential fly in the ointment?

In the same study, we learned that over 80 per cent of organisations allow access to systems from company provided mobile devices (laptops, PDAs, smart phones, etc), with over 40 per cent permitting access from personally owned mobile devices. And what is it that users like about this? It’s the convenience and flexibility of being able to access applications and data directly while they are out and about. And time and time again, we hear from research that this is good for the business – better productivity, improved decision making, and so on – so as the price of wireless data enabled mobile devices and related services comes down, and wireless access increasingly becomes a native feature of back-end servers (e.g. Microsoft Exchange), then usage is surely destined to escalate.

This brings mobile security into sharp focus, with lots of discussion across the industry about secure connectivity, data encryption and other technology solutions. But the one thing that potentially stands in the way of effective mobile security is the same thing that makes mobile devices so attractive in the first place– the convenience factor.

Ask the average BlackBerry or Windows Mobile user about the benefits of such devices, and they will typically cite immediate fuss-free access to their email and/or other frequently accessed applications. Against this background, even simple password protection on the device is regarded by many as being intrusive, so the temptation is just to leave the device open which, let’s face it, many (most?) devices are. We then end up with the ludicrous situation of a BlackBerry with Triple DES end-to-end encryption back to the server that any third party can just pick up and use to access potentially sensitive corporate information. Sure you can wipe or disable a lost or stolen device with an over-the-air instruction from an administrator, but not all systems support this and in any event, there is potential for abuse until the point the user realises and reports the loss.

Coming back to where we started, we then have the consideration that in other scenarios, security specialists are already questioning whether simple usernames and passwords are really adequate for the future. But being realistic, are users really going to tolerate multi-factor authentication for handhelds using tokens, smart cards or whatever?

One possible answer to this problem is biometrics, and over the past few years, lots of devices have been launched with fingerprint readers. These could potentially provide device security in a more convenient manner, but so far, they don’t seem to have caught on in a big way. Perhaps the problem hasn’t been widespread or prominent enough for people to care enough to date, but with such a high emphasis on advanced authentication in other areas, an obvious disjoint is emerging when we consider mobile security in the broader context.

There doesn’t seem to be a magic bullet to solve this mobile device security challenge at the moment, but we’re sure many of you out there must have considered this and related issues, and might even have some practical experiences or useful advice that may be of benefit to others. If so, we’d be really interested in your feedback below.®