Multi-Factor Authentication and Mobile Devices

Smart Security Makes Life Easier for Users…and Harder for Hackers

By George Brostoff, CEO, SensibleVision

Security is as much about deterrence as prevention. From the highest-clearance government servers to the halls of the Louvre, no security system is impenetrable to a sufficiently clever (and motivated) criminal.

The key to proper security is not to make a system uncrackable, but to make it so time-consuming and inconvenient to crack that the perpetrator will simply reassess and look elsewhere.

After all, a burglar alarm won’t actually stop a criminal from invading your home, but knowing that one is installed (or even a decoy sticker on the front door) may cause a robber to skip your house in favor of one without the risk of the police getting a call.

And if you also have a guard dog or security camera, each additional layer of protection makes the invasion that much more of a hassle and gives robbers yet another reason to look elsewhere.

In the world of cybersecurity, this approach is called multi-factor authentication, and it relies on one of the basic principles of a good defense: making systems more challenging and thus less desirable to attack.

Why We Need to Change
Passwords and physical and virtual tokens provide multi-factor security, but traditional multi-factor security can be frustrating for authentication on mobile devices. Several issues are forcing security experts to seek new ways to protect users:

  1. Mobile is in: Most people work on their personal devices at home and on the road more than at a desktop in an (often secure) office. This makes more secure authentication more critical than ever…
  2. Users prefer simplicity: The more security steps users have to take, the more onerous they will find the process and the more likely they are to skip one or more steps – or opt out of the process entirely. And unlike desktops, users access mobile devices far more frequently each day, virtually mandating a simple, secure solution.
  3. Traditional authentication solutions are geared for desktops and laptops: Asking the user to carry another token for their mobile device is just not practical. And as noted above, a phone can be its own second factor.

Out from Behind the Firewall and into the World

Remember when workplace cybersecurity was as easy as keeping everyone behind the same firewall and enforcing strict access control methods and policies? Of course, breaches happened, but at least IT departments could maintain their control of most data.

Today, we live and work in an age of BYOD (bring your own device) where even employees who spend most of their workday at the office still perform plenty of tasks on their personal mobile devices.

On one hand, this makes employees more flexible and available to work from anywhere (a good thing). On the other hand, instead of having to break through a firewall, all a hacker needs to do is hack a PIN, password, or perhaps even a fingerprint on a single device. That old cliche about a chain being only as strong as its weakest link starts to feel painfully true when a company loses millions because one employee shared a password.

Better Unsafe than Inconvenienced?

If you’re a security professional, you might be thinking, “Who doesn’t even put a password on his phone?” The truth is, many people would rather risk a security breach than perform even one security step, let alone several, because they are so intrusive.

While most of us are happy to type in a single password to access a device or service, each additional step raises users’ frustration until they simply opt out, either by leaving the system entirely or ignoring basic security protocols.

For example, many companies require that all files be kept on a central server, but Google Docs is so easy to use that many documents are stored there even if that’s prohibited by company policy. It’s the classic tradeoff between ease of use and data protection.

In a customer-service setting, this might mean that a potential customer becomes discouraged and takes his or her business elsewhere. In a workplace, it may mean that an employee forgoes simple security steps in the name of easy access, such as when workers don’t log out of their computers whenever they walk away from them or skip security procedures like authenticator codes or password recovery questions.

Facial Recognition Takes the Pressure Off

Some security solutions like firewalls are great because they require no effort from end-users. But with mobile taking people outside the protection of a firewall, businesses require a new solution for security factors that don’t require onerous extra steps.

So what’s the solution to this seemingly intractable problem? To find the answer, we need to look no further than the most common criticism of modern tech users: “Your face is always stuck in a phone!” Whether for work or play, we use our devices by looking right at them, and that means that passive facial recognition can become an invisible, painless step in simultaneous multi-factor authentication.

The user simply takes a selfie using a security app, and then whenever they turn to look at their device, the app performs a scan to make sure the right person is in control. The user just does exactly what they would have done anyway, plus one additional security step like a password, PIN, or fingerprint, and you’ve enacted multi-factor authentication without requiring multiple active steps to frustrate the device owner.

Of course, this means the facial recognition software has to be smart enough to see through a photograph, but such innovations are already available on the market.

It’s Not About Outrunning the Bear

You’ve probably heard the old joke about two friends being chased by a bear: “I don’t have to outrun the bear. I just have to outrun you!” A similar principle applies in cybersecurity. If a hacker has his choice of which system to try and breach, he’s likely to pick the easiest target.

Simultaneous multi-factor authentication is a powerful deterrent because it means the hacker will have to do more work to get in and out unscathed, and a hacker who sees such a system in place may well decide to seek out softer prey.

And if the barrier to enacting multi-factor authentication is that each successive factor requiring active participation from the user is more likely to be ignored, at least one factor should require no participation from the user at all beyond doing what they were already going to do: looking at their device.

The key to strong security is not an impenetrable system, because impenetrable systems don’t exist. Strong security should be easy on you and hard on the hackers. With smart facial recognition technology, at least one easy step for customers and employees becomes a serious hurdle for criminals.

About the Author
George Brostoff is the founder and CEO of SensibleVision, a technology firm specializing in Simultaneous Multi-Factor Authentication headquartered in Cape Coral, Florida. He has founded three successful tech companies, holds seven patents, and grew up working in a family business. George can be reached at [email protected], on Twitter at @SensibleVision, and at

August 31, 2019
