By Steve French, Global VP of Product Management & Marketing, OpenMarket for Mobile Market Portal
It’s often difficult to remember the world without smartphones. However, before mobile, security consisted of protecting the PC and the user. With the advent of smart devices, the game has totally changed. In fact, if pundits are correct, there will be more mobile phones on the planet than people in 2014. These mobile phones have unleashed users from a static environment, giving them a constant connection with nearly any person or machine in the world from virtually any location. As a result, they’re doing more online: shopping, banking, downloading entertainment, socializing, and working.
Enterprises are implementing mobile engagement strategies as they see a huge potential to optimize their business processes and improve relationships with their customers and employees. However, while “always-on” access can bring many business benefits and offer a valuable convenience for users, for enterprises it creates more security risks and opportunities for data breaches that most organizations are simply unprotected against. For instance, the latest Target and Neiman Marcus breaches compromised the sensitive information of over 70 million customers in December, and both retailers are still trying to uncover how and where the data breaches occurred.
As enterprise technology continues to advance, security needs are becoming more complex and many organizations are unable to protect themselves properly, creating unknown openings that compromise data before an organization can do anything about it. To ensure mobile is not the technology causing major data breaches like the aforementioned example, organizations must implement company-wide security tactics that can be leveraged across all internal and external customer-facing communication use-cases.
Out With The Old: Single-Factor Authentication
The typical validation method employed on the internet today is single-factor authentication, where users supply a username and password. That approach has significant drawbacks, particularly as cybercriminals become more organized and adept. According to Microsoft, the average online consumer has 25 accounts, each of which requires login credentials. On any given day, an enterprise worker may require a half-dozen or more passwords in the normal course of logging on to Windows, remote access, WiFi access and e-mail. To simplify their personal and work lives, online users often resort to creating several complex passwords or, worse, they use the same password across multiple sources. The problem is, once a hacker figures out just one password, he’s got access to several accounts.
To make matters worse, online users often choose the convenience of “Keep Me Logged In” when accessing frequently visited sites. Most don’t realize the inherent risk in doing so. The website stores a “cookie” on the computer. That cookie can be harvested by malware and sent to an attacker, who can use it to impersonate a valid user and steal that user’s online identity. Many sites also enable users to log in using their identities from social media sites like Facebook and LinkedIn. Users assume that this type of access is secure because they’re not supplying a password, when in fact they are simply reusing an existing, static password and creating another opportunity for hackers to breach their personal data.
In With the New: Two-Factor Authentication
Although two-factor authentication (2FA) isn’t really a “new” concept, many enterprises are just beginning to realize the simple yet necessary additional layer of security that 2FA offers. When a business is authenticating a user’s identity, it can utilize three methods:
1. Knowledge: something known only to the user, such as username and password
2. Possession: something only the user possesses, such as a physical card, a mobile phone, or a security token
3. Inherence: a characteristic unique to the user, such as a fingerprint or other biometric trait
Typically, SMS-based 2FA uses the knowledge (username/password) and possession (such as a PIN sent to the user’s mobile phone) aspects. When both of these factors are required for authentication, the security model becomes much more robust, making it more difficult to bypass or hack. Today’s worker has a mobile phone within reach almost every minute of the day, making it an easy channel to leverage for authentication because of its frequent use by employees and customers. Additionally, when compared with other 2FA approaches such as iris scanning, voice recognition and fingerprinting, SMS-2FA avoids unnecessary and expensive complexities while offering a secure way for organizations to protect company information. Today, even strictly regulated financial institutions leverage SMS-2FA for customer-based online transactions. When a customer attempts to access an account, the bank sends a secure SMS (or text message) to the customer with a one-time PIN code that must be used to complete the transaction.
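The one-time PIN step described above, sketched as server-side logic; this is an added example, not code from the article or from OpenMarket. The class name, the 6-digit length, the 5-minute lifetime and the 3-guess limit are assumptions, and SMS delivery itself is left out.

```python
import hashlib
import hmac
import secrets
import time

PIN_DIGITS = 6     # assumed PIN length
PIN_TTL = 300      # assumed lifetime in seconds
MAX_ATTEMPTS = 3   # assumed guess limit per issued PIN


class OneTimePinStore:
    """Hypothetical in-memory store of pending PINs, keyed by transaction id."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._pending = {}

    @staticmethod
    def _digest(salt, txn_id, pin):
        # Bind the PIN to its transaction; only this digest is stored.
        return hmac.new(salt, f"{txn_id}:{pin}".encode(), hashlib.sha256).digest()

    def issue(self, txn_id):
        # CSPRNG, zero-padded so every PIN has the same length.
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[txn_id] = {
            "salt": salt,
            "digest": self._digest(salt, txn_id, pin),
            "expires": self._clock() + PIN_TTL,
            "attempts": 0,
        }
        return pin  # handed to the SMS gateway, never kept in clear

    def verify(self, txn_id, candidate):
        rec = self._pending.get(txn_id)
        if rec is None:
            return "unknown"
        if self._clock() > rec["expires"]:
            del self._pending[txn_id]
            return "expired"
        rec["attempts"] += 1
        expected = self._digest(rec["salt"], txn_id, candidate)
        if hmac.compare_digest(rec["digest"], expected):  # constant-time compare
            del self._pending[txn_id]                     # single use
            return "ok"
        if rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[txn_id]                     # stop online guessing
            return "locked"
        return "wrong"
```

A six-digit PIN has only a million possible values, so the expiry and the guess limit carry as much of the protection as the PIN itself.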
The Benefits of Two-Factor Authentication
Two-factor authentication provides many business benefits, including:
Improved security: By requiring a second form of identification, SMS-2FA decreases the probability that an attacker can impersonate a user and gain access to computers, accounts or other sensitive resources. Even if a fraudster gains access to a password, he won’t have the second element required to authenticate.
Increase productivity and flexibility: Enterprises are embracing mobility as it contributes to higher productivity. With mobile 2FA, employees can securely access corporate applications, data, documents, and back-office systems from virtually any device or location, without putting the corporate network and sensitive information at risk.
Lower helpdesk and security management costs: The average user calls the help desk 1.25 times per month. In an environment that’s experiencing unusual downtime or has had recent upgrades, that number can exceed three calls per month. The industry research group, HDI, estimates at least 35-40 percent of those calls are related to password resets. Furthermore, each of those tickets consumes, on average, 20 minutes of the help desk technician’s time. Two-Factor Authentication can help remedy these time-consuming and costly password-reset calls by providing a safe and secure way for end users to reset their own passwords. The business outcome includes cost savings from fewer calls, increased employee productivity and satisfaction.
Reduce fraud and build secure online relationships: Identity theft, which accounted for 17 percent of all fraud in 2013, is on the rise. Fraud in all its guises has a direct impact on the bottom line. Even worse, it can result in a loss of trust, credibility and brand equity, and destroy a customer relationship. Twenty-nine percent of fraud victims avoid certain retailers as a result of their victimization, even if the merchant wasn’t responsible for the data breach. Two-Factor Authentication provides an additional layer of mobile protection that secures the site, the transaction and customer. Moreover, by creating a secure brand experience, businesses increase their opportunity to create ongoing interactions with customers.
A Holistic Approach to Mobile Engagement Solution
Today’s employees and consumers are accustomed to having the information and resources they need at their fingertips. This level of digital convenience offers huge potential for businesses, while introducing new security risks and vulnerabilities. Two-Factor Authentication provides the stronger user validation that today’s enterprises require, and those failing to leverage it as an integral part of their mobile strategy are leaving themselves open to dire consequences.