Introduction and enterprise authentication
Google recently announced a new authentication idea that could eliminate passwords.
The concept, explained in a presentation here, uses your smartphone. You receive a notification on your phone alerting you to a new login. You authenticate by selecting yes or no, then confirm an ID number that appears at the login screen. There are no codes to enter, no passwords to remember, and no cumbersome biometric security steps.
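The approval flow described above, sketched as an added example (not Google's code or anything from the presentation): the server shows a number at the login screen, pushes a prompt to the enrolled phone, and accepts only a fresh, single-use "yes" that carries the same number. The per-device key, the 60-second lifetime, the two-digit number and all names are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

CHALLENGE_TTL = 60  # seconds a login prompt stays valid (assumed policy value)

def phone_response(device_key, cid, approved, number):
    """What the enrolled phone sends back: the user's choice plus a MAC under its device key."""
    msg = f"{cid}|{int(approved)}|{number}".encode()
    return approved, number, hmac.new(device_key, msg, hashlib.sha256).hexdigest()

class PushLoginServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.device_keys = {}  # user -> key held by that user's enrolled phone
        self.pending = {}      # challenge id -> (user, number shown, expiry time)
        self.audit = []        # (user, outcome) trail for the security team

    def enroll(self, user):
        self.device_keys[user] = secrets.token_bytes(32)
        return self.device_keys[user]  # provisioned to the phone once

    def start_login(self, user):
        if user not in self.device_keys:
            raise ValueError("no phone enrolled; use the backup login process")
        cid = secrets.token_urlsafe(16)
        number = f"{secrets.randbelow(100):02d}"  # shown at the login screen
        self.pending[cid] = (user, number, self.clock() + CHALLENGE_TTL)
        return cid, number  # cid travels to the phone inside the notification

    def finish_login(self, cid, approved, number, tag):
        entry = self.pending.pop(cid, None)  # pop makes every prompt single-use
        if entry is None:
            user, outcome = None, "unknown_or_replayed"
        else:
            user, shown, expiry = entry
            expected = phone_response(self.device_keys[user], cid, approved, number)[2]
            if self.clock() > expiry:
                outcome = "expired"
            elif not hmac.compare_digest(expected, tag):
                outcome = "bad_device"       # reply did not come from the enrolled phone
            elif not approved:
                outcome = "denied"           # user tapped "no"
            elif not hmac.compare_digest(shown, number):
                outcome = "number_mismatch"  # approved a prompt for some other login
            else:
                outcome = "granted"
        self.audit.append((user, outcome))
        return outcome
```
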
While the idea was presented as a consumer login process (the slides show a login to Google Chrome and Gmail, not any enterprise services like Google for Work), there’s a potential for using a similar approach for business logins, something that could save countless support desk calls when employees ask for a password reset. And, if effective in terms of corporate security, the system could protect assets and ward off hackers, who would not have access to the smartphone.
Several experts told techradar that the authentication concept makes sense, and in some cases is already available. However, there are some concerns about how it would be implemented in a mixed environment, and whether users might actually balk at the process.
Large companies have used various authentication methods for years, from face recognition to fingerprints and voice identification. What’s appealing about the Google concept is that it makes the process seamless for the user. Many enterprise security techniques can be confounding to end-users, who just want to log in and start working. Once presented with biometrics, they don’t always understand the right steps to gain access or how to use them.
Mike Byrnes, a spokesperson for the security company Entrust Datacard, says the security Google is suggesting is already in use at some companies. There are several advantages, he says. One is ease of use. Employees do not have to remember (or write down) complex passwords or store a token they use for login purposes.
It’s also much more secure than a password, because it uses a two-factor authentication method. Users have to initiate the login, then use a second device to confirm the access. The only downside is that an employee might not always have their phone, so many companies that offer this type of authentication offer a backup login process.
“While solutions can vary in implementation, professional-grade solutions leverage mobile phone biometrics and contextual analysis in the background to streamline the user experience and provide advanced security,” says Byrnes. “There are no real cons to the solution other than your phone needs to be close by and connected to a data network.”
Ben Johnson, Chief Security Strategist at Carbon Black, told us that Google’s concept of using a smartphone for access makes sense for another reason. In the enterprise, employees are already used to the idea of having to use a secondary authentication method, such as a token or a VPN that requires you to type in a code that’s sent by text or email.
Is a smartphone the answer?
While there may be other implementations of a “password free” login, few are as simple and straightforward as the Google approach. Users don’t have to know what’s going on. They receive a notification that looks like a text message. They respond, verify the code, and gain access. In many ways, it’s all about relieving the IT helpdesk and meeting corporate standards for two-factor authentication while not creating a burden for employees.
That said, the one drawback is that employees will rely even more on their phones. Johnson says that could be a problem: as phones become more prevalent as authentication devices, hackers might start targeting them, whether by stealing them or by accessing them remotely. A company would have to require that all employees have their smartphone with them at all times, which is not always the case.
“The question arises of how much auditing could the IT and security teams do around logins and access, so that will have to be incorporated into existing monitoring and security operation processes and systems,” says Johnson. “It continues the overall industry trend toward making your mobile device the most crucial and therefore valuable target for attackers.”
David Rivera, a senior software architect at Lenovo, says fingerprint logins have been available on Lenovo laptops for some time. He suggests that, instead of moving to only one authentication method as Google has described, it’s better to combine multiple methods.
“Combining smartphone ‘what you have’ authentication with other forms of authentication that use ‘who you are’ (a biometric, like fingerprint) and ‘what you know’ (like a secure PIN) would provide the best level of security,” he says. “It’s up to the security and IT administrators in companies to determine which solutions fit best for them and their users.”
As you can guess, there are many options for enterprise security. Few are as streamlined or as easy for the end-user, but a few might match up better with corporate strategies.
For example, Rivera mentions that Intel recently announced that its Authenticate technology now works with the fingerprint readers on Lenovo ThinkPad laptops. Intel includes the technology as part of the Intel Core vPro processor line, and it can detect whether a smartphone is within proximity of the laptop and require additional steps, such as entering a password.
Microsoft recently introduced an authentication system with Windows 10 called Windows Hello. To log in, the camera on a Microsoft Surface Pro tablet can scan your face or iris before allowing access. IT admins can require that the user enter a password.
The problem, of course, is that many large companies have not deployed Windows 10 yet. And, not every laptop offers the same biometric technology, so it’s hard to standardise on one. That’s what makes the Google approach – or something like it – a viable option because it could potentially work with any system, from desktops to laptops to tablets.