Imagine having your users empty their pockets at a big security checkpoint as they enter your building. What kinds of devices would you find? Tons of tablets, scads of smartphones, the rare Google Glass, and probably one guy who still has a pager. Make a stack of all of these and it's most likely taller than your building.
This BYOD trend is obviously a security risk, but it is also an identity management opportunity. Mobile devices have become an integral part of a user's identity: users are very rarely separated from their phones, so the device itself can help you identify them.
The best and most immediate use is two-factor authentication (TFA). Software-based tokens cost nothing: the OATH-standard server ships with EmpowerID, and the client apps (such as Google Authenticator) are free. Two-factor authentication has many uses and can offset the risk you take on simply by allowing these devices onto the network. We recommend three main uses:
- Two-factor authentication on ALL password resets. If a user is resetting a password, require TFA to ensure they are who they say they are; a reset flow that accepts a single factor is a takeover path for anyone who has phished or guessed that factor.
- Step-up authentication. When a user attempts to access a highly sensitive resource (a folder of 10-Q financial documents, the SharePoint site holding Coca-Cola's secret recipe, etc.), step up their session to require a second factor before the access is granted.
- Role-based authentication. If a user is elevating into a highly privileged role, make them prove who they are at that moment, not just at initial login. Often the users with the most privilege have the most clout in the organization and are held to the least security (CxOs, domain admins, etc.). That is bad security, because those are exactly the accounts an attacker most wants.
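As an added example that is not part of the original post and is not EmpowerID's own code, here is what an OATH software token actually is on the server side: RFC 4226 HOTP and RFC 6238 TOTP, the algorithm Google Authenticator implements, written with only the Python standard library. The shared secret, timestamps and expected codes below are the RFC test vectors (constructed input); the `verify_totp` function shows the two checks a practitioner should never skip, a bounded clock-drift window and refusal to accept a code from a time step that has already been used.

```python
"""OATH software-token generation and verification (RFC 4226 HOTP / RFC 6238 TOTP).

Added example, not EmpowerID code. The secret used in __main__ is the RFC test secret.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)   # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step (30 s by default)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_accepted_counter: int = -1, window: int = 1,
                step: int = 30, digits: int = 6) -> Optional[int]:
    """Server-side check. Returns the matched time-step counter, or None on failure.

    - Tolerates `window` steps of clock drift either side of the server clock.
    - Rejects any counter <= last_accepted_counter, so a code that was sniffed or
      phished cannot be replayed inside the window. The caller must store the
      returned counter per user and pass it back on the next verification.
    - Compares in constant time so response timing leaks nothing about the code.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_accepted_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def new_secret(length: int = 20) -> bytes:
    """Fresh random shared secret for enrolment (20 bytes = SHA-1 output size)."""
    return secrets.token_bytes(length)


def base32_secret(secret: bytes) -> str:
    """Unpadded base32, the form the otpauth enrolment URI carries."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def decode_base32_secret(text: str) -> bytes:
    """Reverse of base32_secret; tolerates spaces, lowercase and missing padding."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI, i.e. the payload of the QR code the user scans at enrolment."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={base32_secret(secret)}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"          # RFC 4226 / 6238 test secret (constructed input)
    print("code at T=59:", totp(rfc_secret, 59))  # RFC 6238 vector: 287082 (last 6 digits of 94287082)
    now = int(time.time())
    code = totp(rfc_secret, now)
    print("live code:", code, "->", verify_totp(rfc_secret, code, now))
    print(provisioning_uri(new_secret(), "alice@example.com", "Example Corp"))
```

The `window` argument is the trade-off to watch: every extra step you tolerate widens the interval in which a stolen code stays valid, so keep it at one step and fix clock skew on the server instead. The replay check is what stops the attacker who shoulder-surfs a code and submits it seconds after the legitimate user.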
On top of TFA, use your identity management platform for device registration. If a user is authenticating and accessing resources from a mobile device, know who that user is and which device they are using. Link the device to the user, and have the tools to audit how and when that user accesses company resources, so an unregistered device or an unusual access pattern stands out.
And finally, provide a self-service portal that users can reach from their mobile device. EmpowerID has an HTML5 interface that runs natively on all devices, letting users authenticate, reset their passwords, access SharePoint, request access to resources and perform every other identity action.
These devices are not going away; take advantage of them in your identity management plans. We can demo how EmpowerID makes that stack of phones work to your advantage. Contact us today to see how!