What comes after Software & Message based Multi-Factor-Authentication (MFA)?

Multi-Factor Authentication (MFA) is becoming increasingly important as a defence against phishing attacks and account takeovers.

Various new MFA technologies (biometric, messaging, etc.) offer additional possibilities alongside the already established MFA technologies (OTP, hardware tokens, smart cards, etc.). While new “software-based” MFA offerings appear to be flexible and easy to deploy, the downside is that most of them store confidential credentials and private keys on mobile devices and ultimately rely on the security of the device itself. Messaging-based MFA has already turned out not to be safe; the most recent prominent victim has been Reddit. Neither MFA concept, software or messaging, may be a long-term, reliable strategy for fast-changing mobile devices and BYOD strategies at corporations and governmental organizations.

Google has publicly confirmed that within its corporate environment of 89,000 people, only a separate, company-controlled hardware token has provided 100% protection against phishing and account takeovers.

Do not reinvent the wheel

Separate the private keys from the (mobile) device. To do so, there is no need to reinvent the wheel: just “upgrade” industry-standard hardware tokens, such as smart cards, to be more user friendly, easier to use and less disruptive for the mobile end user, while providing additional benefits for the user, for example automatic log-out when the user walks away from the device. The globally proven technology of smart cards delivers uniquely strong protection, has been certified almost everywhere and provides the “best you can buy” protection for any organization. Now, let’s make them user friendly.

This low-risk approach of combining a proven, certified technology with user friendliness keeps the already existing 100% protection potential, stays independent of unpredictable device security and will boost BYOD strategies.

Users do not want to continuously enter complex credentials, take photos of QR codes or faces, or request online approvals from servers or other devices. They want to work while “something” in the background, with minimum workflow impact, takes care of security.

Many professional organizations rely on digital certificates for authentication, encryption and signing. Storing individual organizational certificates and their private keys on consumer-oriented devices that change every year puts the organization’s endpoint security into the hands of the mobile device manufacturer. Combined with BYOD strategies, the organization also relies on the end user’s discipline in not loading malware onto the device. This does not sound like full control for the organization.

Organizations require full and sole control

Each professional organization should, or rather must, have full and sole control over its own and its employees’ private keys, and must effectively control access to its own valuable data. Effective data protection and authentication is legally required by GDPR and by many industry-specific regulations, such as PSD2 (Payment Services Directive 2) in banking. Auditors ask for it, and they will keep asking whether access control and authentication have been implemented effectively and provide state-of-the-art protection.

Storing the private keys of corporate individuals on fast-changing devices, or using message-based MFA, regardless of whether the devices are under organizational control or BYOD, has often not been proven to be state of the art; unfortunately, many still do it. Sometimes convenience beats security, mostly until the next data breach or account takeover.

Do not make compromises

Confidential private keys shall be stored within certified, safe and protected hardware under the organization’s full control, in order to provide 100% protection potential for the organization.

Full control by the organization, seamless app integration, minimum user workflow impact and protection in the background can be achieved by combining long-proven smart cards with Bluetooth technology, which is supported by almost any mobile device (smartphone, tablet, laptop) and most desktops.

Wireless secure MFA freedom for multiple devices

A smart, secure and wireless card reader provides easy multi-device authentication using your smart card on a smartphone, tablet or laptop. It works for all of them virtually at the same time, offline, online and anywhere. And if the user walks away, the reader auto-locks the device. This results in improved user convenience and increased organizational security at the same time.

Wireless smart card readers, such as the AirID from certgate, are used today within global corporations, e.g. the Volkswagen Group and the Raiffeisen banking group, and by government authorities, e.g. German federal ministries and the parliament. The wireless Bluetooth connection is “double-encrypted” to protect classified governmental information. The reader has been approved by the German Federal Office for Information Security when used with a predefined set of apps.

Another example is the ONEKEY ID, a compact wireless smart card shaped like a car key. A good use case is MFA for a cloud-based, secure global communication platform, the cgPhone Online system. It is available to the public; give it a try.

Never store private keys on mobile devices

Bottom line: regardless of whether you are developing, purchasing or just using mobile apps and devices, including laptops, never store individual corporate credentials on the mobile device. The private keys of corporate individuals must stay private, protected by certified hardware and under full corporate control only. Please remember, software alone cannot protect software.

Yours, Jan C. Wendenburg
