Companies are racing to implement phone-based credentials to increase security and user convenience. In general, that’s a good thing. However, if you’re thinking they’ll finally solve all of your identity security and credential management issues, think again.
It seems like a different lifetime, but it wasn’t that long ago when a phone was, well, just a device used to talk to other humans. Obviously, those days are long gone. In both personal and professional settings, smartphones are now with us all the time, at our beck and call to perform seemingly endless tasks. Identity credentials are just the latest use case.
From an identity security perspective, they’re changing the industry rapidly, becoming the new go-to for verifying identities and providing access to corporate premises, systems and information. There are myriad advantages to using a smartphone as a token, and there are multiple companies that offer capable solutions to utilize your phone in this manner.
You can find plenty of industry experts praising the capabilities and security of using phone-based tokens, and rightly so. But there’s something missing from the conversation — a reality that few are discussing. Phone-based tokens can’t solve all use cases, don’t meet the standards of certain industries and don’t provide the level of security that users with higher privileges require.
That doesn’t mean that you should be ignoring the smartphone credential zeitgeist. In fact, it should be an important aspect of your security strategy. For many companies, however, mobile credentials aren’t an end-all solution for identity security and credential management. According to Gartner’s Market Guide for User Authentication, half of customers still require additional tokens or credentials to meet their identity security needs. There are multiple reasons for this, and it’s important to understand them before implementing a solution for company-wide smartphone authentication.
Phone Compatibility & Privacy Concerns
To start, the implementation of smartphone tokens first requires every employee to have a phone that’s compatible with your solution. It may seem like a given, but not everyone has a smartphone. And some employees may have an outdated phone, or one whose operating system is incompatible. An even more prevalent issue is that many employees may be uncomfortable with using your credential app on their personal phone due to privacy concerns.
You can solve the above by issuing company phones to users, but depending on the size and resources of your organization, that could prove cost-prohibitive to the point of impossibility. You can likely find solutions for the users with incompatible phones or privacy concerns, but you’ll need a clear plan prior to implementation in order to create a smooth transition.
Workstation Login & Network Issues
While phone-based tokens largely provide increased security over physical tokens, there are situations where a user requires access that mobile credentials have yet to provide. Many mobile credential solutions don’t include the ability to log on to your computer, so users still need an additional set of credentials to get workstation access.
Network coverage and offline access are also pain points. Smartphone credentials usually rely on internet access to verify identities. If your connection is spotty, or you simply need to work in a location without internet access, you can end up locked out and unable to perform your duties. With the rapid increase in remote employees likely to continue in 2021, this can pose significant problems and create productivity disruption.
Specific Environments & Users Require Increased Security
There are some industries, departments and locations within corporate environments where smartphones are banned. Working with highly sensitive information or IP may require employees to leave their phones at home or in a locker. Of particular note are the security concerns around smartphone cameras.
There are also certain people within organizations who require heightened security measures. A CISO, for instance, regularly requires an additional token like a YubiKey in order to access a company’s most sensitive information and assets. Whether from a personnel standpoint or an environmental one, if these situations apply to your organization, you’ll need additional credentials or tokens to gain access to areas and systems, even if you implement phone-based tokens for limited access and controls.
Look for Solutions That Complement Mobile Credentials
Gartner’s research indicates that the issues detailed above affect 5 to 15 percent of employees in roughly half of all of their U.S. customers, so they’re relatively common. This isn’t to say that mobile credentials are bad — they increase both security and convenience for a variety of reasons. For most organizations, they’re an effective part of your identity security arsenal.
Rather, the issue is that, like all authentication methods that came before them, they can’t solve all use cases for each individual. For most organizations, multiple credentials and tokens remain the reality. This creates questions that enterprises have to answer. How do you manage your existing credentials while leveraging them to ensure that you remain secure? How can you increase the ability to work anytime, from anywhere, in every use case?
You still need to find additional authentication methods and credential management strategies that fill in the gaps of phone-based credentials. Finding a solution that allows for offline identity verification as well as workstation login will boost productivity and free up employees, particularly as we move towards more geographically dispersed remote employees. Instituting MFA and single sign-on will help eliminate passwords and streamline the authentication process. A platform to manage the various credentials for your workforce will ensure access without adding to the already considerable burdens and costs associated with IT departments and help desks.
The use of mobile credentials is going to continue to rise for the foreseeable future. As that happens, the companies that compete on identity issuance are going to continue to push their capabilities, hopefully furthering convenience and security. But it’s important to remember that even as phone-based credentials take over, they’re still only one part of a healthy, robust security profile that works for all use cases and users, while being easy to implement and manage for current and future needs.