Identity management on mobile devices: How do we do it?
I have been taking a lot of calls on mobile identity issues and solutions over the last three months, and I am just as confused now as when I started looking into this subject. And I think the vendors I have spoken with are reaching, in their assessments of the right course of action and where the market is heading. If you want to implement identity on a mobile device, what do you do?
- Option 1, Crawl: Use the mobile browser and collect user names and passwords in a web form, just like we do on the desktop. But mobile browsers kinda suck. People don’t want to use them, and they suffer many of the same security problems we have had for a decade (see the OWASP Top 10).
- Option 2, Toddle: Augment with OAuth tokens. Is OAuth 2.0 even a finished standard yet? And since OAuth 2.0 dropped the per-request signing of OAuth 1.0a in favor of bearer tokens that ride on TLS alone, what about encryption, digital signatures, and bi-directional verification of trust between the app and the service?
- Option 3, Walk: Adopt the ‘App’ model, and build an IAM app that handles all the complicated identity stuff on the user’s behalf. How does that app hand identity to the other apps on the device? How do we deal with personal and corporate personas? And how do we know the user is who they are supposed to be, and not a random person who found the phone? Possession of the device, by itself, proves nothing about who is holding it.
- Option 4, Run: Use special features of the mobile platform, such as the microphone for speaker (voice) recognition or the camera for facial recognition. Will that work when I am on the subway or in Starbucks? Does Joe User want that – enough to pay for it – or will they see such things as privacy violations?
These are the options I am hearing about. And none of them seem to be fully thought out. And once we get past Toddle, who’s the buyer?
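To make the Toddle worry concrete, here is an added example (my code, not Securosis’s, Gunnar’s, or any vendor’s): a resource server that accepts a plain OAuth 2.0 bearer token sits beside one that requires every request to be HMAC-signed with a per-device key, a nonce and a timestamp. A request captured from the first can be replayed forever; a request captured from the second can be neither replayed nor altered. The token string, device key, header names, request paths and bodies are all constructed for the illustration.

```python
"""Why a bare OAuth 2.0 bearer token is a weak identity on a mobile device.

Added example for this post, not code from Securosis or any vendor.
Side A accepts a bearer token exactly the way an OAuth 2.0 resource
server does: whoever presents the string gets in. Side B binds each
request to a per-device secret with an HMAC over the method, path,
body hash, timestamp and nonce, so a captured request cannot be reused
or altered. All token values, keys, header names and requests are
constructed for the illustration.
"""
import hashlib
import hmac
import secrets
import time

# ---- Side A: OAuth 2.0 bearer token -----------------------------------
# Constructed: the token the authorization server handed to the app.
VALID_BEARER_TOKENS = {"tok_4f2a9c1d"}


def check_bearer(auth_header):
    """RFC 6750 style: possession of the string is the only proof."""
    scheme, _, token = auth_header.partition(" ")
    return scheme == "Bearer" and token in VALID_BEARER_TOKENS


# ---- Side B: per-device key, signed requests --------------------------
# Constructed: a secret provisioned into the app. In practice it belongs
# in the platform keystore or a SIM/secure element, gated by a PIN.
DEVICE_KEYS = {"device-01": b"constructed-device-secret-do-not-reuse"}
MAX_SKEW_SECONDS = 300


def canonical_string(method, path, body, ts, nonce):
    """Everything the signature covers; changing any field breaks it."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method, path, body_hash, str(ts), nonce]).encode()


def sign_request(device_id, method, path, body, ts=None, nonce=None):
    """Client side: produce the authentication headers for one request."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    mac = hmac.new(DEVICE_KEYS[device_id],
                   canonical_string(method, path, body, ts, nonce),
                   hashlib.sha256).hexdigest()
    return {"X-Device-Id": device_id, "X-Timestamp": str(ts),
            "X-Nonce": nonce, "X-Signature": mac}


class SignedRequestVerifier:
    """Server side: check key, freshness, signature, then replay."""

    def __init__(self, now=None):
        self._seen = set()          # (device_id, nonce) pairs already accepted
        self._now = now or (lambda: int(time.time()))

    def verify(self, method, path, body, headers):
        device_id = headers.get("X-Device-Id")
        key = DEVICE_KEYS.get(device_id)
        if key is None:
            return False, "unknown device"
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(self._now() - ts) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        nonce = headers.get("X-Nonce", "")
        expected = hmac.new(key, canonical_string(method, path, body, ts, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        # Only record the nonce once the signature checks out, so an
        # attacker cannot burn nonces on the device's behalf.
        if (device_id, nonce) in self._seen:
            return False, "replay"
        self._seen.add((device_id, nonce))
        return True, "ok"


def demo():
    """Replay and tamper with a captured request against both sides."""
    results = {}
    captured = "Bearer tok_4f2a9c1d"    # constructed: lifted from a proxy log
    results["bearer_first"] = check_bearer(captured)
    results["bearer_replay"] = check_bearer(captured)   # still accepted

    verifier = SignedRequestVerifier()
    body = b'{"amount": 10}'
    headers = sign_request("device-01", "POST", "/v1/transfer", body)
    results["signed_first"] = verifier.verify("POST", "/v1/transfer", body, headers)
    results["signed_replay"] = verifier.verify("POST", "/v1/transfer", body, headers)
    results["signed_tamper"] = verifier.verify("POST", "/v1/transfer",
                                               b'{"amount": 9999}', headers)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} {outcome}")
```

Two caveats the example does not solve. The signing key only proves which device sent the request, not who is holding it, which is exactly the lost-phone problem from Option 3; gating the key behind a PIN or the platform keystore is what turns device possession into something closer to user identity. And the server still proves itself to the app only through TLS server authentication, so the “bi-directional” half of the trust question rests on the app checking (ideally pinning) the server certificate.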
Seeking wisdom, I scaled the mountain to discuss the topic with Securosis’s IAM guru, Gunnar Peterson. What I got was:
“Mobile Identity? Ooohhh – it’s early days and it’s an unholy mess”.
Yes, that pretty much summed it up. Gunnar agreed that this is the current progression, and that identity definitely gets ‘stronger’ with each step outlined, but it also gets much more complicated.
Do you think I am over-reacting? Did I miss anything that concerns you? This is a topic we will dive into over the coming weeks, so I would like to hear from the community.
5 Replies to “Mobile Identity—WTF?”
Adrian, when you talk mobile identity, are you talking about using the mobile as a form of MFA, using it to ID yourself to a site, or using it to ID yourself to apps that are on the phone? Each of these requires a slightly different perspective on what you do and how you do it.
@Ruz – Two-factor auth: I’ve heard of a couple of possible solutions, including SMS to mimic what key fobs do, but not yet in production. Obviously voice prints and facial recognition are other such options, and a virtual smart card (i.e. an EMV app) would be another. I’d not heard about the photo verification option with Square, but I’ve got friends who use it as their primary payment option, so I’ll check it out. Thanks!
@Oliver – Good point on the SIM card. I have not seen that, nor have I been briefed by a vendor who does it, but I’ve asked vendors like IronKey whether this was a roadmap item and never got an answer.
@Andre G – Things like the UUID, geolocation, and other data scraped from the device would provide an additional level of confidence. I’d love to see/hear more about your research at some point in the future. I’ve got a steep learning curve on this one, and it seems like there is a lot of untapped potential on the mobile device, but we are falling back to what we know.
-Adrian
Static identifiers of any kind are bad for identity. One should be able to publish his or her credit report online without any way for someone to track it back to that individual.
In other words, k-anonymity is better than usernames, real names, UUIDs, MEIDs/IMEIs/phone-numbers, cookies, OAuth tokens, zip codes, payment card “numbers”, and social security numbers. We’ve done the research. Now we just need any development team in the world to implement it and make it popular.
I see many apps just doing their standard username/password schema and storing it (hopefully) in an appropriate way.
I have seen a development over here where a mobile provider has enhanced their SIM card with cryptographic functionality to improve authentication on the mobile. The system works really nicely and is useful. You can use the functionality for personal or company use, as you integrate this IAM service in your app/application. It is protected by a PIN and works on most current smartphones. It is affordable but not cheap, so not something for a mass-market offering, but certainly a valid alternative for company use.
I am curious where you would fit 2-factor authentication into this. Something like the key fobs that show passcodes… Are they even being combined with mobile security?
Second, another variation on 2-factor authentication is things like what Square does in their mobile app for accepting credit cards: show a picture of the person and ask for confirmation that this is the person making the purchase. Interesting idea – much like asking for ID when accepting credit cards. Is that considered part of Option 2 or 3?