Saturday, May 1, 2010

A two-pronged approach to password security on mobile devices

.FLYINGHEAD MOBILE SECURITY
.TITLE A two-pronged approach to password security on mobile devices
.AUTHOR Morgan Slain
.SUMMARY In this very interesting article, Morgan Slain discusses the issues involved in keeping an organization’s passwords secure.
.OTHER
Everyone today must juggle endless passwords, logins and account numbers. One of the handiest places to store them is on your BlackBerry, iPhone, iPad, or other mobile device. If that device is left unsecured, though, the risk of identity theft is great: you might as well keep all your private information on a 3×5 index card headed "Private Passwords and Logins."

Of course, the risk to companies can be even greater — with dozens if not hundreds of employees all storing personal and business codes on their mobile devices.

How can companies keep this most sensitive information always accessible for their employees, but at the same time totally protected? There are well-known standards for creating and maintaining secure passwords, including specifying length, type of characters, and frequency of password changes. Unfortunately, these standards become a hassle for users. The frustration and inconvenience of remembering multiple passwords can lead employees to compromise prudent standards.

Even if all of your employees adhere to your organization’s password policy, outside identity thieves can still pose security threats to your organization. Identity theft is a serious and widespread problem, one that has grown with the proliferation of mobile devices. After breaking into an employee’s list of passwords, account numbers and logins on a stolen smartphone, identity thieves can access corporate systems at will and are difficult to detect.

A strong password policy can be an effective deterrent, but it cannot completely stop keylogging (using specialized software to record a user’s keystrokes), password hacking, and phishing (creating fraudulent sites that ask for information such as account numbers, passwords, and Social Security numbers).

Costs to an organization from a data security breach can skyrocket: lost business as customers move their accounts to a "safer" provider, and lost productivity among non-IT staff, who must work in a degraded mode while the IT staff contains and repairs the breach.

Then there are the intangible costs of security breaches, which may include your customers’ loss of trust in your organization, failure to win new accounts due to bad press associated with the breach, and your competitor’s access to confidential or proprietary information.

.H1 Parts of the password security solution
A two-pronged approach to password security on mobile devices offers the solution: strong password policies and multiple-factor authentication.

Most companies start to solve their password challenges by adopting and attempting to enforce strict password policies (passwords must be at least six characters long, must never be a common word, must contain a mix of upper-case and lower-case letters, etc.). A password policy is an essential step, but on its own it has a built-in problem: the stronger the policy, the harder it is for employees to keep track of their username/password combinations. This generally leads to employees taking shortcuts that compromise security (reusing passwords, writing them down, storing them unencrypted) and to more help-desk calls and higher costs for the IT department.

Multiple-factor authentication means that at least two different types of credentials must be presented, in the same login, before the user is authenticated. There are three categories of authentication factors: something you have (a hardware or software token), something you know (a password or PIN), and something you are (a fingerprint, retina scan or voice print).

Each factor in the authentication mechanism should come from a different category; two passwords are still one factor. The factors should also be independent: a software token that lives on the same stolen phone as the password list is compromised together with it. By layering independent factors in your authentication process, you make it very difficult for an attacker who has captured a password, whether by keylogging, phishing or theft of a device, to get into your systems with it alone.

Multiple-factor authentication can be an effective addition to security, but it can be cost-prohibitive for many organizations, and even in larger enterprises it is often used only for the most sensitive facilities or systems. And even when multiple-factor authentication is in place, one factor is usually still a password covered by a password policy, which carries the same risks described above.
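The two prongs described above, the password policy and a second, independent factor, can be demonstrated in one small server-side check. The following Python is an added example, not code from the article or from SplashData: it applies the policy rules the article lists (minimum length, mixed case, not a common word), stores the password only as a salted PBKDF2 hash, and requires a time-based one-time code (RFC 6238 TOTP, built on RFC 4226 HOTP) from a separate token as the "something you have" factor. The tiny common-word list, the user's password and the TOTP secret (the RFC 6238 SHA-1 test-vector key) are constructed for the example; a real deployment would check against a large breached-password list and provision a per-user random secret.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import List, Optional, Tuple

# Constructed, deliberately tiny "common words" list for the example.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey"}
MIN_LENGTH = 6  # the article's minimum; longer is advisable today


def check_policy(password: str) -> List[str]:
    """Return the policy rules the password violates (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if password.lower() in COMMON_WORDS:
        problems.append("is a common word")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the server stores (salt, digest), never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed digest against the stored one."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current 30-second step and +/- `window` steps to tolerate clock drift."""
    counter = now // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


# Constructed user record: what the server would hold for one enrolled user.
SALT, DIGEST = hash_password("Tr0ub4dor&3")
TOTP_SECRET = b"12345678901234567890"  # RFC 6238 SHA-1 test-vector secret (assumed here)


def authenticate(password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors are evaluated and both must pass; neither alone is enough."""
    now = int(time.time()) if now is None else now
    knows = verify_password(password, SALT, DIGEST)
    has = verify_totp(TOTP_SECRET, code, now)
    return knows and has


if __name__ == "__main__":
    print("policy violations for 'Password':", check_policy("Password"))
    print("code for the current step:", totp(TOTP_SECRET, int(time.time())))
    print("login with both factors:", authenticate("Tr0ub4dor&3", totp(TOTP_SECRET, int(time.time()))))
```

Note that `authenticate` computes both checks before combining them, so a failed password does not return early and reveal which factor was wrong, and that the one-time code is never derived from the password: it depends only on the token's secret and the clock, which is what makes it a separate factor.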

Despite the risk and costs associated, digitizing and storing critical information in databases is now fundamental to how organizations operate. So sound policies and secure technologies that protect confidential data are essential.

.BIO Morgan Slain is CEO of SplashData, a developer of mobile and desktop productivity applications, including SplashID, the most advanced password management solution for mobile platforms, PCs and Macs. For information on SplashData, visit http://www.splashdata.com.