Derived Credentials

The other benefit of smartphones we see very much in use at the moment is a derived group, derived credentials. So this is presented under NIST special publication 800-157 and also under the FIPS standard 201-2. And what we’re talking about here is, instead of the traditional approach to multi-factor authentication, where we use hard tokens these work– these function, but are generally more expensive and generally less flexible. To log into our desktop, for example, we need a smart card reader, perhaps, if we’re using smart cards as our token, and we have to have a pin, and also then our username and password. So this can be less flexible.

And also, we need to make sure any computers that that user is accessing have that smart card reader. So this isn’t a very good mobile solution. Smart card readers don’t typically occur within highly portable devices. And, again, we have the added cost. So the federal government in America recognised that they wanted to support mobile devices, they had to support mobile devices, whether these were corporate or bring your own device. And the use of bring your own device type mobiles depends on your risk profile. But this actually allows us to register a mobile device to become a token in its own right. So this is a pretty smart thing to do.

People have their smart phones with them nearly all the time, and we have a very, very high level of usage of mobile devices. So this doesn’t require a brand new infrastructure; these are typically things we have in place already. And what we’re doing is we’re using the device to store the approved credential on the phone in a secure area. So most mobile devices, Samsung, iOS devices, Apple devices, have hardware security modules that you can store credentials in. So using the credential means that you can store it on the device and access it when you need. The device in turn, we then need to rely on that device being secure.

So if somebody wants to access their banking application, we see this kind of derived credential in use. The banking app is enrolled through various steps, and an access token is left on the device. And then when you try to access the banking app, it may be protected by a PIN number, something easier to log in with. It may be protected by a biometric check. Equally, we see these derived credentials in use for soft tokens. Most big providers, Microsoft, Amazon, Apple, all offer this kind of approach.

So this means if we’re looking to use this, and it is a very popular choice for the reasons we’ve described, device enrollment and device management becomes crucial. Any problems around the device platform can undermine the entire process. So we need to make sure that our Android devices are not rooted, ideally, and the iOS devices are not jailbroken. And if we’re using bring your own device, that we understand the security posture of those devices that we are allowing to be used for derived credentials. And for bring your own device, it doesn’t rule out the use of derived credentials. You will see this frequently used by companies like Microsoft by banks as part of their process.

But it’s an interesting shift in the way we’re working.