Much has been written about the security threats inherent with smartphones, tablets and BYOD in the mobile enterprise. But as access control technology moves to a new type of more secure and extensible architecture, mobile devices will actually play a pivotal role in helping to improve how organizations protect access to both physical and IT resources.
Far from a security liability in today's new access control paradigm, smartphones instead offer an ideal vehicle for carrying portable, secure credentials that are difficult to copy or steal. The devices also make it significantly easier to implement strong authentication throughout the infrastructure as part of a converged solution that protects access to all key physical and IT resources.
With secure credentials carried on smartphones, organizations can now create a single solution for protecting access to everything from doors, to data, to the cloud.
This model is extremely attractive to users. Previous hardware one-time password (OTP) tokens have been inconvenient, while more recent software OTPs have been easier to use but vulnerable to security threats.
Smartphones carrying secure tokens provide a highly trusted alternative that can simply be tapped to a personal tablet or laptop for authenticating to a network or application. In addition to OTPs for authenticating identity, phones can also carry credentials for physical access control.
The result is an easy-to-use strong authentication model that allows users to tap in to facilities, VPNs, wireless networks, corporate intranets and cloud- and web-based applications, as well as SSO clients.
There is no need for a separate card reader, or for the user to carry any additional tokens or devices, and organizations can achieve true strong authentication convergence spanning many different physical and logical access control applications.
Mobile access control has required rethinking how to manage physical and logical access credentials, and to make them portable to smartphones. The mobile access control platform must use a new data model that can represent many forms of identity information on any device that has been enabled to work within a secure boundary and central identity-management ecosystem.
A New Infrastructure
This new infrastructure also uses a secure communications channel for transferring identity information between validated phones, their secure elements (SEs) or equivalent protected containers, and other secure media and devices.
The final piece is a cloud-based, secure identity provisioning model that eliminates the risk of credential copying while making it easier to issue temporary credentials, revoke lost or stolen credentials, monitor and modify security parameters when required, and provide real-time security reports for compliance purposes.
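As an added illustration (not code from the article or any vendor's platform), the sketch below models the provisioning behaviour described above: a central registry that issues a credential bound to one device, makes it temporary with an expiry, revokes it centrally, and verifies the OTP the phone presents. Function names, the registry layout and the device ids are assumptions; the OTP secret is the public RFC 4226 test-vector secret so the example runs offline.

```python
import hashlib
import hmac
import struct

OTP_STEP = 30      # seconds per OTP window (assumed)
OTP_DIGITS = 6


def issue(registry, cred_id, device_id, secret, now, ttl=None):
    """Provision a credential bound to one device; ttl (seconds) makes it temporary."""
    registry[cred_id] = {
        "device": device_id,
        "secret": secret,
        "expires": None if ttl is None else now + ttl,
        "revoked": False,
    }


def revoke(registry, cred_id):
    """Lost or stolen phone: central revocation takes effect at the next check."""
    registry[cred_id]["revoked"] = True


def hotp(secret, counter):
    """RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** OTP_DIGITS)).zfill(OTP_DIGITS)


def phone_code(secret, now):
    """The code the token on the phone presents when tapped to the laptop."""
    return hotp(secret, now // OTP_STEP)


def verify(registry, cred_id, device_id, code, now):
    """Server-side check: device binding, revocation, expiry, then the OTP itself."""
    rec = registry.get(cred_id)
    if rec is None or rec["device"] != device_id:
        return "unknown credential or wrong device"
    if rec["revoked"]:
        return "revoked"
    if rec["expires"] is not None and now >= rec["expires"]:
        return "expired"
    step = now // OTP_STEP
    # Accept the current window and one either side to absorb clock skew.
    for c in (step - 1, step, step + 1):
        if hmac.compare_digest(hotp(rec["secret"], c), str(code).zfill(OTP_DIGITS)):
            return "ok"
    return "bad code"
```

Because every check runs against the central registry, a revocation or expiry issued in the cloud denies the next tap immediately, without touching the phone.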
Being able to store and use access control credentials on mobile phones will offer the opportunity for powerful new authentication models in the mobile enterprise. It will be possible to blend classic two-factor authentication with streamlined access to multiple cloud apps, on a single device that users rarely lose or forget.
User convenience will be improved because the same phone used for logical access control will also be used to open doors, and for many other physical access control applications. With proper planning, organizations can leverage their existing physical access control credential investment to realize these benefits, seamlessly adding logical access control for network log-on.
This will enable them to solve the strong authentication challenge while reducing deployment and operational costs by extending their solutions to protect everything from the cloud and desktop to the door.
The result is a fully interoperable, multi-layered security solution across company networks, systems and facilities.