What We Can Learn from Over-Reliance on Mobile-Based Authentication

Francis Tuffy · Editor

The transition in the ID and secure document industry from physical to digital authentication is just one example in a wider movement across many sectors to strike a balance between convenience and security in identity verification.

And as this excerpt from the UK's Open Access Government about overreliance on mobile-based authentication demonstrates, many of the issues that public sector organisations are grappling with translate directly to our industry’s experience.

Cyberattacks against the public sector are on the rise, with education and healthcare organisations, government agencies and critical national infrastructure all being targeted on a frequent basis.

A lot of the difficulty with maintaining effective cybersecurity throughout the public sector is ensuring that internal login methods are as secure as possible, since many organisations are overly dependent on the use of outdated methods such as passwords, usernames and mobile-based authentication.

While mobile devices offer numerous benefits, including ease of access, convenience and a sense of security, they are also easy to break, lose or steal – and therefore open organisations to numerous cybersecurity risks.

The problem with mobile-based authentication

In addition to being easily lost, damaged or stolen, mobile devices can easily run out of battery – rendering them useless in a situation where one needs to authenticate immediately. They also offer limited use as authentication methods in locations with reduced mobile coverage or security restrictions. In these cases, users who need to authenticate via mobile devices cannot access their digital accounts.

But even in the right environments, mobile devices are not as secure as many would believe. A recent State of Global Enterprise Authentication Survey, from Yubico, demonstrates that 66% of UK respondents think that usernames and passwords, mobile authenticator apps and SMS-based authentication are the most secure ways to log in.

However, from a cybersecurity perspective, passwords and mobile-based authentication methods – including SMS verification, one-time passwords (OTPs) and authentication apps – are susceptible to many common cybersecurity threats. These include phishing scams, man-in-the-middle (MitM) attacks, password spraying and SIM swapping.

Training is key

The survey also highlighted that currently, only 42% of respondents working in the UK are required to attend frequent cybersecurity training. This is concerning as employees are the biggest strength or weakness in an organisation’s cyber defences, but they are not being adequately equipped.

When it came to lapses in cyber hygiene over the past year, 49% of UK respondents used work-issued devices for personal use, 47% admitted to writing down or sharing a password, 33% had allowed someone else to use their work-issued device and 31% had not reported a phishing attempt.

As part of ongoing digital transformation programmes, organisations are increasingly opting for more modern, robust and user-friendly forms of multi-factor authentication (MFA) and two-factor authentication (2FA) that include hardware-based devices or biometric identifiers. Overall, strong MFA authentication solutions remove the reliance on passwords or mobile devices and allow users to seamlessly access their digital accounts by presenting phishing-resistant authentication.

It goes without saying that mobile devices have numerous benefits to users, but they were not specifically designed for secure authentication, so the perception that usernames and passwords, combined with mobile devices, add up to effective and secure authentication is wrong, and if left unchallenged will lead to secure identity problems in the future.
