Using Two-Factor Authentication for Mobile Security


Hacked passwords expose users to viruses, malware and data breaches on their mobile devices. Tech-savvy hackers have the tools to crack passwords and steal or corrupt corporate and personal data.

What can users do to protect their mobile devices from hackers? Here are five steps that improve mobile security by combining a password with a second form of authentication: two-factor authentication.

Register Mobile Devices

Company-owned mobile devices and company-approved BYODs that are not registered with the company's server are vulnerable to attack. To mitigate the risk, you must register your mobile device with the system administrator, who can then remotely scan it for viruses and malware and take corrective action. If you lose your mobile device, you must contact the admin immediately; all data on the lost device will be purged.

When the registration process is complete, the admin sends you the corporate policy agreements (electronically to your laptop or on paper) for your signature and then activates your mobile device. To protect corporate data on your BYOD, the admin should remotely create a corporate partition and keep your personal data in a separate partition.

Follow Password Policy

Sites that accept weak passwords are highly prone to being hacked. To mitigate this risk, you should follow the password policy and create a strong password at least eight characters long that contains at least one upper-case letter, one lower-case letter, one digit and one special character. If the password you've created is weak, you will not be allowed to proceed. You must keep your password in a safe, secure physical place away from the prying eyes of your "helpful" colleagues and friends. Lastly, you must pair the password with a read-only digital security code token to complete the two-factor authentication process.

You must let the system administrator know when you move to a higher-level job in the same organization, whether through a promotion or a merger of your company with another. Changes in your job role invalidate the account and password you've been using. He will send you a password policy update for your signature before he sets up a new account and issues you a temporary password, which you must change within a prescribed time.

Follow Security Code Token/Password Pairing Policy

A strong password alone does not guarantee that a site will not be hacked. To reduce the chance of a compromise, you should follow the token policy and pair the read-only, one-time digital security code token with the password. You use a company-issued phone number to request the code token from the system administrator. When the code arrives in an encrypted text message, you must use it within the prescribed time (30 minutes) before you can use the password for the first time. If you exceed the prescribed time, the system automatically invalidates the security code and asks you to request another security code token. You are not allowed to share the code with your colleagues and friends.
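The password rules from the previous section and the 30-minute, single-use security code described here, as an added example that is not code from the original article: a policy checker and an in-memory code service with an injectable clock. The six-digit code format, the status strings and the function names are assumptions made for the example.

```python
import hmac
import secrets
import time

MIN_LENGTH = 8               # policy: at least eight characters
CODE_TTL_SECONDS = 30 * 60   # policy: the code is valid for 30 minutes

def password_policy_failures(password: str) -> list:
    """Return the policy rules the password violates (empty list = acceptable)."""
    checks = {
        f"at least {MIN_LENGTH} characters": len(password) >= MIN_LENGTH,
        "an upper-case letter": any(c.isupper() for c in password),
        "a lower-case letter": any(c.islower() for c in password),
        "a digit": any(c.isdigit() for c in password),
        "a special character": any(not c.isalnum() for c in password),
    }
    return [rule for rule, ok in checks.items() if not ok]

class SecurityCodeService:
    """Issues single-use security codes that expire after CODE_TTL_SECONDS (assumed design)."""
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested without waiting
        self._pending = {}       # user -> (code, issued_at)

    def issue(self, user: str) -> str:
        # Six-digit code from a CSPRNG; requesting again replaces the old code.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = (code, self._clock())
        return code

    def redeem(self, user: str, code: str) -> str:
        """Return 'ok', 'no_code', 'expired' or 'mismatch'; a code is consumed on 'ok'."""
        entry = self._pending.get(user)
        if entry is None:
            return "no_code"
        expected, issued_at = entry
        if self._clock() - issued_at > CODE_TTL_SECONDS:
            del self._pending[user]          # invalidated: user must request a new one
            return "expired"
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return "mismatch"                # wrong code is not consumed; retry allowed
        del self._pending[user]              # single use
        return "ok"

def first_login(service: SecurityCodeService, user: str, password: str, code: str) -> str:
    """Both factors must pass: a policy-compliant password paired with a live code."""
    if password_policy_failures(password):
        return "weak_password"
    return service.redeem(user, code)
```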

You must let the system admin know when you transfer to a different department within the organization. Because your job responsibilities change, the system administrator revokes your old account and establishes a new account that reflects your new access privileges. The administrator will send you a policy update for your signature.

Follow Security Code Token/Smart Card Policy (optional)

Some companies have users authenticate with smart cards to boost security. But users who have successfully entered the PIN associated with a smart card to access a company's B2B website can still expose their personal information to hackers: PINs have been hacked or stolen, regardless of which smart card reader you use with your mobile device.

To mitigate hacking risks, follow the security code token policy and obtain a digital security code to pair with your PIN. If you do not use the code within the prescribed time, the system invalidates it. You are responsible for keeping the code and your PIN away from your colleagues and friends.

If you lose your smartcard or get promoted inside the organization, you must contact the system administrator immediately. He will lock the card and send you two policy updates (security code token and password) for your signature before he can issue a new smartcard.

Follow Biometric Data/Fingerprint Policy (optional)

Hackers have exploited vulnerabilities in biometric technologies: they have stolen fingerprints, made replica fingers from them, swiped those on the standard fingerprint sensor used with mobile devices and fooled the system into accepting the legitimate owner's biometric data as their own. To mitigate the risk, you should follow the biometric data policy and obtain a 3-D fingerprint sensor as a company-approved hardware token. This token is more secure than the standard 2-D fingerprint sensor.

The token takes a 3-D image of your fingerprint and authenticates it against the fingerprint templates you've enrolled in the token. Each time your fingerprint is authenticated, the (hidden) biometric credentials it produces are different (a HYPR token, for example). Fast generation of a one-time security code for your biometric credentials prevents hackers from re-using the token.

If you lose your fingerprint sensor token or move to a new job within the organization, you must contact the system administrator to get a new token. He will send you a biometric data policy update for your signature.

Judith M. Myerson is the editor of Enterprise System Integration (second edition). Having more than 15 years of experience covering enterprise technology, she has published articles on cloud, enterprise and mobile security, and network management. She worked as the ADP Security Officer/Manager at a now-closed naval facility.