Virtualization: A solution for securing mobile identity?

If someone steals your phone and then logs into your apps, those apps may think they're working with you

If all applications move to a mobile device model, where there's no longer any artificial distinction between the "desktop version" and the "mobile version" of an app, then the way we think about authenticating users has to change. Logging onto an app on one device with something as weak as a password, logging off of that device, and then logging onto the same app on another device with the same password, introduces any number of potential vectors of attack and exploitability.

Yes, I'm injecting my personal bias into this piece. My experience in this area has given me an unavoidable bias against vulnerabilities you can drive a truck through. Passwords of any length whatsoever are far too weak a system with which to string a chain of trust from device to device. Keep in mind that among the most popular smartphone apps are password vaults--systems for enabling multiple, more complex passwords on several apps, secured with… well, with a single password, generally. We're doing a wonderful job shuffling the weakest link in the chain from place to place, but we're doing nothing to fix the chain itself.

I've suggested before that, as virtualization makes it feasible for people to keep their desktops in the cloud, operating systems vendors needing a leg up in the mobile space (e.g., Microsoft, BlackBerry) move their staging areas for applications to cloud-based virtual platforms. There, a much stronger authentication system could be employed, with help from biometric scanners on devices. If the devices themselves get lost or stolen, or conceivably if the connection itself gets hijacked, then the attackers get nothing of value.

In a formal Twitter chat with multiple security professionals conducted by Ping Identity in June, the company's technical director for the CTO's office, Mark Diodati, suggested that engineers find a way to more tightly bind users' identities to their devices. It's the opposite of my approach, and it got the attention of some of Ping's folks.

"When Mark [Diodati] was referring to binding the device identity to the users, or binding the two together, I don't think he was suggesting that, after that initial binding of a user identity to a device, we're then done, and that from that point forward, the device's [native] authentication is all you need to authenticate the user," explains Ping Identity technical architect Paul Madsen, in an interview with FierceEnterpriseCommunications. "I think what we see is a more flexible and adaptable model, where [device-native authentication] may be sufficient for accessing some applications. It all boils down to, we're trying to authenticate the user as they access applications. Everything else is a proxy for that."

In an application-centric universe, with respect to authenticating the user, devices can either help or get out of the way. In the older world, when BlackBerry devices were conduits for BlackBerry applications, the device could manage the entire authentication process. But applications are no longer bound to devices (sorry, Apple), so authentication needs to be independent of both apps and devices. Ping, naturally, would like to lead this business.

So it has to keep an open mind, Madsen tells us, as to how users lead the evolution of mobile apps. That said, Madsen reminded me that there's some trouble with the idea of pulling down the virtualized envelope and apps environment from the cloud, each and every time the user wants to log on. This, too, could pose a problem for maintaining the chain of trust.

"To some extent, I think we're agnostic as to the actual mechanism on that device, as to how you partition that device between enterprise use and employee use," says Ping Identity's Madsen. "I see virtualization as one extreme, or one mechanism to partition. There are other ways to slice-and-dice the device into parts that IT is authoritative over, and parts the user or the employee is authoritative over, [such as] dual persona. To some extent, we don't really care what happens on the device. We see the identity requirements pretty much the same. Whatever you have on the device, and however you partitioned it, through virtualization or encryption, you still need a means to refer to that user. You need some sort of representation of the user that can be presented to the applications, the servers, the endpoints. That's our business: allowing those identity representations and security tokens to be securely provisioned to the device, and then presented to the applications as relevant, as necessary."

Related Stories:
Ping Identity architect: SAML 'might not be the future'
Framing the issue of mobile security: Is the cloud the solution?