I recently read an interesting article from Avisian – “Mobile as a Credential” by Zack Martin. The article definitely hit home, as it directly relates to what we have been researching and building at Entrust.
The article comes at an interesting time, as we just launched IdentityGuard 10 & I conducted a joint webcast with Forrester discussing Mobile Authentication / Identity (and Strong Authentication in general).
For the most part, I found myself in agreement with the article as a whole. However, there were a few things that I’d like to call out and discuss…..
The author Zack Martin (Avisian) had an interesting section on “Challenges with the mobile as an ID”. I couldn’t help but notice a few interesting points from the CTO of RSA:
- “RSA has certificate authorities but Curry says nobody has approached them about using digital certificates on the mobile device. “People have talked about putting the pieces together but I don’t know if there’s any commercially-viable offerings out there,” he says.”
- “Digital certificates have a high level of trust and are difficult to hack. But, they are expensive, Curry says.”
Now, let me tackle these one-by-one.
# 1: Based on what we’ve seen with our customer base, and many other organizations – we are seeing demand for Digital certificates on mobile devices (and not just mobile devices, many other kinds of devices – think “Internet of Things” & “M2M”). Many organizations want to enforce, not only WHO is accessing their networks, but WHAT (as in: are you an iOS device, Android, etc.). Digital certificates are a great way to accomplish this. Whether it’s for VPN access, WIFI, etc, many routers/VPNs already accept certificates as a form of authentication. And given the recent breaches; strong authentication along with a layered security approach is the very least we can strive for. Coupled with the flood of mobile devices (personal and/or corporate owned), it won’t get easier! I wonder why nobody has approached them? We’ve certainly been approached (partners, customers and so on). Now to the commercially-viable offering point….well we’re on thatJ.
#2: I couldn’t agree more. Digital Certificates aren’t bullet-proof, but they are a proven standard and widely supported method for strong authentication (not to mention other applications). And if they work well – they’re transparent to the end-user! Now the fact that he mentioned that they are expensive; well that’s an interesting point. As I mentioned earlier, this article comes at an interesting time. We just released IdentityGuard 10; which has the ability to work with PKI and enroll / manage certificates on mobile (and other) devices. This very same platform, can also manage a range of authenticators (such as Mobile OTP soft-Tokens, Smart Cards, Hard Tokens, and so on). To top that off, this platform is known to be much more cost effective than the RSA platform (which is really only OTP’s). I don’t mean to get all Sales-y here, but I think people should know that there are other versatile platforms that are much more cost effective and provide futuristic capabilities (that’s me with my nerd hat on indirectly referring to our smart cards, and upcoming NFC technology solutions). We’ve saved countless customers a lot of $ by switching over to IdentityGuard.
So there you go, I found that I couldn’t hold myself back on commenting; as this topic has been on the top of my mind for a while now (not to mention our customers, and other organizations). And we just had a big product release that falls right into this topic. Overall, Zack (Avisian) did an excellent job covering the topic of mobile as a credential. It’s just too bad he didn’t give me a call :(. Maybe next time!!!
Product Management – Mobile Security & eID’s