Mobile authentication is nothing new. SiteMinder, a prominent web access management tool, has been able to handle mobile browsers and sessions for at least 7-8 years. Some users complained of WAP and its limitations, but most could access information and log in to web sites with minimal issues.
WAP is gone, replaced by a multitude of devices: tablets, PDAs, smartphones, etc. With the proliferation of the Splinternet, we are witnessing not only a boom of content, but also the need to limit access to sensitive applications and data, not only from the device but also on the device. Authentication, authorization, and data protection challenges multiply as companies embrace PostPC tablets, etc.
What do we see people asking about? From the enterprise security perspective, the biggest challenge seems to be protecting the data on the device, performing a remote wipe on a lost or stolen piece of equipment, and making sure corporate information is separated clearly from any private data. Writing mobile applications or designing mobile-capable and still rich, interactive web pages is no easy task either. Companies also wonder about how to deliver and (de)provision applications quickly and securely.
What do we see companies do? Sandboxing corporate data and mandating the use of remotely wipeable devices is the first step. Storing certificates and using transaction signature mobile authenticators to defend against stolen or compromised text messages with one-time passwords is a logical follow-on.
We expect the Splinternet to embrace mobile virtualization. Running VMware with multiple guest operating systems will be a good candidate for solving this. We are trying to lead the way at Forrester and help companies with data protection and Splinternet access from these devices.
Let us know about your thoughts, trials, and tribulations in this area.
Andras Cser is a Principal Analyst at Forrester Research, serving Security & Risk professionals.