https://community.isc2.org/t5/Industry-News/Multi-Factor-for-Mobile-apps/m-p/1295#M141 <P>It is important to remember to use an Application rather than a Text to receive the second factor for authentication.&nbsp; There are too many exploits available for Text-based multi-factor.</P> Fri, 13 Oct 2017 20:50:28 GMT BrianKunick 2017-10-13T20:50:28Z https://community.isc2.org/t5/Industry-News/Multi-Factor-for-Mobile-apps/m-p/1238#M138 <P>It is pretty common to use an app on your mobile phone for 2nd factor (Google Auth, OKTA, Microsoft).</P><P>&nbsp;</P><P>This is OK as long as we access the apps from a workstation.</P><P>&nbsp;</P><P>This changes when&nbsp; more and more apps being accessed from the Mobile Phone so, how are security folks handling this situation</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 12 Oct 2017 16:42:31 GMT https://community.isc2.org/t5/Industry-News/Multi-Factor-for-Mobile-apps/m-p/1238#M138 Martinvj 2017-10-12T16:42:31Z https://community.isc2.org/t5/Industry-News/Multi-Factor-for-Mobile-apps/m-p/1275#M139 <P>You must complete a risk-based analysis based upon the users, risk appetite, the organisation in question and the data secured.</P><P>&nbsp;</P><P>&nbsp;</P><P>This may include considerations such as;</P><P>&nbsp;</P><P>&nbsp;- the classification level of the data</P><P>&nbsp;- results of the organisation's risk assessments</P><P>&nbsp;- any regulatory requirements governing data</P><P>&nbsp;- the security maturity of the organisation</P><P>&nbsp;</P><P>Once this has been completed it's findings should be used to implement an overall policy.</P><P>&nbsp;</P><P>Users handling secure data may be disallowed to use mobile phone's at all. Most capable multi-factor authentication systems allow policies that can restrict the ability to install the application on a mobile phone.</P><P>&nbsp;</P><P>Some organisations have granular control, over their user's devices, with a Mobile Device Management applications. In this scenario, it may be prudent to allow corporate users to use their work's mobile phone for authentication with a phone application.</P><P>&nbsp;</P><P>Others may even allow personal mobile phones; if the data handled is not classified or the risk is low.</P> Fri, 13 Oct 2017 14:37:58 GMT https://community.isc2.org/t5/Industry-News/Multi-Factor-for-Mobile-apps/m-p/1275#M139 sdurbin 2017-10-13T14:37:58Z https://community.isc2.org/t5/Industry-News/Multi-Factor-for-Mobile-apps/m-p/1295#M141 <P>It is important to remember to use an Application rather than a Text to receive the second factor for authentication.&nbsp; There are too many exploits available for Text-based multi-factor.</P> Fri, 13 Oct 2017 20:50:28 GMT https://community.isc2.org/t5/Industry-News/Multi-Factor-for-Mobile-apps/m-p/1295#M141 BrianKunick 2017-10-13T20:50:28Z https://community.isc2.org/t5/Industry-News/Multi-Factor-for-Mobile-apps/m-p/3121#M318 <P>We used MDM to push certs to a phone - that's a what you have. Access to the phone is PIN or fingerprint (what you know or what you are) so it's 2 factor. Application being accessed is cert required. This wasn't an easy path to do this, getting certs to work with some apps isn't easy.</P> Wed, 01 Nov 2017 11:20:07 GMT https://community.isc2.org/t5/Industry-News/Multi-Factor-for-Mobile-apps/m-p/3121#M318 Jay_Scheiner 2017-11-01T11:20:07Z