Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Martinvj
Viewer II
‎10-12-2017 12:42 PM
‎10-12-2017 12:42 PM

Multi Factor for Mobile apps

It is pretty common to use an app on your mobile phone for 2nd factor (Google Auth, OKTA, Microsoft).

 

This is OK as long as we access the apps from a workstation.

 

This changes when  more and more apps being accessed from the Mobile Phone so, how are security folks handling this situation

 

 

 

 

Reply
3 Replies
sdurbin
Newcomer III
‎10-13-2017 10:37 AM
‎10-13-2017 10:37 AM

You must complete a risk-based analysis based upon the users, risk appetite, the organisation in question and the data secured.

 

 

This may include considerations such as;

 

 - the classification level of the data

 - results of the organisation's risk assessments

 - any regulatory requirements governing data

 - the security maturity of the organisation

 

Once this has been completed it's findings should be used to implement an overall policy.

 

Users handling secure data may be disallowed to use mobile phone's at all. Most capable multi-factor authentication systems allow policies that can restrict the ability to install the application on a mobile phone.

 

Some organisations have granular control, over their user's devices, with a Mobile Device Management applications. In this scenario, it may be prudent to allow corporate users to use their work's mobile phone for authentication with a phone application.

 

Others may even allow personal mobile phones; if the data handled is not classified or the risk is low.

Reply
0 Kudos
BrianKunick
Newcomer II
‎10-13-2017 04:50 PM
‎10-13-2017 04:50 PM

It is important to remember to use an Application rather than a Text to receive the second factor for authentication.  There are too many exploits available for Text-based multi-factor.

Reply
0 Kudos
Jay_Scheiner
Newcomer I
‎11-01-2017 07:20 AM
‎11-01-2017 07:20 AM

We used MDM to push certs to a phone - that's a what you have. Access to the phone is PIN or fingerprint (what you know or what you are) so it's 2 factor. Application being accessed is cert required. This wasn't an easy path to do this, getting certs to work with some apps isn't easy.

Reply
0 Kudos