Mobility and PKI - A Match Made in InfoSec Heaven
Companies are beginning to embrace Public Key Infrastructure - or PKI as it is known in our three-letter-acronym-filled industry - as an alternative to usernames and passwords or two-factor tokens to authenticate users.
The use of digital certificates - another term broadly used to refer to PKI - to authenticate computers is not new to web servers. HTTPS has used them since its inception. However, nowhere has the use of digital certificates to authenticate users been more clearly valuable than in the world of mobile devices.
Of course there are other uses for PKI, including encryption and non-repudiation of messages, but for this discussion, I’m going to focus on using PKI as a method of authenticating users and devices.
PKI on mobile devices is one of those rare examples where an IT department can make its systems more secure while also making them easier to use.
As a quick primer, here is how digital certificates work to authenticate a user.
I like to compare a digital certificate to my driver’s license. It was issued to me by the state of Florida to use as a form of identification. When I travel by air, I present my driver’s license to the TSA agent at the airport, who accepts it as proof of who I am. There is an established “trust” relationship between the TSA and the state of Florida, where the TSA believes that Florida has sufficiently verified my identity and my citizenship in order to issue me the driver’s license. If Florida says that I’m Pat Patterson, then that’s good enough for the TSA.
In the case of PKI, the digital certificate is comparable to my driver’s license. The system that creates and issues the certificate, called a Certificate Authority (CA), takes the role of the state of Florida, and the system that trusts the CA and grants me access to a resource, such as a VPN concentrator or an email server, can be compared to the TSA.
It’s worth noting here that there is an implied authentication going on with the TSA example. The TSA won’t accept a credit card as a form of ID, because just having the card in my possession is not enough evidence to prove that I am the person whose name is on the card. Having possession of the license and having a face that matches the picture on the license is required in order to authenticate my identity. If you’ve heard of the concept of two-factor authentication, the TSA example falls into this category – the factors are “something I have” (the license) and “something I am” (my face).
Mobile device operating systems, like iOS and Android, have been designed to natively leverage digital certificates for authentication. In fact, they frequently use them in the background without knowledge or intervention from the user.
However, many organizations are still using usernames and passwords to authenticate users to the resources they make available on mobile devices. Email, VPN, web servers and Wi-Fi networks can all be easily configured to accept digital certificates for authentication, which would make these systems easier to use, since users would not have to type their passwords into their devices. Making this change could potentially make these systems more secure, since a properly configured and managed PKI solution is effectively a two-factor authentication system.
Many organizations with mobility programs have Mobile Device Management (MDM) solutions in place, and more are considering implementing them. Many of the available MDM solutions have the ability to enroll and deploy digital certificates to the devices they manage.
Some of these solutions include built-in CAs, meaning organizations that don’t already use digital certificates can start using certificates without building a separate CA component. For those organizations that envision using certificates beyond just mobility, however, I would recommend building and deploying a full enterprise-class CA.
Once the MDM and CA are in place, the technical parts of this solution are pretty straightforward. The user enrolls their device in the MDM solution. The MDM solution configures the resource (email, VPN, Wi-Fi, etc.), while also enrolling and deploying the digital certificate that will be used to authenticate to the resource.
When the user tries to access the resource (e.g. opens the email app or enters the coverage range of the Wi-Fi), the device automatically provides the certificate as proof of the user’s identity. The user is granted access to the resource without having to type a password.
While this user experience is not unlike the practice of storing passwords in email clients on mobile devices, there are a few significant advantages of the digital certificate approach.
First, when it is time for users to change their passwords, they will not have to fumble with changing them on their mobile devices, since their passwords are not stored on the mobile device. Second, if a device is lost or stolen, the certificate can be revoked quickly and without any other disruption to the user. By contrast, if passwords are stored on the device, best practice would require users to change all of their passwords if the device is lost or stolen.
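The enroll, authenticate and revoke sequence described above can be reproduced with the OpenSSL command line standing in for the MDM's CA. This is an added example, not part of the original article; the CA name, the device name pat-phone-01 and all file names are made up, and the keys are throwaway.

```bash
# Constructed demo: throwaway CA, one device certificate, then revocation.
demo_revocation() (
  set -e
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"
  mkdir newcerts; : > index.txt; echo 01 > serial
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = root_ext
[ dn ]
[ root_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any_cn
x509_extensions = device_ext
[ any_cn ]
commonName = supplied
[ device_ext ]
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Root CA" -keyout ca.key -out ca.crt 2>/dev/null
  # Enrollment: the device generates its own key and sends only a CSR.
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=pat-phone-01" -keyout dev.key -out dev.csr 2>/dev/null
  openssl ca -batch -config ca.cnf -notext -in dev.csr -out dev.crt 2>/dev/null
  check() {  # what the VPN or mail server does: chain to the CA, consult the CRL
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
    openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl dev.crt >/dev/null 2>&1 \
      && echo accepted || echo rejected
  }
  before=$(check)
  # Device reported lost: revoke its certificate; no password changes needed.
  openssl ca -config ca.cnf -revoke dev.crt 2>/dev/null
  after=$(check)
  echo "$before $after"
)
demo_revocation   # prints: accepted rejected
```

Revocation only takes effect on resources that actually consult the CRL (or OCSP); the same `openssl verify` run without `-crl_check` still accepts the revoked certificate.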
For organizations looking to take advantage of this technology, I always emphasize that the most important piece of implementation is the process, not the technology.
It is possible, through process, to make a PKI implementation a much stronger authentication method than a driver’s license, but it is also possible (and actually really easy) to make one into a weaker method than a credit card.
This starts with the protection of the critical components of the CA, especially the private key for the root certificate. This should be regarded as a top secret item, since anyone with this private key can generate certificates that appear to have come from the CA and will therefore be trusted by the organization’s resources.
This continues with strong requirements for enrollment. When I first moved to Florida, the state of Florida required me to bring my old driver’s license, my passport, my birth certificate, a utility bill and my face (for the picture). Making sure that the device and user are authenticated before enrolling them in the MDM or distributing a digital certificate to them is similarly important. If devices are allowed to enroll certificates without strong proof of their identity, it will be as if Florida gives out driver’s licenses without all those supporting documents. If I can get my license with only $5 and my signature, I doubt the TSA will continue to trust it as a form of ID.
Once the certificates are deployed, solid security requirements placed on the devices are needed in order to protect that certificate and add the second factor of authentication. Commonly, a device unlock PIN is considered that second factor, so having a reasonably strong PIN policy for mobile devices is a must.
Similarly, requiring device encryption and monitoring devices for device compromise (such as “jailbreaking” and/or “rooting”) will ensure that the certificate is being stored safely and not being duplicated or misused. MDMs should be leveraged to enforce these policies across all devices.
Finally, a complete solution requires solid processes for revoking certificates and remotely wiping devices in the event of lost or stolen devices or employee separation. Educating employees on the need to report lost or stolen devices in a timely manner is a definite must.
Mobility is a great place to start with a PKI implementation, but there are many use cases beyond mobility where digital certificates can make an impact. Deploying digital certificates to company laptops can provide authentication benefits to internal applications, VPN, Wi-Fi and so on. Digital certificates can be loaded onto smart cards to support user logins to workstations and administrative logins to servers. Most new technologies that require authentication have some form of support for PKI.
Digital certificates can be a transformative technology. They have the potential to make our systems more secure while improving the user experience and productivity. The technology is mature, supportable and affordable. I encourage any organization with a mobility initiative or an existing mobility program to take a look at adding PKI to their solution. It is an opportunity that should not be missed.