Why Relying on Phones for Online Authentication Is a Bad Idea

In 2022, the US Government released memorandum M-22-09 addressing the requirements for achieving zero-trust security. This introduction has sparked a new standard of cybersecurity for organizations that are looking to stay a few steps ahead of cybercriminals. Zero-trust security requires an on-guard approach where “no actor, system, network, or service operating outside or within the security perimeter is trusted” (M-22-09).

Regarding authentication, zero-trust security requires the “continual verification of each user, device, application, and transaction.” So, let’s have a look at passwordless authentication solutions today. Why do they rely on the phone? The phone is neither the user nor the device. So, what’s the point of verifying the phone through multi-factor authentication (MFA)?

Phone-Based Authentication Today

Most of today’s traditional authentication providers rely on the phone for online authentication because, before now, they weren’t required to verify the device — also known as the endpoint. Authentication vendors have been focused on authenticating the user instead. But, the user can’t communicate directly with the authentication server, so a phone is used as the middleman.

It’s possible for the server to talk to the phone via the network, which is out-of-band (OOB). So, for most authentication solutions, the phone represents the user.

For the phone to represent the user, the user must interact directly with the phone. For example, they have to unlock the phone — often using biometrics — and then enter a one-time password (OTP) or accept a push notification to verify to online apps or services.

According to Forbes, “having to pull out your smartphone to scan a fingerprint or your face every time you want to authenticate adds friction to the user experience.”

But, even with this friction, where’s the association between this user verification and the endpoint?

Using the Endpoint Instead

The logical solution is technology the user already has on hand — the endpoint.

Modern endpoints are equipped with a trusted platform module (TPM) that’s capable of performing public key cryptography. Public key cryptography is today’s most secure tool for authenticating to online apps and services and is the basis for industry-leading FIDO2 authentication. It relies on mathematically linked keys to verify that the authentic device is contacting the service provider. Hackers can’t impersonate the user without access to the private key stored securely on the user’s device.

Using the phone OOB is not a phishing-resistant practice and therefore can’t support zero-trust frameworks. Instead, when using the phone for MFA, it should be used locally as an extension of the endpoint via Bluetooth low energy (BLE), a cable, smart card, or USB key. These modes are much more secure than using the phone OOB, which has no direct connection to the endpoint.
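To make concrete what the "mathematically linked keys" above buy you, and why a device-bound key is phishing-resistant where an OOB phone prompt is not, here is an added, simplified challenge-response sketch in the style of FIDO2 (illustrative code written for this article, not WinMagic's or any FIDO implementation). The `Device`, `Server`, `Register`, `Challenge`, `Respond` and `Verify` names are assumptions; a real endpoint would keep the private key inside the TPM rather than in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Device holds the private key. On a real endpoint it would be generated and
// kept inside the TPM; here it lives in memory purely for illustration.
type Device struct{ priv *ecdsa.PrivateKey }
// Server (the relying party) stores only the public half and its own origin.
type Server struct {
	origin string
	pub    *ecdsa.PublicKey
}

func NewDevice() (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: k}, nil
}
// Register: the device hands over its public key; the private key never leaves it.
func (s *Server) Register(d *Device) { s.pub = &d.priv.PublicKey }
// Challenge: a fresh random nonce per login attempt, so a captured response cannot be replayed.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}
// digest binds the challenge to the origin the client is actually connected to.
func digest(origin string, challenge []byte) []byte {
	d := sha256.Sum256(append(append([]byte(origin), 0), challenge...))
	return d[:]
}

// Respond: the device signs challenge+origin. A look-alike site relaying the
// real challenge gets a signature over its own origin, which the genuine server rejects.
func (d *Device) Respond(origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.priv, digest(origin, challenge))
}

// Verify: the server checks the response against its own origin and the registered key.
func (s *Server) Verify(challenge, sig []byte) bool {
	return s.pub != nil && ecdsa.VerifyASN1(s.pub, digest(s.origin, challenge), sig)
}
```

Because the signed data includes the origin, a response relayed through a look-alike site fails verification at the real site, and because the challenge is random per attempt, a captured response cannot be replayed later.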

Continual Verification With the Endpoint

To reinforce already top-of-the-line authentication, the endpoint can also offer the IdP information about the device’s security posture, monitoring the device, user, and even the user’s intent. With this information, the IdP can make intelligent decisions on whether or not to trust the endpoint, which permissions should be granted, and which should be denied.

For example, the endpoint knows when the user has logged into the endpoint. It also knows if the user has opened Outlook on the authentic endpoint.

By contrast, a phone that isn’t even associated with the endpoint can’t provide security posture data. For example, the phone has no idea if the user has logged off the endpoint.

Standards Have Changed and So Should User Authentication

Most of the popular authentication solutions today rely on an OOB phone for MFA. Why wouldn’t they? It’s easy to implement and complies with former security standards.

But, the standards are changing and there’s a more secure way to address user authentication.

WinMagic’s passwordless authentication solution, MagicEndpoint, has already implemented what the industry will be implementing over the next couple of years: you don’t need a phone or a password to log into your online apps and services. Today’s endpoint can completely free users from any and all online authentication work.

This approach is so much more than “not sacrificing the user experience.” It actively removes the need for the user to authenticate to the server — such as with a phone or secondary device — a requirement the industry has wrongly been pushed to adopt. WinMagic knows the most reliable method for authentication is the endpoint you’re using to access online services, rather than any extra devices that can be exploited by hackers to break into your account.

“Endpoint access provides access to everything else.”

With MagicEndpoint, BLE via a phone can be used to securely authenticate the user to the endpoint. Alternatively, users can verify themselves through USB keys, smart cards, or other modes. These technologies help confirm that the user is physically at the endpoint accessing the online apps and services. The endpoint then provides passwordless, no-user-action access to these online services.

Figure: Traditional phone-based authentication vs MagicEndpoint

This setup is much more secure than verifying only the user, which is what most authentication solutions focus on. WinMagic has taken today’s leading ideas in user authentication and improved them to be more secure without sacrificing the user experience.

Learn more about how MagicEndpoint can transform user authentication in your business by getting in touch with our Sales team.
