Multi-Factor Authentication for Mobile Devices

Protecting user accounts does not stop at desktops and personal computers. Consumers have continually shifted to mobile devices as their primary mechanism for connecting to the web. Many enterprises have already adopted, or have begun to adopt, mobile device management solutions to allow their people to connect to enterprise apps through company or personal devices. Your adaptive multi-factor authentication strategy will be at a huge disadvantage if you do not consider the experience for users who are connecting with their mobile devices. Through this series we are going to explore a variety of different concepts on enabling MFA on mobile devices. By the end of this series you should have the tools, and knowledge on how to select a MFA approach, and how to implement it into your own solution.

Why do mobile devices need specific consideration in authentication strategies?

There has been continued growth in adoption of mobile devices in both the consumer and enterprise space. In this section we are going to outline a few different factors on why this is the right time to take advantage of the needs and requirements of users in different spaces, and merge them with functionality built into mobile devices.

Functionality to support MFA built directly into mobile devices

Mobile devices running iOS and Android have built in functionality to support a variety of different MFA use cases.

Face ID, Touch ID, and Android biometrics could allow you to utilize the platform authenticators built directly into your device. These will help you unlock WebAuthn authentication. This piece is also exemplified by the recent announcements from Apple, Google, and Microsoft as they will begin to introduce passkeys (copyable WebAuthn credentials) into their ecosystems.

SDK’s and frameworks could also help you to unlock a variety of other MFA flows. For example CryptoTokenKit could help you unlock smart card functionality on Apple devices. Yubico also has SDK’s for both iOS and Android to allow your applications to talk directly to YubiKeys connected to your mobile device.

Needs in the consumer space

Consumers demand simple and secure experiences on their mobile devices. Common authentication methods such as passwords or SMS/email based OTPs offer little account protection for an often burdensome experience; passwords require you to remember a complex string that should be unique to each site, and OTPs often require users to leave your app in order to open their messages or email. Ideally consumers should begin to move towards phishing-resistant credentials as they often offer more account security with minimal disruptions to their experience. The recent implementation of passkeys in popular ecosystems will push the adoption of phishing-resistant credentials in the consumer market.

Needs in the enterprise space

It’s no secret that account protection is a critical component of protecting companies from cyber threats. Enterprises will need to consider how they provision and validate credentials as they allow people to leverage mobile devices in their ecosystem. It’s worth noting that many companies already have infrastructure in place that could include identity, account, and public key management - this is worth noting as they may want to continue to leverage these components that are already in place.

Some drivers for the adoption of mobile devices in the enterprise space include:

  • Easier access to email and calendars for employees who are on the move

  • Use cases for workers who operate “in the field”, where it’s easier to perform tasks on a small form factor like a phone, rather than a larger laptop

  • Adoption of zero trust architectures, allowing users to access enterprise apps from any of their devices

What are my MFA options for mobile devices?

Now that we’ve covered some of the drivers causing the adoption of mobile devices in the consumer and enterprise space, let’s discuss what options work best for your audience. We will start by giving a brief overview of the three different options, and the situations where they shine best. By the end of this section you should be able to articulate which option is best for your use case.

WebAuthn

WebAuthn is a W3C standard meant to act as a replacement for passwords to remove the threat of phishing based attacks by relying on public-key authentication. WebAuthn is built into many of the most widely used browsers as an API that allows the browser to talk directly to a security device to provide a token to validate a user. Security devices, also referred to as authenticators, are often categorized in two different ways: Security keys (like the YubiKey) or platform authenticators (popular examples include Touch ID, Face ID, Android Biometrics).

These authenticators in themselves act as two-factors of authentication, wrapped in a single form factor. These factors are often a combination of “something you have” which is the authenticator, plus either a “something you know” which could be a PIN on the device, or “something you are” such as a biometric scanner like Touch ID.

It should be noted that WebAuthn is used primarily for web applications, though both iOS and Android include APIs/SDKs that would enable it for use in native applications.

Works best when:

  • Your users want the freedom to choose their own authenticator

  • You want your users to leverage security keys for authentication

  • You want your users to leverage passkeys, Face ID or Android Biometrics for authentication

  • Your users may utilize your app from a web or native application

PIV

The United States Federal Government has been issuing strong cryptographic hardware authentication devices to its civilian employees and contractors for more than 15 years. These devices, called Personal Identity Verification (PIV) cards, combine a strong Public Key Infrastructure (PKI) credential with a robust identity proofing and background check process on a physical smart card. The Standard behind these PIV Cards is Federal Information Processing Standard 201 (FIPS 201) titled Personal Identity Verification of Federal Employees and Contractors. Today, the PIV standard is complemented by additional authenticators (i.e., Derived PIV Credentials) targeted for mobile devices that lack support for smart cards.

Authorization of derived PIV credentials means that these credentials and the associated private key can now be provisioned onto the PIV-compatible secure element of a FIPS Series YubiKey. The private key corresponding to a derived PIV credential can thus be stored in a cryptographic module in an alternate form factor in addition to a government-issued PIV credit card style.

The advantages of using the YubiKey as a smart card are the portability, smaller form factor, and its ability to communicate with iOS devices via Lightning connector and contactless (NFC) interfaces without requiring additional card readers or software.

OATH

If neither WebAuthn or PIV meet your requirements, you could still rely on OATH (time based and counter based one time passwords). YubiKeys in combination with the Yubico Authenticator application could help you to secure your app using OATH. SMS/email based OTP should be avoided as SIM swapping could allow attackers to read the code sent to you over text messaging, and email based OTP is only as secure as the email account they are sent to.

Getting started on implementation

At this stage you have hopefully decided on a path forward, and have selected the MFA option you want to go forward with in your own solution. Below are links to progress you through this series so that you can continue to learn how to implement your MFA option for your mobile solution. Each link will provide you with resources to better understand the protocol that you are leveraging, along with implementation guidance for specific mobile ecosystems (iOS vs Android).