Overview of Mobile Device User Authentication
The most fundamental requirement for allowing secure mobile devices into the enterprise is to have a solution in place that authenticates the users of those devices. The following methods are commonly used to authenticate mobile device users:
Authenticate using username and password.
Authenticate using a certificate deployed to the mobile device.
Authenticate using one-time passwords or security tokens.
One-time passwords expire after a single use, so an attacker who captures a password cannot use it again after it has been used once. Such passwords are usually delivered by tokens, either hardware dongles from vendors like RSA or software applications that issue a unique password every time.
Authenticate using smart cards.
Many enterprises implement two-factor or multifactor authentication systems, in which multiple authentication methods are applied one after the other to enforce strong authentication. For example, a user may be prompted to authenticate using her username and password, and then prompted again to authenticate using her one-time password and PIN.
Ideally, you want to use the same authentication infrastructure for mobile devices that you already use for regular Windows, Mac, or Linux systems. For example, if you've already deployed RSA SecurID two-factor authentication for desktop and laptop systems, enforce the same level of security on mobile devices as well. This saves time, money, and hassle.
If you need to enforce certificate authentication on mobile devices, look for management solutions that can deploy certificates to devices at scale. Start with the management systems you already have in place for deploying certificates to Windows PCs, for example: several existing management solutions have recently added mobile features to manage certificate deployments on all types of devices.