Moving to mobile credentials? Read this first.

Mobile Credentials
<img src="https://images.squarespace-cdn.com/content/v1/5d3a0abcf7bd0a0001f0b5e8/1607116256299-7DQT2LWNWNYUGQDEG6D2/Moving+to+mobile+credentials%3F+Read+this+first" alt="Moving to mobile credentials? Read this first" />

By: Jerome Becquart

Identity security, as it always seems to be, is changing. And like most things in our lives, the next iteration is taking place on our smartphones. Mobile credentials are the new go-to for many enterprises, offering increased security convenience over physical cards, a form of authentication that users rarely misplace or forget, and for many companies, cost savings over other types of identity issuance.

By now, all of the major players in identity issuance offer mobile credential solutions that are capable. If you haven’t made the move to phone-based authentication and are wondering whether you should, the short answer is yes. They’re already secure and effective, and as the app-based smartphone technologies continue to increase in sophistication, they should only get better.

So, will mobile credentials finally be the singular solution to all of your credential needs? Unfortunately, no. Like all forms of credentials before them, they still don’t have the capability to solve every business use case, meet the needs of users with higher privileges, or satisfy certain industries that require higher levels of security. Many enterprises will still need to issue credentials like a Yubikey for key personnel, a smart card for physical access to the workplace, and have a system in place to effectively manage credential issuance and lifecycles.

Benefits & issues with mobile credential adoption

One of the major benefits of mobile credentials is that most employees already own the key technology required to implement them, a smartphone. However, there are a few concerns to consider before you make the switch.

First, everyone within your organization will need a smartphone, and that device will have to be new enough and have a compatible operating system with the app that you select. This may seem like a given, but it’s a good thing to consider before you take the plunge. Users may also have privacy concerns about installing the app on their personal device. We recommend learning about what type (and under what instances) the app will be able to access information on each user’s phone, so that you’re ready to answer questions and address any concerns within your team.

For some companies, there’s a simple workaround for these concerns—the issuance of company smartphones to staff. Of course, that’s an investment that not every company is willing or able to make, which means you’ll need to address the above concerns prior to implementation.

An additional benefit of mobile credentials is their ease of use. While users often forget or misplace items like smart cards—presenting its own series of security issues—most of us are fairly programmed at this point to know where our phone is at all times. Within a corporate environment, where you’re connected to the company network at all times, it’s an effective way to ensure credentials are present and secured.

But an issue that mobile credentials haven’t been able to solve yet is how to connect to systems and assets when internet access isn’t available, or is unstable. Where and how we work is so incredibly dispersed now that this is a major concern. The move to remote employees in 2020 is likely to continue in 2021, even as our world hopefully moves on from Covid-19. If anything, it’s likely to accelerate, just as it was doing prior to 2020. So solving offline access issues so that you can work from anywhere, at any time is paramount.

Most mobile credentials also don’t provide the ability to login to workstations and operating systems like Microsoft Windows. Thankfully, your PKI should be able to solve these issues. If you don’t yet have a PKI-based identity solution, we’d recommend finding one that will seamlessly integrate with your existing infrastructure and mobile credentials.

Mobile credentials don’t work everywhere

There are both environments and users that require security beyond that offered by mobile credentials. According to Gartner, 5% to 15% of employees in 50% of enterprises require something more. Why? Well, for one, there are industries that work with highly sensitive information where the use of phones is prohibited. Even in sectors where the security isn’t quite that stringent, there are often departments or rooms that ban phones from the premises. Both the recording and camera functions in smartphones are security risks in these instances.

If you work in an industry where the above doesn’t apply to you, there are still likely users who require additional identity security. A CISO or CEO, for instance, will have powers and access that most employees should not. For this reason, it’s still necessary for certain leadership roles to have a physical credential in order to view certain company assets and information. So while mobile credentials are an improvement upon previous iterations of identity issuance, they present the same reality as all solutions before them—multiple credentials and users that require higher levels of assurance.

How can Axiad help leverage mobile credentials?

Even with the security and ease-of-use improvements of mobile credentials, managing their issuance and lifecycles can be a burden on your IT team, particularly when you have users with additional credential methods. This can lead to a fractured system where IT needs to access multiple platforms in order to solve access issues.

Axiad’s SMARTidentity consolidates the management of your identity credentials for users, applications, and devices into one platform. By itself, that simplifies management of credentials significantly, saving time and money. But we also have solutions that empower users to resolve access issues related to their credentials. Axiad’s Self-Help Portal allows users to solve access issues without intervention from IT, while maintaining the most rigorous safety standards.

Our solutions also easily integrate with your existing IAM infrastructure to leverage and simplify your identity security and credential management. Whether that’s PKI or Yubikey deployment, we have solutions that are simple and fast to implement so that they won’t interrupt your business operations. We’ve built all of our products with an eye on the future, so whether it’s mobile credentials, or whatever the next iteration of identity security is, our scalable technology will stand ready to keep your organization secured, while simplifying all of your credential management needs.

About the Author

Jerome Becquart, COO, Jerome has over 20 years of experience in identity and access management solutions, including 15 years at ActivIdentity. Jerome’s management experience includes roles in operational management, sales management, professional services, product and solution marketing, engineering, and technical support. After the acquisition of ActivIdentity by HID Global in 2010, Jerome served as general manager of the HID Identity Assurance business unit. He chaired the Global Platform Government Task Force for three years, and served on the board of directors of this Industry organization.