For Security & Risk Professionals
Mobile Application Authentication Trends And Best Practices The Right Authentication Method Can Make Or Break A Great Digital Experience by Andras Cser and Michael Facemire March 2, 2017
Why Read This Report

Authenticating users in native mobile applications is a key challenge for today’s security and risk (S&R) professionals. They must ensure that the user experience is seamless and that the app protects user data adequately. In this report, we look at various mobile application authentication methods, frameworks, and tools to provide S&R professionals with best practices for implementation.

Key Takeaways

Mobile-First Development Must Focus On DX
The digital experience (DX) for customers on mobile devices is going to make or break your company’s digital transformation and content customization strategy. As customers increasingly transact from mobile devices, S&R pros must make the DX of the authentication experience seamless.

Device Fingerprints And Biometrics Will Play A Major Role In Mobile App Authentication
With computing power increasing, password strength is decreasing. To address this issue, organizations will use device fingerprints, which a software development kit bundled with the application will generate, and user biometrics, such as fingerprint and facial recognition, to augment and ultimately replace passwords for mobile application authentication.
Mobile Application Authentication Trends And Best Practices The Right Authentication Method Can Make Or Break A Great Digital Experience by Andras Cser and Michael Facemire with Stephanie Balaouras, Salvatore Schiano, and Peggy Dostie March 2, 2017
Table Of Contents
2 Mobile App Authentication Underpins Great Digital Experiences
  S&R Pros Must Support Native Mobile App Authentication
  Well-Designed Mobile App Authentication Provides Additional Benefits
4 Match The Right Mobile Authentication Method To Your Requirements
7 How To Code Apps For Reliable Authentication
Recommendations
8 Standardize And Integrate Push Notification
9 Supplemental Material

Related Research Documents
Forrester’s Customer IAM Security Maturity Assessment Model
How To Get Away With Murder: Authentication Technologies That Will Help You Kill Passwords
Transform And Protect Your Customers’ Mobile Moments With Seamless Authentication
Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA +1 617-613-6000 | Fax: +1 617-613-5000 | forrester.com © 2017 Forrester Research, Inc. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Unauthorized copying or distributing is a violation of copyright law.
[email protected] or +1 866-367-7378
Mobile App Authentication Underpins Great Digital Experiences

Mobile apps are proliferating — as are breaches from mobile devices. 2016 worldwide mobile application revenue was $88.3 billion, with about $9.2 billion in paid application downloads.1 Forrester estimates that global eCommerce revenues will reach $2.38 trillion by 2020.2 The focus on mobile app authentication will increase for S&R pros because:

›› Apps can only customize DX if they authenticate the user. Your digital delivery will suffer if you don’t have good mobile authentication. Presenting a personalized user experience hinges on authentication because you can only provide a customized mobile application experience to a fully authenticated user. However, because business stakeholders favor great experience (e.g., simple passwords, users not having to type on minuscule mobile device keyboards) over great security, security will suffer if these teams are at odds.

›› Transaction protection requires authentication. Companies of all shapes and sizes are taking steps to provide the entire range of their services online (including registrations and transactions). Mobile applications must, therefore, provide the necessary security and protection for customers to perform these transactions and to eliminate concerns about account takeovers or theft of customers’ money, identity, etc.

›› Account takeovers replace card-present fraud. With the US moving to EMV-chip-based and signature-based authentication for card-present transactions, skimming and duplicating payment cards has become much harder. This has caused fraudsters to move their nefarious activities to card-not-present (CNP) transactions and takeovers of online accounts for banking, eCommerce, etc. Account takeovers jumped by 280% between Q2 2014 and Q2 2015.3

›› Fraudsters reverse-engineer apps. Anyone can look at and, in most cases, reverse-engineer your mobile application’s binary file. And reverse-engineering reveals not only important security holes and intellectual property but also the inner workings of your company. Bad application coding can also reveal customers’ passwords, credit card numbers, and other credentials to hackers. Application stores (e.g., Apple App Store and Google Play) even contain applications that seem legitimate but are really just smokescreens to syphon off valuable customer information.

›› Compliance issues often degrade DX. When an app fails a security audit days before it ships, the development team will often degrade the overall (and often initial) experience to meet the shipping deadline. In this scenario, experience and security teams both lose. “One doesn’t win out over the other — any more than in any other design decision — in an Agile development process,” said Peter Hesse, chief security officer (CSO) of 10Pearls.

S&R Pros Must Support Native Mobile App Authentication

Most of the growth in eCommerce and online banking adoption is on mobile devices. And adoption of mobile applications mandates that S&R pros implement robust authentication for native mobile applications. Forrester defines native mobile application authentication as:
A user providing his or her credentials for authentication in a native mobile application, which usually runs on Android, iOS, or Windows Phone operating systems. Credentials can be a combination of the following factors: 1) user name and password; 2) PIN; 3) one-time password; 4) biometrics (e.g., fingerprint, voice, and facial recognition); and 5) behavioral biometrics (e.g., how users interact with the screen, how they type in the application, and other sensor data). After the user provides credentials, the application can either work offline or online, after authenticating with back-end servers (see Figure 1).
FIGURE 1 The Typical Authentication Flow In Mobile Application Architecture
(Diagram: the user presents a user name and password, a certificate, or biometrics to the mobile application, which authenticates either against an online server or against a local cache.)
Well-Designed Mobile App Authentication Provides Additional Benefits The experience of the user when logging into a mobile application will make or break the user experience. Application authentication plays a critical role in user experience, as it’s the first thing the user encounters after downloading the application. One-off solutions can also be costlier and less secure than a repeatable mobile application authentication framework. S&R pros who design and implement repeatable mobile app authentication will:
›› Lower mobile app-dev costs and app-dev securing costs, while maintaining security. If you develop your own mobile apps, you will face having to develop and integrate security sooner or later. You need to allow your developers to work — without forcing them to be security experts. Lowering the cost of securing your app will help you do this.

›› Understand that repeatable security is better security. Security should not be a checkbox item or one-off task. Providing a framework or checklist forces consistency. Perform penetration testing once for all apps. Then log and audit all access in one place.

›› Deliver more business value instead of getting bogged down in security. If developers (e.g., independent software vendors and in-house developers) don’t reinvent the wheel with every app, they can focus on delivering business value.
Match The Right Mobile Authentication Method To Your Requirements

Authentication gives you the keys to the kingdom. Native mobile application authentication can use any combination of various methods. The ones that you implement will depend on: 1) your budget and internal developer skill sets; 2) the value and sensitivity level of transactions that you need to protect; and 3) the impact on customer experience (see Figure 2).

›› A user name with password authentication is simple but weak. While user name- and password-based authentication is the most ubiquitous and relatively easy to implement, it poses several problems. Passwords are easy to intercept and crack, both online and on a malware-infested device. Hackers may use previously hacked passwords from another breach against other targets, including mobile devices. Typical use cases for user name- and password-based authentication are low-value, low-risk transactions or read-only access. A mobile application can cache a password. However, if it does, it should ensure that a screen lock protects the device.

›› Certificates are invisible but largely useful for only app and device authentication. Mobile applications use PKI X.509 client certificates to authenticate the application and device with the back-end service (e.g., online banking server). The online banking server usually issues self-signed certificates to the user’s device/app and binds the certificate to the device or application so that the certificate cannot be moved to another device. Certificates are the ideal solution for cases like embedded services (e.g., digital wallets) in which, for example, the digital wallet and the cards in it are jointly signed by the digital wallet operator and card issuers. If the user loses or deactivates the device, the online back-end server adds the certificate on the lost device to its certificate revocation list (CRL).

›› Biometrics can replace passwords — especially in combination. Biometric authentication (e.g., fingerprint, voice, and facial recognition) allows users to authenticate a mobile application with or without a password. Matching the authentication biometric sample with the enrollment sample can happen either on the device or on the server. Biometrics are usually easy to use, but they are not deterministic (i.e., they have a nonzero false accept and false reject rate) and need to be tuned. Server-side matching also raises privacy concerns: Users don’t want their unencrypted and entire biometric samples (e.g., entire image of a fingerprint or headshot) stored in the cloud. FIDO’s UAF provides a standard and strategy for repeatable second-factor and biometric authentication integration.4

›› Mobile app developers need to integrate risk-based authentication SDKs into apps. Risk-based authentication (RBA) and device fingerprint/reputation vendors provide software development kits (SDKs) for iOS, Android, and other mobile platforms. These SDKs collect device fingerprinting data and other telemetry for behavioral biometrics.5 Using the SDK, the RBA vendor’s server (typically a software-as-a-service [SaaS] offering) checks the user’s login attempts on the device, determines if the login is low risk (e.g., usual geolocation from a known good device), and allows the user to log in with simple credentials (e.g., user name and password). If it’s a high-risk attempt (e.g., from a new location on a bad device that was already involved in fraud), it may prompt two-factor authentication with biometrics or one-time passwords.

›› Behavioral biometrics provide continuous authentication. The problems with password-based one-time authentication are the following: 1) Once hackers get your password, they can completely impersonate you and act on your behalf, and 2) the authentication is a one-time yes-or-no event. But behavioral biometrics study how the user interacts with the touchscreen and (physical or virtual) keyboard on a device to determine whether the user who is interacting with the device is the right user. If prolonged and profound differences in behavior occur, behavioral biometrics simply terminate the session (i.e., log the user out). The technology is invisible to the user to the point that S&R pros have to educate users about it. Behavioral biometrics also require a burn-in period to build the profiles of legitimate users by monitoring their interactions.6

›› One-time password authentication presents user challenges and is insecure. Using a software token to generate a one-time password (OTP) or sending the OTP to the device and having the user input that OTP works well on desktops, because in these cases, the password is sent through a different channel from that on which the user actually logs in. On a mobile device, this mechanism (unless you use an external hardware device, which is cumbersome) is insecure because the password gets delivered to the same endpoint on which the app runs and the authentication occurs.
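The risk-based step-up flow described above, as an added example that is not code from the report or from any RBA vendor: a known good device at the usual location proceeds with simple credentials, while an unknown device, an implausible jump in location, or a device already tied to fraud forces a second factor. The device ids, coordinates, weights and threshold are constructed for the example.

```python
"""Risk-based step-up decision for a mobile login (added example).
Low-risk attempts get simple credentials; high-risk ones are sent to a
second factor. Device ids, coordinates, weights and thresholds are constructed."""
import math
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed reputation feed: device fingerprints the RBA service has
# already associated with confirmed fraud.
FRAUD_DEVICES: Set[str] = {"dev-fraud-9f2a"}

STEP_UP_THRESHOLD = 30                       # at or above this score, demand a second factor
SECOND_FACTORS = ("biometric", "push_otp")   # push preferred over SMS (see Recommendations)


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    lat: float
    lon: float
    ts: float  # seconds since epoch


@dataclass
class UserProfile:
    known_devices: Set[str] = field(default_factory=set)
    last_lat: Optional[float] = None
    last_lon: Optional[float] = None
    last_ts: Optional[float] = None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance, used to spot implausible travel between logins."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def risk_score(attempt: LoginAttempt, profile: UserProfile) -> Tuple[int, List[str]]:
    """Additive score over the telemetry an RBA SDK would report for the attempt."""
    score, reasons = 0, []
    if attempt.device_id in FRAUD_DEVICES:
        score += 80
        reasons.append("device previously involved in fraud")
    if attempt.device_id not in profile.known_devices:
        score += 30
        reasons.append("device not enrolled for this user")
    if profile.last_ts is not None:
        dist = haversine_km(profile.last_lat, profile.last_lon, attempt.lat, attempt.lon)
        hours = max((attempt.ts - profile.last_ts) / 3600.0, 1e-6)
        if dist > 500:
            score += 20
            reasons.append(f"{dist:.0f} km from the last login")
        if dist / hours > 900:  # faster than a commercial flight
            score += 40
            reasons.append("implausible travel speed since the last login")
    return score, reasons


def decide(attempt: LoginAttempt, profile: UserProfile) -> Tuple[str, List[str]]:
    """'password' lets the user in with simple credentials; 'step_up' means the
    app must present one of SECOND_FACTORS before a session is granted."""
    score, reasons = risk_score(attempt, profile)
    if score >= STEP_UP_THRESHOLD:
        return "step_up", reasons
    return "password", reasons


def record_success(attempt: LoginAttempt, profile: UserProfile) -> None:
    """After a successful login (including a passed step-up), enroll the device
    and move the location baseline so the next attempt is judged against it."""
    profile.known_devices.add(attempt.device_id)
    profile.last_lat, profile.last_lon, profile.last_ts = attempt.lat, attempt.lon, attempt.ts
```

The reasons list is what the app should surface to the user when a step-up is demanded; as the text notes, RBA is unpredictable from the customer's point of view unless it is explained.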
FIGURE 2 Mobile Application Authentication Methods

Authentication method | Pros | Cons | Typical use cases | Sample vendors
User name with password | Simple and ubiquitous, with local caching of passwords | Easy to crack and obtain user passwords | Low-value, low-risk, and typically nonmonetary transactions | CA Technologies, IBM, in-house productions, Oracle, and RSA
Client PKI X.509 certificate | Invisible after installation and hard to copy, requiring a key management solution | Difficult to import certification, with a need to maintain a revocation list | Device enrollment and device authentication with back-end server | Entrust, Symantec, and self-signed certificates
Fingerprint biometrics | Supported by FIDO and easy to use | Sensitive to dirt or water on sensor or finger | Temporary password replacement, eCommerce and banking app login, and client-side matching | Apple, BIO-key, Digent, KeyLemon, and Samsung
Voice biometrics | A changeable biometrics modality, working with VoIP | Potential disruptions with background noise and enrollment | Call centers, high-risk transactions, and server-side matching | Agnitio (Nuance), SpeechPro, ValidSoft, VoiceVault, and VoiceTrust
Facial recognition | Difficult to spoof, with enhanced live detection | Backlighting can cause false negatives | High-value, high-risk transactions, combined with other modalities | Lambda Labs, Luxand, and Rekognition
Risk-based authentication and device fingerprint/reputation | Seamless and implicit, providing great CX with the ability to predict good devices, not just bad | Unpredictable; customer needs explanation; possibility of false rejects | Mobile app enrollment and fraud prevention | CA Technologies, Gemalto, IBM, iovation, Oracle, ThreatMetrix, and RSA
Continuous behavioral biometric authentication | Implicit, providing a great CX without being a one-time decision | Customer needs explanation; possibility of false rejection | Online banking, navigational pattern analysis | Allure Security, BehavioSec, BioCatch, IBM, NuData, and RSA
One-time passwords | Simple to implement | Limited security on mobile device, impact to customer experience, possibility of SMS phishing and inbox takeover | Initial authentication | Duo Security, Twilio/Authy, and RSA
How To Code Apps For Reliable Authentication

“That was a great login experience,” said no one — ever. Great customer experience is at the core of mobile success; this mantra drives developers every day. It makes sense that many development tools can construct and track experience metrics. But if an app renders corporate data insecure, the greatest experience in the world won’t save those development jobs, and there is a dearth of tooling for automating mobile security. A fragmented matrix of mobile experiences drives this lack of tooling: Mobile websites, mobile apps, chat experiences, and mobile platform experiences (e.g., Apple Siri, Google Assistant, Microsoft Cortana) are just the start. Then consider all the ways to build these experiences, and you understand why vendor tooling is so sparse. Instead, leading development shops secure mobile experiences and deliver a great customer experience by:

›› Creating user stories for securing data, not logging in. “My identity at the mobile device must be a separate identity at the back-end system.” User stories like this define both a client-side security model and a back-end security transformation step, which is required to access any data. “Nobody else can log in as me” is a more valuable statement than “users must log in.” Defining user stories in this way, before development starts, ensures that developers don’t obviate security for baseline login functionality.

›› Not forcing a login for nonsecure or lightly secure experiences. A one-time user name and password login, at the beginning of the first session that a user ever initiates, should be good forever. This assumes that a regular pattern of logins exists and that the user doesn’t explicitly log out (e.g., clear the cache), uninstall/reinstall the app, or change phones. Do this by creating a locally cached credential that has an expiration of 45 to 90 days, and refresh that expiration each time that a user opens the app. And parts of the app that need no security at all, like a bank-branch finder, must not live behind the initial login screen, which is lazy engineering.

›› Using a second layer of security for safer experiences. Require a second layer of security, like a four-digit app-specific PIN, when a user is executing a transaction or dealing with sensitive data. This PIN serves as the seed to encrypt and decrypt an area of local storage that contains the sensitive data or necessary details to complete the transaction.

›› Leveraging certificate pinning to bind an app to an API. Path, a social networking app that went viral in 2011, learned the hard way that simply communicating over SSL does not guarantee data security.7 Certificate (or SSL) pinning ensures that users are accessing the correct (and uncompromised) version of an app and that third parties cannot access the API (including man-in-the-middle attacks). While this requires more network development overhead than not using it, the consequences of not using it are also much worse.8
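The cached-credential and PIN-layer practices above, as an added example that is not code from the report: the back end issues an HMAC-tagged credential bound to a device identifier and slides its expiration on every app open, and the app derives the key for its sensitive storage area from the PIN. The token format, the device binding, the server key, the device-held secret and the PBKDF2 parameters are this example's own assumptions.

```python
"""Locally cached credential with a sliding expiration plus a PIN-gated
second layer (added example; token format and KDF parameters are assumptions)."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set

CACHE_TTL = 60 * 24 * 3600      # 60 days, inside the 45-90 day band the text suggests
PIN_KDF_ITERATIONS = 200_000    # stretches the 10,000-value PIN space; tune per device class


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cached_credential(server_key: bytes, user: str, device_id: str, now: int) -> str:
    """Issued by the back end after the one-time user name/password login.
    The tag covers the device id, so the token is useless on another phone or
    after a reinstall that generates a fresh id."""
    body = {"user": user, "dev": device_id, "exp": now + CACHE_TTL}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(server_key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_and_refresh(server_key: bytes, token: str, device_id: str, now: int,
                       logged_out: Set[str]) -> Optional[str]:
    """Run on every app open. Returns a re-issued token with the expiration slid
    forward, or None when the credential is forged, expired, presented from a
    different device, or the user has explicitly logged out."""
    try:
        p, t = token.split(".")
        payload, tag = _unb64(p), _unb64(t)
        body = json.loads(payload)
    except (ValueError, binascii.Error):
        return None
    if not isinstance(body, dict):
        return None
    expected = hmac.new(server_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    if body.get("dev") != device_id or body.get("exp", 0) <= now or body.get("user") in logged_out:
        return None
    return issue_cached_credential(server_key, body["user"], device_id, now)


def enroll_pin(pin: str, device_secret: bytes) -> Dict[str, bytes]:
    """Second layer: derive the key that seals the sensitive local area from the
    PIN. A four-digit PIN alone is guessable offline, so it is mixed with a random
    device-held secret (assumed to sit in the platform keystore) and stretched with
    PBKDF2. Only a verifier, never the key, is stored."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", pin.encode() + device_secret, salt, PIN_KDF_ITERATIONS, 32)
    return {"salt": salt, "verifier": hashlib.sha256(b"pin-verifier" + key).digest()}


def unlock_storage_key(pin: str, device_secret: bytes, record: Dict[str, bytes]) -> Optional[bytes]:
    """Re-derive the key from the entered PIN and release it only if the verifier
    matches. Pair this with an attempt counter that wipes the area after a small
    number of failures."""
    key = hashlib.pbkdf2_hmac("sha256", pin.encode() + device_secret, record["salt"],
                              PIN_KDF_ITERATIONS, 32)
    probe = hashlib.sha256(b"pin-verifier" + key).digest()
    return key if hmac.compare_digest(probe, record["verifier"]) else None
```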
Recommendations
Standardize And Integrate Push Notification

Developers don’t always have standardized tools for instrumenting apps with world-class authentication, so development organizations will need to establish their own standards. This includes the strategy around the parts of the app to secure, along with the technology to implement it. S&R pros: If you want to be successful, employ a combination of the following best practices.

›› Define and standardize core solutions for mobile app authentication. While there are quite a few open source OAuth and OpenID Connect implementation libraries out there, supporting these may be costly in the long term (you get married to your developers who understand your app authentication code). Using commercial tools like the aforementioned is usually a lower-cost solution in the long term: You get support, and it’s easier to hire developers with product-specific knowledge.

›› Fit mobile apps into your single-sign-on framework. Even if the application is the first in a larger family of apps that you are planning to roll out, make sure that the application can support single sign-on with other web and mobile applications. This greatly reduces user and customer frustration (users don’t have to authenticate each time they switch apps).

›› Keep an eye on updated guidelines. Because of malware taking over mobile phones’ SMS inboxes, the National Institute of Standards and Technology has guidelines that state: “OOB using the PSTN (SMS or voice) is deprecated and may no longer be allowed in future releases of this guidance.”9 It recommends native push notifications instead. While SMS text messages may be your only choice in some less-mature geographies, internet-based push notifications are much more secure.

›› Leverage existing investment in mobile development platforms. Many of the mobile development platforms like Kinvey, Kony, and Oracle Mobile Cloud Service include tools for integrating client-side security with back-end service-side security. These security tools are often overlooked parts of the platform, but they are a great place to start when building a set of standards for securing both mobile app and web experiences.

›› Keep the internet of things in mind as the next stage for app authentication. Apps and websites dominate mobile experiences today, but that will not be the case for long — the next phases of mobile are coming and will include platform experiences, chat, and connected devices. Developers will build this future by composing smaller, more granular parts into a larger holistic experience. They’ll then secure these paradigms by embedding security into experience fragments so that the larger construct will be as secure as today’s apps. This will lead to security normalization development tools, like the data access normalization tools that exist today and those that the API management vendors provide.
Supplemental Material

Survey Methodology

ForecastView is a syndicated subscription service delivering access to more than 40 forecasts annually across North America, Europe, Asia Pacific, and Latin America. Our forecasts employ a unique methodology: By leveraging consumer demand-side data balanced with company supply-side metrics, we provide a highly detailed understanding of each market. Forrester’s ForecastView service provides reliable insight into the online, mobile, and emerging technology markets. It offers a framework for understanding market drivers and inhibitors and helps clients to plan and prioritize investment decisions. ForecastView provides detailed data and market metrics from our major forecast models over a five-year period for the markets of eCommerce, consumer technology, mobile, online content, financial services, and interactive marketing.
As part of the forecast modeling, Forrester develops comprehensive historical and base-year market size estimates based on a variety of sources, including public financial documents, executive interviews, Forrester’s proprietary primary consumer and executive research, and analysis of the internet traffic database. All of Forrester’s forecasts are designed by a dedicated team of forecasting analysts who build the models, conduct extensive industry research, and manage the process of formally building consensus among Forrester’s analysts. Forecast analysts have backgrounds in investment banking, management consulting, and market research, where they developed extensive experience with industry and company forecasting.
Endnotes

1 Source: “Mobile App Usage - Statistics & Facts,” Statista (https://www.statista.com/topics/1002/mobile-app-usage/).

2 Source: Forrester Data: Online Retail Forecast, 2016 To 2021 (Western Europe), Q4 2016 Update; Forrester Data: Online Retail Forecast, 2016 To 2021 (US), Q4 2016 Update; Forrester Research Online Retail Forecast, 2015 To 2020 (Latin America); and Forrester Data: Online Retail Forecast, 2016 To 2021 (Asia Pacific).

3 Source: “Debit Card Account Takeover and Online Fraud, Side Effects of EMV, on the Rise, says Auriemma Consulting Group,” Nasdaq GlobalNewswire press release, November 9, 2015 (https://globenewswire.com/news-release/2015/11/10/785462/10155791/en/Debit-Card-Account-Takeover-and-Online-Fraud-Side-Effects-of-EMV-on-the-Rise-says-Auriemma-Consulting-Group.html).

4 See the Forrester report “Brief: Don’t Ignore FIDO.”

5 A device fingerprint is a unique identifier based on the combination of login context elements, such as IP address, geolocation, installed fonts and software on the device, browser version, time shift between the device and the server, screen resolution, and other device attributes. To learn more, see the Forrester report “The Forrester Wave™: Risk-Based Authentication, Q1 2012.”

6 See the Forrester report “Vendor Landscape: Behavioral Biometrics.”

7 For more details on how Path and other apps were improperly securing mobile data, refer to the VentureBeat website. Source: “Your address book is mine: Many iPhone apps take your data,” VentureBeat, February 14, 2012 (http://venturebeat.com/2012/02/14/iphone-address-book/).

8 For details on how to properly implement SSL pinning, refer to the Cigital blog post. Source: John Kozyrakis, “An Examination of Ineffective Certificate Pinning Implementations,” Cigital blog, March 9, 2016 (https://www.cigital.com/blog/ineffective-certificate-pinning-implementations/).

9 These are specifically the section 5.1.3.2 out-of-band verifiers. Source: “Draft NIST Special Publication 800-63B Digital Identity Guidelines,” National Institute of Standards and Technology (https://pages.nist.gov/800-63-3/sp800-63b.html).