Towards Smartphoneless authentication
Smartphones have long been recommended for the convenience they offer, and there’s no denying their tremendous impact on the user experience. As part of a multi-factor authentication solution, while they may be a popular choice, experience has shown that they may not be the most secure way to protect your systems and data. Let’s take a closer look at Smartphoneless.
What are the challenges regarding mobile authentication?
Challenge 1: Mobile Authentication requires you to have, or provide, a mobile phone
First things first, Mobile Authentication requires users to have a smartphone. So for end-customer authentication, it’s not always a suitable option as they don’t all have a compatible smartphone. As for employee and partner authentication, companies are increasingly resisting the provision of smartphones – aiming to reduce costs and logistics issues.
Challenge 2: Mobile authentication is vulnerable to certain cyber attacks
Many concerns have been expressed about the risk of compromising mobile devices. When authenticating via SMS OTP, there is a risk of information recovery via SMiShing (SMS phishing attack). As for authenticating via an authenticator app, there is a tendency to forget about MFA fatigue attacks: a cyberattack that tricks users into allowing access to the device due to an overload of push notifications.
What is Smartphoneless authentication?
You may be wondering what we mean by smartphoneless authentication. Quite simply, this is a way to verify a user’s identity without recourse to a smartphone. It’s an alternative way to use multi-factor authentication (MFA) when you don’t have, or don’t want to have, a smartphone as part of the process to authenticate or log in. This can be done by combining:
- a knowledge factor (such as a PIN) or an inherence factor (such as a fingerprint),
- with a possession factor other than a mobile.
Most of the time we think of the desktop token. Still, you may be surprised to hear that there are other alternatives, like the browser token for example.
Why switch to Smartphoneless authentication? What are the benefits?
More and more organizations are starting to make the change to smartphoneless authentication because in many instances, the smartphone itself can cause constraints – not just for users, but for developers and integrators as well.
In fact, allowing users to authenticate and access their apps, network and data without the need for a mobile device brings a number of valuable key benefits:
Unburdens users of the need to rely on a mobile
Not being reliant on a smartphone means you are not tied to a specific, additional piece of equipment other than the device you are trying to log on to. Besides, imagine that your mobile ran out of battery: what a disastrous login experience…
Reduce the logistical burden for IT teams
This advantage is particularly important for employee access. Indeed, from an administrative point of view, it implies less logistics to equip and update the users’ equipment.
This reduction in workload and equipment requirements results in lower costs for companies.
Protect yourself from targeted attacks
Smartphoneless authentication protects against certain attacks such as SMS phishing (SMiShing) or MFA fatigue attacks performed through mobile push.
Will Smartphoneless authentication become the new standard?
It’s not surprising that organizations want to implement changes so that they can reduce their level of risk and improve their business processes.
That’s why inWebo has come up with a software alternative to smartphone authentication. This solution is in fact what we call “Deviceless” and relies on the user’s browser as a trusted device to authenticate and access its applications in a simple, secure and smooth way.
One thing is for sure, users will quickly adapt to the freedom of not being tied to their Mobile to be able to connect to their apps and data.
Deviceless or Smartphoneless authentication?
Deviceless authentication is a form of Smartphoneless authentication. In a way, it is a kind of sub-category, since it is even more specific: it relies on the browser token. It can be done from any device and with any browser. It doesn’t have to be the user’s, or even the company’s device. This Deviceless technology adds 3 additional benefits to the above list.
Deviceless offers 3 more advantages than Smartphoneless
Deviceless facilitates and secures BYOD ("Bring Your Own Device")
Work habits are changing and more and more personal computers are being used for business purposes. Deviceless removes the security risks associated with BYOD and secures all access to internal applications and networks. No smartphone or business laptop is required, just a browser.
Easy to configure and use
Importantly, this new user authentication method requires no installation and can be deployed on a large scale in a few clicks. A real boon for integrators.
A very good way to provide secure multi-user connections
The same browser can be used by different users who will all have their own authentication. For organizations reliant on shared computers, this is a great benefit, ensuring both a high level of security and the ability to identify each and every user accessing the system.
inWebo’s MFA technology has been designed to ensure that even if it is manipulated by third parties, it will be impossible to use: instead of using a simple cryptographic key, as all other MFA solutions do, inWebo has made their keys dynamic and random. A unique and patented technology.
With the browser token, the cryptographic keys are stored in the user’s browser rather than on their computer. And these keys change randomly each time the user generates an OTP at the point at which he or she wants to connect to the system.
This way, once the keys have been used, they can’t be used again, so they are completely useless to anyone trying to ‘hack’ the system. Each user identity is protected, and the likelihood of security breaches is drastically reduced, especially as the Browser token is the most secure against phishing attacks.
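The following added example (not inWebo's code and not its patented scheme) sketches the general idea of a per-login rotating key with a generic HMAC ratchet: after each accepted OTP, the server issues a random nonce and both sides derive a new key from it. The names BrowserToken, Server and demo, the 8-digit OTP format and the nonce exchange are assumptions made for illustration.

```python
import copy
import hashlib
import hmac
import secrets


def otp_from(key: bytes) -> str:
    """Derive an 8-digit one-time password from the current key."""
    digest = hmac.new(key, b"otp", hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def next_key(key: bytes, nonce: bytes) -> bytes:
    """Ratchet step: the old key plus a fresh random nonce gives the new key."""
    return hmac.new(key, b"rotate" + nonce, hashlib.sha256).digest()


class BrowserToken:
    """Client side (hypothetical): key material held in browser storage."""
    def __init__(self, key: bytes):
        self.key = key

    def generate(self) -> str:
        return otp_from(self.key)

    def rotate(self, nonce: bytes) -> None:
        self.key = next_key(self.key, nonce)


class Server:
    """Server side (hypothetical): verifies an OTP, then rotates its key copy."""
    def __init__(self, key: bytes):
        self.key = key

    def verify(self, otp: str):
        if not hmac.compare_digest(otp, otp_from(self.key)):
            return None                      # rejected, key unchanged
        nonce = secrets.token_bytes(16)      # random input to the next key
        self.key = next_key(self.key, nonce)
        return nonce                         # sent back to the browser


def demo() -> dict:
    seed = secrets.token_bytes(32)           # constructed enrolment secret
    token, server = BrowserToken(seed), Server(seed)
    snapshot = copy.deepcopy(token)          # copy of storage taken before login
    first = token.generate()
    nonce = server.verify(first)
    token.rotate(nonce)
    return {
        "first_login": nonce is not None,
        "replayed_otp": server.verify(first) is not None,
        "stale_snapshot": server.verify(snapshot.generate()) is not None,
        "second_login": server.verify(token.generate()) is not None,
    }
```

In this sketch a copied key only becomes useless once the genuine browser has logged in; a copy used first would be accepted and would leave the genuine browser out of step, which a server can treat as a sign of cloning.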
The future will be Deviceless
So, is it likely that we’ll all be making a change to a smartphoneless future when it comes to authentication? Although we don’t have a crystal ball, the signs certainly point in that direction.
We’re all looking for innovative ways to ensure the security of our systems and processes, but we also want to make sure our users have a simple experience.
Smartphoneless is a way of authenticating, i.e. verifying a user’s identity, without the use of a smartphone. It is an alternative way of using multifactor authentication (MFA).
Smartphoneless authentication is done through MFA using a knowledge factor (PIN) or an inherence factor (fingerprint) combined with a possession factor other than the mobile. Most of the time, smartphoneless is done using a desktop or laptop token. But there is also an alternative technology that allows authentication with a browser token.
In the case of authentication by SMS OTP, the elimination of the use of cell phones, thanks in particular to Smartphoneless, makes it possible to avoid the risks of phishing attacks by SMS, or “smishing”.