The Keystone of Modern Authentication in a Zero Trust World part 1 — The Rise of the Smartphone as a Premier Authenticator

In the current digital era, smartphones have established themselves as a pivotal component in the technological landscape. These devices, often described as portable gateways, enable a wide range of daily tasks, from mundane activities like grocery shopping to more critical functions such as conducting secure online transactions. Beyond their conventional use for social media interaction and various productivity apps, smartphones are playing a crucial role in the emerging paradigm of zero-trust security, a framework that necessitates rigorous authentication at every step.

As shown in figure 1, the global reach of smartphones is astounding, with penetration rates soaring beyond 80% and approaching 90% by 2025. Users are increasingly reliant on these devices, dedicating an average of three hours daily to their screens. However, the average screen time statistics for 2024 reveal an even more engaged picture. Globally, people average 6 hours and 58 minutes of screen time per day, a nearly 50-minute increase per day since 2013. This widespread usage does more than facilitate communication; it embeds smartphones deeply into the tapestry of our digital lives. Notably, almost half (49%) of children aged 0 to 2 years are interacting with smartphones, and Generation Z averages around 9 hours of screen time per day. These figures underscore the multifaceted role of smartphones as indispensable tools, serving as constant companions, trusted advisors, and now, as the forefront of our digital identity security.
Smartphones owe their prominence in digital security, even in a world teeming with wearable tech and specialized security tokens, largely to their multifaceted authentication capabilities. They effectively combine knowledge-based security (like passwords), possession-based elements (the device itself), and inherent user characteristics (through biometric features such as fingerprints or facial recognition). This combination creates a comprehensive and robust security framework. Consequently, smartphones stand out as a more adaptable and secure alternative for authentication purposes, surpassing many traditional methods in both convenience and effectiveness. Additionally, the integration of advanced encryption technologies and the development of more sophisticated biometric systems have further solidified the position of smartphones in the authentication process. These advancements not only enhance security but also offer a more user-friendly experience, encouraging broader adoption.
Smartphone vs. Wearables: Convenience Reigns Supreme
Fitness trackers and smartwatches, while offering the convenience of health monitoring and notifications, frequently lack robust security protections. This shortcoming is particularly evident during the synchronization process with other devices or cloud services. In many cases, these wearables transmit data without encryption, leaving it vulnerable to interception by unauthorized parties. Additionally, the Bluetooth and Wi-Fi capabilities integrated into these devices are often minimally secured, if at all.
In their study “Cybersecurity Analysis of Wearable Devices: Smartwatches Passive Attack”, published in Sensors in 2023, Silva-Trujillo and colleagues conducted passive attacks on six different smartwatches to identify vulnerabilities during their pairing stages. Because the attacks were passive, they only observed traffic, which made the approach well suited to determining which devices were most susceptible to exploitation due to weak pairing protocols. The objective was to assess whether real-time information about users could be read through these vulnerabilities.

Their findings revealed that some smartwatches do not incorporate the latest security protocols, even if they are equipped with the newest Bluetooth technology. This was evident in the comparison between the Fitbit Versa 2, which operates on Bluetooth 4.0 and hence lacks the most advanced pairing security protocol, and the Fitbit Versa 3: despite having Bluetooth 5.0, the Versa 3 still employed the same pairing security protocol as its predecessor. Among the six smartwatches evaluated, none met the maximum security level, and one failed to fulfill even the minimum requirements (see figure 2).
In contrast, smartphones stand out with their advanced biometric sensors, such as fingerprint readers, facial recognition, and potentially iris scanners. These features enable robust multi-factor authentication options, negating the need for additional devices. Smartphones are further secured by dedicated hardware modules known as secure enclaves, which isolate cryptographic keys and authentication credentials from the operating system and other installed applications, enhancing the device’s security. Additional features like hardware-backed attestation, Trusted Platform Modules (TPMs) and GPS/location services ensure that only authorized applications can access sensitive information. However, security is just one piece of the puzzle. The smartphone’s true power lies in its user-friendliness. It’s already an inseparable part of our daily routines, eliminating the need for additional devices or clunky authentication processes. Push notifications, one-tap verifications, and seamless integrations with various platforms transform MFA from a friction-inducing hurdle to a streamlined experience. Convenience fuels compliance, encouraging users to embrace MFA without the frustration of fumbling with hardware tokens or dedicated apps.
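As an added illustration, not Excalibur’s code or protocol, the following models the possession factor and one-tap approval described above: the server pushes a challenge, the phone signs it with a key that never leaves its secure enclave, and the server grants the action only if the signature comes from the enrolled device, the challenge has not expired, and the nonce has not been used before. The names (Challenge, Server, PhoneApprove) are assumptions, and the phone’s local biometric gate is assumed to have already passed.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)
// Challenge: nonce, expiry and action pushed to the phone for one-tap approval.
type Challenge struct {
	Nonce   [16]byte
	Expires int64 // unix seconds
	Action  string
}
// msg is the byte string the phone signs; it binds all three fields together.
func (c Challenge) msg() []byte {
	return []byte(fmt.Sprintf("%x:%d:%s", c.Nonce, c.Expires, c.Action))
}
// Server stores only the enrolled public key (the private half stays in the
// phone's secure enclave), a replay cache of used nonces and an injectable clock.
type Server struct {
	DevicePub ed25519.PublicKey
	Seen      map[[16]byte]bool
	Now       func() time.Time
}
func (s *Server) NewChallenge(action string, ttl time.Duration) Challenge {
	c := Challenge{Action: action, Expires: s.Now().Add(ttl).Unix()}
	rand.Read(c.Nonce[:]) // crypto/rand: never returns an error on supported platforms
	return c
}
// Verify enforces possession (signature by the enrolled key), freshness
// (expiry) and single use (nonce cache) before the action is allowed.
func (s *Server) Verify(c Challenge, sig []byte) error {
	if s.Now().Unix() > c.Expires {
		return errors.New("challenge expired")
	}
	if s.Seen[c.Nonce] {
		return errors.New("approval replayed")
	}
	if !ed25519.Verify(s.DevicePub, c.msg(), sig) {
		return errors.New("signature not from enrolled device")
	}
	s.Seen[c.Nonce] = true
	return nil
}
// PhoneApprove models the handset: after the local biometric gate (assumed
// passed here) the enclave-held key signs the challenge; the key itself never leaves.
func PhoneApprove(priv ed25519.PrivateKey, c Challenge) []byte {
	return ed25519.Sign(priv, c.msg())
}
```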
Zero-Trust: A World Where Smartphones Shine
In an era where trust cannot be assumed, smartphones emerge as key players in the Zero Trust framework, especially in authentication, aligning with NIST’s identification of authentication as a crucial component. Their omnipresence, coupled with advanced security features and user-focused design, positions them as essential in a future where access verification is continuous and precisely controlled. Smartphones are thus fundamental to ensuring a secure and seamless digital experience within the Zero Trust architecture.
The European Union’s recent advancements in digital identity further underscore the significance of smartphones in this context. The European Commission’s final agreement on the Regulation introducing European Digital Identity Wallets highlights this importance. All EU citizens are set to receive an EU Digital Identity Wallet, enabling secure access to a wide array of online public and private services throughout Europe. This Wallet is designed not just to securely store digital identities but also to facilitate various functionalities like opening bank accounts, making payments, and holding digital documents such as mobile driving licenses and medical prescriptions. It assures user-friendly access, maximum security, and personal data protection, with portions of its code made open source to prevent misuse or illegal surveillance.
As we conclude this blog post, it’s important to highlight that Excalibur has been a pioneer in recognizing the critical role of smartphones in security, a stance we adopted nearly a decade ago, well ahead of current trends. This foresight placed smartphones at the heart of our security protocols and solutions, aligning seamlessly with the evolving Zero Trust landscape and initiatives like the EU’s digital identity framework.

In the Excalibur system, the smartphone is unequivocally the cornerstone of the authentication process. Its role is so integral that without it, the standard operational capabilities of Excalibur are significantly limited. The smartphone’s advanced security features, like biometric verification, are crucial for providing robust and reliable user authentication, emphasizing its indispensable role in the system.
While Excalibur primarily relies on smartphone-based authentication, it acknowledges certain exceptional circumstances in which a user might be unable to use their smartphone, for example when offline. In these specific cases, Excalibur permits an alternative form of authentication exclusively for operating system logon (see figure 4). This is a carefully considered feature, recognizing the critical need for users to access their own laptops or workstations. However, it’s important to note that this alternative authentication is strictly limited and does not extend to other aspects of the Excalibur system. This limitation underscores the vital role of the smartphone in Excalibur’s security architecture.

The ability to log onto the operating system in the absence of a smartphone is a secondary, less preferred method of authentication. It is designed as a backup option to ensure continuous work efficiency without compromising the overall security framework. This selective allowance for offline logon reiterates the central importance of the smartphone in Excalibur. It serves as a reminder that while Excalibur can adapt to exceptional situations, the standard and most secure method of accessing its full capabilities is invariably through smartphone-based authentication. Therefore, the smartphone’s role in Excalibur is not just of primary importance; it is the essence of the system’s security and operational model. The provision for offline logon in special cases does not diminish this fact but rather highlights the smartphone’s critical importance in maintaining the integrity and effectiveness of the Excalibur system.
In this post, we’ve underscored the smartphone’s central role in authentication, a trend that our product, Excalibur, foresaw and incorporated a long time ago by using smartphones as the universal key for diverse resources, from local systems to remote ones like SSH and RDP. In the forthcoming article of this series, we will explore the security of smartphones, discussing the best practices to safeguard them and why they are the primary target for hackers.
*** This is a Security Bloggers Network syndicated blog from Stories by Excalibur on Medium authored by Excalibur. Read the original post at: https://medium.com/@xclbr/the-keystone-of-modern-authentication-in-a-zero-trust-world-part-1-the-rise-of-the-smartphone-as-077dec61acf1?source=rss-c33ef172a8fe------2

