End User Devices: Authentication Policy

Created:  24 Sep 2016
Updated:  24 Sep 2016
You should create a consistent policy for authenticating both users and devices before granting access to systems and resources (including information).

There are three important parts to authentication that you should consider:

  • User to device: the user is only granted access to the device after successfully authenticating to it.
  • User to service: the user is only able to access enterprise services after successfully authenticating to the service, via their device.
  • Device to service: only devices which can authenticate to the enterprise are granted access.

For each, a number of decisions must be made about which authentication mechanisms are appropriate, taking into account both security and usability:

  • Passwords
    Passwords are the most common way users authenticate to devices and services. We have separate Password Guidance for details on how to create an appropriate password policy for your organisation. 

    Many EUDs include technology that strengthens user to device passwords against an offline brute force attack. This includes combining the password with a cryptographic key held in hardware-protected storage, as well as limiting an attacker's ability to repeatedly guess passwords by hand.

    This means that passwords for user authentication to the device can be simpler and shorter, although it is important for users to take care that they are not overlooked while entering their password.

  • Biometrics
    For user to device authentication, many EUDs now come with biometric sensors such as fingerprint readers, facial recognition or iris scanners.

    These technologies vary in their false positive and false negative rates, as well as in their ability to detect a spoofed biometric. There is significant variation in how biometric capabilities are implemented in different EUDs, so it is important to assess both how biometric data is stored and how authentication decisions are made within a particular device.

    Some devices have hardware-protected storage which can be used to release a cryptographic key following successful biometric authentication. This provides a strong level of protection for the biometric authentication process against physical attacks.

  • Certificates
    Certificates are long-term credentials which contain a private key and a signed public key. Access to the private key is required to authenticate to other services, and can be used to authenticate either the device or the user to that service.

    The private key should be protected from access by malicious software (via sandboxing or other access control mechanism), and should be protected from hardware extraction (via the device’s data-at-rest encryption, or protecting the private key with an encryption password if it can’t otherwise be protected).

  • Keys or tokens
    Keys or tokens are often short-lived credentials used to provide access to a service. Typically another user-to-service authentication mechanism is used to acquire a key or token, which is then used for subsequent re-authentication attempts. This is common for web-based services.
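To illustrate the Passwords point above (a device-bound key plus a guess limit lets a shorter device passcode still resist offline brute force), here is an added Python model that is not part of this guidance. HardwareKeyStore, enrol, offline_guess and online_guess are constructed names, and the "hardware" is a plain class standing in for a real secure element.

```python
import hashlib
import hmac
import secrets

# Constructed model: the unlock key is derived from the passcode AND a key that
# never leaves the device, and the guess counter lives beside that key.
PBKDF2_ITERATIONS = 100_000


class HardwareKeyStore:
    """Hypothetical stand-in for hardware-protected key storage."""
    MAX_ATTEMPTS = 10

    def __init__(self, device_key: bytes) -> None:
        self._device_key = device_key  # real hardware would never export this
        self.failed_attempts = 0
        self.locked = False

    def derive_unlock_key(self, passcode: str, salt: bytes) -> bytes:
        # Stretch the passcode, then bind it to the device key with an HMAC.
        stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.new(self._device_key, stretched, hashlib.sha256).digest()

    def try_unlock(self, passcode: str, salt: bytes, verifier: bytes) -> bool:
        # Counter is enforced inside the key store, so copying the encrypted
        # data off the device does not reset it.
        if self.locked:
            return False
        if hmac.compare_digest(self.derive_unlock_key(passcode, salt), verifier):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        self.locked = self.failed_attempts >= self.MAX_ATTEMPTS
        return False


def enrol(passcode: str, device_key: bytes):
    """Provision a device; returns (key store, salt, stored verifier)."""
    store = HardwareKeyStore(device_key)
    salt = secrets.token_bytes(16)
    return store, salt, store.derive_unlock_key(passcode, salt)


def offline_guess(candidates, salt: bytes, verifier: bytes):
    """Attacker holding salt and verifier but not the device key: PBKDF2 alone
    can never reproduce the verifier, so no candidate matches."""
    for guess in candidates:
        if hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, PBKDF2_ITERATIONS) == verifier:
            return guess
    return None


def online_guess(store: HardwareKeyStore, candidates, salt: bytes, verifier: bytes) -> int:
    """Guessing on the device itself: returns failed attempts made before lockout."""
    attempts = 0
    for guess in candidates:
        if store.locked or store.try_unlock(guess, salt, verifier):
            break
        attempts += 1
    return attempts
```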

These authentication mechanisms should be chosen and combined in a way which maximises the usability of a device, whilst offering appropriate security.

For example, a single user to device password authentication mechanism can be used, which subsequently allows access to a token or certificate used for time-bounded device or service authentication.

Where one authentication mechanism provides insufficient security, multi-factor authentication can be used.

Further details about how each type of EUD supports authentication approaches can be found in the device-specific EUD Security Guidance documents.