Organizations often run into friction when trying to apply mobile device security best practices without degrading the user experience. Some end users are reluctant to install additional apps on their phones, while others engage in risky practices such as jailbreaking or rooting their devices, sometimes going further and flashing a custom operating system (OS) image, commonly called a custom ROM.
These practices may not sound like cause for concern, so this post examines why they pose a real problem for device security.
Why SMS and OTP Are Not Considered Secure for MFA
Back in 2017, the National Institute of Standards and Technology (NIST) published SP 800-63B, which designates one-time codes delivered by SMS or voice call as a "restricted" authenticator for multifactor authentication (MFA); the 2016 draft had gone further and called the method deprecated. Unfortunately these practices are still widely used today, so it is worth understanding why this method of authentication is no longer recommended.
Although not immediately obvious, the answer is simple. When you receive a phone call or an SMS, you have no control over the security of your mobile carrier's network. The weakest link in your security chain becomes the person behind the counter at the carrier's store. With identity theft so common today, it can be shockingly easy for an attacker to impersonate you, convince the carrier to issue a replacement SIM for your number (a SIM swap), and start receiving your codes without your knowledge. Interception inside the carrier signaling network (SS7) is a second path to the same outcome, and neither path is visible to the user.
This is exactly why Silverfort does not recommend, or support, using phone calls or SMS texts to deliver OTP codes. When you are developing a security product, it is important to strive for the highest standard even if that means a slight inconvenience.
How Jailbreaking and Rooting Compromise Security
This brings us to another element of the security discussion: users who jailbreak or root their phones. The act itself is not the problem; the problem is what it implies afterwards, because the operating system's integrity guarantees no longer hold.
Consider Samsung Knox. Samsung phones carry a hardware e-fuse, the Knox warranty bit, that is blown permanently the first time an unsigned or custom boot image is flashed, which is what rooting or installing a custom OS requires. Once blown (the device reports it as 0x1), the Knox secure container can no longer be used, and resetting the phone to factory settings does not help because the fuse is physical, not a setting.
You might view this as simply a warranty-denial tactic, but it matters at the enterprise level. A Samsung phone with the Knox bit still intact gives you at least the level of assurance Samsung built into its operating system, which is what allows Samsung to offer secure containers on the phone for enterprise use.
Let me say that I am not promoting Samsung as a platform or suggesting people switch to it. I simply want to emphasize that Samsung has recognized this as a security measure that people should be aware of. When your device is rooted, jailbroken, or operating on a custom OS, you can no longer guarantee that the security measures put in place are functioning as intended or being appropriately updated. And this is a critical consideration — particularly if your job involves protecting your company’s interests and assets.
Why does this matter? Because security applications on your device, including Silverfort's, need to trust that the device is secure, updated, and does not pose a risk to the enterprise. The best way to establish that is to check whether the device is rooted, jailbroken, or otherwise compromised, and a good security application will refuse to pair the device if any of these conditions is detected.
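The pairing gate described above, as an added example that is not Silverfort's code: a device-posture check that collects well-known root and jailbreak indicators and refuses enrollment if any trips. The `DeviceSnapshot` class and the sample devices are constructed for this example; on a real device the values come from the platform (file existence, `getprop`, `android.os.Build.TAGS`, the Knox warranty bit).

```python
"""Device-posture gate for pairing (added example, not Silverfort's code)."""
from dataclasses import dataclass, field

# Android: a su binary or a Magisk install tree indicates root.
ANDROID_ROOT_PATHS = (
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
    "/sbin/.magisk", "/data/adb/magisk",
)
# Android: root-manager apps, checked by package name.
ROOT_MANAGER_PACKAGES = ("com.topjohnwu.magisk", "eu.chainfire.supersu")
# iOS: artifacts that only exist on a jailbroken device.
IOS_JAILBREAK_PATHS = (
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/usr/sbin/sshd", "/private/var/lib/apt",
)


@dataclass
class DeviceSnapshot:
    """Constructed model of what a collector reports from the device."""
    platform: str                                  # "android" or "ios"
    present_paths: set = field(default_factory=set)
    installed_packages: set = field(default_factory=set)
    build_tags: str = "release-keys"               # Android Build.TAGS
    knox_warranty_bit: int = 0                     # Samsung: 1 once the e-fuse is blown
    selinux_enforcing: bool = True                 # Android only


def posture_findings(dev):
    """Return every indicator that trips; an empty list means the device may pair."""
    findings = []
    if dev.platform == "android":
        findings += [f"root artifact present: {p}"
                     for p in ANDROID_ROOT_PATHS if p in dev.present_paths]
        findings += [f"root manager installed: {pkg}"
                     for pkg in ROOT_MANAGER_PACKAGES if pkg in dev.installed_packages]
        if "test-keys" in dev.build_tags:
            findings.append("system image signed with test-keys (custom build)")
        if dev.knox_warranty_bit:
            # Permanent: a factory reset clears the artifacts but not the fuse.
            findings.append("Knox warranty bit blown (0x1)")
        if not dev.selinux_enforcing:
            findings.append("SELinux not enforcing")
    elif dev.platform == "ios":
        findings += [f"jailbreak artifact present: {p}"
                     for p in IOS_JAILBREAK_PATHS if p in dev.present_paths]
    else:
        findings.append(f"unsupported platform: {dev.platform!r}")
    return findings


def may_pair(dev):
    """Pairing policy: any finding at all blocks enrollment."""
    return not posture_findings(dev)


# Constructed sample devices.
CLEAN_ANDROID = DeviceSnapshot("android", present_paths={"/system/bin/sh"})
MAGISK_ANDROID = DeviceSnapshot(
    "android",
    present_paths={"/system/bin/sh", "/data/adb/magisk"},
    installed_packages={"com.topjohnwu.magisk"},
)
# Rooted once, then factory-reset: no artifacts left, but the fuse stays blown.
RESET_SAMSUNG = DeviceSnapshot("android", knox_warranty_bit=1)
JAILBROKEN_IOS = DeviceSnapshot("ios", present_paths={"/Applications/Cydia.app"})

if __name__ == "__main__":
    for name, dev in [("clean", CLEAN_ANDROID), ("magisk", MAGISK_ANDROID),
                      ("reset samsung", RESET_SAMSUNG), ("jailbroken", JAILBROKEN_IOS)]:
        print(name, "->", "pair" if may_pair(dev) else "refuse", posture_findings(dev))
```

The `RESET_SAMSUNG` case is the one the Knox discussion is about: every filesystem indicator is gone after the reset, and only the warranty bit still tells the truth about the device's history.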
The Critical Role Security Tokens Play in Mobile Device Security
Let’s examine the security measures employed when you pair your device.
Generating a pairing token takes multiple attributes of your device into account, such as the CPU ID, RAM serial number, screen resolution, and other factors, and combines them into a token that is unique to that hardware. The token is bound to the device so tightly that if you cloned your phone and transferred the cloned data to a new device, the token would not work until you deleted it and re-paired the new device.
It is somewhat inconvenient, but it is highly effective: because the token is derived from all these factors, a straight copy of the phone's storage does not yield a working authenticator, so cloning your phone does not let someone bypass the security mechanism.
This also explains why, when you buy a new phone and restore from a backup, you need to re-enroll the device with the various authenticators in use today. In some cases you might be allowed to skip re-enrollment, but that would weaken the security for the reasons described above.
This is important to understand because our world relies so heavily on mobile devices. When was the last time you left your house without your phone? Mobile device security is more critical than ever, and this is why Silverfort takes a proactive approach to protecting your company's security.
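The binding described in the last three paragraphs, as an added example that is not Silverfort's code: the authenticator stores only a random seed, and its key is recomputed on every use from that seed and the live hardware attributes, so a backup restored to other hardware carries the seed but derives a different key and fails the server's challenge. The attribute names and sample values are constructed for this example; the challenge-response protocol is a generic HMAC scheme, not Silverfort's.

```python
"""Hardware-bound authenticator key (added example, not Silverfort's code)."""
import hashlib
import hmac
import json
import secrets


def device_fingerprint(attrs):
    """Canonicalise the attribute set so identical hardware always hashes the same."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).digest()


def derive_device_key(seed, attrs):
    """Key = HMAC(seed, fingerprint). Neither the seed nor the hardware alone reproduces it."""
    return hmac.new(seed, device_fingerprint(attrs), "sha256").digest()


def enroll(attrs):
    """Pairing: returns (what the device keeps, what the server keeps)."""
    seed = secrets.token_bytes(32)
    return {"seed": seed}, {"key": derive_device_key(seed, attrs)}


def respond(device_store, attrs, challenge):
    """Device side of an authentication: MAC the server's challenge with the derived key."""
    key = derive_device_key(device_store["seed"], attrs)
    return hmac.new(key, challenge, "sha256").digest()


def server_verify(server_record, challenge, response):
    """Server side: constant-time comparison against the key registered at pairing."""
    expected = hmac.new(server_record["key"], challenge, "sha256").digest()
    return hmac.compare_digest(expected, response)


# Constructed attributes; a real collector reads these from the platform.
ORIGINAL_PHONE = {"cpu_id": "0x1A2B3C4D", "ram_serial": "RAM-0001", "screen": "1080x2340"}
REPLACEMENT_PHONE = {"cpu_id": "0x9F8E7D6C", "ram_serial": "RAM-0002", "screen": "1080x2340"}


def demo():
    """Returns (original device verifies, restored backup on new hardware verifies)."""
    device_store, server_record = enroll(ORIGINAL_PHONE)
    challenge = secrets.token_bytes(16)
    ok_original = server_verify(server_record, challenge,
                                respond(device_store, ORIGINAL_PHONE, challenge))
    cloned_store = dict(device_store)          # backup/restore copies the seed verbatim
    ok_clone = server_verify(server_record, challenge,
                             respond(cloned_store, REPLACEMENT_PHONE, challenge))
    return ok_original, ok_clone


if __name__ == "__main__":
    print(demo())
```

Re-running `enroll` on the replacement phone is the "delete and re-pair" step from the text, and it succeeds immediately because a fresh seed is bound to the new fingerprint. The caveat a practitioner should keep in mind: attribute-derived fingerprints are only as trustworthy as the code that collects them, and a rooted device can report whatever it likes, which is why the posture check precedes pairing and why production authenticators prefer a hardware-backed keystore (Android Keystore, the iOS Secure Enclave) that never exports the key at all.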
Share your feedback! We’d love to hear what you thought of this article and get your perspective on mobile device security.