Single Sign On in a Mobile World
Over a period of time the concept of Single Sign On has pushed its way into the very core of how an organization looks at User Authentication. This includes the Global Banks with infinitely high security standards, policies and procedures.
In the modern company, an employee logs onto their Domain account once, which opens to the door to an endless amount of corporate applications such as Email, Intranet, Finance Systems, Customer Systems and more. This approach means that user authentication, and security policy can move to a central function. So when the security policy for password expiry changes from 60 days to 30 days, the policy is only changed in one place and instantly applies to all users and all systems.
But how can this authentication experience be replicated in the Mobile world? How can a method of identifying an individual be securely deployed and managed, when a users primary device of interaction is their mobile phone?
A solution to this challenge has so many applications. Mobile Executives could use it to be always available on corporate workflow tools, such as Account Payable, or business processes that require executive approval; Consumers could have a single trusted authentication mechanism which opens the door to dozens of cloud services such as Facebook, Banking, Shopping, Memberships; Mobile could then be used as a primary authentication for virtually any service. Imagine a world where your mobile is locked by a bank grade PIN, just like your ATM card is today. But instead of only granting you access to your Card at an ATM or POS, the PIN unlocks your phone and along with some internal authentication a user can access Facebook, Email, etc all as a trusted user. Therefore negating the need for a user to manage multiple user name & password relationships. With such a trusted mechanism in place, a consumer could enter a shop, purchase goods, wave their Mobile Phone with NFC, a payment request is pushed to the users phone to approve the payment using their PIN. This would enhance the application of NFC to cover larger value transactions other than public transport.
Take the idea further, a consumer would wave their Mobile Phone to access doors, and where necessary additional authentication is requested of the user in more secure sensitive situations. Therefore removing the need for the work issued security card, instead the employees electronic ID in their Mobile is registered and used as the primary means for identifying who they are. The same can be used for to access your home, and while your at it, you house recognizes your home and adapts to your preferences, turns on heater, switches on the TV to the news with items specific to you similar to your Facebook or Twitter account.
The reality is all the technology to do this exists today. NFC is now standardized, door readers exist in a large majority of corporate buildings, 500 million of us have Facebook and 100 million have Twitter, Secure USSD PIN requests can be sent to a Mobile Phone authenticating at a physical level that you are you, you have your registered SIM card(MSISDN/ICCID), you are using the same Mobile Handset(IMEI) and you are located(GPS) in a place that suggests you are actually the person requesting the service. But why are we not seeing this wide adoption of innovative eco-systems to enable this? The answer is turf protection. The NFC guys aren't openly talking to the door security companies, who aren't advising their customer to adopt an open authentication. The banks are still caught up on understanding mobile, let along embracing its true power. And no one, and I mean NO ONE has looked to fully utilize the power of Facebook as a global means to identify someone and their preferences.
Anyone want to give it a go? I am keen :)