Given the current prevalence of mobile devices, especially smartphones, it comes as no surprise that they are becoming more and more entwined with everyday aspects of our lives. We don't just use them to make calls, to text, or to browse the internet anymore. We can use them to do just about anything, and that includes using them as a means to provide our credentials.
Since people almost always have their phones on them, it makes sense -- to some extent -- to use them as a means to store and validate one's credentials. Banking information, ticketing purposes, access control -- they can all be handled through smartphones now. But this, of course, raises the question of just how safe the practice really is.
"That's possible with NFC, they're using that," says Dionisio Zumerle, a Gartner analyst, of the practice of using smartphones for access control purposes in the enterprise. "But you also have to take into account that a lot of methods they use are only available with certain hardware on certain devices. It's something that we see emerging, but it's not in the mainstream world just yet."
For enterprises that do store credentials on mobile devices for purposes such as access control, some methods are implemented to lock them down. The methods are not always particularly sophisticated, however; Irfan Asrar, a researcher for McAfee, says that these credentials are typically secured with native security.
"They may have some additional BYOD policies enforced on them," says Asrar. "But most of what we've been seeing has been using the basic authentication with the OS."
Zumerle says there are also some slightly more advanced methods of protecting credentials.
"With NFC there is secure element, which can be used to secure the credentials," he says. "Usually it involves a separate component, like a Smart Card or an SD card."
With a secure element, the application code and data are securely stored and executed on the external chips. According to the Smart Card Alliance, the secure element "provides delimited memory for the apps and other functions that can encrypt, decrypt, and sign the data packet."
For those who are looking for a slightly more convenient means of using their mobile devices for NFC-based transactions, Zumerle said that a new method called host-based card emulation, or HCE, was introduced with Android 4.4 (KitKat). With HCE, users no longer need the secure element (the external card) to conduct transactions via NFC. While this practice makes things more convenient for both the user and app providers, it obviously comes at the expense of security.