Title :
Password-based mobile access, alternatives and experiences
Author :
Jaramillo, David ; Newhook, Richard ; Van Duy Nguyen ; Chopra, Mahendra
Author_Institution :
CIO Lab. - Mobile Innovations, IBM, Boca Raton, FL, USA
Abstract :
In current networked organizations, the rise of mobile devices has become not just a nice-to-have, but is now necessary and expected by users. It is no longer feasible for most organizations to simply reject access to mobile devices; instead, they must now look towards crafting policies and technologies to manage their presence and also protect internal resources. Commonly, most network resource actions are controlled largely via the username and password pair. This may suffice in closed, relatively limited environments. However, this paradigm is largely incompatible with mobile technologies, with issues such as user friendliness problems, bleeding of security mechanisms into personally owned equipment, and an all-or-nothing access model. In this paper we discuss the shortcomings of the user/password access model, and describe our experiences in alternative access systems with an eye to mobile device presence. We describe methods for passwordless activation and authorization systems, application design patterns that account for mobile-specific security concerns, and a more nuanced, fine-grained trust system to ensure badly behaved mobile devices are limited in the damage they can cause.
Keywords :
authorisation; mobile computing; trusted computing; application design patterns; authorization systems; fine-grained trust system; mobile devices; mobile technologies; mobile-specific security concerns; network resource actions; networked organizations; password-based mobile access; passwordless activation; user access model; username; Authentication; Authorization; Mobile handsets; Organizations; Public key; authentication; mobile; security; usability;
Conference_Title :
SoutheastCon 2015
Conference_Location :
Fort Lauderdale, FL
DOI :
10.1109/SECON.2015.7132912