Why digital certificates for mobile devices? Because logins and passwords fail

By Trent Fierro, Blog Contributor
Share Post

If you've conquered texting you'll attest to the fact that bigger keyboards made your thumbs come alive. A few typos never stopped you from getting the message out. Unfortunately, using that same keyboard to enter login and passwords to access enterprise networks and applications requires repeated accuracy and patience.holding-two-phones-elite-daily-1024x682.jpg

Passwords are a problem in that users have to remember them, so unless forced to, they're short or written down. And then there are password expiration policies in active directory (AD) that sometimes won't sync with smart devices and causes them to repeatedly re-authenticate and lock out an account. No fun for all.

In a nutshell, this is why a built-in certificate authority (CA) for BYOD and IT-issued mobile device deployments makes sense. The device's certificate is issued by the built-in CA, which guarantees the link between a physical identity and a cryptographic public key.

Users are left with the job of having to protect their device, which they're more inclined to do versus protecting a password or updating them before they expire.

Also, passwords are inherently vulnerable to phishing attacks, whereas user certificates are not. The use of certificates never involves revealing any secret data to the peer, so an attacker impersonating the server cannot learn anything of value that way.

 What's in it for IT

  • Don't pollute your PKI - most customers will confirm that opening up a PKI to personal devices is about as popular as a root canal. Especially revocation management. It's all a can of worms. A fully contained database within ClearPass keeps things clean and simple.
  • Let's fix issuing and managing certificates - the built-in ClearPass Onboard CA issues the certificate at the time the new device is configured or onboarded. Best part, certificate download and revocation can be performed by a user. Based on role, a revocation portal displays appropriate certificate information and grants appropriate privileges. There's even a way to pull down a new cert before the old expire. No IT involvement.
  • Certificate information that sticks – each certificate issued by ClearPass Onboard includes user and device specific information making it unique. Moving a cert created for an iPhone A to iPhone B doesn't work because even twins have unique characteristics. No more worrying about unauthorized devices connecting.

While passwords remain cheap and easy, in reality they imply low security in a #GenMobile workplace. So instead of blaming a user when a problem develops (we know the average user can't choose a secure password), the use of certificates is the new standard for secure enterprise mobility.

Onboard certs.png