Blogs

Why digital certificates for mobile devices?

By trent posted Jun 26, 2014 01:05 PM

  

 

Login and Passwords fail

 

holding-two-phones-elite-daily-1024x682.jpg

 

If you’ve conquered texting you’ll attest to the fact that bigger keyboards made your thumbs come alive. A few typos never stopped you from getting the message out. Unfortunately, using that same keyboard to enter login and passwords to access enterprise networks and applications requires repeated accuracy and patience.

 

Passwords are a problem in that users have to remember them, so unless forced to, they’re short or written down. And then there are password expiration policies in active directory (AD) that sometimes won’t sync with smart devices and causes them to repeatedly re-authenticate and lock out an account. No fun for all.

 

In a nutshell, this is why a built-in certificate authority (CA) for BYOD and IT-issued mobile device deployments makes sense. The device’s certificate is issued by the built-in CA, which guarantees the link between a physical identity and a cryptographic public key.

 

Users are left with the job of having to protect their device, which they’re more inclined to do versus protecting a password or updating them before they expire.

 

Also, passwords are inherently vulnerable to phishing attacks, whereas user certificates are not. The use of certificates never involves revealing any secret data to the peer, so an attacker impersonating the server cannot learn anything of value that way.

 

What’s in it for IT

 

  • Don’t pollute your PKI - most customers will confirm that opening up a PKI to personal devices is about as popular as a root canal. Especially revocation management. It’s all a can of worms. A fully contained database within ClearPass keeps things clean and simple.
  • Let’s fix issuing and managing certificates - the built-in ClearPass Onboard CA issues the certificate at the time the new device is configured or onboarded. Best part, certificate download and revocation can be performed by a user. Based on role, a revocation portal displays appropriate certificate information and grants appropriate privileges. There’s even a way to pull down a new cert before the old expire. No IT involvement.
  • Certificate information that sticks – each certificate issued by ClearPass Onboard includes user and device specific information making it unique. Moving a cert created for an iPhone A to iPhone B doesn’t work because even twins have unique characteristics. No more worrying about unauthorized devices connecting.

While passwords remain cheap and easy, in reality they imply low security in a #GenMobile workplace. So instead of blaming a user when a problem develops (we know the average user can’t choose a secure password), the use of certificates is the new standard for secure enterprise mobility.

 

 

Onboard certs.png

 

For more information, take a look at ClearPass Onboard to get your thumbs back.

 

http://www.arubanetworks.com/products/clearpass/device-management/

3 comments
2 views

Comments

rrich
Jul 22, 2014 09:49 AM

I am asked this question frequently by administrators. I agree - not using certificates works fine - until it doesn't.

 

Then it's very messy, as users are already used to authenticating  to corporate WiFi, and it's hard to "put the Genie back in the bottle."  Using certificates from the start will avoid this problem and keep users from getting locked out of the larger corporate infrastructure. 

trent
Jun 27, 2014 11:35 AM

Danny,

 

Thanks for the add. This has been coming up a lot! While this works for multivendor networks I probably need to extend the story in a later blog to include Auto Sign-On for Aruba Wi-Fi customers. 

 

http://www.arubanetworks.com/products/clearpass/auto-sign-on/

 

tf

dannyjump
Jun 27, 2014 02:10 AM

Trent,

 

What a great introduction to the beneifts and merits of why we have a Certificate Authority deeply embeded with in the ClearPass product.

 

Can I suggest that our readers who want to learn more about ClearPass's PKI and how we can leverage this technology take a look at a TechNote I wrote, 'ClearPass - Certificates 101 TechNote'. It can be found at the following link along with many other TechNotes we have published.

 

CPPM - Certificates 101 Technote V1.0 .pdf   additional  Tech Notes