
Our phone, the gateway to our digital identity

In our experience there is a growing maturity around the security of IT systems (both infrastructure and application), and while there is still a long way to go, recent years have felt positive. GDPR has been an influence here, with its requirement that organisations place emphasis on security by design and on protecting data. As IT systems get better and become less likely to fall foul of straightforward attacks, attackers' attention has turned to people.

As mobile phones have become so ubiquitous, it's become natural for people to use their phone for many everyday tasks such as email, banking, gaming, shopping and so on. Alongside this, there has been a push for people to use two-factor authentication and rightly so.

As well as pushing two-factor authentication, more and more sites and experts recommend a strong, unique password for each site to counter credential stuffing: an attack in which a username and password known to work on one site are tried on other sites.

With passwords getting more complex and harder to remember, it has become very common for people to get back into sites by following simple password reset processes, which usually send you either a new temporary password or a link to create a new one by email. Herein lies the start of a major problem, but we'll come back to that.

Alongside the suite of familiar everyday apps, it has become common to have an authenticator app whose job is to make living with two-factor authentication easier by holding the two-factor codes or approval flows for all your accounts in one place.

Coming back to our problem. When we want access to a website and have forgotten or don't know the password, we follow the password reset process. So what happens when the person using the phone isn't its owner? The major concern we want to highlight is that to get into many websites all you really need is access to someone's email, and one great way to get that is their phone: the mail app is usually signed in, and the reset link or temporary password lands in the inbox on that same device. You can probably imagine how easy it has become to take over someone's identity if they don't secure their phone with a fingerprint, face, password or PIN. In fact, it's alarmingly simple, and that has motivated this post.

If we could say one thing to people, it would be this: as soon as you buy a new phone, the first thing you must do is set up screen-lock authentication, so that people cannot just turn on your phone and take over your digital identity.

Two-factor authentication alone won't protect you either: without a lock on the phone, anyone who picks it up can open the authenticator app you probably have installed and read the codes or approve the prompts.

Mobile phones aside, we would also point out that your email account should be one of the services you prioritise above most others for a strong and unique password, because it is a major vector for the kind of headache that is very hard to recover from.

We draw particular attention to email because most websites send their security communications by email. If someone controls your email, potentially without you knowing, they can simply read and delete the warnings about password changes, new addresses and name changes as they arrive, and the first time you notice is when your bank account is being emptied or loans are being taken out in your name.

For organisations, the best way to approach this is two-fold: first, think about mobile phone use in your company and consciously decide what you will and won't permit access to from a phone; then look at implementing a Mobile Device Management (MDM) solution, which can enforce a screen lock and passcode policy on every enrolled device rather than leaving it to each user.

Matt is the Managing Director of Metatec. Prior to founding Metatec, Matt has worked in Hospitality, Retail, Financial Services, Media and more. Having a passion for solving problems, building solutions, writing strategies and even writing code, he enjoys many aspects of running an IT Consultancy and Services company.

Metatec are an IT Consultancy and Services company that have a passion for helping businesses create and run IT Solutions. Metatec offer services such as Software Development, Enterprise and Solution Architecture, Managed Hosting in Azure, writing strategies, integrating solutions and more.

Matt Parsons
Thursday, November 14, 2019

Categories
  • Strategy
  • Development
  • Consulting
  • Architecture
  • Website Design