Access control is going mobile — is this the way forward?

Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.

“These shifts suggest that threat actors have revalued credentials as a reliable and preferred initial access vector. As threat actors invest in infostealers to grow their credential repository, enterprises are pushed into a new defense landscape where identity can no longer be guaranteed,” wrote the X-Force report.

The only way to prevent the use of valid credentials is to make sure that the person using the account is the person who was issued the credentials. This requires organizations to focus on access control to validate the identity of every user every time they access sensitive information.

However, the traditional username and password credentials are easily used for cyber crimes. Hackers often break into accounts by figuring out the password using artificial intelligence (AI). Additionally, credentials are often sold on the dark web, making it very easy for a cyber criminal to use valid credentials to launch a breach or attack.

To reduce this risk and increase the likelihood of only valid users gaining access, organizations are turning to mobile credentialing. With this type of identity validation, a user must validate their identity using a mobile device. When the identity is established, the user is assigned a digital key that is unique to their device. Some technologies use a QR code, while others use a link. Each time the user accesses the system, the device uses the digital key to ensure that the assigned person uses the credential. Mobile credentialing can be used for physical access, such as a secure data center located in a building, or for virtual access, such as to a database containing sensitive customer data.

Organizations using mobile credentialing often see the following benefits:

• Reduced risk: Because users keep their mobile devices with them, the odds of a cyber criminal having access to the credentials and the device are low. Because users need physical access to a device, stolen credential attacks are more challenging to pull off than traditional access control.
• Lower cost: Mobile access requires less administration, meaning it’s less expensive to operate and maintain. Administrators can more easily add and delete users than traditional access management.
• Easier to create temporary credentials: With mobile credentialing, system administrators can now more easily and quickly create temporary credentials, such as a contractor or vendor.

However, mobile credentialing also brings some challenges. Common issues include:

• Personal device requirement: Some employees do not want to use their personal devices for work purposes. Organizations must overcome this challenge either by issuing a keycard or business devices.
• Device must be charged and operational: If the user’s device is out of battery or not currently working, they cannot access applications and systems needed for work-related tasks. Organizations should create an alternative access method for these situations.

As more organizations begin using this type of credentialing, employees and users will become used to turning to their personal devices to log in. Organizations that adopt this technology can now evolve their practices and usage as the technology advances. Organizations can reduce the risk of breaches involving valid credentials by reducing their overall risk and vulnerability.