Mobile tablets are growing significantly in the enterprise, and are presenting new security and usability challenges.
Multi-factor access authentication technologies are difficult to use with mobile devices because of frequent session timeouts. For example, a person would have to type RSA SecurID tokens 20 to 30 times a day. Smart cards require hooking a reader to the mobile terminal. Fingerprint readers have a high failure rate and are inconvenient.
It is also noted that traditional two-factor authentication technologies cannot protect the device from loss. When a device is lost, the user session may stay open and can be exploited by the person who finds the device.
This invention caters to a very sophisticated enterprise mobile security problem, and requires a sophisticated orchestration of common technologies in order to provide high security with high usability. Numerous large companies have tried to solve the mobile security problem without much success.
Previous patents by the current inventor taught authentication based on Bluetooth proximity as well as proximity logout, auto-login and multi-factor authentication; however, the prior art does not teach automatically injecting multi-factor capability and access control into applications. It does not teach converting access security on legacy applications or providing single sign-on.
U.S. Pat. No. 8,045,961 by the current inventor, System for wireless authentication based on Bluetooth proximity, teaches login using a Bluetooth device that stores the user credentials and supplies them wirelessly over a Bluetooth communication channel. It does not teach automatic login when the Bluetooth signal has stayed above a threshold during a recent period of time, and otherwise asking for user credentials. It does not teach converting access security on legacy applications or providing single sign-on.
US patent application 20120210443 by Blaisdell et al., Securing and managing apps on a device, teaches wrapping an application with a security layer. It teaches adding a light security layer that can be used by administrators as well as parents, such as geo-fencing (to set policies on apps downloaded by children). It does not teach updating access security on an existing application or adding robust multi-factor authentication and single sign-on to enterprise applications.
US patent applications 20120304310, 20120246731 and 20120246484 by Blaisdell et al., Secure execution of unsecured apps on a device, teach modifying security parameters of an application. They teach adding a light security layer that can be used by administrators as well as parents (to set policies on apps downloaded by children). They do not teach updating access security on an existing application or adding robust multi-factor authentication and single sign-on to enterprise applications.
Injecting code into an existing application to change its behavior is known in the prior art and in the hacker community. Mocana, for example, offers a commercial service that wraps applications with geo-fencing and other data security functions. The current invention uses the wrapping concepts to automatically update access security in a uniform way on multiple applications. It ties an application to a second authentication device, injects passwords into an application and triggers login. The wrapping engine inserts these functions automatically, so that all the applications of an enterprise can be upgraded. Moreover, the wrapping engine makes it possible to provide single sign-on across all applications. It is worth mentioning that the wrapping engine now provides a uniform way to control all application access from a configuration console: proximity logout ensures that applications are automatically closed, proactive loss prevention ensures that company devices are protected, and real-time notification ensures that IT is alerted in real time when an incident occurs.
Previous patents and patent applications by the current inventor introduced multi-factor authentication and proximity logout; however, they required developers to insert multi-factor authentication. As a result, enterprises were not able to apply one single access security layer to all existing and future applications.
Most MDM (Mobile Device Management) and MAM (Mobile Application Management) solutions on the market today (Good, Mobile Iron, AirWatch, Zenprise, Bitzer, Tangoe, Symantec . . . ) cannot provide adequate device security and application access security:
Usability: Users have to log in to their email application and calendar on their mobile device every time they need something. They need to first enter the PIN code to unlock their device, and then enter the password for the email client such as Good. This is extremely annoying, as the user has to enter a password 20-30 times a day, twice every time. Intelligent auto-login is needed.
Device loss: MDM, MAM . . . are not aware when a device is left behind, and are incapable of securing the device. A proximity alarm is needed.
Session is left unattended: Most MDM and MAM can secure the data, but cannot secure access. They are incapable of authenticating the user, or of detecting that a user swap has occurred. If a user connects to an enterprise portal and leaves the device on a table to go to the restroom, anybody who finds the device has unrestricted access to the network. Proximity logout is needed.
Theft of a device after the user is logged in: High profile people using tablets are prime targets for theft. The thief waits until the target logs in to the system, and then takes the tablet away. Most MDM and MAM solutions are incapable of addressing this problem, as they cannot detect a user swap. Proximity logout and a proximity alarm are needed.
Remote wipe: While most MDM solutions provide remote wipe capability, they are ineffective in remote wiping the data. That is because when an employee loses a mobile device (iPad, Android . . . ), it generally takes him/her several hours to notice the loss. After that, the employee will take several hours or days to report the loss, and may never report it. When IT tries to remote wipe the device, the device is most probably out of reach, out of battery, or without its SIM card. A hacker would have found plenty of time to get the data off the device, or to use the device for inappropriate access. Real-time incident notification is needed.
The essence of the current invention is to modify the access security layer of any application automatically, using a wrapper engine, in order to add: 1) multi-factor authentication, 2) intelligent auto-login, 3) proximity logout, 4) proactive loss prevention, 5) real-time incident notification and 6) single sign-on.
The essence is to modify access security in order to provide more access security with better usability. The essence is also to guarantee that security of the data and device is maintained under all conditions, including when the user of the device is not able to attend to the device.
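The following is an added illustration of the access policy that the wrapper engine would enforce on behalf of a wrapped application; it is not code from the patent or from any product named above. It assumes a paired Bluetooth token (for example the user's phone) whose signal strength is sampled every few seconds, and it implements the decision described earlier: auto-login only when the channel has stayed above a threshold for the whole recent window, otherwise a credential prompt; a proximity alarm when the token moves away from an open session; proximity logout once it has stayed away past a grace period; and a notification hook for each incident. The threshold, window, grace period, class and function names and the sample trace are all constructed for the example.

```python
"""Proximity-based access policy for a wrapped mobile application.

Added illustration, not the patent's or any vendor's code. Assumed: a paired
Bluetooth token reports an RSSI sample (dBm) every few seconds; thresholds,
names and the trace in simulate() are constructed.
"""
from collections import deque


class ProximityPolicy:
    """Decides auto-login vs. credential prompt, proximity alarm and proximity
    logout from a sliding window of Bluetooth signal-strength samples."""

    def __init__(self, rssi_threshold_dbm=-70, recent_window_s=30.0,
                 logout_grace_s=10.0, notify=None):
        self.rssi_threshold_dbm = rssi_threshold_dbm  # >= threshold counts as "near" (assumed value)
        self.recent_window_s = recent_window_s        # token must stay near this long to auto-login
        self.logout_grace_s = logout_grace_s          # continuous "far" time before forced logout
        self.notify = notify or (lambda event: None)  # real-time incident hook (IT console, assumed)
        self.samples = deque()                        # (time_s, rssi_dbm), oldest first
        self.session_open = False
        self.far_since = None

    def record(self, t, rssi_dbm):
        """Store a sample and drop history older than twice the login window."""
        self.samples.append((t, rssi_dbm))
        horizon = t - 2 * self.recent_window_s
        while self.samples and self.samples[0][0] < horizon:
            self.samples.popleft()

    def _near(self, rssi_dbm):
        return rssi_dbm >= self.rssi_threshold_dbm

    def login_decision(self, now):
        """'auto_login' only if the token was near for the entire recent window
        AND we actually observed that whole window; otherwise fall back to the
        multi-factor credential prompt."""
        start = now - self.recent_window_s
        window = [r for (t, r) in self.samples if t >= start]
        history_covers_window = bool(self.samples) and self.samples[0][0] <= start
        if window and history_covers_window and all(self._near(r) for r in window):
            self.session_open = True
            self.far_since = None
            return "auto_login"
        return "prompt_credentials"

    def credentials_accepted(self):
        """Called by the wrapper after the user passed the credential prompt."""
        self.session_open = True
        self.far_since = None

    def evaluate_session(self, now):
        """Run on each new sample (or timer) while a session is open. Returns
        'none', 'proximity_alarm' (token just moved away: loss prevention) or
        'proximity_logout' (token away longer than the grace period)."""
        if not self.session_open:
            return "none"
        latest = self.samples[-1] if self.samples else None
        # Silence longer than the grace period counts as "far" as well.
        token_far = (latest is None
                     or (now - latest[0]) > self.logout_grace_s
                     or not self._near(latest[1]))
        if not token_far:
            self.far_since = None
            return "none"
        if self.far_since is None:
            self.far_since = now
            self.notify({"event": "proximity_alarm", "time": now})
            return "proximity_alarm"
        if now - self.far_since >= self.logout_grace_s:
            self.session_open = False
            self.notify({"event": "proximity_logout", "time": now})
            return "proximity_logout"
        return "none"


def simulate():
    """Constructed trace: token near from t=0 to t=45, user opens the app at
    t=0 (cold start) and t=40, then walks away with the token at t=50.
    Returns (decisions, notifications)."""
    notifications = []
    policy = ProximityPolicy(notify=notifications.append)
    decisions = []
    policy.record(0, -55)
    decisions.append(policy.login_decision(0))       # no history yet -> prompt
    for t in range(5, 45, 5):                         # t = 5 .. 40, token stays near
        policy.record(t, -55)
    decisions.append(policy.login_decision(40))      # 30 s of "near" -> auto_login
    policy.record(45, -60)
    decisions.append(policy.evaluate_session(45))    # still near -> none
    policy.record(50, -85)                            # token moves away
    decisions.append(policy.evaluate_session(50))    # first far sample -> alarm
    policy.record(55, -90)
    decisions.append(policy.evaluate_session(55))    # inside grace -> none
    policy.record(60, -90)
    decisions.append(policy.evaluate_session(60))    # grace elapsed -> logout
    decisions.append(policy.login_decision(60))      # window has far samples -> prompt
    return decisions, notifications


if __name__ == "__main__":
    for d in simulate()[0]:
        print(d)
```

The wrapper would call `login_decision()` where the original application showed its password screen (injecting stored credentials on `auto_login`), `evaluate_session()` from the proximity monitor while the app is in the foreground, and route `notify` events to the configuration console so IT is alerted the moment a token and device separate rather than hours later.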
Thus, a need exists for systems for automatically updating security of an application.