Q

IMEI authentication: OK as a mobile authenticator?

Is IMEI authentication a secure choice when considering a mobile authenticator? Randall Gamby explains why it may not be a wise choice.

Attackers recently used social engineering to convince mobile device users to hand over their International Mobile Equipment Identity (IMEI) numbers. I'm assuming this should never be used as an authentication factor, correct? Is it good practice to advise users/customers to never give out their IMEI numbers?

Ask the expert!

Randall Gamby, SearchSecurity.com's resident expert on identity management and access control, is standing by to answer your toughest enterprise IAM questions. Send in your questions today! (All questions are anonymous.)

There are two reasons why an organization wouldn’t use an International Mobile Equipment Identity (IMEI) when considering possible mobile authenticators. The first is that if the IMEI authentication number is compromised, which is possible using special tools, the IMEI can be easily ported to a stolen telephone that allows the rogue telephone operator to take advantage of the services the original device had access to, such as SMS authentication codes. 

More importantly, an IMEI is tied to a device, not an individual. If a user loses his or her unlocked telephone but doesn’t report it, anyone who picks up the telephone can use its applications. Identities should be technology-neutral, not tied to a device. 

To answer the second question, users and/or customers should never give out their IMEI numbers, or any other mobile-identifying information, unless the individual has initiated a call with his or her provider.

This was first published in June 2012

Dig deeper on Active Directory and LDAP Security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close