I was asked to investigate how to run certificate-based authentication on both Windows Mobile 6.5 and Symbian (Nokia) devices.

The most common type of authentication when running ActiveSync is Basic Authentication. This basically means that when the client (in this case your mobile phone) makes a request, it supplies a username and password. For security, SSL encryption is used so your username and password are not sent over the Internet in cleartext. Sure, you could skip the SSL certificate, but that would be a very stupid thing to do.

This SSL certificate needs to be issued by a CA (Certificate Authority). The easiest way is to buy it from a well-known CA such as Geotrust, Equifax, Thawte etc. The reason is that the CA has to be trusted by the device; otherwise you have to add the Root CA certificate manually. Your device (just like a Windows client) comes with a number of built-in CAs it trusts, and you should get an SSL certificate from one of them. For Windows Mobile, you find the trusted CAs in Start -> Settings -> System -> Certificates, on the Root tab.

To get complete access to the mailbox, all the device needs is the username and password (and the server address, of course). What if you want additional security? Then certificate-based authentication could be an option. With this, instead of configuring a username and password, the device uses a client certificate (issued to the actual user, not the device). Basically, on the configuration page where you usually supply username and password, it will just say “you’re using a certificate to authenticate instead“.

But what about the “two-factor authentication” that certificates are supposed to supply? Two factors means something you have (the certificate) and something you know (a password, or often a PIN code if we’re talking smartcards), yet here there is no password? What I suspect is that it counts because you usually (or at least SHOULD) configure the mobile phone with a phone password (not to be confused with the PIN for the SIM card). So every time you switch on the phone you need to supply this password, and often you also make sure the mobile phone asks for this password after X minutes of inactivity.

Also note that when you deploy certificate-based authentication, you prevent users who have only a username and password from synchronizing. However, there are ways to have two different server addresses, where one is used for basic authentication and the other one for certificate-based authentication.

The verdict: Certificate-based authentication is not as easy to manage if you have a lot of phones. Since you will need to add your Root CA certificate and issue client certificates for the user to each mobile phone, you should expect either highly skilled users and good HOWTOs, or even expect to personally help every user. Of course, there are tools like System Center Mobile Device Manager and other 3rd party tools to make this much easier, but if you’re just looking at ActiveSync and have a mix of models and brands, I would suggest you think it through before moving away from basic authentication, even though certificates are considered more secure.