What Does Fingerprint Scanning Mean For BYOD?

Fingerprint Scanning

Since its inception, any Apple announcement of a new product (or product revision) marks an important event in the technology world. From the first iPhone in 2007 onwards, any iPhone-related announcement has become an event in the mobile industry, and the latest iPhone 5s was no exception.

Apple’s latest update, the inclusion of a fingerprint scanner within the iPhone 5s, draws attention to one of the big challenges in today’s information security market: mobile security. The mobile market has grown dramatically in the last couple of years, not only in the number of devices deployed, but also in the security challenge it presents to IT organisations.

When mobile devices have the computing power of a small desktop, hacking into the organisational network via an employee’s mobile device is just a matter of time.

This is clearly a growing concern for enterprises that support Bring Your Own Device (BYOD) policies. However, up until the Apple announcement, employees – and this should read as all of us – have used the nonsensical 4-digit PIN (the default option) to protect their devices.

You see, we protect our desktops, cloud apps and web-based applications with password-management mechanisms, two-factor authentication and different IAM technologies, but when it comes to our mobile phones and tablets we use a ridiculously weak four-digit password that in most cases is our ATM PIN or date of birth. The default constrains only the length of the password, not its value.

Now, factor in another security risk: physical security. How many times have you lost your well-protected desktop? Compare this to the number of times your mobile device was lost, forgotten in a restaurant or even stolen.

Once your smartphone finds its way into a stranger’s hands, all they need to do is guess your 4-digit PIN, and all your personal info (images, phone numbers, banking applications, private IM conversations) and enterprise data (emails and data that can be shared through other mobile applications) are exposed.

And if, like many, you store other passwords on your device, then what is there to stop that person looking at the notepad on the device and gaining access to all the additional passwords and usernames for your digital world?

The number of unresolved issues and unanswered questions around Apple’s current implementation has created a consensus in the blogosphere that the Apple fingerprint sensor is intended for convenience more than security.

The unresolved issues include the question of how well Apple protects the fingerprint data that is stored on Apple servers and on the actual mobile device. Another concern is Apple’s decision not to provide enterprises with APIs that would enable storing the fingerprint data in the enterprise’s database. These issues should be resolved in subsequent iPhone releases.

As more sensitive (personal and enterprise) information is stored on mobile devices, I believe that the Apple move is a small step in the right direction, providing a new, additional layer of security that is lacking in today’s devices. With its fingerprint sensor, Apple has turned the spotlight on an important security challenge, which will undoubtedly lead to the development of more robust security features on mobile devices as these platforms mature.

Jason Hart

Jason Hart is VP Cloud Solutions, SafeNet. As a former ethical hacker with 18 years’ experience in the Information Security industry, Jason has used his knowledge and expertise to create technologies that ensure organisations stay one step ahead of the risks presented by ongoing advances in cyber threats and risks. Jason has published articles and white papers and continually appears on BBC, ITV, CNN, and CNBC as well as Radio 5, Sky News and BBC World News as an expert adviser on cyber security matters and issues. Jason regularly provides advice and guidance to Governments, Law Enforcement and Military agencies on Information Security matters globally.