Fingerprint scanner or passcode: Which is more secure for the enterprise
When Apple launched the Touch ID fingerprint scanner on the new iPhone, the race was on to hack it. A crowd-funded website was set up, istouchidhacked.com, where people pledged money as incentive for the first person who could upload a video demonstrating the hack. It took only a few days for a hacking team called the Chaos Computer Club to do just that.
It took a much less sophisticated effort to learn that the passcode on my iPad had its own set of flaws. One evening I caught my four-year-old son picking up my iPad, no doubt in search of cartoons. To my astonishment he seamlessly entered my four-digit passcode and within seconds had the Netflix app streaming an episode of Curious George. I’d never told him my passcode; he’d simply watched me enter it time after time and had it memorized.
Trying to keep kids away from too many cartoons is one thing, but unauthorized access to a mobile device containing confidential enterprise data can be a whole lot more serious. So what’s the best way to protect your enterprise data?
Almost every smartphone can be secured with a four-digit passcode, which must be entered each time the phone is used or after a period of inactivity. Despite the almost universal availability of this feature, around 64 percent of mobile device users don’t use any form of screen lock. Of those that do use a passcode, about two-thirds use a four-digit PIN, while the remainder use a longer PIN, a password or an unlock pattern.
As my son demonstrated, a four-digit passcode can be relatively simple to break. A few glances at somebody unlocking their phone, and you’ll likely be able to deduce their passcode. A four-digit passcode is also susceptible to brute-force attacks (trying different combinations of passcodes until one works), and in practice that is often not very difficult. According to a Time study, the most popular passcode is “1234,” followed by “0000.” Earlier versions of the iPhone and iPad could have their passcode cracked in under two minutes using malicious software.
Longer passcodes—actually passwords, as they consist of letters, numbers and other characters—make brute force attacks harder. But these suffer from the same deficiencies as passcodes (somebody can simply look over your shoulder to see what you entered), and often the user will write the password down so they will remember it, bringing more security concerns.
The Touch ID scanner on the iPhone 5s was one of the first fingerprint scanners to be added to a mobile device. It’s likely we’ll see this feature appearing on many more phones soon. Hacking Touch ID generated a lot of good headlines but did little to faze most security professionals.
Let me step you through the process. First, locate a pristine fingerprint that is authorized to unlock the phone (by itself not easy to find). Next, lift the print using a special type of glue and fingerprint powder to transfer the fingerprint to tape. Assuming you didn’t smudge the print you’re ready to start creating the fake fingerprint—with suitable experience it will take you a couple of hours and about $1,000 of equipment. Now give it a try, but you’d better cross your fingers as you only get five attempts before Touch ID will insist that you enter the passcode instead.
Clearly the everyday phone thief is not going to unlock your phone this way. Does that make fingerprint scanners safer than passcodes? Absolutely not—on the iPhone 5s you can at any point choose to unlock your phone with a passcode instead of the Touch ID sensor. So a fingerprint scanner is an alternative to passcodes but not a replacement.
Choosing the best option
Ultimately when it comes to security there is rarely a right answer. Nothing is completely secure. But some options are better than others. A four-digit passcode is better than no screen lock at all. A longer alphanumeric password or fingerprint scanner is better still.
The key is to ensure that whichever security policy you pick is enforced on all mobile devices where your enterprise data is stored. That’s where a mobile device management (MDM) solution can help. With it you can ensure the correct screen unlock policy is applied (and even control whether fingerprint scanners such as Touch ID are permitted). And should a mobile device get lost or stolen, you can remotely wipe the device to protect your enterprise data.
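The points above about weak four-digit codes, longer alphanumeric passwords and a centrally enforced unlock policy can be made concrete in code. The following Python script is an added example, not code from the original article or from any MDM product: it checks a candidate passcode against a simple policy (minimum length, alphanumeric requirement, a blocklist of well-known codes) and estimates how much an attacker gains from guessing. The blocklist contains the two codes the article cites (“1234” and “0000”) plus a few constructed extras for illustration; the `Policy` fields, the guess rate and the attempt budget are assumptions chosen for the example, not vendor defaults.

```python
"""Passcode-policy checker and brute-force estimate (added example)."""
import math
import string
from dataclasses import dataclass

# Constructed blocklist: "1234" and "0000" are the two codes cited in the text;
# the remaining entries are assumed, illustrative additions.
COMMON_PASSCODES = {"1234", "0000", "1111", "1212", "2580", "5555"}


@dataclass
class Policy:
    """A minimal screen-unlock policy of the kind an MDM would push to devices.
    The defaults here are assumptions for the example, not any vendor's defaults."""
    min_length: int = 6
    require_alphanumeric: bool = False  # must contain both letters and digits
    reject_common: bool = True


def check_passcode(passcode: str, policy: Policy) -> list:
    """Return the list of policy violations for `passcode` (empty means compliant).
    Violations are reported in a fixed order so callers can compare lists."""
    violations = []
    if len(passcode) < policy.min_length:
        violations.append("too_short")
    if policy.reject_common and passcode in COMMON_PASSCODES:
        violations.append("common_passcode")
    if policy.require_alphanumeric:
        has_letter = any(c.isalpha() for c in passcode)
        has_digit = any(c.isdigit() for c in passcode)
        if not (has_letter and has_digit):
            violations.append("not_alphanumeric")
    return violations


def keyspace(passcode: str) -> int:
    """Number of codes an attacker must consider for a code of this shape.
    The alphabet is inferred from the character classes actually used."""
    alphabet = 0
    if any(c.isdigit() for c in passcode):
        alphabet += 10
    if any(c.islower() for c in passcode):
        alphabet += 26
    if any(c.isupper() for c in passcode):
        alphabet += 26
    if any(c in string.punctuation for c in passcode):
        alphabet += len(string.punctuation)
    return alphabet ** len(passcode)


def seconds_to_exhaust(space: int, attempts_per_second: float) -> float:
    """Time to try every code if the device imposes no lockout (worst case)."""
    return space / attempts_per_second


def success_probability(space: int, attempt_budget: int) -> float:
    """Chance of guessing a uniformly random code before a lockout that allows
    only `attempt_budget` tries. A code on the blocklist is effectively budget 1."""
    return min(1.0, attempt_budget / space)


def entropy_bits(space: int) -> float:
    """Equivalent entropy of a uniformly chosen code from `space` candidates."""
    return math.log2(space)


if __name__ == "__main__":
    policy = Policy(min_length=6, require_alphanumeric=True)
    for candidate in ("1234", "739104", "Tr0ub4dor"):
        space = keyspace(candidate)
        print(f"{candidate!r}: violations={check_passcode(candidate, policy)} "
              f"keyspace={space} bits={entropy_bits(space):.1f} "
              f"exhaust@100/s={seconds_to_exhaust(space, 100):.0f}s "
              f"p(success in 10 tries)={success_probability(space, 10):.2e}")
```

The script shows two separate effects the article describes: a blocklist removes the “1234”/“0000” shortcut regardless of length, while length and character classes grow the keyspace so that an unbounded brute force becomes slow, and a lockout (the `attempt_budget`) bounds the attacker’s odds even when guessing is fast.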
And most important of all, beware of sharp-eyed children.