Security update: Biometrics, cloudy passwords and the ongoing Android Vs Apple debate
Last month’s launch of iOS 7 and the iPhone 5s raised a lot of questions for the mobile security industry. Will biometrics catch on, are cloud-stored passwords really secure and, of course, the eternal debate rolls on – which is more secure Apple or Android?
Are biometrics the next big thing?
So many factors need to be in place for a technology to catch on. Context is everything – how usable is it, do consumers want it and how much does it cost? The past year has seen an explosion in awareness of privacy and security issues by everyday end users. With this in mind, it’s likely now is the right time for Apple to bring out biometric capabilities.
From the industry perspective, having a well-implemented, widely-deployed, integrated biometric sensor (Touch ID) in the new iPhone 5s is a great security addition.
Adding in additional layers of authentication to an app could be of potential interest for a number of use cases. It will also be interesting to see how developers can take advantage of Touch ID.
While Touch ID is a timely and welcome innovation, it shouldn’t be considered a security cure-all. This is especially true in the context of BYOD, where devices are likely to have multiple fingerprints registered to the device.
Biometrics control access, which is important, but controlling data that can be accessed is even more essential. If you allow a user free reign once they gain access to the device, your security policy is flawed.
Imagine a husband having fingerprint access to his wife’s personal iPad that she also uses for business. We wouldn’t want the husband to have inappropriate access to Enterprise apps and data, but at the same time what right does a company have to limit use of a personal device at home? For this reason, enterprises will still demand authentication to be separate from that of the device.
Biometrics does offer a way to crystalise one of the big challenges facing the mobile industry: identity management. It’s a more nuanced task, as the balance needs to be struck between what information is reasonable to enter and requiring something unique or that only the genuine person will know. Biometrics could be it.
Passwords in the cloud
A huge haul of passwords is a challenge for pretty much anyone who uses a computer these days. We know we need strong, unique passwords but keeping track of them is difficult.
Apple is now offering a service, which will store passwords and credit card details. The information can then be auto-filled when signing into a website or making a purchase. A great idea, but users need to be wary of what information is stored and ready for auto-fill. In this regard it’s not too different from many other services out there, but being incorporated into iCloud it’s likely to get significantly more use.
The simplest way to think about it is like this – our lives require different containers. Am I comfortable having my Facebook or Twitter password saved on iCloud ready for auto-fill? Probably. Am I comfortable having passwords for a banking app or an app that contains sensitive corporate data? Not on your life.
Apple VS Android… how can they be secured?
There are differences between platforms when it comes to security. One difficulty stems from the vast number of different flavours of Android. Estimates put the number of Android phone models at about 4,000. That stands against just six iPhones and an assortment of Windows phones.
There are other technical ways that the different operating systems can be hardened, but trying to secure the whole device or OS is really a backward approach. Ultimately there are specific pockets of data that need protecting and the focus should be on those areas.
The best way to tackle secure mobility is to essentially ignore the OS and take a containerised approach that looks at securing specific apps or programmes and, most importantly, the data within – rather than the whole device. This allows IT teams to worry less about which device an employee is using and focus on protecting the asset that is most important to the company, the information.
While offering personal privacy to end-users it also removes concerns about which device enterprise employees are using. As long as the managed container is secure, the device or OS is of no real consequence.
Security technology delivers endless innovations, but seeing something as cool and sci-fi as a thumbprint-access for a mobile phone can make it easy to forget what the focus should be.
Regardless of the innovation, ultimately it’s just another tool to find new ways to secure information, and protect our privacy.
This was posted in Bdaily's Members' News section by Phil Barnett .