The consumerization of IT and business bring your own device (BYOD) programs have resulted in potential security problems for IT leaders, according to Gartner Inc. (http://www.gartner.com).
User expectations of a clean and simple mobile user experience often outweigh security concerns, and the same valuable data guarded by complex passwords and security measures on personal computers [PCs] can be left vulnerable on mobile devices. Gartner predicts that, by 2016, 30% of organizations will use biometric authentication on mobile devices, up from five percent today.
“Mobile users staunchly resist authentication methods that were tolerable on PCs and are still needed to bolster secure access on mobile devices,” says Ant Allan, research vice president at Gartner. “Security leaders must manage users’ expectations and take into account the user experience without comprising security.”
While most organizations require robust passwords on laptops, smartphones and tablet devices often have access to the same applications and critical data but not the same levels of security. The increased number of devices in play also exacerbates the exposure of critical information. Implementing standard power-on password policies is made much more complex by the acceptance of BYOD practices, with the inevitable clash over user rights and privacy.
While complex passwords can be especially problematic for users to type on mobile devices, if these devices hold corporate data or provide access to corporate systems such as email without further login, even a default four-digit password is inappropriate. However, support for more robust power-on authentication is patchy, with only a few mobile operating systems and devices supporting biometric authentication. Even in cases that do offer this support, the implementation may not be good enough for business use.
“An eight-digit numeric password will require hours to recover, and that will discourage casual hackers with toolkits,” says John Girard, vice president and distinguished analyst at Gartner. “However, even a six-character lowercase alphanumeric password can provide billions of values. For most practical purposes, hackers are not prepared to pursue this large a set of combinations due to the relatively slow speeds involved in brute force attacks against smartphones and tablets.”
Gartner recommends that a password policy requiring use of at least six alphanumeric characters, and prohibiting dictionary words, is enforced on devices with access to corporate information via mobile device management (MDM) tools.