Gartner predicts that, by 2016, 30 percent of organizations will use biometric authentication on mobile devices, up from five percent today.
“Mobile users staunchly resist authentication methods that were tolerable on PCs and are still needed to bolster secure access on mobile devices. Security leaders must manage users’ expectations and take into account the user experience without compromising security,” said Ant Allan, research vice president at Gartner.
The increased number of devices in play also exacerbates the exposure of critical information. Implementing standard power-on password policies is made much more complex by the acceptance of BYOD practices, with the inevitable clash over user rights and privacy.
While complex passwords can be especially problematic for users to type on mobile devices, if these devices hold corporate data or provide access to corporate systems such as email without further login, even a default four-digit password is inappropriate.
“An eight-digit numeric password will require hours to recover, and that will discourage casual hackers with toolkits,” said John Girard, vice president and distinguished analyst at Gartner. “However, even a six-character lowercase alphanumeric password can provide billions of values. For most practical purposes, hackers are not prepared to pursue this large a set of combinations due to the relatively slow speeds involved in brute force attacks against smartphones and tablets.”
Gartner recommends that a password policy requiring at least six alphanumeric characters, and prohibiting dictionary words, be enforced via mobile device management (MDM) tools on devices with access to corporate information.
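As an added example (not from the Gartner report or any MDM product), the following Python sketch shows the policy check an MDM tool would enforce for the recommendation above and the keyspace arithmetic behind the figures quoted earlier; the dictionary word list and the guess rate are constructed assumptions.

```python
import string

# Constructed stand-in for an MDM dictionary list (assumption: a real
# deployment would load a full word list; these six words are illustrative).
DICTIONARY = {"password", "welcome", "summer", "monkey", "letmein", "secret"}

def check_policy(pw, min_len=6, dictionary=DICTIONARY):
    """Return the policy violations for the MDM policy the article describes:
    at least six alphanumeric characters and no dictionary words.
    An empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append("too short")
    if not all(c in string.ascii_letters + string.digits for c in pw):
        problems.append("non-alphanumeric")
    lowered = pw.lower()
    for word in sorted(dictionary):
        if word in lowered:
            problems.append("dictionary word: " + word)
    return problems

def keyspace(alphabet_size, length):
    """Number of candidate values an exhaustive search must cover."""
    return alphabet_size ** length

def hours_to_exhaust(space, guesses_per_second):
    """Worst-case hours to try every candidate at a fixed guess rate.
    The rate is an assumption; on-device lockouts and throttling keep
    real rates far below offline cracking rates."""
    return space / guesses_per_second / 3600.0

# The three policies contrasted in the article (sizes are plain arithmetic;
# the 10,000 guesses/second rate is a constructed illustration).
POLICIES = {
    "4-digit PIN": (10, 4),
    "8-digit numeric": (10, 8),
    "6-char lowercase alphanumeric": (36, 6),
}

if __name__ == "__main__":
    rate = 10_000.0
    for name, (alpha, length) in POLICIES.items():
        space = keyspace(alpha, length)
        print(f"{name:32s} {space:>14,d} values  "
              f"{hours_to_exhaust(space, rate):>10.2f} h at {rate:,.0f}/s")
    for candidate in ["1234", "summer1", "x7k2pq", "ab-cd1"]:
        print(candidate, check_policy(candidate) or "OK")
```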
“The best practice is to use encryption that is not tied to the primary power-on authentication, meaning the key cannot be recovered from the device after a soft wipe operation has been performed.”
In addition, Gartner recommends that a further authentication method (at a minimum, another password) be used for access to sensitive corporate applications and data.
In some cases, higher-assurance authentication is required. On PCs, a standalone hardware token has traditionally been used to provide this additional authentication.
“Traditional authentication of this kind is often spurned in mobile use cases, because of the poor user experience with most kinds of hardware tokens,” said Allan.
Software tokens, such as X.509 credentials on the endpoint, provide options in this case, but often need MDM tools to be implemented properly and still require additional controls to provide the higher-assurance authentication necessary in some organizations.