The consumerization of IT and business bring your own device (BYOD) programs have resulted in potential security problems for IT leaders, according to Gartner.
User expectations of a clean and simple mobile user experience often outweigh security concerns, and the same valuable data guarded by complex passwords and security measures on PCs can be left vulnerable on mobile devices.
Gartner predicts that, by 2016, 30% of organizations will use biometric authentication on mobile devices, up from 5% today.
“Security leaders must manage users’ expectations and take into account the user experience without compromising security,” said Ant Allan, research vice president at Gartner.
Gartner has identified some potential security impacts of the consumerization of IT, and has made some recommendations for IT security leaders.
First, Gartner recommends that a password policy requiring the use of at least six alphanumeric characters, and prohibiting dictionary words, be enforced via mobile device management (MDM) tools on devices with access to corporate information.
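The two rules in that recommendation (at least six alphanumeric characters, no dictionary words) are small enough to spell out as a validator. The following is an added example and not Gartner's or any MDM vendor's code; in practice the MDM tool pushes the policy to the device and the operating system enforces it at unlock, while a check like this one would sit wherever the organization sets or audits passwords. The word list is a constructed five-entry stand-in for a real dictionary, and the decision to compare the letters-only core of the candidate (so that `Summer2014` is still treated as the dictionary word `summer`) is this example's own choice, slightly stricter than the wording on the page.

```python
import re

# Minimum number of alphanumeric characters, as in the recommendation.
MIN_ALNUM = 6

# Constructed mini word list for the example; a real deployment would load a
# full dictionary or breached-password corpus instead of these few entries.
DICTIONARY_WORDS = {"password", "welcome", "summer", "monkey", "dragon"}


def alphabetic_core(candidate: str) -> str:
    """Lower-case the candidate and keep only letters, so that a dictionary
    word padded with digits or symbols ('Summer2014', 'monkey!') is still
    compared against the word list as 'summer' / 'monkey'."""
    return re.sub(r"[^a-z]", "", candidate.lower())


def check_password_policy(candidate: str, dictionary=DICTIONARY_WORDS) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []

    # Rule 1: at least six alphanumeric characters (symbols may be present,
    # but they do not count towards the minimum).
    alnum_count = sum(1 for c in candidate if c.isascii() and c.isalnum())
    if alnum_count < MIN_ALNUM:
        violations.append(
            f"only {alnum_count} alphanumeric characters (need {MIN_ALNUM})"
        )

    # Rule 2: no dictionary words, checked on the letters-only core.
    core = alphabetic_core(candidate)
    if core and core in dictionary:
        violations.append(f"based on dictionary word '{core}'")

    return violations


def is_compliant(candidate: str, dictionary=DICTIONARY_WORDS) -> bool:
    """Convenience wrapper: True when no rule is violated."""
    return not check_password_policy(candidate, dictionary)


if __name__ == "__main__":
    # Constructed sample candidates, not real user passwords.
    for pw in ["abc", "Summer2014", "monkey!", "x7Qp9z", "Pass!"]:
        print(f"{pw!r:14} -> {check_password_policy(pw) or 'OK'}")
```

Note that the six-character minimum is the figure the page quotes; a validator like this makes it easy to raise the threshold or swap in a larger word list without changing the enforcement logic.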
For lost or stolen devices, the best practice is to use encryption that is not tied to the primary power-on authentication, meaning the key cannot be recovered from the device after a soft wipe operation has been performed.
Second, Gartner recommends that a further authentication method — at a minimum, another password — should be used for access to sensitive corporate applications and data.
In some cases, higher-assurance authentication is required. Software tokens, such as X.509 credentials on the endpoint, provide options in this case, but often need MDM tools to be implemented properly and still require additional controls to provide the higher-assurance authentication necessary in some organizations.
Finally, security leaders should evaluate biometric authentication methods where higher-assurance authentication is required.
Suitable authentication modes include interface interactivity, voice recognition, face topography and iris structure. These modes can be used in conjunction with passwords to provide higher-assurance authentication without requiring any significant change in user behavior.
Moreover, as a mobile device itself provides a rich node of identity-relevant contextual data, this information can also be used to increase the trust in the claimed identity. It is possible that the combination of passive biometric authentication and contextual authentication will provide sufficient assurance in medium-risk scenarios without the need for “gateway” authentication events using passwords or tokens.
It is also important, when planning a comprehensive authentication policy that includes mobile devices, to consider the burden on organizations and users alike so that the policy is sustainable. Combinations of X.509 credentials on the endpoint, low-friction biometric modes and contextual authentication will likely fit the bill.
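To make the layered policy from the last few paragraphs concrete, here is an added example (not Gartner's model or any product's logic) of a small decision function that picks the authentication factors to demand for a request, based on the sensitivity of the application and on contextual signals the device can supply. It follows the text's structure: unenrolled devices are refused, low-sensitivity access rides on the device unlock alone, sensitive applications get a step-up password, higher-assurance access needs an X.509 credential on the endpoint plus password and biometric, and a medium-risk request can skip the password "gateway" event when a strong passive biometric match is corroborated by context. The 0.8 biometric threshold, the three context signals and the "two of three" corroboration rule are this example's own assumptions; real deployments would tune them from their own risk assessment.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Sensitivity(Enum):
    """Sensitivity of the application or data being requested."""
    LOW = 1      # e.g. cafeteria menu, public intranet pages
    MEDIUM = 2   # e.g. corporate e-mail, calendar
    HIGH = 3     # e.g. finance or HR systems needing higher assurance


@dataclass
class AccessContext:
    """Signals the mobile device can report with a request (constructed fields)."""
    device_enrolled: bool                    # known to the MDM tool
    has_x509_credential: bool                # software token present on endpoint
    passive_biometric_score: Optional[float] # 0.0 .. 1.0, or None if unavailable
    known_network: bool                      # e.g. the usual home/office Wi-Fi
    usual_hours: bool                        # request during the user's normal hours
    typical_location: bool                   # coarse location matches history


# Assumed thresholds for the example.
BIOMETRIC_THRESHOLD = 0.8   # passive match score treated as "strong"
MIN_CORROBORATION = 2       # how many of the three context signals must agree


def context_signals(ctx: AccessContext) -> int:
    """Count the contextual signals that corroborate the claimed identity (0..3)."""
    return sum([ctx.known_network, ctx.usual_hours, ctx.typical_location])


def required_factors(sensitivity: Sensitivity,
                     ctx: AccessContext) -> Optional[Tuple[str, ...]]:
    """Return the tuple of factors the user must satisfy, or None to deny."""
    # Only MDM-enrolled devices may reach corporate information at all.
    if not ctx.device_enrolled:
        return None

    if sensitivity is Sensitivity.LOW:
        return ("device_unlock",)

    strong_biometric = (ctx.passive_biometric_score is not None
                        and ctx.passive_biometric_score >= BIOMETRIC_THRESHOLD)

    if sensitivity is Sensitivity.MEDIUM:
        # Passive biometric + corroborating context can replace the password
        # gateway event; otherwise fall back to a step-up password.
        if strong_biometric and context_signals(ctx) >= MIN_CORROBORATION:
            return ("device_unlock", "passive_biometric")
        return ("device_unlock", "password")

    # HIGH: higher assurance needs the software token on the endpoint, plus the
    # additional controls the text mentions (password and a biometric mode).
    if not ctx.has_x509_credential:
        return None
    return ("device_unlock", "password", "biometric", "x509")


if __name__ == "__main__":
    # Constructed scenarios.
    at_desk = AccessContext(True, True, 0.9, True, True, True)
    travelling = AccessContext(True, True, 0.9, False, False, True)
    for label, ctx in [("at_desk", at_desk), ("travelling", travelling)]:
        for level in Sensitivity:
            print(f"{label:10} {level.name:6} -> {required_factors(level, ctx)}")
```

The point of returning the factor tuple rather than a yes/no is that the burden on the user becomes visible in the policy: for the common at-the-desk medium-risk case the user sees no prompt at all, while the same user travelling on an unknown network gets one extra password, and only the high-sensitivity systems ever demand the full X.509-plus-password-plus-biometric combination.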