Tuesday, April 10, 2012

Mobile Security Conundrum

Typing a password on your mobile device can be a pain. The keyboard is tiny, and the password gets in the way of the convenience and productivity that are the reasons to use a smartphone in the first place. Chances are you only have a short password of 4 or 5 characters. Your password is probably a string of easy-to-type numbers like “1-2-3-4” or a simple word. Strong passwords consisting of a combination of lowercase and uppercase letters, numbers and special characters, at least 8-10 characters in length, are not very practical on a mobile device.

The problem is that mobile devices are easy to lose, and when they fall into the wrong hands, such simple passwords are just too easy to guess. On top of that, it is quite likely that many of your important files have been copied onto your device via synchronization.
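To put numbers on that point, here is a small added calculator (my code, not part of the original post) comparing the guess space of a 4-digit PIN with that of an 8-character mixed password, and showing how a device-side throttling or wipe-after-N-failures policy changes the picture for a lost device. The throttling schedule and the wipe threshold are constructed values for illustration, not any vendor's actual rules.

```python
from math import log2

DIGITS = 10                  # numeric PIN alphabet
MIXED = 26 + 26 + 10 + 32    # lower, upper, digits and 32 printable specials = 94

def keyspace(alphabet_size, length):
    """Number of distinct secrets of exactly `length` symbols."""
    return alphabet_size ** length

def entropy_bits(alphabet_size, length):
    """Bits of entropy for a uniformly chosen secret."""
    return length * log2(alphabet_size)

def expected_guesses(space):
    """Average number of tries needed to hit a uniformly chosen secret."""
    return (space + 1) / 2

def unthrottled_hours(space, guesses_per_second):
    """Hours to find the secret on average when the device imposes no delay."""
    return expected_guesses(space) / guesses_per_second / 3600

def throttled_seconds(guesses, delays, cap=3600):
    """Wall-clock seconds for `guesses` attempts under a constructed policy:
    attempt k waits delays[k] seconds if k < len(delays), else `cap` seconds."""
    return float(sum(delays[k] if k < len(delays) else cap for k in range(guesses)))

def wipe_success_probability(space, attempts_before_wipe):
    """Chance of guessing the secret before a wipe-after-N-failures policy fires."""
    return min(attempts_before_wipe, space) / space

def demo():
    """Returns the comparison a defender would want to see for a lost device."""
    pin_space = keyspace(DIGITS, 4)
    pw_space = keyspace(MIXED, 8)
    # Constructed escalation schedule: five free tries, then 1 min, 5 min,
    # 15 min, 1 h, and 1 h for every attempt after that.
    schedule = [0, 0, 0, 0, 0, 60, 300, 900, 3600]
    return {
        "pin_keyspace": pin_space,
        "pin_bits": round(entropy_bits(DIGITS, 4), 1),
        "password_bits": round(entropy_bits(MIXED, 8), 1),
        "pin_unthrottled_hours_at_1_per_s": unthrottled_hours(pin_space, 1.0),
        "pin_throttled_hours_for_all_guesses": throttled_seconds(pin_space, schedule) / 3600,
        "pin_success_before_wipe_after_10": wipe_success_probability(pin_space, 10),
        "password_unthrottled_years_at_1e9_per_s": unthrottled_hours(pw_space, 1e9) / (24 * 365),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the last two entries is that a short PIN is only defensible when the device itself limits guesses; the strong password resists even an offline attacker, but only if it is never typed on a tiny keyboard.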

With device-to-device data synchronization via cloud-based synchronization tools, ranging from consumer-oriented ones like Dropbox to the enterprise-focused OpenText Tempo, security is becoming an increasing concern. For a minute, let’s not worry about the security of the actual repository and the private cloud vs. public cloud debate. Let’s talk about the security of the data stored on the device.

Synchronization ensures that there is a current copy of your files on each mobile device, which is tremendously convenient, especially if you are switching between devices throughout the day like I do - iPhone, iPad, work PC and home iMac. But the convenience comes at a price - you have to trust that each device is secure, and that security starts with a good password. Yet good, strong passwords are just too impractical on a mobile device, and most users don’t use them.

How do we solve this conundrum?

Well, there's not much you can do in the short term other than educating the users or perhaps imposing draconian password rules if the device connects to your corporate network. The draconian approach may work, but it will likely result in undesired behavior - the users will find ways around your network security.

In the long term, the device manufacturers will need to step up. The devices will need to be secured via a typing-free authentication method. One such method involves biometrics. A fingerprint scanner, face recognition or a retina scan could solve the problem. Some of us frequent travelers have signed up for easy border crossing services such as Nexus or GlobalEntry, which use retina scan technology. It works! In fact, these technologies are available for our smartphones today, although they are not quite mainstream yet. Scanning is still relatively slow if I want to make a quick phone call, but probably faster and easier than typing a strong password. And much more secure!

Voice-print-based passwords are another possibility. Combining the pass phrase with the color and intonation of your voice is faster and more convenient than typing on a small screen. But ambient noise might represent a challenge. Besides, I don’t want to sit on a plane next to someone repeating his password once every five minutes...

Another possibility is the use of NFC technology (near field communication), which uses an RFID chip. This chip could be carried on the user’s body in the form of an ID card, bracelet or ring (remember Scott McNealy’s Java ring from the 1998 JavaOne conference?). Such loosely attached chips could still be lost or stolen, but even with that risk, the security might be stronger than a “1-2-3-4” password. The chip could also be implanted into the person’s body, which would make things much more secure and much more convenient. Imagine if your device could verify your identity several times per minute without ever interrupting your work!

OK, OK, I can hear your screams about Big Brother and the government’s invasion of your privacy. But what privacy? If you move around a city, your image is captured on hundreds of security cameras. To get a driver’s license or a passport, you’ve surrendered your picture and fingerprints. Consciously or unconsciously, you pass through multiple security checkpoints every day - from transportation security, public building entrances and hotel check-ins to in-store purchases. Oh, and your mobile phone includes a GPS chip that can be tracked by law enforcement even if the phone is switched off.

Alright, implanted RFID chips may still be a bit of a stretch. But somehow, we will need to solve the conundrum of strong security on mobile devices...
