BYOD and biometrics in the enterprise - ally or enemy?
by Richard Moulds - VP Strategy Thales e-Security - Friday, 3 January 2014.
BYOD continues its victory march as the enabler of choice among employees juggling increasingly intertwined home and work lives – for IT managers, however, it is the stuff of nightmares. The risks to the enterprise have been written about many times, so I shall not repeat them on this occasion.

However, as smartphone capabilities evolve, the balance between “IT friend” and “IT foe” must be constantly re-evaluated. The advent of mainstream biometric technology in smartphones is a great example of how the tables might be turning. But what is the true potential of this technology for the enterprise?

Biometric technology certainly opens up a host of new possibilities and an entirely new level of security for BYOD devices. For a start, biometrics does ‘feel’ (pun intended) more secure than passwords. After all, biometric information can’t be easily guessed or shared among users, and therefore offers the potential to deliver a higher level of assurance, at least for basic device access.

But could the benefits go further? It’s inevitable that personal devices will hold ever-increasing amounts of corporate data – and with confidence in passwords fading it is hoped that biometrics will lead the way towards greater security and data protection within the enterprise.

Biometrics is particularly well suited to mobile devices with their plethora of on-board sensors – including cameras, microphones and the fingerprint technology now boasted by Apple.

Traditionally, the only way to get this type of authentication technology into the hands of corporate users was by issuing dedicated tokens, which are costly and complex to deploy and often represent a barrier to all but the most security-conscious (and well-funded) organizations.

Using the actual phone as a token is not only cheaper for businesses than issuing tokens to the workforce, it also means that the same experience can be applied when accessing apps from a phone or from the desktop or even physical access – and when it comes to security, consistency is a good thing.

This is where the phone really does become a corporate ally, bypassing the huge expense of giving staff traditional authentication tokens such as OTP widgets and smart cards. There are also fringe benefits: people never forget to bring their phone to the office, and since it’s a familiar device the user experience is improved. Years of experience tell us that happy users don’t try to dodge the system in an attempt to side-step inconvenient controls.

Sounds great, but the big question is whether biometrics is ready for prime time. Biometrics is hardly a ‘one size fits all’ solution. For some users, biometrics simply doesn’t work – the fingerprint won’t scan, the iris isn’t recognised and the voice goes unrecognised. Unlike passwords and tokens, biometrics is indicative rather than definitive: it’s not a binary go/no-go, and there is room for error – false negatives and false positives. This lack of reliability means that a fall-back is always necessary.

These secondary forms of authentication can range from behavioural traits to geo-location data and other credentials such as certificates – but all too often they come in the form of a good old-fashioned password. The danger with this is obvious – a cyber-criminal could simply bypass the sophisticated biometric system by performing a basic password reset. The challenge is therefore to introduce strong, comprehensive back-up systems without driving costs sky-high or complicating the user experience.
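The weakest-link argument above can be made concrete with a small model. The following is an added example, not code from the author or from Thales; the error rates and compromise probabilities it uses are constructed for illustration, and the `Factor`, `fallback_rates` and `effective_rates` names are my own. It compares a biometric whose fall-back is a resettable password alone against one whose fall-back also requires a certificate held on the phone.

```python
"""Weakest-link model for a biometric login with a fall-back path.

Added, constructed example: the rates are illustrative, not measured. An
impostor who can deliberately fail the biometric gets to choose the
fall-back path, so the system is only as strong as the easier route.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Factor:
    """A fall-back credential with assumed per-attempt probabilities."""
    name: str
    p_compromise: float  # chance an attacker can satisfy this factor
    p_user_fail: float   # chance the legitimate user cannot satisfy it


def fallback_rates(factors):
    """All fall-back factors must pass (AND); failures assumed independent."""
    p_attacker, p_user_ok = 1.0, 1.0
    for f in factors:
        p_attacker *= f.p_compromise
        p_user_ok *= 1.0 - f.p_user_fail
    return p_attacker, 1.0 - p_user_ok


def effective_rates(far, frr, factors):
    """Return (impostor_accept, user_lockout) for biometric-with-fallback.

    FAR: biometric false-accept rate; FRR: false-reject rate. The attacker
    takes the better of passing the biometric by chance or going straight
    to the fall-back; a real user is locked out only if both reject them.
    """
    p_fb_attacker, p_fb_user_fail = fallback_rates(factors)
    return max(far, p_fb_attacker), frr * p_fb_user_fail


# Constructed scenarios: a resettable password alone versus password plus a
# certificate bound to the phone itself.
PASSWORD = Factor("password (resettable)", p_compromise=0.05, p_user_fail=0.02)
DEVICE_CERT = Factor("device certificate", p_compromise=0.001, p_user_fail=0.001)
FAR, FRR = 0.0001, 0.03  # illustrative biometric error rates

if __name__ == "__main__":
    for label, factors in [("password only", [PASSWORD]),
                           ("password + cert", [PASSWORD, DEVICE_CERT])]:
        accept, lockout = effective_rates(FAR, FRR, factors)
        print(f"{label:16} impostor accept={accept:.5f} lockout={lockout:.5f}")
```

With a password-only fall-back the impostor acceptance rate is set by the password, not by the biometric; once a device-bound certificate is also required, the biometric's own FAR becomes the limiting path again.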

