Nearly a third of businesses to use biometrics by 2016


Nearly a third of organisations (30 per cent) will use biometric authentication for mobile devices by 2016, according to Gartner.

A report by the analyst firm claims the less secure authentication methods used in mobile devices, especially personal devices, pose a security risk to businesses. Despite this, currently biometrics are only used in five per cent of devices.

The analysts said mobile devices now had access to the same applications and data as PCs and laptops but did not have the same level of security. The report added that the growing number of devices has increased the exposure of critical information, and that enforcing standard power-on password policies is made much more complex by the acceptance of BYOD practices, with the inevitable clash over user rights and privacy.

It also said that entering complex passwords on mobile devices was especially problematic for users. "If these devices hold corporate data or provide access to corporate systems such as email without further login, even a default four-digit password is inappropriate," the analyst firm said.

"An eight-digit numeric password will require hours to recover, and that will discourage casual hackers with toolkits," said John Girard, vice president and distinguished analyst at Gartner. "However, even a six-character lower case alphanumeric password can provide billions of values. For most practical purposes, hackers are not prepared to pursue this large a set of combinations due to the relatively slow speeds involved in brute force attacks against smartphones and tablets."

The analysts recommended that a password policy requiring at least six alphanumeric characters and prohibiting dictionary words be enforced, through mobile device management (MDM) tools, on any device with access to corporate information.
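The two points above, the keyspace arithmetic behind Girard's comparison of an eight-digit PIN with a six-character lower-case alphanumeric password and the recommended six-alphanumeric, no-dictionary-word policy, can be made concrete in a small checker. This is an added example, not code from the article or from Gartner; the guess rate and the tiny word list are assumptions to be replaced with real values.

```python
import string

# Constructed stand-in for a real dictionary (assumption for the example).
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "dragon"}

MIN_ALNUM = 6  # the policy quoted in the article: at least six alphanumerics


def charset_size(password: str) -> int:
    """Size of the smallest alphabet an attacker must search for this password:
    each character class present in the password adds its class size."""
    classes = [
        (string.digits, 10),
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.punctuation, len(string.punctuation)),
    ]
    return sum(size for chars, size in classes if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of candidates of the same length drawn from the same alphabet."""
    return charset_size(password) ** len(password)


def exhaustive_search_hours(password: str, guesses_per_second: float) -> float:
    """Hours to try the whole keyspace at an assumed online guess rate, which
    for a device-lockscreen attack is small because each attempt is serialised."""
    return keyspace(password) / guesses_per_second / 3600


def policy_violations(password: str) -> list:
    """Check the recommended device policy: at least six alphanumeric
    characters and no dictionary words (case-insensitive substring match)."""
    violations = []
    if sum(c.isalnum() for c in password) < MIN_ALNUM:
        violations.append(f"fewer than {MIN_ALNUM} alphanumeric characters")
    lowered = password.lower()
    for word in sorted(DICTIONARY):
        if word in lowered:
            violations.append(f"contains dictionary word '{word}'")
    return violations


if __name__ == "__main__":
    for pw in ("1234", "12345678", "abc123", "password1"):
        print(pw, keyspace(pw), round(exhaustive_search_hours(pw, 100.0), 1),
              policy_violations(pw))
```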

It warned that the controls some organisations rely on to counter the risks from a lost or stolen device, wiping it after a limited number of incorrect password entries or by remote command, are not sufficient on their own. "This practice does not wholly mitigate the risk because solid-state memory is nearly impossible to overwrite," said Girard.

"The best practice is to use encryption that is not tied to the primary power-on authentication, meaning the key cannot be recovered from the device after a soft wipe operation has been performed."

It said organisations should evaluate biometric authentication methods where higher-assurance authentication is required. Suitable authentication modes include interface interactivity, voice recognition, face topography and iris structure. These modes can be used in conjunction with passwords to provide higher-assurance authentication without requiring any significant change in user behaviour.

"Mobile users staunchly resist authentication methods that were tolerable on PCs and are still needed to bolster secure access on mobile devices," said Ant Allan, research vice president at Gartner. "Security leaders must manage users' expectations and take into account the user experience without compromising security."

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.