Mobile device security: Improving mobile authentication

Mobile device security can be improved with the use of various mobile authentication methods such as password policies, biometrics and smart cards.

In a recent survey by SearchMobileComputing.com, 70% of participants said that when it came to mobile devices used for business, device loss or theft was their top security concern. Yet only half of them had a policy that required power-on passwords, and just 41% enforced their policies.

Password logins have long been a staple on corporate desktops and laptops. All popular mobile operating systems now support power-on passwords, which could easily deter unauthorized use of a lost or stolen device. So why don't more mobile users actually enable password authentication? And what can be done to improve that?

Password promise and pain
If you left your PDA or smartphone in a cab, a power-on password would prevent whoever found it from casually browsing content, racking up calls, and sending email as you. That password would also dent resale value and perhaps even prompt safe return.

Note that I said "casually." Short, simple passwords are notoriously weak -- easily guessed, easily shared. To deter brute-force guessing, many companies establish minimum password length and complexity rules. Some also use strike counters to lock down or hard-reset a mobile after repeated login failures. Enforcing such measures can make password authentication more effective. But they don't improve usability.

Compared with laptops, PDAs and smartphones are used far more frequently, for much shorter tasks, demanding near-instantaneous availability. Authentication methods that get in the way are disabled; this is the main reason that PINs go unused on mobile devices. Convenience often trumps security -- especially if nothing enforces policy.

Making passwords more palatable
Putting aside security strength for the moment, how could employers make PDA and smartphone passwords more user-friendly? Companies do have reasons for insisting on power-on passwords. Passwords cost nothing to create. They are supported by just about every device. They are familiar to users and help desks.

In fact, if passwords are required, most users would prefer to use the same password to unlock everything they touch. Enterprise mobile security products can help by using single-sign-on to transparently log the user into their WLAN, VPN and Windows domain following power-on authentication.

Too-frequent prompting for even one password can still be a problem, however. Sleep timers may require login after just seconds or minutes of inactivity. To make this more tolerable, some mobile security products can defer auto-locking by detecting passive use or owner proximity, such as when GPS route navigation is under way or a paired Bluetooth headset/speakerphone is active. Grace timers can also let users skip re-authentication if their device is reawakened within a reasonable period. For example, you might have your PDA sleep after two minutes of inactivity to conserve battery power but prompt for password entry only when asleep for longer than 30 minutes.
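The sleep timer, grace timer and passive-use deferral described above can be modeled as a small replay function. This is an added sketch, not code from the article or from any mobile security product; the event names and the `LockPolicy` and `replay` identifiers are assumptions, and the timeline is constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class LockPolicy:
    sleep_after: int = 2 * 60    # idle seconds before the device sleeps
    grace: int = 30 * 60         # seconds asleep before a password is required


def replay(policy, events):
    """Replay (time_s, event) pairs and classify every user touch.

    Events: 'touch', 'passive_on', 'passive_off' (names are assumptions).
    Returns (time_s, outcome) per touch: 'awake', 'resume' or 'password'.
    """
    idle_from, passive, out = 0, False, []
    for t, ev in events:
        # Passive use (navigation, paired headset) stops the idle timer.
        asleep = not passive and t - idle_from >= policy.sleep_after
        if ev == "passive_on":
            if not asleep:               # a sleeping device stays asleep
                passive = True
        elif ev == "passive_off":
            if passive:                  # idle timer restarts when passive use ends
                passive, idle_from = False, t
        elif ev == "touch":
            if not asleep:
                out.append((t, "awake"))
            else:
                slept_for = t - (idle_from + policy.sleep_after)
                # Prompt only when asleep for longer than the grace period.
                out.append((t, "password" if slept_for > policy.grace else "resume"))
            idle_from = t
        else:
            raise ValueError(f"unknown event {ev!r}")
    return out


# Constructed timeline: short nap, GPS navigation, then a long sleep.
TIMELINE = [(0, "touch"), (60, "touch"), (600, "touch"), (660, "passive_on"),
            (4000, "touch"), (4100, "passive_off"), (6100, "touch")]

if __name__ == "__main__":
    for when, outcome in replay(LockPolicy(), TIMELINE):
        print(when, outcome)
```

The grace period is also the exposure window: anyone who picks up the device while it is still inside that window resumes an unlocked session, so the value should be sized against the loss scenario rather than convenience alone.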

Another beef is the password required to place a simple phone call. Even smartphones that make this singular exception can still annoy users by requiring passwords for contact list dialing or appointment notification. Here again, enterprise mobile security products can help by applying more granular access control policies. For example, an employer might choose to allow password-free notifications but not schedule browsing, or permit a locked phone to call a "short list" of contacts (e.g., voicemail, home, help desk).

Speaking of help desk, those strike counters are handy when a PDA is truly lost, but what about the poor soul who forgets his own password three weeks into a trip to the Far East? Many enterprise security products have a scheme to reduce the pain (and cost) of lost passwords. Some can demand a long emergency PIN, known to the user or supplied by the help desk, to unlock the device. Others can generate a challenge, which the user gives the help desk during a phone call to obtain the magic emergency response phrase.
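One way a strike counter and a help-desk challenge/response unlock can fit together, as an added example that is not from the article or any product. It assumes a per-device key provisioned at enrollment and shared with the help desk, HMAC-SHA256 as the response function, and a strike limit of three; all names are hypothetical.

```python
import hashlib
import hmac
import secrets

MAX_STRIKES = 3  # assumed policy value; the article does not give a number


def helpdesk_response(device_key: bytes, challenge: str) -> str:
    """Help-desk side: turn the challenge read over the phone into 8 digits."""
    mac = hmac.new(device_key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**8:08d}"


class Device:
    def __init__(self, device_key: bytes, password: str):
        self.key = device_key            # assumption: provisioned at enrollment
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self.kdf(password)
        self.strikes = 0
        self.challenge = None

    def kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    @property
    def locked_out(self) -> bool:
        return self.strikes >= MAX_STRIKES

    def login(self, attempt: str) -> bool:
        if self.locked_out:              # strike counter tripped: password path closed
            return False
        if hmac.compare_digest(self.kdf(attempt), self.pw_hash):
            self.strikes = 0
            return True
        self.strikes += 1
        return False

    def new_challenge(self) -> str:
        self.challenge = secrets.token_hex(4).upper()   # 8 hex chars, easy to read aloud
        return self.challenge

    def emergency_unlock(self, response: str) -> bool:
        if self.challenge is None:
            return False
        expected = helpdesk_response(self.key, self.challenge)
        self.challenge = None            # single use: a replayed response is useless
        if hmac.compare_digest(response.encode(), expected.encode()):
            self.strikes = 0
            return True
        return False
```

Because each challenge is random and consumed on first use, a response overheard during one call does not unlock the device later; a deployed scheme would also cap wrong responses and have the help desk verify the caller before reading one out.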

Stronger and easier
Long, complicated passwords may be harder to guess than short PINs, but they're also a pain in the neck to remember and type correctly. Some aftermarket mobile security products can replace passwords with something that's easier to recall and less challenging to enter on a device with tiny little keys or no keyboard at all.

For example, you might be required to tap specified locations on a wallpaper image from your last vacation or choose the right sequence from a randomly ordered set of symbols. The idea is to prompt users for something more meaningful than a cryptic alphanumeric password, while requiring nothing more than a stylus or finger for entry.

These methods are more user-friendly (and sometimes safer) than passwords, but they still depend on "something you know." That is, something that someone else might guess or watch you do and mimic later. Alternatively, mobile devices can be locked by "something you have" (like a smart card) or "something you are" (a biometric).

For example, some mobile security products support public key authentication, based on a digital certificate stored on a removable media smart card (MMC, SD). This is strong because certificates are nearly impossible to forge. It can be easier because, like a car key, as long as the card is inserted, the mobile is unlocked. However, to prevent a lost PDA/media combo from being compromised, the certificate itself may be locked by -- yes -- a password.

Biometric methods have languished on the back-burner for a long time, partly because of cost. But they have gained favor recently on ultra-light notebooks, PDAs and smartphones.

For example, numerous smartphones now include fingerprint readers that offer an alternative to power-on passwords. A few mobile security products can also process handwritten signatures (entered with a stylus) or voiceprints (entered by speaking a phrase into your smartphone).

Such methods make unlocking a mobile relatively painless and prevent it from being used by anyone except the owner. However, employers may want to complement biometrics with a backup password for admin access or as a workaround in cases where the biometric becomes unusable (e.g., voiceprint in a noisy crowd).

Conclusion
If you are an individual who carries a personal PDA or smartphone and you do not already PIN-lock that device, give some serious thought to enabling that PIN. Although enterprise mobile security products may be out of your reach, you can easily find "personal" mobile security products that offer some of the features described in this tip.

If you run a business with workers who use PDAs or smartphones, there's no time like the present to start locking those mobile devices. Laptop data breaches are epidemic -- it won't be long before unprotected mobiles will start making similar headlines. Data encryption is key to winning that war, but the first battle you must wage is authentication. On PDAs and smartphones, enforcing long, complex passwords may result in mutiny. In the end, those devices (and their data and connectivity) will actually be safer if you go the extra mile to make authentication easier.

About the author: Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.
This was first published in December 2007
