Thursday, September 12, 2013

The new shiny... Meh...

I have read a number of accounts and seen several videos showing the spiffy new fingerprint reader on the iPhone, and I am not terribly impressed. As noted in a number of reports, this is not a new technology. I have been dealing with Lenovo and Dell laptops that have fingerprint readers for about 10 years. However, the general way we have dealt with them is to disable them on all of our issued computers. Some users have gotten around that and enabled them, much to their own detriment. We did not feel that the technology was ready for prime time as a security feature in our environment: the cost of properly integrating it outweighed the benefit when compared to our existing security protocols. Plus, in the end, most of the people complaining that we should use it really wanted it for the ease of use.

When the people who liked the ease of use decided to enable the readers themselves, install the software and begin using the convenience of the finger swipe to access their computer, we in IT were not involved. What we noticed were two fairly regular occurrences.

First, password expiration meant that when they had to change the password after 90 days, they had forgotten it. Which I guess makes the password really secure once 90 days is up, because now nobody can access the computer or files. If they were remote, we found that they could not update the password unless they were connected to our network. Since they could not get to the VPN software due to the method of lockout, they could not do anything other than travel to an actual company office or FedEx us the laptop. We liked the FedEx option because we could remove the software and disable the hardware. The laptop was returned with a lovely note (also emailed to their boss) advising them that they were not to do that again.

Second, the fingerprint software tied the fingerprint into the encryption certificates, which meant that our master certificate was no longer any good for decrypting the data when their computer crashed. This was even better when we found that they had disabled the backup software because they felt it was too much of a drag on the computer when they were working. I tried not to laugh in their face when this came to light.

So, despite the various pundits telling us that this will usher in a new era of security where passwords are a thing of the past, I really don't think so. I have not seen anything commercially available that will stand up to the Mythbusters tests, and this item is no different. In fact, it is likely that just by handling your phone, you are leaving the key (your fingerprint) on the surface of the device. A dedicated individual will steal the device and use that to crack the "password". If they were dedicated enough to crack an actual password for a computer, they will be dedicated enough to fill in the blanks that the Mythbusters left out of their show for fingerprints. So no, it will not usher in a new era of security; it will usher in a new era of lazy people who are caught unaware when their data is stolen. Then again, some idiot thought that it would be a great idea to give temporary contractors access to the most secret documents in our government, so I won't be shocked by the fiascoes that will result from this "New Era".
