Farpoint Group Technical Note — November 2008
which hold or have access to sensitive corporate and personal data contained in e-mails, documents, and spreadsheets has created an easy portal for criminals, including professional information and identity thieves. Some companies wisely implement mobile-device-management remote-lock/wipe (or “zap”) features to protect data, but there is often a substantial delay between the loss of a device and the moment the user notices it and the wipe is issued. Even then, the protection provided by remote lock/wipe is easily circumvented if the thief removes the battery or shields the device from wireless signals, since the wipe command simply never reaches the device.
Information access – Once one has access to the device, the next issue is securing any sensitive data stored on it. One might argue that the use of fingerprint-recognition technology for access to the device is enough, but this ignores the possibility that sensitive data might be stored on a removable memory card, or that a dedicated information thief might disassemble the device, extract any FLASH memory chips or other storage medium, and read them directly, bypassing the device's login entirely. Farpoint Group thus recommends that any sensitive data (as defined by a local security policy) stored on any mobile device be encrypted and made available only to an authorized user, and then only upon the authentication of that user. Just as fingerprint recognition can provide authentication, it can also gate the generation of, or access to, the encryption keys. In practice the match result releases a key held in protected storage on the device rather than deriving the key from the fingerprint image itself, since no two scans of the same finger are bit-for-bit identical. Working around such a mechanism requires both the device's key store and a successful match, which is considerably more challenging than guessing a PIN code or finding it via exhaustive search or a dictionary attack; a key derived from a PIN alone, by contrast, can be recovered offline from a copy of the storage by trying every possible PIN.
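The contrast this paragraph draws between a PIN-protected key and a key released only on a fingerprint match, as an added example (this is not Farpoint's code and does not describe any particular handset): both designs are modelled in Python on the standard library alone. The toy HMAC-based cipher, the PIN-derivation parameters, the Hamming-distance matcher and the KeyStore class are assumptions made for illustration. What the example shows is that a flash image from Design A can be decrypted offline by exhausting the four-digit PIN space, while the same image from Design B holds only a data key wrapped under a hardware key that never left the chip, plus a retry limit so a wrong finger cannot be presented indefinitely.

```python
import hashlib
import hmac
import secrets


# Toy authenticated encryption built from HMAC-SHA256 so this runs on the
# standard library alone.  A real device would use AES-GCM or similar; the
# point of the example is where the key comes from, not the cipher.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key, blob):
    """Returns the plaintext, or None if the key is wrong or the data was altered."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


# --- Design A: data key derived from a PIN ---------------------------------
PIN_SALT = b"constructed-salt"   # stored in flash next to the ciphertext
PIN_ITERATIONS = 100             # deliberately low so the demo finishes quickly;
                                 # a higher count only slows the search below


def pin_key(pin):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), PIN_SALT, PIN_ITERATIONS)


def attacker_recovers_pin_protected_data(flash_dump):
    """Offline exhaustive search: with a copy of the flash (the chip pulled
    from the device), every 4-digit PIN can be tried without touching the device."""
    for candidate in range(10_000):
        pin = f"{candidate:04d}"
        plaintext = decrypt(pin_key(pin), flash_dump)
        if plaintext is not None:
            return pin, plaintext
    return None, None


# --- Design B: data key released only after a fingerprint match -------------
def hamming(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class KeyStore:
    """Models a protected key store (assumption): the data key sits in flash
    only wrapped under a hardware key that never leaves the chip, and is
    released solely when the presented template is close enough to the
    enrolled one."""
    MAX_HAMMING = 8     # hypothetical matcher threshold on a 256-bit template
    MAX_FAILURES = 5    # retry limit: a lifted or guessed finger gets few tries

    def __init__(self, enrolled_template, data_key):
        self._template = enrolled_template
        self._hw_key = secrets.token_bytes(32)          # assumption: fused into the chip
        self._wrapped = encrypt(self._hw_key, data_key)
        self._failures = 0

    def flash_contents(self):
        """What a thief gets by desoldering the chip: the wrapped key only."""
        return self._wrapped

    def release_key(self, probe_template):
        if self._failures >= self.MAX_FAILURES:
            return None                                # locked out
        if hamming(probe_template, self._template) > self.MAX_HAMMING:
            self._failures += 1
            return None
        self._failures = 0
        return decrypt(self._hw_key, self._wrapped)


if __name__ == "__main__":
    document = b"Q3 acquisition shortlist (constructed sample)"
    pin, leaked = attacker_recovers_pin_protected_data(encrypt(pin_key("1337"), document))
    print("Design A: PIN", pin, "recovered offline, data:", leaked)

    enrolled = bytes(range(32))                         # constructed template
    store = KeyStore(enrolled, secrets.token_bytes(32))
    flash = encrypt(store.release_key(enrolled), document)
    noisy = bytearray(enrolled)
    noisy[3] ^= 0x07                                    # same finger, 3 bits differ
    print("Design B: authorized read ->", decrypt(store.release_key(bytes(noisy)), flash))
    print("Design B: other finger ->", store.release_key(bytes(range(32, 64))))
```

The design point is that in Design B the storage image contains nothing that can be attacked offline: the thief needs the live chip, the hardware key inside it and a finger the matcher accepts, and the retry limit bounds how many fingers can be tried.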
Network access – Similarly, fingerprint-recognition data can be used to provide identification information for logging into a network, and can also serve as a key element in generating or accessing an encryption key or a one-time password required for a virtual private network (VPN) or similar network-security scheme. The embedding of fingerprint-recognition capability in a mobile device eliminates the need for a separate password/key generator, such as those that are frequently implemented as small hardware devices with a simple LCD display and synchronized with the target system: the token's secret seed lives in the handset, and the fingerprint match is what unlocks it. Fingerprints are not expensive, will not suffer from dead batteries, and cannot be lost. The caveat a security architect should weigh is that a fingerprint is not a secret in the way a password is: it is left on every surface the user touches, it can be lifted and replayed against a sensor that lacks liveness detection, and once compromised it cannot be changed the way a password can. The fingerprint should therefore be treated as the release mechanism for a revocable secret (the seed or key), with the sensor, matcher and key store protected from tampering and a retry limit on failed matches. And, of course, given ten different fingerprints, users can apply different fingers to initiate access to different networks or services easily, efficiently, and accurately.
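The handset-as-token arrangement described above, as an added example that is not Farpoint's code: the page does not name a one-time-password algorithm, so RFC 4226 HOTP (HMAC-SHA1 over a counter) is assumed, and a Hamming-distance comparison of byte templates stands in for a real fingerprint matcher. The Handset and VpnServer classes, the matcher threshold and the look-ahead window are illustrative assumptions. The example carries the exchange through both sides: the handset produces a code only after a match, and the server accepts the next code or a few ahead of it (the user may have generated codes without logging in), then advances so the same code cannot be replayed.

```python
import hashlib
import hmac
import struct


def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then the
    standard dynamic truncation to a decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hamming(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class Handset:
    """Stands in for the LCD token (assumption): the seed is shared with the
    VPN server at enrolment, and a code is produced only after the matcher
    accepts the presented finger, so a stolen handset yields no codes by itself."""
    MAX_HAMMING = 8   # hypothetical matcher threshold

    def __init__(self, enrolled_template, seed):
        self._template = enrolled_template
        self._seed = seed
        self._counter = 0

    def next_otp(self, probe_template):
        if hamming(probe_template, self._template) > self.MAX_HAMMING:
            return None                      # no match: no code, counter unchanged
        code = hotp(self._seed, self._counter)
        self._counter += 1
        return code


class VpnServer:
    """Server side of the exchange: accepts the expected code or any of the
    next LOOK_AHEAD codes, then moves past the accepted counter so the same
    code is rejected if replayed."""
    LOOK_AHEAD = 5

    def __init__(self, seed):
        self._seed = seed
        self._counter = 0

    def verify(self, code):
        if code is None:
            return False
        for c in range(self._counter, self._counter + self.LOOK_AHEAD + 1):
            if hmac.compare_digest(hotp(self._seed, c), code):
                self._counter = c + 1        # resynchronise and burn the code
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"           # RFC 4226 test-vector seed
    finger = bytes(range(32))                # constructed enrolled template
    handset, server = Handset(finger, seed), VpnServer(seed)
    print("wrong finger:", handset.next_otp(bytes(range(32, 64))))
    code = handset.next_otp(finger)
    print("first code", code, "accepted:", server.verify(code))
    print("replay accepted:", server.verify(code))
    for _ in range(4):
        handset.next_otp(finger)             # codes generated but never sent
    print("drift of 4 accepted:", server.verify(handset.next_otp(finger)))
    for _ in range(6):
        handset.next_otp(finger)
    print("drift of 6 accepted:", server.verify(handset.next_otp(finger)))
```

With the RFC 4226 test seed the first code is 755224; a drift of four unused codes is absorbed by the window, a drift of six is not and would require an out-of-band resynchronisation, which is the same behaviour the LCD tokens exhibit.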
Service/application authorization and access – Finally, fingerprint recognition can be used to authorize access to specific network services or applications, providing strong assurance that a user is who they claim to be. The match establishes who is holding the device; whether that user is in fact authorized to initiate the services they request is still decided on the network side, via RADIUS or a similar mechanism, against the identity the device presents.
So, in summary, a fingerprint reader installed in a mobile handset or similar device can be used as the primary vehicle for authorizing access to the device itself; for encrypting data stored on the device or on a network to which it connects, and for releasing the keys required to decrypt that data; for gaining access to a given network; and for authorizing access to services and applications on the network – essentially every security-related activity required by enterprise users. But consider also these common consumer-class applications, using exactly the same technologies: