Six-Digit Passcodes: Two Small Steps for Smartphones, One Giant Leap for Mobile Security

September 10, 2015
| |
3 min read

Yesterday in San Francisco, Apple launched the iPhone 6S and iPhone 6S Plus alongside iOS 9. While tweens may be thrilled with the new rose gold color option, as a passionate security advocate, I’m much more excited about the positive mobile security changes iOS 9 will likely bring about.

Apple will now default its devices to six-digit passcodes instead of four — a move that’s two small steps for users but one giant leap forward for mobile security as a whole. With the addition of two digits, iDevices will instantly become tougher for cybercriminals to crack, now thwarting them with 1 million possible combinations versus the previous 10,000.

What Do Passcodes Mean for Businesses?

This bold move by Apple serves as an opportunity — and a wakeup call — for companies to refresh and strengthen their own current bring-your-own-device (BYOD) policies. In fact, new IBM research into 1 million BYOD and corporate-issued devices revealed that today:

  • Nearly 90 percent of companies only require simple, numeric pins;
  • Almost 80 percent of those companies enforce the most basic option to protect the data on these phones: a four- to five-digit PIN, which can be cracked in as little as 18 minutes, according to the iOS Hacker’s Handbook.

What we’re running on our phones only compounds this increasingly complex problem. Another IBM study found that nearly 40 percent of companies, including many in the Fortune 500, aren’t properly securing the mobile apps they build for customers. Moreover, 67 percent of companies allow employees to download unvetted apps to their work devices.

This opens enormous windows of opportunity for attackers, and they are increasingly capitalizing on these vulnerabilities.

While Apple’s latest security update is a well-timed win in the fight against increasingly organized and resourceful cybercriminals, in order for mobile security improvements to be accomplished at an industry level, companies must also continue to be mindful of the very reason BYOD has become a global phenomenon: user convenience.

 

 

Balancing Convenience With Security Protection

Apple’s new six-digit default is a perfect example of how to help users better protect personal and corporate data while still maintaining the ease of use they crave through touch authentication.

IBM partners with our clients in order to help them better calibrate the convenience and security equation. To get started, here are several best practices to consider:

  1. Communication is critical. Many employees don’t understand the risks of using unsecured mobile devices and apps, nor are they trained on the security of mobile content access and management in the workplace.
  2. Companies that seek to implement strong mobile device security would also do well to allow employees to use biometric authentication to ensure mobile devices remain convenient and secure.
  3. Investigate ways to strengthen the security of corporate data living on mobile devices even further, such as linking to an overall corporate identity management system or considering two-factor authentication.

Overall, flexibility is key to accomplishing mobile security goals. As mobile technology continues to evolve and expand, it’s also encouraging to see the industry continue to make it easier for users to protect themselves.

Yesterday’s news is a strong step in the right direction, but there’s much more to be done. Passcodes are simply the user’s first line of defense and remain only one piece of the puzzle. Security teams should use this moment to further rally around mobile security initiatives, such as stronger authentication of the data and apps that reside on the device, which will help us protect ourselves against rising threats in simple yet effective ways.

Download the white paper ‘The New Hackers’ Playground’ to learn more about mobile security

Caleb Barlow

Caleb Barlow is an accomplished security professional and former Vice President at IBM Security, where he led IBM's Threat Intelligence and Incident Response...
read more