Six-Digit Passcodes: Two Small Steps for Smartphones, One Giant Leap for Mobile Security

Yesterday in San Francisco, Apple launched the iPhone 6S and iPhone 6S Plus alongside iOS 9. While tweens may be thrilled with the new rose gold color option, as a passionate security advocate, I’m much more excited about the positive mobile security changes iOS 9 will likely bring about.

Apple will now default its devices to six-digit passcodes instead of four — a move that’s two small steps for users but one giant leap forward for mobile security as a whole. With the addition of two digits, iDevices will instantly become tougher for cybercriminals to crack, now thwarting them with 1 million possible combinations versus the previous 10,000.

What Do Passcodes Mean for Businesses?

This bold move by Apple serves as an opportunity — and a wakeup call — for companies to refresh and strengthen their own current bring-your-own-device (BYOD) policies. In fact, new IBM research into 1 million BYOD and corporate-issued devices revealed that today:

  • Nearly 90 percent of companies only require simple, numeric pins;
  • Almost 80 percent of those companies enforce the most basic option to protect the data on these phones: a four- to five-digit PIN, which can be cracked in as little as 18 minutes, according to the iOS Hacker’s Handbook.
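To make the passcode-length comparison above concrete, here is an added Python model (not code from the original post or from IBM) that computes how large each passcode space is and how long an exhaustive search would take under a per-attempt cost. The per-attempt cost of 0.08 seconds, the escalating-delay schedule and the ten-attempt wipe threshold are assumptions chosen for illustration, not measured values for any specific device. It also shows the figure a defender usually cares about more: the chance an attacker who is limited to a handful of guesses gets in at all.

```python
"""Passcode keyspace and exhaustive-search cost under an assumed guess policy.

Added example; every number below is an illustrative assumption.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class GuessPolicy:
    # Assumed fixed cost of one guess (for example, on-device key derivation).
    per_attempt_seconds: float
    # (first_attempt_number, extra_delay_seconds): from that attempt onward every
    # guess pays the listed delay until the next entry in the schedule takes over.
    escalating_delays: List[Tuple[int, float]] = field(default_factory=list)
    # Attempts allowed before the device erases itself; None means no wipe.
    wipe_after: Optional[int] = None


def keyspace(length: int, alphabet_size: int = 10) -> int:
    """Number of distinct passcodes of the given length over the alphabet."""
    return alphabet_size ** length


def exhaustive_seconds(length: int, policy: GuessPolicy,
                       alphabet_size: int = 10) -> Optional[float]:
    """Seconds to try every code, or None if the wipe threshold makes that impossible."""
    n = keyspace(length, alphabet_size)
    if policy.wipe_after is not None and n > policy.wipe_after:
        return None
    total = n * policy.per_attempt_seconds
    schedule = sorted(policy.escalating_delays)
    for i, (start, delay) in enumerate(schedule):
        # Attempts numbered start .. end-1 each pay `delay` on top of the base cost.
        end = schedule[i + 1][0] if i + 1 < len(schedule) else n + 1
        count = max(0, min(end, n + 1) - start)
        total += count * delay
    return total


def success_probability(attempts: int, length: int, alphabet_size: int = 10) -> float:
    """Chance of guessing a uniformly chosen code within the allowed attempts."""
    return min(1.0, attempts / keyspace(length, alphabet_size))


def describe(seconds: Optional[float]) -> str:
    """Human-readable duration; 'not exhaustible' when the device would wipe first."""
    if seconds is None:
        return "not exhaustible (device wipes first)"
    for unit, size in (("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


# Assumed policies: no throttling at all, throttling without wipe, throttling plus wipe.
NO_THROTTLE = GuessPolicy(per_attempt_seconds=0.08)
THROTTLED = GuessPolicy(per_attempt_seconds=0.08,
                        escalating_delays=[(6, 60), (7, 300), (8, 900), (10, 3600)])
THROTTLED_WITH_WIPE = GuessPolicy(per_attempt_seconds=0.08,
                                  escalating_delays=THROTTLED.escalating_delays,
                                  wipe_after=10)

if __name__ == "__main__":
    for length in (4, 5, 6):
        print(f"{length}-digit PIN: keyspace {keyspace(length):,}")
        for name, policy in (("no throttle", NO_THROTTLE), ("throttled", THROTTLED),
                             ("throttled + wipe", THROTTLED_WITH_WIPE)):
            print(f"  {name:18s} {describe(exhaustive_seconds(length, policy))}")
        print(f"  10-guess attacker succeeds with probability "
              f"{success_probability(10, length):.6f}")
```

The point the table makes is the one the post gestures at: adding two digits multiplies the exhaustive-search time by 100, but an attempt cap changes the question entirely, because then the relevant metric is the attacker's odds within the cap, and six digits cut a ten-guess attacker's odds from 1 in 1,000 to 1 in 100,000.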

What we’re running on our phones only compounds this increasingly complex problem. Another IBM study found that nearly 40 percent of companies, including many in the Fortune 500, aren’t properly securing the mobile apps they build for customers. Moreover, 67 percent of companies allow employees to download unvetted apps to their work devices.

This opens enormous windows of opportunity for attackers, and they are increasingly capitalizing on these vulnerabilities.

Apple’s latest security update is a well-timed win in the fight against increasingly organized and resourceful cybercriminals. For mobile security to improve at an industry level, however, companies must also stay mindful of the very reason BYOD became a global phenomenon: user convenience.

Balancing Convenience With Security Protection

Apple’s new six-digit default is a perfect example of how to help users better protect personal and corporate data while still maintaining the ease of use they crave through touch authentication.

IBM partners with our clients in order to help them better calibrate the convenience and security equation. To get started, here are several best practices to consider:

  1. Communication is critical. Many employees don’t understand the risks of using unsecured mobile devices and apps, nor are they trained on the security of mobile content access and management in the workplace.
  2. Companies that seek to implement strong mobile device security would also do well to allow employees to use biometric authentication to ensure mobile devices remain convenient and secure.
  3. Investigate ways to strengthen the security of corporate data living on mobile devices even further, such as linking to an overall corporate identity management system or considering two-factor authentication.

Overall, flexibility is key to accomplishing mobile security goals. As mobile technology continues to evolve and expand, it’s also encouraging to see the industry continue to make it easier for users to protect themselves.

Yesterday’s news is a strong step in the right direction, but there’s much more to be done. Passcodes are simply the user’s first line of defense and remain only one piece of the puzzle. Security teams should use this moment to further rally around mobile security initiatives, such as stronger authentication of the data and apps that reside on the device, which will help us protect ourselves against rising threats in simple yet effective ways.

Download the white paper ‘The New Hackers’ Playground’ to learn more about mobile security

Caleb Barlow

Vice President - IBM Security

Caleb Barlow is an accomplished security professional and Vice President at IBM Security, where he leads IBM's Threat Intelligence and Incident Response Teams globally. He was the visionary behind X-Force Command, the world's most sophisticated watch floor and cyber range. Mr. Barlow has a broad background, having led technical teams in product development, product management, strategy, marketing and cloud service delivery. He has led multiple acquisitions, including Fiberlink MaaS360 and Net Integration Technologies. Mr. Barlow routinely advises chief information security officers, boards of directors and government officials on security practices, frameworks and strategies to manage the business risk associated with cyber security. Mr. Barlow is a sought-after speaker on the subject of security. He has appeared on the TED stage, NBC TODAY, NBC News, Bloomberg Television, CNBC Squawk Box, Yahoo News, Al Jazeera America and the BBC World Service. Caleb's views have appeared in the Wall Street Journal, Washington Post, USA Today, eWeek, FastCompany, Seventeen and dozens of other publications. He has testified to the US Congress, and in 2015 he was invited by the President of the UN General Assembly to discuss his views at the United Nations.