Several years back, I was working for a company that had outfitted its workforce with Blackberry devices. The users of these devices almost revolted against the evil Information Security Manager when he set forth the policy for those portable systems.
- Every device MUST have a password set up on it.
- Passwords on the mobile devices were aligned with notebook policy, for complexity, re-use, and aging.
- Every device must have a timeout set for no longer than 5 minutes when idle.
- When inserted into the holster, locking is instantaneous.
I remember being surprised and shocked at the response from my constituents, and was glad that I had gotten management buy-in well beforehand. People took these requirements personally, some even after the explanations and awareness training demonstrated the risks. These devices were designed to retain copies of every single email that is sent or received. They also hold countless documents and other treasures, and often carry other passwords copied down within their apps for convenience.
The argument most often presented was that it just took too long to always have to enter a password. It was too inconvenient to do it every time the phone rang or an email arrived. My response to that argument was that it was going to be the way it is, until I could find another method to provide the same or better security. One user in particular demanded that IT look into other methods immediately. Being fairly senior within the organization, I set about researching additional methods of securing mobile Personal Digital Assistants, as they were called in the day.
One area that held great promise was biometrics: facial recognition, fingerprint readers, and retina scanners. Another was SmartCards, which could also have uses at the desktop. These at the time were bleeding-edge technologies, were less than reliable, and were prone to all manner of problems. The costs were astronomical, so those ideas were presented and abandoned. A recent discussion has brought them back into my interest zone. A quick scan of the Internet indicates:
- Airborne Biometrics Group has invested substantially in development of FaceFirst, a product that enables automatic capture and compare of facial images in a non-invasive manner.
- FaceFirst provides a fully automated, user-friendly, turnkey mobile and live-video surveillance facial recognition system, generating automated alerts whenever a face match is detected. The FaceFirst system was built in a cloud architecture so that it can be run either at a single site or within a corporate or internet cloud, remaining flexible to remotely host the main matching and encoding engines and distilling a high-definition video stream of each face that passes by the cameras. Their architecture leverages wide-area networking and cellular transmission capabilities via their proprietary algorithms that mitigate bandwidth requirements.
- Airborne also offers mobile face recognition capability. The software has been specifically engineered to run on most of the commodity mobile phone platforms available today.
- The cellphone merely acquires the image of the person, then logs into the backend system, places a query and then transmits back all the possible matches for the person of interest to determine if there is a positive identification match. When a match is determined, the system then returns all the biographical information associated with that confirmed suspicious person i.e. law enforcement arrest warrants.
- Airborne’s third interesting module offers mobile SLR capability. The system has been designed and engineered to enable most digital camera models to photograph either a single person, or even an entire crowd, and that image will then be wirelessly transmitted back to the matching engine in the cloud.
- RIM has a SmartCard Reader for the Blackberry, which uses proximity detection through Bluetooth technology. Although I am not a fan of Bluetooth, it could be interesting if implemented securely. Blackberry has also issued patents around biometrics, as evidenced in this Blackberry Cool posting.

Although the concept of fingerprint scanning sounds great in theory, it doesn’t always work as well as expected. For example, my IBM ThinkPad laptop has a built-in fingerprint scanner that I use to unlock my computer. It works quite well… most of the time. It takes a good five minutes for the hard drive to settle down when coming out of hibernation, and during that time, it fails to read. Every so often, when I try to log in to my system, I have to run my finger over the scanner repeatedly because it doesn’t recognize the first or second attempts. It is possible in a networked environment for users to lock themselves out of their computers after too many failed scanning attempts. This could amount to additional workload for the IT department.
Still, since the problem is remote PDAs, not connected to the network, it may be less of an issue, and could offer a handy solution to someone’s convenience-over-security problems.