Gartner eyes biometric authentication for workplace mobiles

Gartner recommends that businesses should use biometric authentication on mobile devices in light of BYOD

Gartner estimates that a third of organisations will use biometric authentication for mobile devices by 2016, up from 5 per cent today.

A report from the analyst suggests that the less secure authentication generally used on mobile devices and, in particular, on personal devices used in the workplace, has left businesses more vulnerable to security threats.

Despite having access to the same sensitive applications and data as workplace PCs and laptops, Gartner says that mobile devices often do not have the same level of security. This is in part due to user desire for a simple user experience and the greater difficulties in inputting complex passwords into mobile devices.

The firm's own recommendation is that business passwords for devices with access to corporate information should require the use of at least six alphanumeric characters and prohibit dictionary words.

"An eight-digit numeric password will require hours to recover, and that will discourage casual hackers with toolkits," said John Girard, vice president and distinguished analyst at Gartner. "However, even a six-character lowercase alphanumeric password can provide billions of values. For most practical purposes, hackers are not prepared to pursue this large a set of combinations due to the relatively slow speeds involved in brute force attacks against smartphones and tablets."


Gartner therefore suggests that organisations should consider biometric authentication methods such as voice recognition, face topography and iris structure, and argues that such methods can be used in conjunction with passwords to increase security with minimum impact on required user behaviour.

"Mobile users staunchly resist authentication methods that were tolerable on PCs and are still needed to bolster secure access on mobile devices," said Ant Allan, research vice president at Gartner. "Security leaders must manage users' expectations and take into account the user experience without compromising security."