0

We have a long-standing ActiveSync device policy that requires an unlock code for all phones that use corporate email.

It seems that iPhones with "swipe to unlock" and Android phones with similar technology process this policy differently: iPhones allow a swipe to unlock feature, while Android does not.

  • Is "swipe to unlock" just as secure as a PIN code?

  • Is the iPhone swipe to unlock hardware / software "better" than Android's comparable feature?

  • Can the Android thumbprint unlock be enabled by the end user / administratively enabled?

  • Can we disable the thumbprint on iPhones?

makerofthings7

2 Answers

1

ActiveSync is just a protocol and an expensive license to use certain patents. Each ActiveSync licensee writes their own code, and it is up to them how they handle provisioning policies.

My understanding is that the iOS ActiveSync client considers enabling TouchID to be secure enough to meet any password lock requirements set by policy.

Microsoft have talked about adding a policy option to disallow biometrics, but even if they did, individual clients don't have to implement it.

Graham Hill
1

As with most things in security, there isn't really a "correct" answer. It's an interpretation question for the intent of the ActiveSync policy.

As for the level of security, a 4-digit numeric PIN gives a one in ten thousand chance of guessing, but it is easy to try multiple guesses. The security of a fingerprint reader comes down to two primary values, the false positive and false negative rates. A high false negative rate isn't a huge deal for unauthorized access, but it may frustrate users. Additionally, it restricts the ability to use lockout functionality, since you can't lock a user out before it is unlikely that a legit user would have been able to get in.

A false positive rate on the other hand is a direct factor since if the sensor and software have a high false positive rate, they will allow more people that are not the original user access to the phone.

I couldn't easily find false positive data for the iPhone, but it does sense pores, which makes it somewhat resistant to fake fingers. Overall though, fingerprint scanners in general don't have the highest reliability against an attacker with resources. PINs aren't great either though, so it is probably a toss-up in general as to whether fingerprints are equivalent to a PIN or not.

Comparatively, if a full password was required, then I would expect the fingerprint to no longer be accepted, as a fingerprint is not as strong as a reasonably or even moderately strong password.

AJ Henderson
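The trade-off between guess probability, false positive rate, false negative rate and lockout described in the answer above can be worked through numerically. This is an added example, not part of either answer; the sensor rates are constructed sample values (the page gives no measured data), attempts are assumed independent, and the function names are hypothetical.

```python
# Added illustration. All rates are constructed sample values, not
# measurements of any phone; attempts are assumed independent.

def pin_guess_success(attempts, digits=4):
    """P(attacker hits a uniformly random PIN within `attempts` distinct guesses)."""
    space = 10 ** digits
    return min(attempts, space) / space

def biometric_success(attempts, far):
    """P(at least one of `attempts` impostor tries is falsely accepted)."""
    return 1.0 - (1.0 - far) ** attempts

def min_lockout_threshold(frr, max_user_lockout):
    """Smallest attempt limit k at which the real user is locked out
    (k false rejects in a row) with probability <= max_user_lockout."""
    if not 0.0 <= frr < 1.0 or not 0.0 < max_user_lockout < 1.0:
        raise ValueError("rates must be probabilities in range")
    k = 1
    while frr ** k > max_user_lockout:
        k += 1
    return k

def break_even_far(attempts, digits=4):
    """False accept rate at which the fingerprint is exactly as guessable
    as the PIN over the same number of attempts."""
    return 1.0 - (1.0 - pin_guess_success(attempts, digits)) ** (1.0 / attempts)

def compare(frr, far, max_user_lockout=0.001, digits=4):
    """Pick the lockout limit the false reject rate forces, then score both."""
    k = min_lockout_threshold(frr, max_user_lockout)
    return {"lockout_after": k, "pin": pin_guess_success(k, digits),
            "fingerprint": biometric_success(k, far),
            "break_even_far": break_even_far(k, digits)}

if __name__ == "__main__":
    # Constructed sensors: (false reject rate, false accept rate)
    for name, frr, far in [("sensor A", 0.02, 2e-5), ("sensor B", 0.20, 1e-3)]:
        r = compare(frr, far)
        print(f"{name}: lock after {r['lockout_after']} tries, "
              f"PIN {r['pin']:.5f}, fingerprint {r['fingerprint']:.5f}, "
              f"break-even FAR {r['break_even_far']:.6f}")
```

With these constructed numbers, a higher false negative rate forces a looser lockout limit, and whether the fingerprint beats the 4-digit PIN depends on which side of the break-even false positive rate the sensor falls.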