Hey ISC2 folks,
Interesting debate I was involved in. Long story short:
A smartphone app uses an authentication mechanism utilizing a username-password combination. There are some controls that require the generation of a strong password: minimum length, expiration, non-repeating, etc. After the user has registered and created their password, though, the system gives the user an option to generate a 4-digit PIN and use it when logging in instead of the username/password combination.
I guess I am asking: do you think that makes sense? Why would a strong password be required when, after it, a user can simply use a 4-digit PIN (4-digit PIN = low security, around 10k combinations)?
Additionally, are you aware whether such a practice is possible for mobile apps in regulated industries like banks/health?
You should probably consider binding in a third-party app as well: SSO, CASB, lockout on your phones/tablets and in your mobile apps, and of course MAM to go with MDM.
A lot of these have the concept of intelligent authentication baked in: info about the authentication as well as anti-malware and other bits and pieces, and if they are any good they will protect the credentials and provide step-up, step-down or even lockout functions* as needed:
https://swivelsecure.com/solutions/intelligent-authentication
https://global.blackberry.com/en/enterprise/blackberry-enterprise-mobility-suite
https://www.okta.com/products/
Users notice very quickly if they lose their phones.
If the user does get coerced, then unless you have panic buttons, plausibly deniable codes to enter etc then an attacker will get in:
It's all the more layered, and I trust well-implemented PIN'n'In much more than I do loads of passwords.
In the future:
* This phone seems compromised, therefore it will have minimal trust, etc.
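To make the "4-digit PIN after a strong password" debate concrete, here is an added toy model of the flow (example code written for this page, not from the original posters or from any of the products linked above). It assumes the usual shape of such a scheme: the password login issues a per-device token, the PIN is only ever accepted together with that token, and the server counts failed PIN attempts per device and locks the device back to password login after a small number of failures. The class names, the 5-attempt limit and the sample credentials are all assumptions made for the example.

```python
"""Toy 'password once, then PIN' login model (added example, assumptions
throughout).  The PIN is not an account credential: the server accepts it
only alongside a device token that a full password login issued, and it
locks the device after MAX_PIN_ATTEMPTS failures.  The 10,000-value PIN
space is therefore limited by the online lockout, not by hashing."""
import hashlib
import hmac
import os
import secrets

MAX_PIN_ATTEMPTS = 5      # assumed policy: 5 wrong PINs -> device locked
PBKDF2_ITERATIONS = 50_000  # assumed; any slow hash works for the password


def _hash(secret: str, salt: bytes) -> bytes:
    # Note: hashing a 4-digit PIN buys nothing against offline guessing
    # (10k candidates); it only keeps the PIN out of plaintext storage.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


class AuthServer:
    def __init__(self):
        self.users = {}    # username -> (salt, password_hash)
        self.devices = {}  # device_token -> {user, pin, failures, locked}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def password_login(self, username: str, password: str):
        """Full credential check.  On success, issue a device token."""
        rec = self.users.get(username)
        if rec is None:
            return None
        salt, pw_hash = rec
        if not hmac.compare_digest(pw_hash, _hash(password, salt)):
            return None
        token = secrets.token_hex(32)
        self.devices[token] = {"user": username, "pin": None,
                               "failures": 0, "locked": False}
        return token

    def set_pin(self, device_token: str, pin: str) -> bool:
        """Enrol a PIN for this device only; requires a live device token."""
        dev = self.devices.get(device_token)
        if dev is None or dev["locked"]:
            return False
        salt = os.urandom(16)
        dev["pin"] = (salt, _hash(pin, salt))
        return True

    def pin_login(self, device_token: str, pin: str):
        """PIN is accepted only with the device token; lock after N failures."""
        dev = self.devices.get(device_token)
        if dev is None or dev["locked"] or dev["pin"] is None:
            return None
        salt, pin_hash = dev["pin"]
        if hmac.compare_digest(pin_hash, _hash(pin, salt)):
            dev["failures"] = 0
            return dev["user"]
        dev["failures"] += 1
        if dev["failures"] >= MAX_PIN_ATTEMPTS:
            dev["locked"] = True  # step back down to password login
        return None


def brute_force_pin(server: AuthServer, device_token: str):
    """Attacker holding the device token tries 0000..9999 in order.
    Returns (recovered_pin_or_None, attempts_made)."""
    for i in range(10_000):
        guess = f"{i:04d}"
        if server.pin_login(device_token, guess) is not None:
            return guess, i + 1
        if server.devices[device_token]["locked"]:
            return None, i + 1
    return None, 10_000


if __name__ == "__main__":
    srv = AuthServer()
    srv.register("alice", "Correct-Horse-Battery-Staple-42")  # constructed sample
    tok = srv.password_login("alice", "Correct-Horse-Battery-Staple-42")
    srv.set_pin(tok, "7391")
    print("PIN login:", srv.pin_login(tok, "7391"))
    print("PIN without device token:", srv.pin_login("stolen-pin-only", "7391"))
    print("brute force with token:", brute_force_pin(srv, tok))
```

The two things the model makes visible are the ones the thread argues about: a PIN captured without the device token is useless, and an attacker who does hold the device gets MAX_PIN_ATTEMPTS guesses out of 10,000 before the server forces a password login again. If the attempt counter lived only on the phone, or if the PIN were accepted as an account-wide credential, neither property would hold.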