Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Deyan
Contributor I
‎02-07-2018 05:52 AM
‎02-07-2018 05:52 AM

Authentication controls - PIN vs Usrnm/Password

Hey ISC2 folks,

 

Interesting debate I was involved in. Long story short:

A smartphone app uses authentication mechanism utilizing username-password combination. There are some controls that require the generation of strong password, minimum length, expiration, non repeating etc. After the user has registered and created their password though, the system gives an option to the user to generate a 4 digit PIN and use it when logging in instead of the user name/password combination. 

I guess I am asking - do you think that makes sense? Why would a strong password be required when after it - a user can simply use a 4 digit PIN (4 digit PIN = low security /around 10k combinations/)?

Additionally - are you aware of such practice is possible for mobile apps for regulated industries like banks/health?

Reply
0 Kudos
10 Replies
Early_Adopter
Community Champion
‎03-05-2018 08:28 AM
‎03-05-2018 08:28 AM

You should probably consider binding in a third party app as well, SSO, CASB,  as well as lockout on your phones/tablets and into your mobile apps and of course MAM to go with MDM.

 

A lot of these have the concept of intelligent authentication bakes in the info about the authentication as well as anti-malware and other bits and pieces and if they are any good they will protect the credentials, and step-up or step down or even lockout functions* as needed):

 

https://swivelsecure.com/solutions/intelligent-authentication

https://global.blackberry.com/en/enterprise/blackberry-enterprise-mobility-suite

http://appconfig.org

https://www.okta.com/products/

https://vip.symantec.com

 

Users notice very quickly if they lose their phones. 

 

If the user does get coerced, then unless you have panic buttons, plausibly deniable codes to enter etc then  an attacker will get in:

 

https://xkcd.com/538/

 

It's all the more layered, and I trust well-implemented PIN'n'In much more than I do loads of passwords.

 

In the future:

 

http://www.patentlyapple.com/patently-apple/2018/01/apple-won-44-patents-today-covering-heart-rate-m...

 

*  This phone seems compromised, therefore will have minimal trust etc.

 

 

Reply
0 Kudos