Anyone following media reports on the security consciousness of consumers of online apps, or the disinterest they exhibit in developing one, will likely be familiar with what this writer considers a long term trend to look for “something easy” to implement, even at the expense of any real promise of security. This trend was on display at the recent Google I/O 2014 Developer event. During the Android Apps for smart phone segment the audience witnessed a streamlined approach to device authentication. The presenter first noted how difficult it can be to repeatedly authenticate an Android smart phone via a PIN method, and then went on to show how the process can be circumvented by a new Android feature built on what could be called “proximity based authentication based on trusted, related devices”.
The presenter demonstrated a successful attempt to authenticate his smart phone via his Bluetooth smart watch. The phone had evidently been programmed to consider the smart watch a trusted object. So, bingo, with the smart watch strapped to his wrist, the presenter quickly gained access to the smart phone without any need to comply with the “complex” PIN method.
Anyone watching the web cast of this presentation will note the audience applause. So, it would appear, at least the app developer community favors this type of simple method of proving a user has a valid access to a device.
Fast forward a month after this event and read an article posted to the Wall Street Journal. This one, titled “The Password is Finally Dying Here’s Mine” was published on July 14, 2014 and was written by Christopher Mims. Mims presents this demonstration as an example of something with a real promise of data security: “It might seem foolish to replace an authentication token that you keep in your head (a password) with one you keep in your pocket (like a phone) but consider: The former can be obtained by hackers, and the latter you can shut down the moment it goes missing.”
This writer has a few questions: 1) Just because an online hacker isn’t wearing my Bluetooth watch, does this mean he/she can’t spoof it? 2) What about a “brick and mortar” thief, who steals my Bluetooth watch and my smart phone and my tablet? What’s to keep him/her away from my data?
Mims goes onto refer to a user’s ability to “wipe” a device, meaning a smart phone, etc. Readers may want to maintain a skeptical attitude of this claim, as well.
Bottom line, given the pervasive insecurity of online data communications, one would hope app consumers (at least smart ones) would favor security over convenience.
© IMB Enterprises, Inc. & Ira Michael Blonder, 2014 All Rights Reserved