Apple Touch ID vs. Android face unlock/pattern with EAS

antef

Senior member
Dec 29, 2010
337
0
71
It appears that Apple's Touch ID can be used in lieu of entering your PIN for a corporate EAS account on your phone. This is obviously a great convenience especially if your work requires a longer 6-8 digit PIN instead of 4. What I find odd is that Apple is able to do this without being explicitly allowed by the corporate EAS policy. It seems like just because you have to set a PIN initially, that this is good enough for EAS and Apple can satisfy the PIN requirement with Touch ID from there on out. I think Touch ID is much more secure than a PIN so there shouldn't be much reason why a corporation would want to block it, but isn't it odd that they can't?

Similarly, why can't the same be done with face unlock or pattern on Android? Admittedly I don't think either of those SHOULD be considered adequate security as they're both easily defeated - but from an implementation standpoint, how come those two security features are allowed to be disabled by EAS but Touch ID is allowed to work in lieu of a PIN? Is Apple "faking" a PIN success to make this work?

Finally...is anyone considering switching from Android purely for this feature? If you hate entering a lock screen PIN for EAS, it seems the only other option with Android is to use something like TouchDown which only requires your PIN for getting into the app instead of your phone. This is actually a really good idea to keep things separate and to avoid encrypting/locking your whole phone, if corp wants to wipe, they just wipe the data in TouchDown instead of the whole device. I'm not sure why more apps, including the stock Email app, don't offer this as an option.
 

JAG87

Diamond Member
Jan 3, 2006
3,921
3
76
Probably because Touch ID is embedded so far into iOS that there is no distinction between entering your fingerprint or your PIN, and this is not controllable through EAS. There should be an option to force disable Touch ID through a proper MDM however.
 

bearxor

Diamond Member
Jul 8, 2001
6,609
2
81
Probably because Touch ID is embedded so far into iOS that there is no distinction between entering your fingerprint or your PIN, and this is not controllable through EAS. There should be an option to force disable Touch ID through a proper MDM however.

As of right now, MaaS360 doesn't support that feature.

But yes, this is the correct reasoning. iOS treats TouchID as if it were a PIN or pass code.
 

ttott

Member
Aug 28, 2013
29
0
0
Touch ID is more convenient, I think. A pattern can be forgotten; face unlock is too time-consuming.
 

antef

Senior member
Dec 29, 2010
337
0
71
Probably because Touch ID is embedded so far into iOS that there is no distinction between entering your fingerprint or your PIN, and this is not controllable through EAS. There should be an option to force disable Touch ID through a proper MDM however.

So this raises the implementation question I mentioned in the OP. Apple is essentially substituting a PIN with another security measure and then passing a PIN success along to Exchange. Is this really acceptable practice? Let's say in theory that Touch ID was actually really bad and easily defeated - it doesn't seem to make sense that they should be able to substitute a PIN with it and have Exchange not know the difference. Likewise with Android, what is stopping Google from implementing face unlock or pattern the same way? Both are not adequate replacements for a PIN, but what's to stop Google from implementing it to work in lieu of a PIN like Apple has done with Touch ID.

There's little doubt that Touch ID is secure and very convenient for the user, I'm just wondering what enables Apple to masquerade it as a PIN and what stops others from doing the same with less secure measures.
 

antef

Senior member
Dec 29, 2010
337
0
71

I would just imagine that a solid protocol like EAS would not permit that type of thing. You would think that if an org is requiring a PIN, they'd be able to rely on that across all devices implementing EAS. If Touch ID was at some point found to be insecure, an org would have no recourse other than to switch to a full-blown MDM - an extreme measure if a true PIN was all that they wanted to require.
 

JAG87

Diamond Member
Jan 3, 2006
3,921
3
76
I would just imagine that a solid protocol like EAS would not permit that type of thing. You would think that if an org is requiring a PIN, they'd be able to rely on that across all devices implementing EAS. If Touch ID was at some point found to be insecure, an org would have no recourse other than to switch to a full-blown MDM - an extreme measure if a true PIN was all that they wanted to require.

My brain imploded when you called EAS a solid protocol. It's not just TouchID configuration that EAS can't administer, there's a ton of other stuff. In fact it's easier to list what little EAS can do than what it can't do.
 

antef

Senior member
Dec 29, 2010
337
0
71

Thinking about this again now with the release of the GS5. You said it's simply a "choice" Apple made to allow Touch ID to work in lieu of an Exchange PIN, a choice that Google did not make with pattern or face unlock. I wonder if Google ever considered doing so, so that Exchange users would have options other than PIN for unlocking their phone. Question now is, did Samsung implement their own fingerprint scanner the same way as Apple, i.e. using it in place of your Exchange-required PIN? This could be a major factor for me in my next phone. If Samsung's scanner lets me never enter my PIN like on iPhone then I'm very interested in it - however if it reverts to requiring you to enter your PIN on the lock screen as soon as I add my Exchange account, then it's pretty worthless.
 
Feb 19, 2001
20,158
20
81
I would just imagine that a solid protocol like EAS would not permit that type of thing. You would think that if an org is requiring a PIN, they'd be able to rely on that across all devices implementing EAS. If Touch ID was at some point found to be insecure, an org would have no recourse other than to switch to a full-blown MDM - an extreme measure if a true PIN was all that they wanted to require.
EAS is far from solid. The fact that TouchDown can sandbox its app and require PIN only for the app itself and not for the Android OS is a pretty big change. Furthermore, EAS policies where your phone gets erased on too many failed PIN attempts are modified through TouchDown where only TouchDown itself is wiped and not the phone.

There's also hacked Email.apks floating around where they circumvent EAS.
 

antef

Senior member
Dec 29, 2010
337
0
71
EAS is far from solid. The fact that TouchDown can sandbox its app and require PIN only for the app itself and not for the Android OS is a pretty big change. Furthermore, EAS policies where your phone gets erased on too many failed PIN attempts are modified through TouchDown where only TouchDown itself is wiped and not the phone.

There's also hacked Email.apks floating around where they circumvent EAS.

I don't think there's anything hacky or "circumvential" about what TouchDown does. It simply presents itself as the "device." What it does is no different than something like Knox except that it's just an app instead of an entire OS partition. TouchDown is a great solution to avoid having to enter your Exchange-enforced PIN every time you unlock your phone.

However, using the built-in email app with enforced security isn't such an annoyance with something like TouchID (you still have to encrypt and deal with the possibility of remote wipes, but the everyday inconvenience of the PIN vanishes). So I'd really like to see something on Android do this, and I'm wondering if Samsung's is implemented the same way, or if it will revert to PIN lock screen as soon as you add Exchange.
 
Feb 19, 2001
20,158
20
81
I don't think there's anything hacky or "circumvential" about what TouchDown does. It simply presents itself as the "device." What it does is no different than something like Knox except that it's just an app instead of an entire OS partition. TouchDown is a great solution to avoid having to enter your Exchange-enforced PIN every time you unlock your phone.

However, using the built-in email app with enforced security isn't such an annoyance with something like TouchID (you still have to encrypt and deal with the possibility of remote wipes, but the everyday inconvenience of the PIN vanishes). So I'd really like to see something on Android do this, and I'm wondering if Samsung's is implemented the same way, or if it will revert to PIN lock screen as soon as you add Exchange.
I like TouchDown's implementation from the point of view of convenience, but from a security perspective, it's terrible. If you've downloaded attachments from your e-mail, they are now in the open if you have an insecure lockscreen. The idea behind EAS forcing you to have a PIN is that not just any user can get into corporate data. By only locking down TouchDown, you're not really locking down the corporate account.

None of these features are meant to be some sort of uncrackable system, but at least Samsung's Knox as you mentioned separates the partition. Is that partition locked out until you enter the PIN?
 

antef

Senior member
Dec 29, 2010
337
0
71
I like TouchDown's implementation from the point of view of convenience, but from a security perspective, it's terrible. If you've downloaded attachments from your e-mail, they are now in the open if you have an insecure lockscreen. The idea behind EAS forcing you to have a PIN is that not just any user can get into corporate data. By only locking down TouchDown, you're not really locking down the corporate account.

None of these features are meant to be some sort of uncrackable system, but at least Samsung's Knox as you mentioned separates the partition. Is that partition locked out until you enter the PIN?

Are you sure downloaded attachments are in the open? I'm pretty sure TouchDown devs have given thought to this as it's one of the most important parts of email security and lots of corporations endorse its use. I was under the impression that downloaded attachments are only downloaded to TouchDown's protected/encrypted sandbox and aren't available to general file explorers. So those files still require entering your TouchDown PIN to access. Have you been able to download files and access them outside of TouchDown entirely?
 

bearxor

Diamond Member
Jul 8, 2001
6,609
2
81
Attachments in TouchDown are saved to the /Downloads directory and I believe you can easily reveal that directory when attached to a computer. You can also tap and hold and save wherever you want.

It looks like the iOS version is compatible with 7's backgrounding API now. Might be worth me taking another look at the iOS version again.
 
Feb 19, 2001
20,158
20
81
Are you sure downloaded attachments are in the open? I'm pretty sure TouchDown devs have given thought to this as it's one of the most important parts of email security and lots of corporations endorse its use. I was under the impression that downloaded attachments are only downloaded to TouchDown's protected/encrypted sandbox and aren't available to general file explorers. So those files still require entering your TouchDown PIN to access. Have you been able to download files and access them outside of TouchDown entirely?
It goes to /Downloads as the other poster said. I'm not trying to slam the security of TouchDown because I want an insecure lockscreen for my phone. However, it's certainly a security concern IMO that TouchDown is so insecure. In many ways it's almost as bad as the hacked Emails.apk.

With that said given it's so easy to bypass these EAS settings, I don't see how TouchID is any worse.

On the note of TouchID, I'm a pretty huge proponent of it. It's nice to have, and I'd implement it in a heartbeat. It's debatable if it's as secure as a PIN (and certainly it's less useful if your fingerprint gets compromised), but it's the ease of unlocking that matters. Not having to push 6 digits (damn EAS), yet offering decent security. I can easily unlock on the road and combined with always listening, I think that's a pretty safe solution to use for hands free (or nearly hands free at least).
 

antef

Senior member
Dec 29, 2010
337
0
71
It goes to /Downloads as the other poster said. I'm not trying to slam the security of TouchDown because I want an insecure lockscreen for my phone. However, it's certainly a security concern IMO that TouchDown is so insecure. In many ways it's almost as bad as the hacked Emails.apk.

With that said given it's so easy to bypass these EAS settings, I don't see how TouchID is any worse.

On the note of TouchID, I'm a pretty huge proponent of it. It's nice to have, and I'd implement it in a heartbeat. It's debatable if it's as secure as a PIN (and certainly it's less useful if your fingerprint gets compromised), but it's the ease of unlocking that matters. Not having to push 6 digits (damn EAS), yet offering decent security. I can easily unlock on the road and combined with always listening, I think that's a pretty safe solution to use for hands free (or nearly hands free at least).

TouchDown isn't insecure, the ability to save to /Downloads or anywhere that's not encrypted is governed by server policy. Are you sure your company enforces device encryption? See here: https://nitrodesk.zendesk.com/entries/20943898-Can-I-save-attachments-with-my-own-file-path-

Maybe you're claiming that feature isn't working as designed, but this is how it should be working. So yes, it's great that TouchDown can offer what is essentially a safe sandbox/partition and permit the rest of our device to be untouched.

But back to TouchID and the question I keep posing: Has Samsung implemented their fingerprint scanning the same way (where it can act in lieu of an EAS-enforced PIN), and will Google ever do the same for one of the options in AOSP? Right now pattern and face unlock can't be as convenient for us since Google disables them with EAS, instead of allowing them to masquerade as your PIN. They could, for example, come out with a more secure pattern lock, like CM's version, and allow that to work in place of a PIN like TouchID. But for now I want to know if Samsung's works like Apple's, or if it gets turned off when you add EAS like pattern and face unlock do.
 