3. HYPOTHESIS
1. The best solution is largely dependent on the nuanced situation and company policies surrounding information security.
2. Biometrics with OTP technology will improve security for Enterprise data.
3. The choice of template data storage platform depends on the requirements of the system and organization.
4. PROJECT OBJECTIVES
a) How do members of the enterprise currently interact with biometrics-enabled mobile devices or smart cards?
b) How do multi-factor authentication techniques, such as the incorporation of OTP, for biometric authentication on mobile devices affect overall usage?
c) How should templates be stored on mobile devices?
d) How should companies allow portable biometrics while not compromising security and privacy of the biometric?
Key Takeaway: Security, privacy, and convenience are the primary concerns in portable biometrics
6. CHALLENGES FOR IMPLEMENTATION
1. BYOD initiatives in the modern enterprise
a. Experience across devices is not uniform
b. Monitoring apps and devices
c. Insecure cloud services or apps
d. Remotely wiping devices (2)
2. User Interactions
a. Malicious Applications
b. Poorly selected or absent PINs/passwords
c. Poorly managed security updates
d. Lost devices
(3)
7. LITERATURE REVIEW FINDINGS:
• Assume that the networks between the mobile device and the organization cannot be trusted
• Informed consent and privacy legislation
• Ensure all biometric data will be securely stored and safeguarded.
Key Takeaway: The only effective way to implement portable biometrics in the workplace is to create stringent and informed corporate policies
8. SOLUTION ON BYOD
• Largely dependent on the situations and preferences of the enterprise:
• Allow all BYOD (Embrace)
• Allow limited device types, OS versions, users (Contain)
• Don't allow any BYOD (Block)
Key Takeaway: There is no silver bullet
4
9. BYOD Regulatory Apps
Types:
1. Data in Remote workspace
2. Data on device
Challenges:
1. Legacy software
2. Multiple Mobile Platforms
5
Key Takeaway: Organizations should maintain a
distinction between corporate data and personal data
10. One Time Password (OTP)
Currently: Something "you have" provides you with something "you know"
With biometrics: Something "you have" prompts you to provide proof of "what you are" to gain something "you know"
(5)
Key Takeaway: Marrying OTP and Biometrics will
be effective in the described use cases
7
6
11. Storage Options
Device Storage
Local storage in the memory of a singular device that allows that device to access and use data without making it accessible to other devices through sharing mechanisms.
Cloud Storage
Cloud storage is storage on an internet server that can be accessed by a multitude of devices from any location.
Definition: "a model for enabling convenient, on demand network access to a shared pool of configurable computing resources … that can be rapidly provisioned and released with minimal management effort or service provider interaction" (NIST 8)
9
12. CLOUD V DEVICE STORAGE
Cloud Advantages
• Extremely Portable
• Offers the option for multi-device use
Cloud Disadvantages
• Requires trust in the server
• May reduce privacy for the user
• The template may be less secure
• May have additional fees associated with data storage
Device Advantages
• Encryption allows better privacy for the user
• User has full control over access and deletion of device
• Uses storage capacity already available from the phone
Device Disadvantages
• Requires trust in the user
• Device could be stolen or lost, and template lost with it
• Employee interaction with the template is less visible to the enterprise
• Localized use
Key Takeaway: Neither is a perfect solution
13. NEXT STEPS
1. Develop prototypes to test OTP systems and how biometrics affects their hackability and usability.
2. Work with Cloud team to test whether device storage or cloud storage is better for use in the enterprise.
• Hypothesis: The best storage method depends on the circumstances
• Follow-up testing if the hypothesis is correct: Which circumstances require which form of storage and why?
3. Create a survey to distribute to members of the enterprise gauging current security awareness and reactions to privacy concerns.
Key Takeaway: Assessment of technology and Best Practices document