| >(which is the most common device to be a work phone, and thus also connected to work email and work networks) So your VPN isn't adding any extra layer of auth? This doesn't seem like a TouchID problem. . . This is also a security design problem. You shouldn't be transmitting sensitive information via e-mail. If I want sensitive data stored in your e-mail, I'd start with a phishing attack long before I decide that physically jacking your phone and coming up with a complicated finger-print stealing process is the way to go. >This is not possible on the iPhone, To unlock the phone. You can add addition layers after the iPhone auths all you want. >consumers are under the false impression that fingerprints are the best security available, and they become frustrated to learn that Apple has been lying to them when corporate IT tells them fingerprints actually suck Heh. If your clients trust Apple's marketing more than their own IT people this again speaks to me of a severe communication problem among the IT people. >You can steal someone's fingerprint by simply having access to something they touched Not with high enough resolution to reliably fool TouchID in few enough attempts to keep it from passcode locking you out. You're fixation on worst-case scenarios where your adversaries benefit from multiple passes of blind luck doesn't make for great or realistic risk-assessment. >Network access to a corporate environment that has millions of SSNs, credit card numbers, etc. You think that a few hours of fiddling around with a latex mold is "too much work" for this? Think again. And you're not monitoring for suspicious activity or any additional access control on a data source that has all that sensitive information? You're just letting people mosey on into it with just their phones without so much as a warning flag going up somewhere? >Fingerprints are inherently insecure. Using fingerprints for more accounts is, thus, more insecure. This is both highly simplistic and wrong. For one thing, passwords are also inherently insecure, especially when people write them on sticky notes and put them under their monitors. Secondly, not all accounts need maximal security. Not all activities within an account need to give people access to the maximal extent of their privileges. Insisting on going all out on every single thing people try to do fosters insecure habits and insecure system design. You're making the problem worse. >Apple refers to TouchID as "the gold standard", "one of the most powerful passwords in the world", says "it is the most advanced technology", calls it "very high security". None of which is false for the use cases they're talking about. You're talking about access to sensitive PII, which Apple did not tell you to gate behind TouchID. I also have years of experience in Infosec and setting the record straight on things takes all of 30 seconds of explanation and taking the time to understand their business context. All it takes is to not treat your clients with contempt. |