When Apple announced it would require two-factor authentication earlier this year, experts like Dr. Thad Phillips predicted that the move would have a major impact on the industry. Phillips, an IT information security professional and CISO at a healthcare organization in Pensacola, Fla., believes that because we may be seeing more Apple tech in once Windows-dominated environments, there’s plenty for IT pros and solution providers to navigate, especially when it comes to cybersecurity.
With more than 20 years of experience in IT, Phillips has answered some of the most important questions about what two-factor authentication really means, and what solutions could help bridge the Microsoft/Apple gap in many increasingly mobile workplaces.
What makes Apple’s new security protocol so different?
It offers a centralized ability to log in to applications through Face ID and Touch ID with biometrics. Biometrics is a step ahead of Facebook and Google, but the big difference is the privacy push that Apple is doing. They are limiting the data sharing that they are giving out to other parties. Because they have integration going for them, they can play an interesting role as a middleman. They don’t want other vendors to know your email address, for example, and [access your] contact information. It’s a huge privacy push.
What are some ways this new protocol could have an impact on overall data security?
From a cybersecurity perspective, Apple is limiting the amount of data it’s storing from users. That’s a really good thing. This will force other companies over time to use stronger security measures, but they will have to be careful from a business model approach – they don’t want to limit data they are collecting like Apple is doing. They will need to go about it in a different way because they don’t want to disrupt the business model.
Who will be impacted the most?
Obviously, Apple is getting more people [to trust them and to buy into their products]. The end user is also going to be impacted positively because Apple is not collecting as much data with seamless integration through biometrics. The two-factor authentication and protections limit users from all of this exposure.
Apple is also reining in their developers. They are forcing builders to use this technology. If you are a developer of an app with Apple, Apple is going to force you—in a nice way—to use Apple’s sign on. This will occur in the upcoming OS 13.
Do you expect we’ll see big changes in the way data is ultimately mined?
Yes, especially among the third-party folks. They may be forced to rely on Apple for authentication. But the third party still wants user info, so they will go a different route in capturing this data. We will see [vendors] making changes on their end to combat against the added security by finding new ways to ask additional questions of users, likely in the apps themselves.
What do solution providers need to know right now about how to navigate Apple’s new security successfully?
From a security perspective, this is a good thing. Solution providers should know that it will crack down on fraud [and breaches]. And, in general for business, you’re going to improve security in your company. If you’re using a “bring your own device” model and [an employee may be using their own phone, for example] you can better control the security of that phone.
Could you give an example of how this works?
Companies of various sizes and technical complexities may use a combination of administrative, physical and technical safeguards to protect their work computing environments. A written policy, like having users sign terms and conditions, coupled with appropriate training on safeguarding protected information, is a great start. However, when workforce members are allowed or encouraged to bring in their own mobile devices (because the organization may not have the means or simply doesn’t want to purchase additional devices), then a more layered technical safeguards approach may be more viable.
What’s a good solution?
A business may choose to incorporate a mobile device management solution (MDM) to manage both company-issued and personal devices. This is sometimes construed by workforce members as overly invasive and can become a political quagmire. Regardless, the new Apple sign-in security features that incorporate dual factor authentication (and the ability to better identify “bots” in their authentication process) will help businesses of any size and complexity if their users are being protected by the technology they already own and use in their personal lives.
Do you expect we’ll see more of Apple in the corporate world as a result of this new security feature?
There are differing opinions out there on this one, but what I’m seeing is Apple infiltrating the business market like they did with the personal device market through the use of iPhones and iPads; it gets them in the door. From there, the next logical jump is the end-point device, such as desktops and PCs. Apple’s ability to stay proprietary and control their products is a huge security management win, but the big underlying current is the shift to cloud in organizations, and with MSFT (Azure), Amazon (AWS) and Google taking the lead in the business environments. Where Apple fits into this will really tell the tale for the big picture.