Apple iPhone 5s TouchID and Exchange ActiveSync (updated)
2013/10/17: Added support statement by Microsoft below
Just today I was curious how the Apple biometric convenience solution TouchID on the iPhone 5s would impact password policies enforced by Exchange ActiveSync (EAS).
I frequently run into complaints from Android users who previously used a Pattern Lock instead of a PIN to unlock their phones. When my EAS policy sets specific password requirements, the Pattern Lock is replaced by the phone OS with the more traditional PIN (or alphanumeric password) unlock. Unfortunately, for those users, there is no Pattern Unlock support in EAS. Would this also be the case with TouchID in iOS 7, as it has no explicit support for these biometric features?
As I don’t own an iPhone 5s (Lumia 920 FTW!) I’ve asked around on Twitter and got some feedback on this subject (read the whole Twitter thread) and a link to a MacRumors forum discussion (here). It seems as if TouchID is an overlay for any PIN requirement; users claim to have EAS policies with specific password requirements and certain lock-times. They now only have the TouchID interface, which unlocks the phone after said lock-times. It appears that after a successful TouchID identification, it would then answer the password challenge. Basically, TouchID replaces any complex password policy set by ActiveSync (confirmed by The UC Architects fellow John A. Cook). There appears to be a requirement to enter the PIN after starting the phone for the first time, and when you don't unlock the phone for 48 hours, but besides that it’s TouchID only. And how many times do you restart your phone or leave it alone for two days?
Although convenient for users, it does raise security concerns. Basically, it renders EAS password complexity useless. Whether you have a simple PIN or a 16-letter alphanumeric password set, it doesn’t make a difference. This makes the quality of TouchID important. Although Apple calls TouchID highly secure, it would seem that it has already been hacked after two days by the German Chaos Computer Club using easily available tools.
What is an Exchange Admin to do? Well, in the MacRumors discussion someone mentions an upcoming feature that would give Exchange admins the option to disable biometric features. However, this is the first I’ve ever heard about a new Exchange ActiveSync feature. Mind you, the EAS feature set hasn’t been updated since Exchange Server 2010 Service Pack 2 and that was only a minor update. It’s theoretically possible, but it wouldn’t be very practical. The update has to come out and be installed on Exchange servers (probably only for 2013 and perhaps 2010) and, even then, the devices would have to support that new version of ActiveSync. That would take a lot of time. I don’t think this scenario is going to happen.
What then? Well, those on Exchange Server 2010 or 2013 (on-prem or hosted via Office 365) can block or quarantine iOS 7 with ABQ as I wrote in a recent post. But, as TouchID is currently only available on the iPhone 5s, that would block a lot of devices that don’t have this biometric feature and potential security issue. It’s more of a hardware/device issue than a software issue. The alternative would be to block by DeviceModel; it seems the iPhone 5 (either S, C or both; unfortunately I cannot check this at the moment) has a DeviceModel value of iPhone5C2. Something like this would quarantine these devices:
New-ActiveSyncDeviceAccessRule -QueryString "iPhone5C2" -Characteristic DeviceModel -AccessLevel Quarantine
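An added example (not from the original post) for the Exchange Management Shell: it inventories the DeviceModel strings that iPhones actually report, previews which devices the rule would match, and creates the quarantine rule only when it matches something and does not exist yet. The variable names are chosen here, and iPhone5C2 is the unverified value quoted above.

```powershell
# Added example for the Exchange Management Shell (Exchange 2010/2013).
# Assumption: "iPhone5C2" is the unverified value quoted in the post; confirm it in step 1.
$candidateModel = "iPhone5C2"

# Fetch the device list once and reuse it for steps 1 and 2.
$devices = Get-ActiveSyncDevice -ResultSize Unlimited

# 1. Inventory what iPhones actually report, so the rule targets the right string.
$devices |
    Where-Object { $_.DeviceType -like "iPhone*" } |
    Group-Object DeviceModel, DeviceOS |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Preview which users and devices the rule would match.
$matched = $devices | Where-Object { $_.DeviceModel -eq $candidateModel }
$matched | Format-Table UserDisplayName, DeviceModel, DeviceOS, DeviceAccessState -AutoSize

# 3. Create the rule only when it matches something and does not exist yet.
$existing = Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.Characteristic -eq "DeviceModel" -and $_.QueryString -eq $candidateModel }

if (-not $matched) {
    Write-Warning "No device reports DeviceModel '$candidateModel'; check the inventory above."
}
elseif ($existing) {
    Write-Warning "A DeviceModel rule for '$candidateModel' already exists (AccessLevel: $($existing.AccessLevel))."
}
else {
    # Dry run first; remove -WhatIf to actually create the rule.
    New-ActiveSyncDeviceAccessRule -QueryString $candidateModel `
        -Characteristic DeviceModel -AccessLevel Quarantine -WhatIf
}

# 4. Review the rules and the access state Exchange has recorded for the matched devices.
Get-ActiveSyncDeviceAccessRule |
    Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceModel -eq $candidateModel } |
    Format-Table UserDisplayName, DeviceAccessState, DeviceAccessStateReason -AutoSize
```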
For most organizations this TouchID hack is possibly a non-issue. For instance, there are still a lot of Exchange organizations without any EAS password policies. But for those that are very security minded or have certain legal requirements, the ABQ feature in Exchange can be very helpful in this case.
P.s. Feel free to leave DeviceModel values in the comments, if yours vary from mine.
Edited 17 October 2013:
Apparently Microsoft has updated their Mobile Device Mailbox Policies page on the 19th of September (release date iOS7), which states explicitly:
The iOS7 fingerprint reader is not supported as a device password. If
you enable the fingerprint reader to secure your iOS7 device, you will
still need to create and enter a password if your mobile device mailbox
policies require a password.
The language is a little bit confusing as experience shows that the password is needed only once after booting. After that FingerprintID is sufficient. I think the point they are trying to make is that even though TouchID is present and used, you still need to set a password if the policy requires it. Thanks to Exchange MVP and The UC Architects fellow Paul Cunningham for the catch!