IT managers concerned about upgrading company or personal phones to iPhone 5 are being advised to think about two-factor authentication tools, given that 2FA apps will not migrate easily as they are fingerprinted to users' old handsets.
The reminder comes from Andy Kemshall, of tokenless authentication specialist SecurEnvoy, who makes the point that, although upgrading is straightforward – plug devices into iTunes and the software does the rest – when it comes to businesses whose employees use their iPhones for work, it's not quite so simple.
Kemshall suggests the following checklist: first, have you taken two copies of the iPhone system using iTunes, in case the restore fails?
Secondly, have you documented procedures in case you need to refer to Apple's business support operation?
Thirdly, have you remembered personal iPhone users? There is a significant set of BYOD (bring your own device) security and governance issues associated with the iPhone.
Fourthly, have you obtained explicit written permission from employees before upgrading their personal iPhones for them?
And, most important, the two-factor authentication issue. "I would bet that most companies haven't considered the last point and they aren't prepared for the influx of requests from users to migrate the two-factor authentication apps, such as soft tokens from RSA or SecurEnvoy's SecurAccess, to their new phones."
As Kemshall explains: "The reality is that most soft token apps require you to log a support call to request a new soft token seed record. For the majority of providers you might be shocked to find that it is going to cost you one or two help desk calls, plus the cost of a new token to get that user set up. You can't just migrate the existing licence: you have to buy a new one, get it set up and also ensure the old one is disabled."
No such advice comes without a plug, so here it is. For users of systems such as SecurEnvoy's, however, IT managers simply log in to their 'manage my token' portal, authenticate with their old phone and scan the QR code on the new phone, which both provisions the new phone and deletes the old phone's seed record from the server.