This Security 101 topic is pretty straight forward.  You should always enable and require logins (fingerprint, password, code, etc.) to access your devices (computers, phone, tablets, etc.).  Regardless if “you have nothing to hide” or not.  A login to your device should be a bare minimum.  There is little inconvenience to you, but could seriously help you in the event one of your devices is lost or stolen.  Think about what is stored on your computer, phone, and tablet.  If any of these devices were lost, stolen, or accessed without your permission, how much personal, private information would a person have access to?  Would requiring a login prevent everyone from getting into your device?  Unfortunately, the answer isn’t a simple yes or no.  It would depend on the skill level of the person who had your device along with the tools they had at their disposal.  Most of the time though, it would certainly make it more difficult and prevent most people from accessing your device.  One of the biggest benefits of requiring a login to your device is it gives you more time to start performing your cautionary steps (tracking down your device, resetting passwords, revoking permissions for the device, etc.).

How does this impact me?  Although this is a simple security measure, it is quite often ignored by most people.  As mentioned earlier, think about the data stored on your device for a moment.  Look past just the files you have stored on the actual device and think about how many accounts you can access or login to without having to enter a password.  This is where things get alarming.  If your device was lost, stolen or accessed by someone without your permission, they would be able to access the files on your device and potentially be able to log in to your various accounts (i.e. email, bank, retirement, shopping, etc.).  Logging in to your bank would be bad of course, but think about all the data sitting in your email.  Have you ever sent loan paperwork to a bank or information to a tax preparer?  In both of those instances, the information is usually very personal/private information about yourself and your family members.  So, the data both physically on your device and the accounts it has access to are extremely important.

Lost or stolen devices can happen to anyone at any time and we never plan for those events.  We also don’t anticipate someone with malicious intentions accessing our device(s) without our permission, but that also happens.  This is where requiring a login (password, fingerprint, code, etc.) can be extremely helpful and provide much needed security.  Is it 100% security if your device is lost, stolen or ends up in the hands of someone with malicious intentions?  Of course not.  There are many factors at play such as how technical is the person that has the device, what tools do they have at their disposal and how strong is your password.  The difference between having a password or fingerprint requirement to access your device and not having one is the time it will take for someone to break in to your device, if they can at all.  In instances where your device is left unattended, requiring a password would slow someone down from being able to gain access until you return and gain control of your device again.  This is assuming of course the password isn’t something simple like your birth date or the last 4 digits of your phone number, which the person trying to access your device knows.  A strong password is obviously a must, but someone without your password wouldn’t be able to access the device easily or quickly.  In the event your device was lost or stolen, slowing someone down by requiring them to “hack” your password would allow you time to start resetting passwords and revoking access to accounts from that device.  Someone may have access to the information physically on the device if they are able to hack your login/password, but at least they wouldn’t have access to your accounts as well.  Requiring a login to your device will also give you time to remotely wipe the device if you have that feature enabled.  We will cover remotely wiping a device in Security 102.  Being able to remotely wipe your device is something to look in to since it is easy to implement, so wanted to at least mention it in our Security 101 discussion.

Leaving your device unattended for a short period of time is when requiring a login (fingerprint, code, password, etc.) could really help protect you and your data.  Here’s a real-world example.  Let’s say you leave your phone on the table in a coffee shop to put creamer in your coffee then stop to talk to the barista for a minute or two.  During this time, your table is not viewable due to how crowded the coffee shop is.  If someone sitting beside your table wanted to read your personal or company emails, they would need to “hack” your password first, which the odds of that happening prior to you returning to your table or someone not noticing are slim.  That is assuming of course the password isn’t on a sticky note on your device (please don’t do that).  In some cases, your device might timeout for a short period of time before allowing more login attempts, which again gives you enough time to return to your table.  If you did not have a login (fingerprint, code, password, etc.) enabled, that person sitting beside your table with malicious intentions could have accessed your device and had access to a lot of personal information or they could have installed some software so they could gain access to your device remotely later.  This real-world example would be the same if you were over someone’s house you didn’t know and had to visit the restroom, were at work and left one of your devices at your desk, etc.  In the end, there’s really no reason not to require a login to your device.

What can I do?  Since there are so many options available today with fingerprint readers, iris scanners, face scanner, password, passcode/pin, pattern, etc., there’s no reason not to at least enable one of them.  People have argued, and in some cases proven, that face scanners and fingerprint readers can be fooled, but in the end either of those options are better than nothing.  More importantly, fingerprint readers and face scanners are often fooled during a targeted attack, which usually doesn’t happen to normal users.  A 6, 8 or 9 digit pin/passcode is better than a 4 digit pin or generic screen pattern (as seen on Android devices), but having a 4 digit pin or screen pattern is better than not having one at all.  If you want a lot of a security and your annoyance factor is high, a 12 digital pin/passcode would be very strong.  If you would rather not be inconvenienced too much, the use of a fingerprint along with a 6-8 digit pin/passcode would be perfect.  The passcode should only be required when the phone is rebooted or when enabling/disabling certain features.  If using Android, you could cut down on the “annoyance factor” by setting up the “Smart Lock” feature, where your phone would bypass security when connected to a certain Bluetooth device (such as your car or smart watch) or within a certain geographic location (such as your home). 

There are downsides to keep in mind when using “Smart Lock” on Android.  If you enable “Smart Lock” for your smart watch, your Android device would be accessible to people if you leave it behind while going to the restroom at someone else’s house or leaving it at your table while in a coffee shop and visiting with a barista as we discussed previously.  This would be due to the device being “unlocked” while your smart watch is in Bluetooth range.  If you enable “Smart Lock” for the geographical area where your work is located, your Android device would be accessible if you left it behind when you went to lunch.  If you enable “Smart Lock” for the geographical area around your home, the Android device would be potentially unlocked if you were visiting your next door neighbor and of course would be accessible if you left it at home.  Not a big deal, but you should be aware that by enabling “Smart Lock” you are essentially disabling your login feature in some instances.

Even if you have a login enabled or “Smart Lock” disabled on your Android device(s), we always recommend not leaving your phone, laptop or tablet unlocked or unattended while at a coffee shop, airport, stranger’s home, etc.  The risk is just too great for it to disappear or be targeted by a skilled hacker who may be in the area, especially when you consider the information stored on the device or accounts/information the device has access to.  If you do have to leave it unattended for whatever reason though, at least make sure you have a login (password, passcode, fingerprint, iris scan, etc.) enabled/required so it would inhibit someone from getting access to it quickly and give you time to take precautionary measures if it were lost or stolen.

If your device has been lost, stolen or out of your control for an extended period and you suspect it has been compromised/accessed, we suggest resetting your main account password right away (Google, Windows, or Apple).  This should prevent someone from doing too much on your device if they do gain access to it by hacking your password.  If you used or accessed your password manager from the device, we would recommend changing your master password ASAP.  You can read our blog posting on password managers <insert title and link here> to learn more about things you should do if your master password is compromised.  Also think about all the apps you had on your device and start resetting those passwords as quickly as you can.  If you had any passwords saved in your web browser (not recommended) or stored in a file on your device (also not recommended), you will want to reset those passwords as well.  One other thing to remember, is you would want to revoke access to your various apps and accounts for any devices that are lost, stolen or compromised.  This also included devices you have given to people you know, sold or donated. 

We provide more in-depth tips on what to do if you have ever had a device lost, stolen or suspected it has been compromised (accessed without your permission) in our following blog post: https://logicalcybersecurity.com/basics/2017/5/30/lost-stolen-compromised-device).