back to article Samsung forgets fingerprints, focuses its eye on YOURS

When Samsung shoved the Galaxy S5 out the door last year, one of the things it put front and centre was the new ability to log on with one's fingerprint. Fast forward twelve months and Sammy looks to be giving that idea a finger of a different sort, by signing a deal with the Stanford Research Institute (SRI) to put iris- …

  1. Antonymous Coward
    Facepalm

    I see...

    Therefore I am... You.

    I wish the mobe industry could see too. "Biometrics"... all "biometrics"... are IDs not passwords. FFS!

    1. Calleb III

      Re: I see...

      So, what's your point? The standard method of authentication is to provide 2 things that you "know" - user name and password, with bio-metrics you provide 1 (or more) thing that you "have".

      Neither method is 100% secure, one of them is far more convenient (and probably more secure) for the 80% of the people, can you guess which one?

      1. Anonymous Coward
        Anonymous Coward

        Re: I see...

        Bio-metrics are not "something you have."

        Bio-metrics are "something you are."

        Iris scanners though? Really? I'll have to look into it more, for the differences from retina scanning... but retina scanning has the whole "personal invasion" aspect due to being able to detect things like, if a woman is pregnant.

      2. Antonymous Coward
        Facepalm

        Re: I see...

        "Neither method is 100% secure, one of them is far more convenient (and probably more secure) for the 80% of the people, can you guess which one?"

        No need to guess (thanks) but you clearly need to read on...

        One of your "methods" is 0% secure. One of your "methods" is your identity and not a password. These two things are different - one of them is not secret. "can you guess which one?" Is your hair colour a password? If I don an appropriate wig do I become you? Hair colour is (a factor of) your identity not your password. It is not secret.

        If you insist on considering your physical attributes, such as iris pattern, to be your password, then just remember you should: Use a different iris for every device/account (in case one is insecure/malicious/etc), change it regularly (every few months should suffice), never get photographed - or you'll have to go 'round changing all your irises (what a chore that'd be), and so on...

        Sorry if the beginning of my splaff seemed somewhat cryptic, it's the title of a nice little deconstruction of your misconception: http://events.ccc.de/congress/2014/Fahrplan/system/attachments/2573/original/congress2014.pdf. I'd meant to find an English translation to link to but got bored looking for one and gave up. Don't worry if your German isn't up to much - it's a slide presentation so should be easy enough to follow.

        These days some people actually seem to be using their phones for stuff they actually might want to keep actually secure. Online banking, payments and other fappenings, for example. Not using a password is certainly more convenient than using one. If you don't want one don't use one. No problem! ...but why pretend that an ID is a password? That would be an almost criminally malicious deception. You may not know any better but Samsung should certainly know better... especially if there's any truth to the rumours regarding them Blackberry and a move into more... secure devices.

        Oh... and you'll need to be be extra careful of your eyes. Obviously! --------->

        1. Robert Helpmann??
          Joke

          Re: I see...

          Oh... and you'll need to be be extra careful of your eyes.

          Ah, I need to get some work done check my email while I'm at home, watching my favorite program with the family. It's a bit dark... and the system can't read my eyeball without a bit more light. No problem! It will work with the camera on the reverse using the flash. Just hold it up and... ARRGH! F***! My eye! That's too damn bright!

          Just saying, because the devil is in the details. Still, it might be a fun prank app to write, though...

  2. Anonymous Coward
    Anonymous Coward

    So where is the iris processing done, and who gets copies?

    Unless it all can be done locally on the device; with no data leakage anywhere I'm certainly not interested.

  3. Anonymous Coward
    Anonymous Coward

    1000x more secure my ass

    Its a simple 2D image, so it should be no more difficult to fool than a fingerprint scanner. In fact the fingerprint scanner has the option (not implemented in all of them obviously, but they could) of checking temperature and pulse to detect fakery. I'm sure if you put a suitable high res image of your iris in front of the camera it'll unlock for you, because there's no way it can tell the difference between that and your actual iris so long as you print it on something with the right amount of reflectivity.

    Not hard to get that suitable image either, all you have to do is get the victim to take a selfie with you :)

    1. Anonymous Coward
      Meh

      Re: 1000x more secure my ass

      It's been done:

      http://thehackernews.com/2015/03/iris-biometric-security-bypass.html

    2. Jimmy2Cows Silver badge

      Re: 1000x more secure my ass

      Perhaps it's a 3d image or each eye, or at least stereoscopic. I looked on their site but it was unsurprisingly light on detail.

      With 3d images the system could perhaps detect the curvature of the eyeballs, making it harder to fake. Or perhaps the imaging system is looking for details or features that would be difficult to print, say things only visible in IR.

      Totally agree with earlier sentiments that biometrics should only serve as a user ID. Never a password.

      Confirm identity, not clearance.

      1. tony2heads

        Re: 1000x more secure my ass

        with stereoscopic 3D images you could also check eye separation.

    3. Calleb III

      Re: 1000x more secure my ass

      "Not hard to get that suitable image either, all you have to do is get the victim to take a selfie with you :)"

      Yeah, because you can get an image with high enough resolution of the iris.

      As for which one is more secure a 4 digit pin, that anyone standing in the bus/tube/train near you can see, or your fingerprint/iris, i think we all know the answer.

      1. Antonymous Coward
        Facepalm

        Re: 1000x more secure my ass

        " Yeah, because you can get an image with high enough resolution of the iris. "

        Well done! You read the link I gave you. Good lad!

        " As for which one is more secure a 4 digit pin, that anyone standing in the bus/tube/train near you can see, or your fingerprint/iris, i think we all know the answer. "

        Oh.

        All but one of us. Still. Sadly.

      2. Anonymous Coward
        Anonymous Coward

        @Calleb III

        Unless the iris unlock requires your eye to be extremely close to your phone (making it very inconvenient) or has a totally separate sensor that is much higher resolution than your phone's camera, yes, you can get a selfie with high enough resolution.

  4. David Lawton

    For the phone i think the fingerprint is better, i don't even know I'm doing it with my iPhone its that natural now, i just press the home button with my thumb and just leave it on for 1 second and the phone unlocks, i doubt iris scanning will be quicker or more convenient than that, because if it isn't people will get annoyed with it and turn it off and be less secure.

  5. Anonymous Coward
    Pirate

    Eye I

    I understand that some digital cameras can scan the eye and detect stuff like eye micomovements and blood flow in the back of the eye which should be good for detecting whether its a live eye - I dont see why that cant be implemented?

    Still almost any biometric is better than a 4 digit pin for stuff that doesn't need high-security like banking. Cause you cant forget your eye or fingerprint now can you? Unless you are Captain Hook, avast behind jim lad, aaarghh.

    1. The_Idiot

      Re: Eye I

      But - and I know this has been said many times before - you can't change it either.

      So the next time you get an email from your bank/ service provider about the recent security breach that resulted in the access details of 999999999999999999999999999999 people being copied, of whom you were one, and telling you to change your thumbprint/ retina print because the verification copy was kept at their end in a not-sufficiently encrypted form, oh and to do the same on all the other sites where you used the same access token - you're going to do, um, what?

      Yes. I know there shouldn't be any form of remote copy. The word here is 'shouldn't'.

      Any access element that cannot be changed in the event of a breach is a risk. Or at least, that's my view. Of course, I'm an Idiot...

  6. phil dude
    Boffin

    funny thing...

    the first thing I thought of when I read the article was "I wonder if this can diagnose cataracts?"

    It might be useful to get a 10 million sample of time stamped eye exams....

    P.

    P.S. Oh sorry, yes it is creepy, insecure etc....

  7. Jin

    Password-dependent Password-killer?

    Whether fingerprits or iris patters, it would bring down security so long as it is operated together with a fallback password.

    Threats that can be thwarted by biometric products operated together with backup passwords (rescue/fallback/ alternative passwords) can be thwarted more securely by a password-only authentication.

    We could be certain that biometrics would help for security ONLY WHEN it is operated together with another factor by AND/Conjunction (we need to go through both of the two), NOT WHEN operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience while bringing down the security.

    Incidentally, it is not possible to compare the strength of biometrics operated on its own with that of a password operated on its own. There are no objective data about the overall vulnerability of biometric solutions (not just false acceptance rate when false rejection is near-zero but also the risk of forgery of body features and the risk of use when the user is unconscious) and that of the passwords (not only that it may be as low as 10 bits or as high as 100 bits but also that it could be stolen and leaked.)

    Such a terrible nonsense as the “password-dependent password-killer” should be killed dead lest the good reputation of biometrics as excellent identification tools for physical security should be damaged. Biometric solutions in cyber space could be recommended to the people who want better convenience, not to the people who need better security so long as they are dependent on the backup/fallback passwords.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022