Biometrics all sounds great
Until someone compromises it
Changing your eye colour is a lot harder than adding 1 to the end of the password
The proliferation of password protection has become an assault on the senses. The rise of biometric authentication is helping to create some balance, enabling verification with a simple interaction, which, for many, is the fingerprint reader on a mobile phone. And once you start using the fingerprint/phone combo for NFC payments …
And that's why biometrics should NEVER be used as a password, which can easily be changed once it's been compromised...
Not to mention all the privacy concerns when there has been a breach, and you have multiple accounts that use Biometrics for authentication...
Having been shown how to read an ECG, but not to a terribly advanced level, I can think of many, many things that would throw this off the scent, and for those with irregularly irregular pulses you might as well give up as, by definition, there is as much pattern as you'll find in Brownian motion.
Also for those considering things like eye scans, the blood vessels in the eye change over time (and that's leaving out issues like subconjunctival haemorrhage), so unless you're using something that allows for incremental changes each day, and for significant changes in anything not used for a period of time, then you've got to accept a pretty broad margin of error.
I can, however, think of a few people on whom dramatic revocation procedures could be tested.
... and there goes all credibility, off out the window to join the pigs.
To be fair, I know nothing of the products, but electronic home security products don't have a great record.
The real knife in the heart is "deep learning" but I suspect the victim was already dead.
The absolute most you want from biometrics is "Hello Mr X, please enter your passcode now."
Or you could just put the key in the lock and turn the key without any of that junk.
Quite frankly, paywave doesn't require any authentication up to $100 and a pin after that, so why bother? Anything more is going to be a hassle the customer doesn't want (along with "please swipe your reward card now or press...")
Might work - for a given phone if always in the same pose, but if I use a different software keyboard, use landscape instead of portrait, the level of distraction alters, I'm using the mobile on foot instead of sitting down, it's cold / there's moisture on the phone screen etc., then it's likely to change significantly.
There would be some degree of pattern, but would have quite large margin for error, enough to allow false positives (or otherwise it would keep false negative flagging me).
I'm of the wrong age to have been texting as a young kid, so my phone press usage is decidedly non-fluent & inconsistent (especially as I do not type much on the phone, as I have computers for that with proper-size keyboards & screens!)
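The trade-off the two comments above describe (a margin wide enough to cover your own day-to-day variation also lets other people through) can be made concrete with a toy keystroke-dynamics matcher. This is an added example, not code from the thread or from any product the article mentions; the enrollment sessions, the "desk", "walking" and impostor probes, the mean-absolute-z-score distance and the thresholds are all constructed here for illustration.

```python
"""Toy keystroke-dynamics matcher: per-position timing template plus a
distance threshold, used to show the false-accept / false-reject trade-off.
All timing data below is constructed for the example (milliseconds between
consecutive key presses while typing the same 8-key phrase)."""
import statistics

# Five enrollment sessions typed at a desk (constructed).
ENROLL = [
    [180, 210, 170, 230, 190, 220, 200, 185],
    [175, 205, 180, 225, 195, 215, 205, 190],
    [190, 215, 165, 240, 185, 225, 195, 180],
    [185, 200, 175, 235, 200, 210, 210, 195],
    [170, 220, 170, 220, 190, 230, 200, 185],
]
# Same user, same desk, a day later (constructed).
GENUINE_DESK = [182, 208, 172, 228, 192, 218, 202, 186]
# Same user, walking in the cold with a different keyboard: slower and noisier (constructed).
GENUINE_WALKING = [260, 310, 240, 340, 280, 320, 290, 270]
# Somebody else typing the phrase at roughly the user's desk pace (constructed).
IMPOSTOR = [200, 230, 190, 250, 210, 240, 220, 205]


def build_template(sessions):
    """Per-key-interval (mean, population std dev) across enrollment sessions."""
    columns = list(zip(*sessions))
    return [(statistics.mean(col), statistics.pstdev(col)) for col in columns]


def distance(template, probe):
    """Mean absolute z-score of the probe against the template (lower = closer)."""
    zs = [abs(p - mean) / sd for (mean, sd), p in zip(template, probe)]
    return sum(zs) / len(zs)


def accept(template, probe, threshold):
    return distance(template, probe) <= threshold


def trade_off(template, threshold):
    """Outcome for each probe at a given threshold: (desk, walking, impostor) accepted?"""
    return (
        accept(template, GENUINE_DESK, threshold),
        accept(template, GENUINE_WALKING, threshold),
        accept(template, IMPOSTOR, threshold),
    )


if __name__ == "__main__":
    tpl = build_template(ENROLL)
    for probe_name, probe in (("desk", GENUINE_DESK), ("walking", GENUINE_WALKING), ("impostor", IMPOSTOR)):
        print(f"{probe_name:9s} distance = {distance(tpl, probe):.2f}")
    tight = 1.0
    # A threshold just loose enough to admit the user's own walking session.
    loose = distance(tpl, GENUINE_WALKING)
    print("tight threshold (desk, walking, impostor):", trade_off(tpl, tight))
    print("loose threshold (desk, walking, impostor):", trade_off(tpl, loose))
```

With the tight threshold the desk session is accepted and the impostor rejected, but the user's own walking session is a false reject. Loosening the threshold until the walking session passes also passes the impostor, whose distance is far smaller than the walking session's: the template cannot tell "same person, different conditions" from "different person, similar pace".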
As others have pointed out; biometrics are the equivalent to your username, not your password. And they're a pretty poor substitute for a username seeing as your fingerprint will be the same across every system you use. It may be slightly harder to fraudulently replicate than a username, but not enough that it's unbreakable and every one of the technologies mentioned in the article has its flaws and weaknesses.
Which tells me the banks and "security" outfits are investing a lot of time, money and research into completely missing the point. And that doesn't exactly fill me with confidence that they'll be good enough to encrypt the, essentially irreplaceable, biometric data they hold to verify access attempts. A password dump is one thing, a biometric data dump would be on an entirely different level. And that's even if the biometrics were being used as a username analogue. If they're being used as a password, which is identical and immutable across multiple systems... ...and it's being held by the likes of fucking TalkTalk... ...with all their vast and well-respected investment in security...
Your bank may be fucking excellent at securing the (hopefully) hashed version of your biometric data. And it may even be really good at spotting verification attempts that almost-but-not-exactly match your biometrics. But you don't hack a huge bank. You hack the data from the weakest link in the chain and then use the target's actual biometrics to get into the bank's secure vault. And then you do it again a week later when the bank have refunded what you stole. Because the poor fucker can't change his password...
So, let's see:
Audio: Yes, I love to have people speak loudly around me in order to get a clean sample on their computer/phone/whatever. And there's no such thing as an audio-recording device, so this should be safe, right?
Video: An image of your face. Right. I wear glasses, and most facial-recognition software I played with (freeware and commercial) has problems with *any* reflection on the lenses. And I sometimes wear contacts. What if I'm cosplaying (I have a few costumes which involve helmets, full- or half-face): does this mean I have to constantly remove the helmet every time I want to check my phone?
Typing: Let's get this over with - sometimes I type at my normal speed, sometimes I hunt-and-peck with one hand, sometimes my typing sucks because I haven't had my first cup of coffee (oooh, that reminds me - must make coffee).
Fingerprints: Really? Have you read the news over the last decade? The German branch of 4200 showed how easily you can bypass this "safety" (https://www.theguardian.com/technology/2014/dec/30/hacker-fakes-german-ministers-fingerprints-using-photos-of-her-hands).
Heartbeat: Better not have exercised just before trying to log in. Or how about the 2 people I *know* suffer from arrhythmia (their heartbeat goes funky every so often)? They're stuffed. And good luck unlocking your phone to call for help if you're having a cardiac problem.
And let's not forget that with *ALL* of the above options, once they've been hacked you are screwed. What are you going to do, change your fingerprints? Force yourself to start typing differently?
This is not a solution looking for a problem - this is a solution looking to *become* a problem.
All good arguments. I don't think that a single biometric access method can be the answer.
The secret sauce could be the trust model. Something along the lines of:
User is attempting to access an account from a previously used device, user is at GPS co-ordinates in the area of their home address, audio match - 90% certain, video match - 80% certain, heartbeat - no reading possible pulse too high. Good enough, let them in.
User is attempting to access an account from a new device, GPS not found, audio match - 99%, video - not found, heartbeat - not found. Hmm, could be an audio recording, ask them for a password.
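The trust model sketched in the comment above is a risk-based (adaptive) authentication policy: several weak signals are combined, and the outcome is either a passwordless allow or a step-up to a password. The block below is an added example of such a decision function, not code from the thread or from any bank or vendor; the signal weights, the per-modality floor, the minimum-signal rule and the allow threshold are assumed policy values chosen to reproduce the two scenarios the comment describes.

```python
"""Risk-based authentication decision combining device, location and
biometric signals. Policy constants are assumptions for this example."""
from dataclasses import dataclass
from typing import Optional, Tuple

ALLOW = "allow"
STEP_UP = "step_up_password"

# Assumed policy constants.
DEVICE_WEIGHT = 0.6       # contribution of "previously used device" to the context score
HOME_WEIGHT = 0.4         # contribution of "GPS near home address"
BIOMETRIC_FLOOR = 0.75    # a modality below this does not count as a match
MIN_SIGNALS = 3           # independent signals needed before skipping the password
ALLOW_THRESHOLD = 0.8     # combined score needed for a passwordless allow


@dataclass(frozen=True)
class AuthSignals:
    known_device: bool
    near_home: Optional[bool]    # None: no GPS fix available
    audio: Optional[float]       # match confidence in [0, 1]; None: no sample
    video: Optional[float]       # match confidence in [0, 1]; None: no sample
    heartbeat: Optional[float]   # match confidence in [0, 1]; None: no usable reading


def context_score(s: AuthSignals) -> float:
    """Score from non-biometric context: known device and location near home."""
    score = 0.0
    if s.known_device:
        score += DEVICE_WEIGHT
    if s.near_home:              # False and None (no fix) both add nothing
        score += HOME_WEIGHT
    return score


def biometric_scores(s: AuthSignals):
    return [v for v in (s.audio, s.video, s.heartbeat) if v is not None]


def decide(s: AuthSignals) -> Tuple[str, str]:
    """Return (decision, reason). Step up to a password whenever the evidence is thin."""
    bios = biometric_scores(s)
    present = int(s.known_device) + int(bool(s.near_home)) + len(bios)
    if present < MIN_SIGNALS:
        # A single strong channel (e.g. 99% audio, nothing else) could be a recording.
        return STEP_UP, f"only {present} independent signal(s); one channel could be replayed"
    if any(v < BIOMETRIC_FLOOR for v in bios):
        return STEP_UP, "a biometric channel fell below its match floor"
    combined = 0.5 * context_score(s) + 0.5 * (sum(bios) / len(bios))
    if combined >= ALLOW_THRESHOLD:
        return ALLOW, f"combined score {combined:.2f}"
    return STEP_UP, f"combined score {combined:.2f} below {ALLOW_THRESHOLD}"


# The two scenarios from the comment, as constructed inputs.
SCENARIO_KNOWN_DEVICE_AT_HOME = AuthSignals(
    known_device=True, near_home=True, audio=0.90, video=0.80, heartbeat=None)
SCENARIO_NEW_DEVICE_AUDIO_ONLY = AuthSignals(
    known_device=False, near_home=None, audio=0.99, video=None, heartbeat=None)

if __name__ == "__main__":
    print(decide(SCENARIO_KNOWN_DEVICE_AT_HOME))
    print(decide(SCENARIO_NEW_DEVICE_AUDIO_ONLY))
```

The first scenario (known device, near home, 90% audio, 80% video, no heartbeat reading) scores 0.925 and is allowed; the second (new device, no GPS, 99% audio alone) is sent to the password prompt because it rests on one channel, however confident that channel claims to be. The minimum-signal rule is what stops a single replayed recording from passing on its own high score.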
... (for me at least) with such compound approaches is that they both imply and, I would suggest, require my pre-approval of a level of data gathering that otherwise might be expected to require a warrant, and spread that approval over every organisation/ group/ authority operating the 'trust' model. For instance:
1: User is attempting to access an account from a previously used device
The user surely must, therefore, have agreed and accepted all those with whom he is being 'validated' are permitted to gather and or hold information on the devices she or he uses.
2: User is at GPS co-ordinates in the area of their home address.
The user surely must, therefore, have agreed and accepted all those with whom he is being 'validated' are permitted to both know the user's home address, _and_ to see the results of some manner of local GPS tracking at any time a validation request is made.
3: Audio match
The user surely must, therefore, have agreed and accepted all those with whom he is being 'validated' are permitted to hold one, or more likely a higher number, of 'audio fingerprint' samples. Which, of course, will be held totally securely and never leaked/ stolen/ misused. Well, probably not. Or possibly not...
4: Video match
See audio match, but add 'video sample/s'.
So to 'validate' myself to any or all of a number of services, I have to agree in advance that they can gather and/ or hold all the above data on me, and presumably 'pass it on to others as required by local law'. And I have to decide this is a Good Idea(tm).
Not in this lifetime.
And yes - I know that 'certain authorities' may have all the above already. But at least I don't have to agree in advance that _anyone_ can have it, use it, and possibly leak it, misuse it, sell it or give it to someone else. And if the aforementioned 'certain authorities' try to use it, there is a small chance (even if not measurable by current technology) they get slapped on the wrist for doing it.
Of course, I'm probably talking nonsense. After all, I'm an Idiot... :-).
'certain authorities' may have all the above already
It's not just GCHQ who have all that info. Your bank knows all of that.
Previous devices - Cookies
Home address - obviously they know that
Audio match - if you've ever used phone banking
Video match - if you've ever used an ATM
And realistically, your bank are the only people who need this level of login security. You may be equally interested in securing your email but that's your problem not the email provider's so the provider can leave it to you to select good passwords and keep them secret. The bank can't rely on that because it's them who are on the hook for fraud.
I think there has always got to be a password as a backup. Otherwise the one time you desperately need a bank transfer after a car accident on holiday in another country, the biometrics will all say no and you'll be really stuffed.
Perhaps the hope is that, because it doesn't need to be typed so often, it can be longer. Maybe the only really good use for biometrics is to replace PIN numbers. Your PIN can therefore be replaced by a long password because you very rarely have to type it.
Well, how do I do any of this biometrics on my old dumb not smart phone without a camera and I have lost my voice due to tonsillitis ?
Also, I personally will not add my credit card to my pay-as-you-go smartphone (I get credit via cash). I also went to my Barclays branch after they sent me a new bank card, which I had cut in half, and asked why my new card now had contactless payments added to it without me asking for it?
They apologized (which was BS) and said that this was standard practice. Well, I said I never want this on any future replacement cards, and send me out a new card as I have cut this one in half!
If more people were a PAIN IN THE ASS like me then maybe Banks would think twice before adding shit to customers without asking first !
They had my email and mobile phone number, but they would rather send out a new card, assuming in their own wisdom that a customer would want an added service which would mean someone can deduct money without you entering a PIN number, at a range of up to 20 ft!
Yeah, NFC can actually be read up to 20 ft away if you have the right equipment - scary. Just check your statements for any NFC payments; BTW, try and argue that you didn't use your card for that!
As you can guess I am not in favour of this new stuff. Yes, I am technical and used to be in IT, but for every lock there is always a way to crack it, and I prefer a PIN/password to prove it was me. And I use Linux and not Win 10!
Something you ARE (similar to biometrics)
Something you KNOW (similar to passwords)
Something you HAVE (similar to a token)
You really need all three to be complete. One or two just doesn't cut it if you want to be thorough. Unfortunately, it is quite difficult to get all three conveniently and with little hassle. Changing things if something is compromised isn't easy either.
Life goes on.
Biting the hand that feeds IT © 1998–2020