Body of evidence: Biometrics and YOU

The proliferation of password protection has become an assault on the senses. The rise of biometric authentication is helping to create some balance, enabling verification with a simple interaction, which, for many, is the fingerprint reader on a mobile phone. And once you start using the fingerprint/phone combo for NFC payments …

  1. Locky
    Mushroom

    Biometrics all sounds great

    Until someone compromises it

    Changing your eye colour is a lot harder than adding 1 to the end of the password

    1. Anonymous Coward
      Facepalm

      Re: Biometrics all sounds great

      And that's why Biometrics should NEVER be used as a password, which can easily be changed once it's been compromised...

      Not to mention all the privacy concerns when there has been a breach, and you have multiple accounts that use Biometrics for authentication...


      2. roytrubshaw
        Big Brother

        Re: Biometrics all sounds great

        "And that's why Biometrics should NEVER be used as a password, Which can easily be changed once it's been compromised.."

        This can't be emphasised enough: Biometric identification is a username not a password!

  2. Joe Harrison

    I liked the way you slipped that one in

    "getting a satisfying facial at home" haha

  3. M7S

    Heartbeat

    Having been shown how to read an ECG, but not to a terribly advanced level, I can think of many many things that would throw this off the scent, and for those with irregularly irregular pulses you might as well give up as, by definition, there is as much pattern as you'll find in Brownian motion.

    Also for those considering things like eye scans, the blood vessels in the eye change over time (and that's leaving out issues like subconjunctival haemorrhage) so unless you've got something that allows for incremental changes each day, and for significant changes in anything not used for a period of time, then you've got to accept a pretty broad margin of error.

    I can, however, think of a few people on whom dramatic revocation procedures could be tested.

    1. joed

      Re: Heartbeat

      Not only may the bank reject such a heartbeat login but one's credit score would drop and health insurance rates increase. Same for other biometric methods. We'll surely benefit from this connected world. Not.

  4. P. Lee

    >It’s a spin-off from its Welcome home security product that also relies on deep learning.

    ... and there goes all credibility, off out the window to join the pigs.

    To be fair, I know nothing of the products, but electronic home security products don't have a great record.

    The real knife in the heart is "deep learning" but I suspect the victim was already dead.

    The absolute most you want from biometrics is "Hello Mr X, please enter your passcode now."

    Or you could just put the key in the lock and turn the key without any of that junk.

    Quite frankly, paywave doesn't require any authentication up to $100 and a pin after that, so why bother? Anything more is going to be a hassle the customer doesn't want (along with "please swipe your reward card now or press...")

  5. allthecoolshortnamesweretaken

    Interesting idea: Rubber fingertips to use with fingerprint-based authentication systems. You'd be able to "change" your fingerprints when they get compromised.

  6. Alister
    Paris Hilton

    Fred Potter explained for us the task of getting a satisfying facial at home without relying on a massive online image database to deliver the money shot.

    "getting a satisfying facial", "deliver the money shot."

    Either my mind is in the gutter, or the writer's was...

    1. Anonymous Coward

      Or both.

      Classic El Reg. "Bolivian marching powder" and a few others too. Good job :)

  7. tiggity

    key press style recognition

    Might work - for a given phone if always in same pose, but if I use different software keyboard, use landscape instead of portrait, level of distraction alters, using mobile on foot instead of sitting down, how cold it is / moisture on phone screen etc. then likely to change significantly.

    There would be some degree of pattern, but would have quite large margin for error, enough to allow false positives (or otherwise it would keep false negative flagging me).

    I'm of wrong age to have been texting as a young kid so my phone press usage is decidedly non fluent & inconsistent (especially as I do not type much on the phone as I have computers for that with proper size keyboards & screens!)

  8. Anonymous Coward

    > By using this near-realtime tool in risk assessment, the bank is free to make up its own rules.

    That's what I love about their existing fraud detection algorithms: never knowing if I'll be able to get my money when I need it.

  9. Luiz Abdala
    Joke

    So, if you use fingerprints...

    ... you can only change your password 10 times.

    Or 20, if you are willing to remove your shoes to scan your toes.

    That will teach them to stop asking me to change passwords.

    1. Herby
      Joke

      Re: So, if you use fingerprints...

      Or 21 if you drop your pants.

      Big joke alert!!

  10. Justicesays

    If it uses a neural network...

    they don't actually know how it works.

    Or if showing it a picture of the French Alps instead of your face will cause it to give a "passed" result, until they actually try it.

  11. israel_hands
    Facepalm

    Deficient Wetware

    As others have pointed out; biometrics are the equivalent to your username, not your password. And they're a pretty poor substitute for a username seeing as your fingerprint will be the same across every system you use. It may be slightly harder to fraudulently replicate than a username, but not enough that it's unbreakable and every one of the technologies mentioned in the article has its flaws and weaknesses.

    Which tells me the banks and "security" outfits are investing a lot of time, money and research into completely missing the point. And that doesn't exactly fill me with confidence that they'll be good enough to encrypt the, essentially irreplaceable, biometric data they hold to verify access attempts. A password dump is one thing, a biometric data dump would be on an entirely different level. And that's even if the biometrics were being used as a username analogue. If they're being used as a password, which is identical and immutable across multiple systems... ...and it's being held by the likes of fucking TalkTalk... ...with all their vast and well-respected investment in security...

    Your bank may be fucking excellent at securing the (hopefully) hashed version of your biometric data. And it may even be really good at spotting verification attempts that almost-but-not-exactly match your biometrics. But you don't hack a huge bank. You hack the data from the weakest link in the chain and then use the target's actual biometrics to get into the bank's secure vault. And then you do it again a week later when the bank have refunded what you stole. Because the poor fucker can't change his password...

  12. channel extended
    Pint

    Beer O'clock

    I think we should use a breathalyzer. Then you have an excuse for a couple of pints before work. They would need to know how much you drank and how long you waited to sign in. Maybe even what brand!

    NOW, I want to be a pen tester, er, taster!

  13. Neoc
    Facepalm

    So, let's see:

    Audio: Yes, I love to have people speak loudly around me in order to get a clean sample on their computer/phone/whatever. And there's no such thing as an audio-recording device, so this should be safe, right?

    Video: An image of your face. Right. I wear glasses, and most facial-recognition software I've played with (freeware and commercial) has problems with *any* reflection on the lenses. And I sometimes wear contacts. What if I'm cosplaying (I have a few costumes which involve helmets, full- or half-face): does this mean I have to constantly remove the helmet every time I want to check my phone?

    Typing: Let's get this over with - sometimes I type at my normal speed, sometimes I hunt-and-peck with one hand, sometimes my typing sucks because I haven't had my first cup of coffee (oooh, that reminds me - must make coffee).

    Fingerprints: Really? Have you read the news over the last decade? The German branch of 4200 showed how easily you can bypass this "safety" (https://www.theguardian.com/technology/2014/dec/30/hacker-fakes-german-ministers-fingerprints-using-photos-of-her-hands).

    Heartbeat: Better not have exercised just before trying to log in. Or how about the 2 people I *know* suffer from arrhythmia (their heartbeat goes funky every so often)? They're stuffed. And good luck unlocking your phone to call for help if you're having a cardiac problem.

    And let's not forget that with *ALL* of the above options, once they've been hacked you are screwed. What are you going to do, change your fingerprints? Force yourself to start typing differently?

    This is not a solution looking for a problem - this is a solution looking to *become* a problem.

    1. Seajay#

      All good arguments I don't think that a single biometric access method can be the answer.

      The secret sauce could be the trust model. Something along the lines of:

      User is attempting to access an account from a previously used device, user is at GPS co-ordinates in the area of their home address, audio match - 90% certain, video match - 80% certain, heartbeat - no reading possible pulse too high. Good enough, let them in.

      User is attempting to access an account from a new device, GPS not found, audio match - 99%, video - not found, heartbeat - not found. Hmm, could be an audio recording, ask them for a password.

      1. The_Idiot

        The problem...

        ... (for me at least) with such compound approaches is that they both imply and, I would suggest, require my pre-approval of a level of data gathering that otherwise might be expected to require a warrant, and spread that approval over every organisation/ group/ authority operating the 'trust' model. For instance:

        1: User is attempting to access an account from a previously used device

        The user surely must, therefore, have agreed and accepted all those with whom he is being 'validated' are permitted to gather and or hold information on the devices she or he uses.

        2: User is at GPS co-ordinates in the area of their home address.

        The user surely must, therefore, have agreed and accepted all those with whom he is being 'validated' are permitted to both know the user's home address, _and_ to see the results of some manner of local GPS tracking at any time a validation request is made.

        3: Audio match

        The user surely must, therefore, have agreed and accepted all those with whom he is being 'validated' are permitted to hold one, or more likely a higher number, of 'audio fingerprint' samples. Which, of course, will be held totally securely and never leaked/ stolen/ misused. Well, probably not. Or possibly not...

        4: Video match

        See audio match, but add 'video sample/s'.

        So to 'validate' myself to any or all of a number of services, I have to agree in advance that they can gather and/ or hold all the above data on me, and presumably 'pass it on to others as required by local law'. And I have to decide this is a Good Idea(tm).

        Not in this lifetime.

        And yes - I know that 'certain authorities' may have all the above already. But at least I don't have to agree in advance that _anyone_ can have it, use it, and possibly leak it, misuse it, sell it or give it to someone else. And if the aforementioned 'certain authorities' try to use it, there is a small chance (even if not measurable by current technology) they get slapped on the wrist for doing it.

        Of course, I'm probably talking nonsense. After all, I'm an Idiot... :-).

        1. Seajay#

          Re: The problem...

          'certain authorities' may have all the above already

          It's not just GCHQ who have all that info. Your bank knows all of that.

          Previous devices - Cookies

          Home address - obviously they know that

          Audio match - if you've ever used phone banking

          Video match - if you've ever used an ATM

          And realistically, your bank are the only people who need this level of login security. You may be equally interested in securing your email but that's your problem not the email provider's so the provider can leave it to you to select good passwords and keep them secret. The bank can't rely on that because it's them who are on the hook for fraud.

      2. Neoc

        @ Seajay#

        At which point, you might as well stick with the password as default since that's going to be the option for anyone trying to break in anyway.

        1. Seajay#

          I think there has always got to be a password as a backup. Otherwise the one time you desperately need a bank transfer after a car accident on holiday in another country, the biometrics will all say no and you'll be really stuffed.

          Perhaps the hope is that, because it doesn't need to be typed so often, it can be longer. Maybe the only really good use for biometrics is to replace PIN numbers. Your PIN can therefore be replaced by a long password because you very rarely have to type it.
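The compound trust model Seajay# sketches above (known device, location, per-biometric confidence, password as the fallback) can be written down as a small risk-scoring policy. This is an added example for illustration, not code from the article, The Register, or any bank or vendor; the signal names, weights, thresholds and the "two independent signals must agree" rule are all assumptions chosen so that the two scenarios in the comment come out as described.

```python
"""Risk-based login decision over several weak signals.

Added example, not the page's own code. Weights and thresholds are
assumptions; a real deployment would tune them against fraud data.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"        # let them in
    STEP_UP = "step_up"    # ask for the password as the backup factor


@dataclass(frozen=True)
class Signals:
    """One login attempt. None means the signal could not be read at all."""
    known_device: bool               # previously used device (cookie/device id)
    near_home: Optional[bool]        # GPS within the home area; None = no fix
    audio: Optional[float]           # voice match confidence 0..1
    video: Optional[float]           # face match confidence 0..1
    heartbeat: Optional[float]       # ECG match confidence 0..1


# Assumed weights. Context (device, location) counts for as much as a single
# biometric, because a replayed recording of the user's voice will not
# normally arrive from their own phone at their own address.
WEIGHTS = {
    "known_device": 0.30,
    "near_home": 0.20,
    "audio": 0.25,
    "video": 0.25,
    "heartbeat": 0.15,
}
BIOMETRIC_ACCEPT = 0.75   # below this a biometric reading does not count
ALLOW_THRESHOLD = 0.60    # minimum weighted score to skip the password
MIN_INDEPENDENT = 2       # at least two separate signals must corroborate


def score(s: Signals) -> Tuple[float, int]:
    """Return (weighted score, number of independent signals that agreed)."""
    total = 0.0
    agreeing = 0
    if s.known_device:
        total += WEIGHTS["known_device"]
        agreeing += 1
    if s.near_home:                      # None (no fix) adds nothing
        total += WEIGHTS["near_home"]
        agreeing += 1
    for name in ("audio", "video", "heartbeat"):
        conf = getattr(s, name)
        if conf is not None and conf >= BIOMETRIC_ACCEPT:
            total += WEIGHTS[name] * conf   # scale weight by match confidence
            agreeing += 1
    return total, agreeing


def decide(s: Signals) -> Decision:
    """ALLOW only when enough score comes from enough independent signals.

    A single very strong biometric with no corroborating context is exactly
    what a replayed recording looks like, so it falls through to STEP_UP and
    the user is asked for the password they keep as a backup.
    """
    total, agreeing = score(s)
    if total >= ALLOW_THRESHOLD and agreeing >= MIN_INDEPENDENT:
        return Decision.ALLOW
    return Decision.STEP_UP


if __name__ == "__main__":
    # Constructed scenarios mirroring the two in the comment.
    at_home = Signals(known_device=True, near_home=True,
                      audio=0.90, video=0.80, heartbeat=None)
    new_device = Signals(known_device=False, near_home=None,
                         audio=0.99, video=None, heartbeat=None)
    print("known device at home:", decide(at_home).value)      # allow
    print("new device, audio only:", decide(new_device).value)  # step_up
```

The point the comment makes, that an unusable heartbeat reading should not by itself block a login, is handled by treating None as "no evidence" rather than as a failed match; a reading that is present but weak is likewise ignored rather than counted against the user, so the worst case is always a password prompt, never a lockout.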

  14. Jin

    How long can we remain indifferent to this ruinous misinformation?

    Eye-opening experience about biometrics, passwords and cybersecurity

    https://youtu.be/5e2oHZccMe4

  15. MrTuK

    Well, how do I do any of this biometrics on my old dumb not smart phone without a camera and I have lost my voice due to tonsillitis ?

    Also I personally will not add my credit card to my pay as you go smart phone ( I get credit via cash), I also went to my Barclays branch after they sent me a new Bank Card which I had cut in half and said why did my new card now have contactless payments added to it without me asking for it ?

    They apologized (Which was BS) and said that this was standard practice well I said I never want this on any future replacement cards and send me out a new card as I have cut this one in half !

    If more people were a PAIN IN THE ASS like me then maybe Banks would think twice before adding shit to customers without asking first !

    They had my email and mobile phone number, but they would rather send out a new card assuming in their own wisdom that a customer would want an added service which would mean someone can deduct money without you entering a pin number at a range of up to 20 ft !

    Yeah, NFC can actually be read up to 20ft away if you have the right equipment - scary, just check your statements for any NFC payments, BTW try and argue that you didn't use your card for that !

    As you can guess I am not in favour of this new stuff, yes I am technical and used to be in IT, but for every lock there is always a way to crack it and I prefer a pin/password to prove it was me and I use Linux and not Win 10 !

  16. Herby

    Good security requires THREE!

    Something you ARE (similar to biometrics)

    Something you KNOW (similar to passwords)

    Something you HAVE (similar to a token)

    You really need all three to be complete. One or two just doesn't cut it if you want to be thorough. Unfortunately it is quite difficult to get all three conveniently and with little hassle. Changing things if something is compromised isn't easy either.

    Life goes on.
