The persistence of passwords

Biometrics has growing, but not sole, role in authentication security (Information Management)

“Many IT professionals aren’t convinced biometrics can serve as a secure and reliable replacement for the standard username and password combo,” said Peter Tsai, senior technology analyst at Spiceworks. “Unless technology vendors can address the security issues and privacy concerns associated with biometrics, the technology will likely be used side-by-side in the workplace with traditional passwords or as a secondary authentication factor for the foreseeable future.”

It looks like this 2013 post and the paper that informed it are holding up quite well.

In the paper, A Research Agenda Acknowledging the Persistence of Passwords, Cormac Herley and Paul C. van Oorschot write:

“Passwords, though unloved, deserve some words of praise. They have brought us this far: they are the means by which two billion Internet users access email, banking, social networking and other services. They are essentially free from the service provider viewpoint, and are readily understood by users. They allow instantaneous account setup. Revocation is as simple as changing the password. Those who forget their passwords can be emailed either reset links or the passwords themselves (this practice, though insecure, is common for low-value sites). All of this is automated and instantaneous. They allow access to one’s accounts from anywhere in the world assuming nothing more than a simple browser. Sophisticated users can protect themselves from many of the threats.”

All this is still true. Biometrics, however, can also be used as a way to return the password to the simplicity of the PIN. For example: a fingerprint scan associated with a weak password such as a 4-digit PIN provides far stronger authentication than any password a human could be expected to type. In other words, biometrics can be combined with rudimentary passwords to bring an end to the “password arms race” where the main coping strategy has been longer, more complex and more frequently changing passwords — i.e. the real reasons people tire of the humble workhorse of the ID game. So instead of replacing the password, biometrics might one day be used as a way to salvage what makes it great while minimizing the frustrations associated with over-reliance upon it.

 


MasterCard announces two biometrics pilots

MasterCard puts faces and fingers under microscope (Mobile World Live)

MasterCard and First Tech Federal Credit Union, a US financial institution, will pilot the authentication of payments using facial and fingerprint recognition, in what they claim is a first for the country.

Separately, MasterCard is running another biometrics trial with International Card Services (ICS), the leading credit card provider in the Netherlands.

That explains things a bit

It’s Apple’s fault that the Nexus 6 doesn’t have a fingerprint sensor (The Verge)

Former Motorola CEO Dennis Woodside has confessed that the dimple at the back of the Nexus 6 was originally intended to play host to a fingerprint sensor. Back in 2011, Motorola was a pioneer in bringing fingerprint recognition to its Atrix 4G smartphone, however the company it used then, Authentec, was purchased by Apple a year later for a price of $356 million. Authentec were, in Woodside’s judgment, the best supplier around and “the second best supplier was the only one available to everyone else in the industry and they weren’t there yet.”

Voice biometrics and “the right to remain silent”

Passcode vs. Touch ID: A Legal Analysis (9TO5MAC)

With the suspect in handcuffs, the agent swipes the student’s finger across the phone to access his call history and messages. Once the FBI swipes the suspect’s finger and bypasses the biometric security, the phone asks for the student’s passcode. The FBI agent asks for his password but the student refuses to speak. How can the FBI agent access the phone? Whereas a fictional Federal Agent like Jack Bauer would simply pull out his gun, jam it in the suspect’s mouth and scream, “WHERE IS THE BOMB?”, in our example, the FBI agent would hit the proverbial brick wall.

This is where a gray area might still exist for hardware protected with voice biometrics.

I’m no criminal or constitutional lawyer, but it seems plausible that while a criminal suspect can be legally compelled to give over their fingerprint, the “right to remain silent” remains.

Commonwealth v. Baust probably isn’t the last word on all biometric modalities that could prove useful in criminal investigations.

The summer of finger veins continues

Barclays and Hitachi unveil biometric security vein scanner (V3.co.uk)

Barclays and Hitachi have announced a biometric reader, which scans the unique vein patterns in a finger as part of an effort to fight fraud with a more secure take on fingerprint scanning.

The Barclays Biometric Reader consists of a SIM card that holds the unique vein structure information of a single user, and a small infra-red scanner. By using Hitachi’s VeinID technology the reader captures the image of the vein pattern in a user’s finger, which, like a fingerprint, is unique to individuals.

Biometric voter verification in Brazil

Biometric voting machine to be used by 21.6 million Brazilians (Agência Brasil)

Over 20 million voters—15% of the population to take part in the 2014 elections—are estimated to cast their ballot by means of a voting machine with biometric identification, announced the Superior Electoral Court (“TSE”) on Wednesday (Aug 20). The technology can be found in 762 municipalities, among which 15 state capitals. The machines use the electors’ fingerprints to recognize their identity.

The summer of finger veins continues

Biometric ATM technology proves to be a hit in Eastern Europe (Companies and Markets)

Polish bank BPS was the first in Europe to install biometric ATM technology. The technology, developed by Hitachi, allows a user to gain access to their account without a card or pin number. It is an example of so-called “finger vein” biometrics, which involves recognising a unique pattern of micro-veins beneath the surface that is then referenced with a pre-registered profile.

Finger veins sure have been a hot topic in biometrics this summer.

From Hitachi:
Finger vein authentication uses leading-edge light transmission technology developed by Hitachi to undergo pattern-matching and authentication. Near-infrared light is transmitted through the finger and partially absorbed by hemoglobin in the veins to capture a unique finger vein pattern profile, which is then matched with a pre-registered profile to verify individual identity.


Fujisoft and mofiria team up to deploy pattern-recognition based on finger veins

Partnership Focuses On Vein-Recognition Biometrics (Business Solutions)

In an interview with Find Biometrics, mofiria CEO Satoshi Amagai and Jintaro Nozawa, Fujisoft explained that, because of its accuracy and reliability, FVA technology is particularly valuable for industries that require high-security standards such as government, finance, critical infrastructure, medical, cloud computing, and education. Mofiria’s patented device layout can be easily incorporated into a broad range of products and services including: gateway security systems, financial transaction devices, or mobile devices. For example, mofiria’s FVA solution has been embedded in ATM terminals in China for banks that wish to differentiate themselves with more secure customer services. The growing demand for transaction safety and security will lead to increased adoption of biometric authentication technology in the banking industry.

Biometrics for government accountability

Fingerprinting to end honeymoon for govt staff (Arab News)

Government employees may soon have to mark their attendance through biometrics, which may rob them of the luxury of coming late or even bunking work.

The proposal to have biometric attendance marking in all public departments was mooted by several monitoring agencies including the National Anti-Corruption Commission (Nazaha). The move is aimed at ensuring strict and timely attendance of government employees in various sectors.

Recent M&A a sign of biometrics’ importance to electronics industry

Recent Synaptics (SYNA) Biometrics Acquisition Boosts Sector (Investor Ideas)

Alan Goode, Managing Director of GoodeIntelligence.com said of the acquisition – “The acquisition of Validity Sensors, by Synaptics, is another sign of how important biometrics is becoming to consumer technologies. I believe this is a good match between Synaptics, who has a strong track record of developing touch-based consumer solutions, and one of the remaining independent mobile biometric sensor manufacturers. This is about giving consumer electronics products better, more convenient, security and opens up fingerprint-based biometrics to other consumer devices. We expect that additional biometric modalities, including voice, facial, eye and behavioral will be quickly integrated into other electronic devices and cloud-based services.”

Mississippi: Fingerprint verification for subsidized services, finally

Mississippi implements finger scan system for daycare (The Commercial Appeal – Memphis, TN)

Under the system being implemented by the state Department of Human Services, parents must use a finger scanner to sign their children in and out. Proponents say it will save money and cause parents to visit preschools more often, but opponents argue the system is intrusive and creates technical headaches.

About 18,000 children will be affected by the move.

You have to read between the lines, but this is at least partly a ghost-busting mission within government-subsidized child care.

We first commented on this deployment in September of last year in Biometric deployment winners and losers. Follow the links for great examples of arguments made in opposition to tightening up ID management.

More here.

Not only does a fingerprint biometric raise the burden of proof that subsidized services are actually being provided, it makes it harder for unauthorized individuals to remove a child from a child care facility.