Positive review for Microsoft facial authentication on new hardware

Windows Hello facial logins on the new Surfaces are rather impressive (Ars Technica)

With Hello enabled, logging in to the machine is as simple as sitting down in front of it. The lock screen shows the Windows Hello “eye” looking around, and the detection is near-instantaneous. It takes longer for Windows to dismiss the lock screen and show the desktop than it does for it to recognize you in the first place. In fact, it’s so quick that a kind of delay had to be built in. If there were no delay, locking your PC with Windows+L (or the Start menu option) would be nigh impossible.

US: Visa systems issues related to hardware failure

Hardware glitch in Washington freezes US visa issuance worldwide (Times of India)

The State Department said the June 9 failure was preventing it from processing and transmitting the mandatory security-related biometric data checks routinely carried out at embassies and consulates worldwide, and it could take up to a week to fix it.

This Wednesday release from the State Department doesn’t contain much detail that isn’t included in the Times of India article linked above.

Older Android versions had more vulnerabilities

Is Samsung’s Galaxy S5 ‘leaking’ YOUR fingerprints? Flaw means hackers can intercept and steal biometric data (Daily Mail); Forbes piece, here.

The pair told Thomas Fox-Brewster from Forbes that the flaw lies in older versions of the Android operating system, up to and including Android 4.4.

Subsequently, anyone running Android 5.0 or above is not at risk and the security experts are advising people on older models to update as soon as possible.

The semi-technical press seizes upon biometrics as a proxy for personal data. This is old news, but here’s a great example.

A close reading of the article reveals that earlier releases of Google’s version of the Android mobile OS weren’t as secure as they are now. This will come as news to few. The article points out that, “Once inside they can monitor all data sent to and from the phone, as well as data recorded by the handset’s built-in sensors, including the fingerprint scanner.”

Get it? Exploiting the security flaw means that the whole device is compromised: Email apps, microphone, location information, and possibly even the contents of phone calls themselves, but according to the author and editor(s), the news value is in the possibility of capturing a fingerprint image. Of course, it’s their outfit; it’s their call.

For readers here, instead of “OMG fingerprints[!],” I’d emphasize that:

Not all mobile operating systems are created equal.
Different mobile applications offer a different mix of privacy costs and benefits.
Installing OS updates and patches is very important.
If the OS is compromised, the applications it runs are vulnerable.

Left out of the information readily available online about this hack is how the people at FireEye got their malware onto the hardware in the first place. Past “hacks” of biometric systems have been executed on a playing field that is far more favorable to the hackers than the real world, where all the other layers of the security regime are stripped away from the one security link they want to test. Here’s a particularly striking example. If FireEye rooted the phone, side-loaded their malware onto the device, and went from there, this isn’t a hack in any real sense; it’s a malware test.

That hypothetical scenario would mimic a real world example where a user lost their phone and bad guys got it, loaded software on it and then returned the mobile device to the user who continued as if nothing had happened. In the security world, if you lose control of the hardware, all bets are off for anything that isn’t encrypted (with a strong key).

So, without more information, it’s hard to say how big a deal this is, or in many (most?) cases, was. In the bigger picture, this is a Google Android OS story. The subtext is that users who care about mobile device security should be thoughtful about what device/OS/app combinations they adopt, keep their device’s software up to date, and be careful about malware.

As automated and convenient security including biometrics becomes better and more common, the highway robbers of the 21st Century are increasingly forced to turn to social engineering techniques rather than frontal assaults on security technology.

See: The Con is Mightier than the Hack

BYOD driving demand for mobile biometric hardware

In 2011, we observed that:

Mobile hardware is a tricky business. There is a tension between the market signals coming from the “make ’em cheaper” vs the “make ’em more secure” crowds.

It looks like that is set to change in a big way…

BYOD Security to Improve With Mobile Device Biometrics

IHS technology supports that claim and reports that mobile companies will drive that growth through the use of fingerprint sensors, a market that could be valued at $1.7 billion by 2020. “Fingerprint sensors have arrived in force and we are forecasting that shipments of fingerprint enabled handsets and tablets will reach 1.4 billion units by 2020,” Marwan Boustany, senior analyst at IHS Technology, told the publication.

As with many things in the technology world — domestic air travel, vehicle air bags, mobile phones, etc. — mobile biometric hardware started out with high cost and limited appeal. If International Data Corporation (IDC) is correct in its assessment, mobile biometrics could take a similar path to ubiquity.

Mobile device manufacturers begin taking security more seriously

A little over two years ago, when Motorola yanked the fingerprint sensor from its Atrix line, we noted that there is a tension between the market signals from the “make ’em cheaper” vs the “make ’em more secure” crowd.

It appears that the rise of mobile commerce since then is forcing manufacturers to give more weight to security now than they did then.

Security continues to be a major issue for mobile commerce (Mobile Commerce Press)

Mobile identity is becoming more important to businesses, especially as more consumers around the world begin to rely on smartphones, tablets, and other devices in their daily lives. Market research firm ResearchMOZ has released a new report concerning the growing importance of mobile identity and how businesses are beginning to invest more heavily in biometrics and other such technologies. The report cites the growth of mobile interactions and mobile commerce as the influence behind higher investments in mobile identity.

…and there’s this.

ARM is developing a 128-bit mobile chip for use in Samsung hardware (tech2)

If 64-bits just aren’t enough for you, the ARM official has also revealed that it is aiming for 128-bit mobile chips that will be developed over the next couple of years. As ridiculous as it may sound, demand for the chip will supposedly be driven by the drastic performance upgrades needed for biometric sensors and face recognition.

128 seems a bit big. Facial recognition systems in government applications with very large databases work well on 32- and 64-bit systems. Those who may disagree will likely base their disagreement on factors other than the number of bits of data the chip can handle at one time.

Nevertheless, it’s good to see hardware manufacturers providing more options to security-conscious mobile device users.

It’s Official: New iPhone really does have a fingerprint reader

Well, the rumors were true. Apple has included a fingerprint sensor in its newest iPhones. It’s hard to escape the conclusion that this is a big deal for mobile biometrics even though the biometric capability in the iPhone is limited to unlocking the device. Still, that’s not nothing and I expect that eventually, app developers will be given access to the reader.
Even if they aren’t, Apple’s addition of a fingerprint sensor probably foreshadows their inclusion by all sorts of handset manufacturers. Motorola already has a history there; Samsung certainly won’t be left behind as mobile ID surges forward; Microsoft/Nokia + Windows 8 will almost certainly join the fray; moreover, we’d expect all of those companies to have a more laissez faire attitude than Apple toward turning future fingerprint hardware over to third party developers.*

*The preceding paragraph was revised on 24 Sept. 2013; it originally read, “Even if they don’t, Apple’s addition of fingerprint a sensor probably foreshadows their inclusion by all sorts of handset manufacturers. Motorola already has a history there and Samsung certainly won’t be left behind as mobile ID surges forward.”

New military multi-modal biometric hardware

New Biometrics Device Helps Marines Determine Friend or Foe (Forensic Magazine)

The BESD system is an ultra lightweight, ruggedized, handheld portable device that collects and stores biometrics information. It compares and matches fingerprints, iris images and facial photos against an internal biometric database to identify individuals encountered on the battlefield. It is an enabler in the areas of detainee management and questioning, base access, counterintelligence screening, border control and law enforcement.

Interesting approach, having the database on the device. On the plus side, storing the data locally takes connectivity issues out of the equation. There are, however, costs. To stay current, the device has to be synched with a central data repository from time to time. There are limits to the amount of data that can be stored on a handheld device. Also, since the data is on the device, there needs to be really good data security in the device itself.

The case for mobile fingerprint hardware

Why would Apple add a fingerprint sensor to the iPhone? (Macworld)

Much of the theorizing has revolved around the possibility that Apple will add a fingerprint scanner to the iPhone, either incorporating it directly in the Home button, or, as indicated in a patent granted to the company in 2012, situating it in a dedicated area of the handset’s front screen. Such technology is far from science fiction—and it could actually provide real, tangible benefits to iOS device owners.

Frost & Sullivan on Mobile payments and biometrics

Biometrics Can Revolutionise Mobile Payment Security, says Frost & Sullivan (Press Release via KIII TV)

With the explosion in smartphone usage, the number of payments done via mobile devices has significantly increased over recent years. As eCommerce becomes mCommerce, the industry has to focus on payment security. During a ‘card not present’ process, a personal account number (PAN), expiration date, and card validation code (CVC) are not enough to completely secure a transaction. Biometrics that provide high levels of security and an intuitive customer experience might be the solution for secure mobile payments.

“Protecting the mobile device itself is a first step, necessary to secure mobile payments. Although a personal identification number (PIN) can do the job, in 2011 more than 60 percent of smartphone users were not using a PIN to protect their mobile access,” noted Frost & Sullivan Global Program Director, ICT in Financial Services, Jean-Noel Georges.

If you build it…

Pantech reveals fingerprint-scanning smartphone (MSN – Malaysia)

The biometric reader is built into the phone’s rear panel, as is a small touchpad for unlocking the device. An interesting idea in theory but how it will work in practice is anyone’s guess.

Mobile application developers need to know that the hardware they rely upon will be there. It’s looking more and more likely that, following a false start in 2011, there will be a fingerprint capability in the Android environment. Hopefully it’s here to stay this time.

See:
Mobile Handset Review: Motorola Atrix 4G (The One with a Fingerprint Reader) – Monday, October 31, 2011

Disappointment followed two days later…

Motorola Atrix 2 Has No Fingerprint Reader – Wednesday, November 2, 2011

The sensor-screen: Two giant leaps

Two things struck me about the news that Christian Holz and Patrick Baudisch of the Hasso Plattner Institute in Potsdam, Germany have developed a type of digital display that can sense fingerprints. World-first: Biometric screen recognises fingerprints (Techworld)

The first is the engineering of the screen itself:

“The key that allows Fiberio to display an image and sense fingerprints at the same time is its screen material: a fibre optic plate,” said Holz.

The fibre optic plate is comprised entirely of millions of 3mm-long optical fibres bundled together vertically.

Each fibre emits rays of visible light from an image projector placed below the glass. At the same time, infrared light from a source adjacent to the projector bounces off the fingerprints and back down to an infrared camera below.

That sounds like each pixel is controlled with its own fiber and, theoretically at least, should allow for two-way communication of all sorts of information through the screen. At that point the screen might eventually become the camera, too.

Then there’s the approach to authentication the screen technology facilitates.

Security is one of the main issues around deploying public computers and the researchers addressed this by implementing an additional security layer, which authenticates users every time they try and do something to verify if the respective user has the authority to perform the task they are trying to complete.

The other really big idea this screen-sensor allows is authentication on a per-input-event level, or constant ID verification. Because the screen can “see,” it could always “know,” to some degree, who is using it. With that, the whole log-in/log-out regime could get an overdue overhaul.

Nothing is fool proof

Google’s Patent on Facial Passwords Published; Analysts Not Impressed (Mobile Bloom) — “Fool proof biometrics are yet to be designed and according to experts, this technology won’t come close to achieving it either.”

Nothing is fool proof. If easy-to-use facial recognition leads to more people protecting their mobile handset with some sort of access control technology, that’s probably a good thing. The process described at the link is actually pretty sophisticated and would probably suffice for 99.99% of mobile device users.

No good work whatever can be perfect, and the demand for perfection is always a sign of a misunderstanding of the ends of art.

—John Ruskin

Substitute “technology” for “art” and it’s still true.

If it’s a camera, it can be used for facial recognition

Google outlaws facial recognition apps on Glass for now (CSO)

Google announced late Friday that it will outlaw facial recognition and other biometric identification apps on Glass, its networked eyewear still in prototype phase that’s expected to be commercially released later this year.

“As Google has said for several years, we won’t add facial recognition features to our products without having strong privacy protections in place,” Google’s Project Glass team said on its Google Plus page.

Google may have publicly said this, however until now its developer policy did not explicitly rule out apps that can do facial recognition.

If it’s a camera, it can be used for facial recognition. Facial recognition is really just a specific type of image analysis. It doesn’t matter where the image comes from. It could be a 19th Century daguerreotype or a picture taken from space. The software doesn’t care. Glass is a head-mounted sensor array with a camera, presumably running the open source Android operating system, so there is little or nothing preventing application developers from passing images collected via the headset through facial recognition applications not developed by Google.

Google’s announcement should be taken to mean that Google isn’t going to integrate facial recognition into Google Glass. Facial recognition apps won’t be on the Google Play store. And, at least for now, they won’t be facilitating face rec. in other Google services such as YouTube, search, Gmail, and Google+.