PayPal has declared war on the password - and wants a better way for folks to perform open sesame on their own internet accounts. Speaking at the Interop security conference in Las Vegas yesterday, Michael Barrett, chief information security officer at PayPal, talked about his work to create an open standard that could remove …
the disavantage to having additional hardware to authenticate is that you have to remember to have the harware with you at the time when you wish to login. I don't have that problem with a password as its always with me in my head.
I guess if it can be authenticated using your phone then this is something that people usually have to hand so that may work but having to carry a USB stick or fingerprint reader everywhere would be a pain
All I need is some FIDO software for my laptop. To authenticate, all I have to do is run FIDO and type my password - assuming thieves haven't taken my eyes and fingers.
Fingerprints and Retina scans are fine.
I'll be worried if they go the simple device route.
i.e. What if you lose the USB stick on your way to work?
Will the stick itself always be password protected?
It's a solution looking for a problem
The actual solution for this problem already exists... it's called "two factor authentication". Simply use tokens and the whole password problem goes away, and it is much more cheaper than biometric devices.
" I don't have that problem with a password as its always with me in my head."
Most people don't have that problem with a password, either. But most people don't have "a password" - they have a large number of them - unless for example they use their bank account password for everything else, too. (My impression is, that most people don't do that, but I don't really know.) If people use strong passwords, i.e. those not subject to dictionary attacks, then remembering passwords becomes even more difficult if not impossible.
I don't think that carrying a security token should necessarily be more cumbersome than carrying an additional credit card.
Re: It's a solution looking for a problem
I think the actual solution you were looking for is Single Sign-On - as it provides a framework within which to use two factor authentication.
Re: It's a solution looking for a problem
Microsoft Passport, anyone?
Re: Fingerprints and Retina scans are fine.
Did you see the trouble that Tom Cruse had in Minority Report when he wanted to change is retina. If someone starts logging in using your retina you are going to need surgery to reset the security.
Re: It's a solution looking for a problem
Two factor, or anything that requires a device is a pain.
I set up 2-factor on Google, then went to log onto Google with my tablet, only to realise I couldn't, because my phone was miles away!
The "something you have" has to be something you *always* have!
That said, the talk about biometrics always brings up images of Simon Pheonix in Demolition Man.
Re: A Password.
By last count I am currently using about ten passwords/passphrases, and I do not have any particular problem remembering them all, even though I change some of them regularly (the important ones).
If you can remember how to speak a whole language, or a few of them, how difficult can it be to "learn" a few new words that you associate with a particular noun?
Besides, it is not clear in the article whether the system they propose would support true multiple identities. Sure as fuck I do not want my identity on this website to be the same I use for my banking, etc.
Re: It's a solution looking for a problem
I'm currently carrying not one, not two, but *four* token/keyfobs. I have to say, VASCO and RSA know how to make 'em strong. Except for the Challenge/Response calculator-style token, which does need to have some extra care. Other than that, I can carry 'em everywhere.
Tokens done right should be easy to carry, and they're usually part of your keyring. There it is, sitting near your Nirvana keyring. Ready to use if you need it, and easy to spot if you've lost it; that's when you have to report it stolen & replace it.
Granted, all these tokens are for e-banking solutions, but that's kind of PayPal's point, isn't it? Stronger authentication for stuff that deals with money.
I can change my password ...
I can't change my fingerprints ...
If the security of the system gets compromised they are screwed - I mean what are they going to do?
"We've emailed all users to warn them of a breach in our security and have asked them all to change their hands and eyes?"
Re: I can change my password ...
Agreed. And you should use a different code for each website. So I'm good for ten websites, then what?
Re: I can change my password ...
Use your toes? Bingo, ten more sites!
Re: I can change my password ...
I know quite little about finger print recognition but I always assume it'd be some hashing of the actual fingerprint. Adding 256bit salt to the fingerprint would solve the case.
My main gripe are injuries, cutting (or esp burning) your fingers leaves out handing dry.
"The great $45m bank cyber-heist: Seven New Yorkers cuffed"
PayPal has a pretty shaky record with security... Not sure I trust those guys! How fool-proof are his suggestions if someone compromises a middle layer of security where PayPal gets sent spoofed credentials? I'm sure these guys above are already working on an attack vector from their prison cells as we speak...
Bad idea and overkill
Paasswords have weaknesses, obviously, although a sensible password strategy removes most of the problems. But this is overkill, as it means that there is a total loss of anonymity - instead of using a userid and password known to me (e.g. firstname.lastname@example.org and p/w n0T_reallY) I'd have to use biometrics to access every website? Every on-line activity linked back to a known, certified individual? A Home Secretary's (and Zuck's) wet dream!
For important accounts (online banking, email etc) some sort of enhanced validation is needed, but two-factor is pretty darn effective, and still doesn't require access to be linked to a specific individual.
Count me out
Re: Bad idea and overkill
Even better, I strongly suspect that the FIDO stack will allow you to be tracked amongst all these different sites, even if you're not Facebook or the Govt.
"There is a FIDO client or a FIDO stack that has to be on the device concerned,"
Not required. Yubikey plugs into USB port, types non-reusable one-time passwords into your password entry field. $25 one-off, $15 in small quantities.
I would much prefer they behaved as an honourable financial institution should, upholding the UK consumer credit act, having a headquarters based in the UK, not Luxembourg & perhaps paying a smidgen more tax.
In "Mostly Harmless", DNA had the idea that, as biometrics became ever more detailed in block fraud, they became ever more time consuming and invasive, so somebody has the brilliant idea to store all the biometric data on a card that could be scanned instead.
Ford Prefect steals a top-tier Guide executive's card, and is then able to pass himself off as that executive by presenting the card to all the "secure" systems.
So, Paypal gets its wish, and we all get a device to authenticate ourselves. Great - so if that device is stolen, whoever has it can masquerade as us. So we need a way to authenticate that is really is the device's proper owner using it. Hmm, I wonder what that would be. Something easy, that won't fail like a fingerprint scanner after you've been working on that engine block all Saturday. Something that doesn't require a bunch of extra, costly hardware. Something that works with existing hardware, like a keyboard. Something like, I don't know, maybe a string of characters known only to the user and the device. Brilliant! I just wonder what we should call it....
Authentication Tokens are dumb unless it's just one part of a n-factor authentication scheme. If my access is dependent entirely on a single piece of gear then if it's stolen/lost A) I'm screwed and B) Someone else gets to access all my accounts without being challenged. (Same reason I don't let my browser save passwords.)
While I truly detest having to create separate logins for every f-ing site on the planet, I don't think we'll be excising passwords/PINs any time soon. Biometrics might manage to do it, but inexpensive USB fingerprint scanners have been available for at least 13 years that I'm aware of and it hasn't happened yet.
USB fingerprint scanners
They're not popular because they are pointless. For one thing, an attacker just plug in a fake USB fingerprint scanner which returns someone else's fingerprint, cloned from previous scan data. For another thing, a rootkit could do the same entirely in software, with little more sophistication than a keylogger.
To get round this, you would need some central trusted third party with a fingerprint database, *and* the communication between the fingerprint reader and the TTP would have to be encrypted end-to-end and immune to replay attacks. That is, the encryption would have to take place within the fingerprint reader, not on the PC. The TTP would then return some time-limited token that you could use to authenticate yourself to a website. Furthermore, the fingerprint reader would have to be robust against physical attacks too.
Any device which you plug in and allows you to unlock your PC locally clearly doesn't use that model.
On top of all that, even if the FP reading system were secure, you can clone a fingerprint just using a gummy bear.
Hmmm, 'phones maybe...
I can see the point of most commentards here that hardware has its issues, but I would still like to have something more secure on my smartphone. I am nerdy enough that I don't store passwords in the applications (websites etc.), but there are so many different things i needs secure access to that I do have the log-in names and passwords on my PC. These are semi hidden and my PC is only accessibly via password or fingerprint reader (which I love by the way - much the quickest way to boot up).
However, I am still way too paranoid to have any of these files on my smartphone, which is so much simpler to steal. I really want a fingerprint scanner on my phone so that I can store some of this sensitive information on there and actually use it as an alternative. Since the swipe scanners work so well on my PC (and can't be fooled by the sticky-tape approach) I really can't see why we can't use that together with NFC for much of what these people here are talking about. I am pretty good about taking my phone with me everywhere after all....
Additional hardware means loose it and your locked out....
And even with the RSA type keys you STILL need a password/pin or a simple theft can compromise your accounts...
As for Fingerprint/Eye scanning, are they mad? right now if a thief wants your money just give them your pin & card... if its iris scan, they will scoop out your eyeball!!! hasn't he ever watched Demolition man???
I don't mind iris/fingerprint for authentication areas that are manned, but bank accounts & online, no thanks!
2 Factor auth
Using a password or PIN with tokens is part of the solution. Even if you know the password, you would still have to get the keyfob, thus the added security.
I actually like that biometrics bring up Demolition Man, the trend has been even touched upon in the Avengers movie as well. I fear for biometrics on anything, as it would obviously backfire with maimings and mutilations. I like my eyeballs too much for that.
Didn't someone already lose their fingers or hand when he got carjacked? It was a Mercedes with fingerprint security IIRC...
Biometrics have been proven time and time again by some very well respected boffins to be unreliable in the everyday world in every sense of the word.
Mostly by locking the authorized user out of their own stuff.
Perhaps Paypal should go talk to the folks at Facebook who are all a titter over their open-switch project.
Paypal hardware being used to authenticate admins to a Facebook switch? Sounds like a match made in heaven.
Let's see, I feel about as comfortable sending biometrics to Paypal, as I do about letting them hang onto large sums of my money.
So, not very much at all. Paypal is not an honorable or trustworthy institution.
biometric authentication is a bad idea; pass-words/pass-phrases are better
Biometric authentication is a poor substitute for pass-phrases for at least three reasons.
1. Problem of Scope: One would not want to use the same authentication factor in many places because then all those places could have the credentials of the other locations.
2. Problem of Longevity: Biometrics are persistent. You many no longer want to do business with someplace you provided your biometric data but who is to say that will continue to protect or destroy this valuable personal information.
3. Problem of Compromise: If an authentication factor such as a pass-phrase becomes stolen or otherwise compromised, one need simply change it. If a biometric authentication factor becomes compromised, say somebody captures your fingerprint, then you screwed.
This is explained in better detail here: http://growingliberty.com/thumbs-down-for-fingerprint-identification
"Get used to fingerprint, eyeball scanners . . ."
May I, oh Lord Of All You Survey, get used to not using Paypal instead?
I mean, it's not as if I've ever used it since I found out it makes a practice of ripping off it's members.
The fatal flaw
"The FIDO solution works by using an authentication device that connects to websites to verify a person's identity."
Anything that connects to the Internet (or any other network) to verify identity is subject to the network route (including the USB host) being compromised.
That's why the free-standing devices (e.g. the card readers that some banks issue to their customers), which can sign transactions completely independently of any host device or network, are the only way to make a step change in security on the Internet.
this is an effort to get rid of anoniminity
not everyone on ehte internet is a Good Guy so it is important to maintain you anonimity when you are online
there is nothing wrong with passwords -- when properly implemented
and if a hacker can get in via sql injection fingerprints or other scans are not going to help. if he gets in via sql injection he just takes what he wants
Biometrics is just another user name & password. Only shorter!
As pointed out by many already, identifying a user and granting that person privileges based on a biometric response, has several problems, most of which have been covered, but I suspect one that has so far been overlooked is the authenticating character string.
My user name and password for The Reg is some 40+ characters long, which would be sufficient to code the biometrics of my fingers, eyes and breath, well maybe not my breath at the moment, it is Saturday morning.
(Think of a 40 digit number in base 256, yes it's huge!)
My point is, if to access my account using biometrics, only requires sufficient data to describe several locations in my iris, then I suggest that data string would be considerably shorter than my usual access method of 40+ chars and hence be more readily compromised.
This whole technology is designed to help the poor muppets who can't remember their mums telephone number and tag on the name of the site they're visiting, in a suitably cap on, cap off, sequence.
Re: Biometrics is just another user name & password. Only shorter!
and by the way, my passwords are a sight more devilish than I have suggested.
Re: Biometrics is just another user name & password. Only shorter!
40 digits in base 256 = 2.135987036×10⁹⁶ base 10
Wow, and how many atoms are in the universe?
Combining Biometrics - bad.
Those of us with long memories of El Reg articles passum will recall that combining different biometric measurements does not make a more reliable system. That's what killed off the biometric ID card scheme in the UK.
It took a mathematician to point out that they had got their probability calculations hopelessly wrong. They had overlooked that the different false alarms rates of each measurement type don't combine in a manner that satisfies the requirement to accurately identify a person, and only that person, as matching a set of measurements
If PayPal think they can do better then I suggest they consult a proper mathematician first before ploughing a ton of cash into the idea. I'll be closing my account if they ever launch it...
"[a] device that connects to a website"
Great idea, Paypal. That way, the miscreants will have just one site to hack to steal personal data on everyone and gain access to absolutely all banking data there is. If ever that site came to exist, it would require ironclad security of the likes we have not yet seen and would probably not be able to implement properly. Hopefully they would at least salt their hashes ?
Uh, Paypal, between your arbitrary account locking based on "suspicions" that you never justify, your inexistant customer support and now this idea, I'm starting to wonder whose side you're on - ours, or the criminals ?
Re: "[a] device that connects to a website"
Great idea, Paypal. That way, the miscreants will have just one site to hack to steal personal data on everyone and gain access to absolutely all banking data there is.
Much as I dislike and distrust PayPal, I don't think the scheme they are suggesting is quite as bonkers as that!
What they seem to be proposing is a system in which every user would carry some kind of device that would enable them to authenticate to a system. The user would activate the gadget by some biometric pathway (such as a fingerprint reader on the gadget itself) and that would enable the gadget to authenticate the user to a computer system through some sort of secure protocol -- a cryptographic challenge/response exchange, perhaps. I guess the gadget would contain the user's ID as a digital certificate and would also have the ability to use the corresponding private key to effect the challenge/response calculation.
Users would register with services using the certificates from their devices as ID, and would authenticate by enabling the device to complete the cryptographic exchange that demonstrates knowledge of the private key. If a user registered with more than one bank using the same device neither bank would know the private key, so either could impersonate the user to the other.
Note that it is important that the biometric measurement and verification are performed by the device itself, and don't rely on (say) a fingerprint reader attached to the computer. If the device were to rely on the external hardware then an attacker could record capture the biometric data and activate the device automatically without the user's knowledge (possibly after it had been stolen).
The important points here are:
1. The device would be useless if stolen because it won't function without performing a biometric identification of the user.
2. The certificate on the device could be revoked if the device were lost or stolen, making it useless.
3. The private key would only be used on-board, and would never leave the device. That means that the device could never be spoofed or copied.
4. A user could have multiple devices, so wouldn't have to present the same identity for all services. All the devices could be activated by the same biometric mechanism, but the biometric data would be checked by the device, on the device, and would never need to be transmitted to the computer system asking for authentication. When you lose a device you only need to get a new device (with a new keyset and certificate) -- you don't need new fingerprints!
5. If the same device is used to access multiple service accounts, and one is closed, it is not a problem that the device can still be used to identify the user. If the user (or an attacker) attempts to access the service on which the account has been closed the system will be able to verify the user's identity, but not associate that identity with a live account.
Of course, to implement a system that did all this would be to place a lot of faith in the technology. If an attacker could obtain a user's device and spoof their fingerprints (before the device was reported missing and the certificate revoked) he could gain access. An attacker who could devise a way to extract the key data from the device would be able to spoof the device. An attacker who could break the cryptosystem used by the device would laugh all the way to ... wherever you go when there aren't any banks any more.
Mine's the one with cash in the pocket.
finger prints. i use my prints to start my car open doors and get this. to use it for my passwords
Biometrics are identity only
I want my authentication to include a secret.
Surely authentication needs to include identity + secret. Biometrics start being used to protect big amounts of money and you can bet a whole heap of ingenuity will be focused on forging/fooling biometric scanning devices.
The more flexible biometrics are made to cope with natural variations due to age, environment, injury and disease, the easier it'll become to fool the reading devices.
What, no XKCD reference?
You can change a password, you cannot change your fingerprint, so what happens if the data used to recognise your fingerprint leaks?
You leave your password everywhere, unless you are like Michael Jackson, and wear gloves all the time.
As soon as someone finds a way of lifting your fingerprints off the glass you drank your last pint from, and sorts out a method for creating a facsimile/feeding the correct hash from that into an authentication system, it will be busted wide open. And if there is a single hashing method, that will not take very long. Sounds soooooo secure to me!
If you are going to use biometrics, use something that is not generally available! But as soon as you do, the data from that biometric will leak (your iris or retina data is only safe now because you have never had a reason to have it scanned. As soon as you do, it will become generally available).
I'm also a little unhappy about putting my eye up to an optical device in a public place, because it would be possible for such a device to be hacked (like bank ATMs are now for card skimming) to do irreparable damage to my eyes (scenario, use a pulsed solid state laser to burn some small random patch of the eye. No immediate symptoms, so device may not be spotted immediately, but repeated use would degrade sight).
So, possession of a physical token, plus a changeable secret, with additional further authentication to resolve conflicts, which may include biometrics used at some trusted local identity broker (physical presence required) would be my preferred solution.
Re: Leaks? @Me
I MUST MUST MUST proofread my posts better. I meant to say "You leave your fingerprints everywhere...."
Heel, FIDO! Heel!
Sorry, couldn't resist.
Biometric will never work
Fingerprints is a crappy way for secure identity. It has always been, and will always be. So is DNA and any other biometric contraption that is automated. It does work if it is run by humans. There is a very simple reason for this, and I can see no way to overcome it. You leave your "password" everywhere. Bits of DNA falls off you all the time, and you do touch quite a large number of objects each day.
So basically all the security in these systems is based on how good the sensor is, and I will not thrust a single piece of sensor with my bank accounts, e-mail, game accounts, theregister account *shudder*, etc. Sooner or later somebody will make a good enough replica of a finger so that the sensor will believe it is indeed a finger. Then all they need is to be the next in line to use the fuel pump and they can swipe my fingerprint. Or they can pick a piece of hair that fell off me.
Iris is a bit more tricky, but I am quite confident that the technology will get there that they can be scanned from some distance. Or you always have the "Here, try my Google Glasses." The point is that along with all other biometric it is basically public data.
So thus, biometric is stupid, it is a braindead idea from the start. It does work in pass controls, credit cards in stores and all the other places where there is a physical person that checks you are not pulling out a fake finger. There is a reason most debit and credit cards still only use a four digit pin while the rest of the world requires eight character alphanumerical passwords. I have no idea on the motive of this guy, but he is probably smart enough to know this. Yet, he fronts this.
Re: Biometric will never work
Actually no good copy of a finger is needed, just a digital copy the data of a comparably sensitive sensor and pass it - sockets transfer data in digital format. If the raw (non hashed/salted) data is acquired, basically the entire system is entirely compromised.
"the USER is then TOLD what sort of input is needed to verify their identity"
Not exactly democracy in action. Just who the hll does PP think it is when it says: USER is then TOLD?
Stuff it PayPal, there are better funds transfer systems around, and they neither pinch customers funds or impose their political thoughts upon them.
I'm guessing this guy has never seen an episode of Red Dwarf or the film Demolition Man...
- iPad? More like iFAD: We reveal why Apple ran off to IBM
- +Analysis Microsoft: We're making ONE TRUE WINDOWS to rule us all
- Climate: 'An excuse for tax hikes', scientists 'don't know what they're talking about'
- Analysis Nadella: Apps must run on ALL WINDOWS – PCs, slabs and mobes
- Apple: We'll unleash OS X Yosemite beta on the MASSES July 24