Intel, Lenovo officially gone to the dogs – with FIDO fingerprint logins

Lenovo, Intel and others are aiming to make online payments more secure by bringing the Fast Identity Online (FIDO) biometric authentication standard to PCs. The fingerprint scanning technology is implemented in Lenovo’s latest Yoga 910 laptop, which is one of those consumer 2-in-1 convertible gizmos with a fold-back screen …

  1. Anonymous Coward

    FFS

    Biometrics are *identity* not *authentication*.

    Principally because (1) they are not actually all that secure and (2) if they do get swiped from someone's insecure backend systems you are totally and utterly fucked because you can't replace your fingerprints.

    Anyone suggesting biometrics can replace passwords needs to be taken outside and given a good shoeing.

    1. Brian Miller

      Re: FFS

      And if your processor metrics get swiped, then that means that you'll have to replace the processor. And on a laptop, that means you'd have to replace the whole computer!

      Oh, wait, so that's Intel's route to forcing upgrades...

      1. Steve Davies 3 Silver badge

        Re: FFS

        It is Lenovo's route as well. Given that some models of Yoga won't boot anything but Windows 10 due to the BIOS/UEFI not allowing the RAID config to be changed.

        Quite why they need a RAID config on a single drive is beyond me. (Could be mistaken though.)

        1. Anonymous Coward

          Re: FFS

          They won't boot Linux because of missing drivers. Same sort of issues you always run into when trying to install Linux on brand new hardware (though generally not with the storage, usually it is something like the NIC or audio isn't supported).

          You don't run into those problems on Windows because you almost never do a clean install of Windows. If you do - surprise surprise you run into similar issues. I tried to install Windows 7 on my Skylake PC off a USB stick and it wouldn't work. Turns out that Intel removed the old USB hardware support and only XHCI was supported - but Windows 7 does not support that out of the box. I was able to work around it, but it was a pain.

          1. joed

            Re: FFS

            "They won't boot Linux because of missing drivers." - But isn't it the case that Lenovo's laptop would only expose the software RAID device with known compatibility issues outside Windows (10), while keeping AHCI option (available to Windows OS) hidden?

          2. Alan Brown Silver badge

            Re: FFS

            "I was able to work around it, but it was a pain."

            On Linux in a lot of cases the simplest solution is to install with the drive in older hardware, then transplant afterwards.

            Windows usually won't let you do that.

        2. Anonymous Coward

          Re: FFS

          It is Lenovo's route as well. Given that some models of Yoga won't boot anything but Windows 10 due to the BIOS/UEFI not allowing the RAID config to be changed.

          Hang on, so it has biometric logon and runs Windows, and they claim this is secure? That's a cockup on both counts. I bet the case is shiny, so finding the right fingerprints won't be hard (new keyboards are harder to pick up prints from) and Windows 10, well, I hardly need to go into detail there.

          Unbelievable.

    2. JeffyPoooh
      Pint

      Re: FFS

      Agreed, but...

      Username$ = identity

      Password$ = authentication

      Just two strings.

      So how about two fingers?

      Finger1 = identity

      Finger2 = authentication

      We need a philosopher to figure out why this symmetry is invalid.

      It obviously is nonsense. I'm just not sure why. Based on the symmetry, fingers should be as good as strings.

      1. Flocke Kroes Silver badge

        @JeffyPoooh

        Leave the house, close the door - oops, I just left my password on the door handle. Get on the bus, pay the fare - oops, I just wrote my password on a coin that I gave to the driver. Go shopping, touch the 'I brought my own bags' icon - oops...

        Now that I have left my password everywhere, I had better change it. There is only one place biometrics should be used: people should only be allowed into the House of Commons if they have the hand or eye of an MP.

      2. Anonymous Coward

        Re: FFS

        Finger1 = identity

        Finger2 = authentication

        Both readily found on the case. Oops. Now try and change them - you only have 10 different passwords to go through (and my many years in biometrics show that it depends on where the reader is if you should even incorporate the thumbs - most of the time you're looking at index and middle fingers).

        A password you can memorise and change at will. With a fingerprint reader you'll need to carry a cleaning cloth with you or it's like walking around with a rubber stamp and putting your password on everything you touch. That's also why in certain circumstances fingerprints are not a valid argument to set weaker passwords.

        1. Alan Brown Silver badge

          Fingerprint readers

          Worst of all worlds.

          Tech based on subdermal vein patterns (which are different even in identical twins) has been around for ages. It doesn't work on a dead hand AND you don't leave convenient copyable versions everywhere you go.

          http://www.slashgear.com/lg-hitachi-vein-id-scanner-recognises-sub-dermal-patterns-0112342/

          1. Anonymous Coward

            Vein ID

            Making a decoy finger to fool a scanner might be a little harder than fooling a fingerprint reader or retinal scanner, but a 3D printer could be programmed to create something out of suitable material with the proper vein pattern and a fluid inlet to pump its 'blood'. Lifting the vein pattern would be easy - if it ever gets cheap enough to put in a smartphone, it would be cheap enough to put in a decoy replacement door knob or handle to lift your target's vein pattern.

            This just raises the bar slightly over fingerprint or retinal scanners. It is still a username, not a password, because you still have only ten choices and then you are SOL.

            1. Anonymous Coward

              Re: Vein ID

              Lifting the vein pattern would be easy - if it ever gets cheap enough to put in a smartphone, it would be cheap enough to put in a decoy replacement door knob or handle to lift your target's vein pattern.

              I disagree. You leave fingerprints all over the place, so if <random thief> wanders into your hotel room, there will always be a nice helpful copy to start from, whereas you have to get your target walking into a controlled situation to get a vein map - it's not something you can obtain as a spur-of-the-moment idea.

              If you're prepared to go that far I suspect you would be better off feeding your intended target some drugs (assuming they don't bring their own drinks glasses) and do whatever you need to do while they're out.

    3. a_yank_lurker

      Re: FFS

      "Anyone suggesting biometrics can replace passwords needs to be taken outside and given a good shoeing." - summary execution for stupidity unbecoming a sentient being.

  2. John Doe 6

    Fido ?

    BlackBox got Fido too... "Fido did what". Anybody remember ? No ?

  3. Anonymous Coward

    FIDO is not meant for....

    Identity, it is meant for tracking. This is clear from who is in the alliance. Once the spooks can find you, they can arrest/execute/lockup you for anything they want. And fake the evidence.

    They can probably do that now, but it is harder.

  4. conscience
    WTF?

    Sounds insane to me. Obviously I will NEVER use this 'feature' and would avoid buying any product with it included.

  5. Pen-y-gors

    Missing the point

    Passwords (on a good day) identify someone who is authorised to access a facility. Bit like a door key. I can give a friend a door key and tell them to let themselves in if I'm not at home. I can give a (trusted) friend or relative my card and pin and ask them to get some cash out for me or to buy something for me. No need to identify who is actually doing this, the fact that they have the 'key' is sufficient.

    Biometrics, in theory, identify individuals. I can't give my finger to a friend to let themselves in. (Well, I CAN, but I wouldn't really want to) - Biometrics are fundamentally effective for tracking the location and actions of individuals, even when completely unnecessary. Very, very dangerous.

  6. Barry Rueger

    Scary stuff

    In the first place, I have to assume that someone will manage to beat the FIDO system within a year.

    In the second place, right now you can refuse to give police or customs your passcode or encryption key, and about all they can do is jail you.

    If your finger is your pass key it only takes a couple of burly cops to unlock your device.

    Finally, what this really looks like is a fantastic tool for tracking individuals with no chance for anonymity.

  7. Jin

    Alas! Criminals would be delighted.

    This video explains how biometrics ruins the security of password protection.

    https://youtu.be/5e2oHZccMe4

  8. Android Hater

    Losing your middle finger...

    Mercedes introduced fingerprint start on some of their top of the range S-Class cars. One day, car jackers cut off some poor bloke's index finger and stole his car....

    http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm

  9. Will Godfrey Silver badge
    Thumb Down

    A distant memory

    I seem to remember reading somewhere that fingerprints were not actually unique, close to it yes, but not enough that you couldn't get two people with ones that matched within the normal range of any person's medium term variation.

    Related to that, does the reader account for such variations and self-modify to correct for trends?

    1. Alan Brown Silver badge

      Re: A distant memory

      "I seem to remember reading somewhere that fingerprints were not actually unique, "

      They ARE, but the number of points used by police, etc for ID are insufficient to establish uniqueness.

      It wasn't a problem when only known criminals were in the system but once you have all and sundry in there there are too many false positives.

      The same applies to DNA sampling, which is why the number of data points needed to be expanded (the original set were chosen to avoid racial profiling and the number of early cases where "matching DNA" has later been shown not to be is rather startling). It's worth noting that the earliest use of DNA sampling was to eliminate suspects, not to match them.

    2. John Brown (no body) Silver badge

      Re: A distant memory

      "Related to that, does the reader account for such variations and self-modify to correct for trends?"

      Or, for that matter, will it cope with those times I've got a bandage on my finger, or the period afterwards when the cut through the pattern is still there.

  10. D@v3

    finger prints as passwords

    Just as a counter point (which may or may not attract a whole bunch of downvotes).

    While I understand the argument of, but you leave your prints everywhere, and you can't change them. I could, with reasonable certainty write down (one of my) password(s) on post it notes, and wander around sticking them in various places. Anybody who took the time to find one, would have a piece of paper, with a random string of characters on it. They would not know who I am, what service the password was for, or the log in / username for that service. The password on its own, is not much use to them, neither is a fingerprint.

    If you are concerned about people following you around and stealing your fingerprints off light switches, on the off chance that they also have physical access to the device(s) that they are registered on, I think you have bigger problems.

    Yes, I use the print reader on my phone, I find it quite convenient. The concern that someone is going to lift my finger prints from somewhere and make a copy, is less of a concern than the idea that someone is going to steal my phone, which coincidentally is also pretty slim. When was the last time anyone here had their cash card stolen from them, and the PIN beaten out of them? Not saying it doesn't happen, far from it, just that that is, and always will be, a lot easier than trying to lift / copy a finger print, from a surface that probably has dozens of overlapping prints, and being able to match it to a person / service.

    I'm not saying finger prints are the best 'I have a hard time remembering my passwords' solution, just that the fear of having them stolen from you is a little dramatic, especially when you consider how many people, when they get the nice friendly box that pops up saying, 'would you like me to remember your password' just instinctively click, 'yes', at which point anyone who has access to the device no longer needs even the username, as they can just browse to a site and be auto-logged in.
