Windows 10 to give passwords the finger and dangle dongles

Microsoft will add biometric authentication support to Windows 10. Redmond revealed its intention to do so at the White House Cybersecurity and Consumer Protection, where group program manager for Windows security and identity Dustin Ingalls announced the company has “contributed design inputs to the Fast IDentity Online (FIDO …

  1. John Tserkezis

    Are they saying it's ok to transfer $10K with a fingerprint that's been broken down to perhaps 5 key points?

    Look, there's nothing inherently wrong with the uniqueness of your actual fingerprint - as far as anyone knows, it's entirely properly unique. However, readers break it down to only a few key indicators to presumably save bit space, now it's not so unique.

    And there's the minor point that you leave traces of all your fingerprints all day, every day, over your entire life, all over the place. Traces that have been verified to be duplicatable and usable on readers.

    Here, as an example, guess which finger I'm holding up.

    1. RedneckMother

      @ John Tserkezis

      Errr, ummm... lessee... if you're drinking tea... your pinkie?

      ps - you owe me a keyboard!

    2. big_D Silver badge

      The problem is, the fingerprint is an identifier, it isn't a password or a password replacement.

      If it is compromised, you can't chop off your pinkies and grow new ones!

      The same is true of all biometrics. A fingerprint swipe is convenient, but it isn't a replacement for a password.

      1. Lee D Silver badge

        The fingerprint is your username, not the password.

        You can tell everyone on the Internet your username if you like (most forums do), but that does not provide them access. The fingerprint is "this is who I am", and the password is "this is the secret to prove it". Anyone selling anything else DOES NOT UNDERSTAND biometrics. You cannot have a secret fingerprint any more than you can have a public password.

        And fingerprints aren't unique*, because they aren't static, because they can be modified by simple actions, because they can actually be virtually identical from the start, and because of the reader sampling problem you describe, and thus can produce "flux" enough between two individuals that they are impossible to tell apart by fingerprint alone. Court cases rest not on "you are unique" but "you fit the pattern that only 1 in so-many people would have and you were also confirmed to be nearby".

        [[ (*) Fingerprint uniqueness rests in the "every snowflake is different" area. Because there are a number of random variations, almost every fingerprint will differ from another. But because there are such a huge number of variations, uniqueness isn't guaranteed, merely suggested. And your own fingerprints are different on different fingers. It's this "pattern" that gives the random chance of someone leaving the same fingerprints - in the same order - at the crime scene billions-to-one odds. But there's no guarantee of uniqueness, and in terms of authentication they suck because you don't know if you're sampling the unique bits or not. ]]

        The other problem is how easy it is to fake - there's no point them being "unique" if I can make a copy in ten seconds. The last fingerprint reader I used was a tiny 100dpi scanner with a rubberised surface. The surface was supposed to "splay out" your fingerprint, and the scanner merely scanned as any ordinary scanner does (they are mostly webcams etc. now). I got some Linux software and proved it by scanning in a document with it in 1 inch strips. Literally, printing the output of scanning my thumb and then putting it in front of the reader was enough to validate me forever after with a piece of paper. Similar tricks have been used on almost any amount of security measures since put in place in your average fingerprint reader. This is why banks, for example, DO NOT USE fingerprints on your credit cards, etc. They may be daft, but they're not stupid.

        Something you have (fingers!), something you know. Otherwise it's not security, it's just convenience of not having to type in your username.

        1. Daedalus801

          FIDO offers alternatives to fingerprints

          I don't want to use fingerprints due to the well documented copying and using of "fake" fingers to access systems protected by fingerprint readers and the simple fact that you leave copies of your fingerprints everywhere, so there are many sources of getting the image to fake.

          FIDO does allow for alternative forms of biometric authentication or for one time keys generated by a dongle.

          The dongle method could be stolen and eventually I'm sure they will become cloneable.

          I am looking at http://www.eyelock.com/ where video of your eye is used to allow authentication. I don't like the large round design of the current model but hope the unit will come smaller and less conspicuous, as they have already made demonstration models that fit in the frame of a laptop screen. So I hope monitors will start to ship with this technology pre-installed.

          It's rather obvious to the real user if their EYE has been removed by a nefarious person to use for authentication, unlike fingerprints!

          1. Anonymous Coward
            Anonymous Coward

            Re: FIDO offers alternatives to fingerprints

            "The dongle method could be stolen" - certainly.

            Note that the dongle (U2F) method requires you to login with a username *and* password, as well as touch the dongle. This actually makes logging into websites somewhat less convenient because it doesn't free you from remembering a password, and I suspect it may fail in the marketplace for this reason alone.

            "and eventually im sure they will become cloneable" - very difficult, but possible if you have the right electron microscopes etc.

            However, your housekeys can also be stolen and cloned.

            What are you proposing as a better approach? How is the eyelock method better, exactly? Either it uses the eye pattern to enable use of a locally-stored key (which is what UAF does), or it is sending your eye image to the far side (which has all the problems cited earlier from people who don't understand how UAF works)

            1. big_D Silver badge

              Re: FIDO offers alternatives to fingerprints

              I've been using a YubiKey Neo for a while now.

              I use it on my Android smartphone (NFC) to open my password safe - I need my password or PIN as well, but if the phone is stolen, nobody can get at my passwords; if I lose the YubiKey, I have a OTP at home to get back into my LastPass account.

              It works over USB on my PC. I wouldn't be without it, and I can also set it up to be 2nd factor with my Windows logon, although I haven't yet.

              1. Anonymous Coward
                Anonymous Coward

                Re: FIDO offers alternatives to fingerprints

                So if they steal your phone AND the YubiKey AND employ the rubber hoses to make you spill your password before knocking you out, preventing you from having the credentials wiped before they sweep your phone clean?

                1. Anonymous Coward
                  Anonymous Coward

                  Re: FIDO offers alternatives to fingerprints

                  "So if they steal your phone AND the YubiKey AND employ the rubber hoses to make you spill your password before knocking you out, preventing you from having the credentials wiped before they sweep your phone clean?"

                  http://xkcd.com/538/

    3. DrXym

      A fingerprint would be broken down into a biometric description which would then be hashed. Assuming there was enough uniqueness in this description, the hash would be no more or less secure than a strong password. Both would depend on the database properly salting the hash though to make it difficult to reverse lookup.

      Of course the one disadvantage of a print is you can't change it. So if thieves did grab your print they could happily unlock all your devices and accounts that used it. Biometrics that capture more than the print, e.g. blood vessels are probably more secure. It would also be desirable to use 2-factor authentication so that to log on you must supply your print (something you have) and type a pin (something you know).

      1. big_D Silver badge

        @DrXym you could argue that it is the 2nd factor, but in reality, it is closer to a username than a password, whether the hash is salted or not.

        Even the iPhone or the Galaxy S5 readers can be fooled by a photo of a fingerprint printed with a laser printer, then pouring wood glue into the ridges and using that to fool the reader. The technology hasn't really improved in the last decade - this hack was first demonstrated back in 2002 or so. The resolution of the scanners has improved, so the camera needs a higher resolution image of the fingerprint and a little more care is needed, but the fact is that the technology today is still open to a decade old exploit.

    4. Anonymous Coward
      Anonymous Coward

      Read the specs

      Please read the UAF specs before commenting.

      https://fidoalliance.org/specifications

      * Your fingerprint does not authenticate you to the remote service. Nor is it sent to the remote service.

      * You authenticate using a cryptographic private key. The fingerprint just unlocks the private key on the local machine (like a screen unlock on an iPhone)

      * There is a different private key generated for each remote service, at the time you register for that service

      If your device is stolen, it may be possible somehow to unlock the key without the fingerprint (depending on how the device is designed); but in practice few attackers will have physical access to the device.

      The primary weakness of this scheme appears to be in the registration. The protocol allows you to register multiple devices on the same account, but in order to register you have to identify yourself by some other means - i.e. your existing weak username and password.

      Google intentionally designed the protocols so that colluding sites cannot identify that the same user is logging into them, and there's no "device ID" which could be universal cookie. However this means you can't login on device A and authorise device B.

      1. djack

        Re: Read the specs

        * You authenticate using a cryptographic private key. The fingerprint just unlocks the private key on the local machine (like a screen unlock on an iPhone)

        That is even worse!

        For the private key to be stored securely, it must be encrypted with a key. This key needs to be provided identically each time the system decrypts the private key.

        Unlike a password, each presentation of biometric data is slightly different each time the fingerprint (or whatever) is scanned. Confirmation of the print is based on a 'near enough' match of the stored biometric data (which is why you have the risk of false positives and false negatives). Therefore the key to decrypt the private key cannot be reasonably derived from the biometric data provided at the point of 'authentication'.

        The only way I can see it working is that the key needed to decrypt the private key is actually stored on the system (presumably in some sort of obfuscated fashion) and that the software only chooses to use it to gain access to the private key after a successful biometric authentication event. It may as well be stored in the clear and hope for the best.

        1. Anonymous Coward
          Anonymous Coward

          Re: Read the specs

          http://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-overview-v1.0-ps-20141208.html#fido-uaf-authenticator

          "A FIDO UAF Authenticator is a secure entity, connected to or housed within FIDO user devices, that can create key material associated to a Relying Party. The key can then be used to participate in FIDO UAF strong authentication protocols."

          As others have said: a fingerprint pattern is useless as a *key* to encrypt anything, because of its variability, its limited entropy, and its inability to be changed.

          What FIDO requires is a secure module which stores the keys and which performs crypto operations with those keys. Furthermore, it will only do so if you can convince it that the correct user's finger has been applied to the sensor. Note that the keys themselves can never leave the module.

          Arguably the fingerprint is no better than protecting the keys with, say, a 4-digit PIN - and indeed the standard allows that too. However to break the system, the attacker has to possess the physical module *and* has to be able to persuade it that the right finger (or PIN) has been presented, before it will perform a crypto operation which would authenticate as that device's owner.

          Is typing a long passphrase into a PC more secure? A PC which is potentially infected with a keylogger?
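A constructed model of the flow this reply and the "Read the specs" comment describe, and of djack's objection about fuzzy matching. This is added illustration code, not FIDO Alliance code and not anything posted in the thread. Its stand-ins are assumptions: a Lamport one-time signature replaces the authenticator's real signature scheme (so only the Python standard library is needed; a real authenticator uses a reusable scheme such as ECDSA), a short integer feature vector with a tolerance-based comparison replaces a fingerprint template, and the relying-party names and usernames are invented.

```python
"""Constructed model of a UAF-style registration and authentication.

- The relying party (RP) stores one public key per registration and checks a
  signature over a fresh challenge; it never receives biometric data.
- The authenticator keeps the template and one private key per RP; neither
  leaves it. User verification only gates the signing operation.
- A 'near enough' template match cannot feed a key-derivation function: two
  honest samples pass the match but hash to different values.
Stand-ins (assumptions): Lamport one-time signatures for the real signature
scheme, and an integer feature vector for the fingerprint template.
"""
import hashlib
import secrets


def sha(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def msg_bits(msg: bytes):
    d = int.from_bytes(sha(msg), "big")
    return [(d >> i) & 1 for i in range(256)]


def lamport_keygen():
    """Private key: 256 pairs of random values; public key: their hashes."""
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pk = [[sha(a), sha(b)] for a, b in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes):
    # Reveal, per message bit, one of the two preimages (one-time use only).
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if sig is None or len(sig) != 256:
        return False
    return all(sha(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, msg_bits(msg))))


def template_match(enrolled, sample, tolerance=2) -> bool:
    """Biometric comparison is 'near enough' per feature, never exact equality."""
    return len(enrolled) == len(sample) and all(
        abs(a - b) <= tolerance for a, b in zip(enrolled, sample))


class Authenticator:
    """Holds the template and one private key per RP; none of it is exported."""

    def __init__(self, enrolled_template):
        self._template = list(enrolled_template)
        self._keys = {}                       # rp_id -> private key

    def register(self, rp_id: str):
        sk, pk = lamport_keygen()             # fresh key pair per RP
        self._keys[rp_id] = sk
        return pk                             # only the public key leaves

    def authenticate(self, rp_id: str, challenge: bytes, sample):
        # The match result is a yes/no gate on signing; it is not key material.
        if rp_id not in self._keys or not template_match(self._template, sample):
            return None
        return lamport_sign(self._keys[rp_id], rp_id.encode() + challenge)


class RelyingParty:
    """Stores public keys only and issues challenges."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.users = {}

    def register(self, username: str, public_key):
        self.users[username] = public_key

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def check(self, username: str, challenge: bytes, sig) -> bool:
        pk = self.users.get(username)
        return pk is not None and lamport_verify(pk, self.rp_id.encode() + challenge, sig)


def demo():
    enrolled = [10, 42, 7, 88, 23]            # constructed enrolment template
    fresh = [11, 41, 7, 89, 24]               # same finger, sensor noise
    other = [30, 5, 60, 12, 77]               # a different finger
    auth = Authenticator(enrolled)
    bank, shop = RelyingParty("bank.example"), RelyingParty("shop.example")
    bank.register("alice", auth.register(bank.rp_id))
    shop.register("alice", auth.register(shop.rp_id))
    c = bank.challenge()
    sig = auth.authenticate(bank.rp_id, c, fresh)
    return {
        "accepted": bank.check("alice", c, sig),
        "wrong_finger_rejected": bank.check("alice", c, auth.authenticate(bank.rp_id, c, other)),
        "cross_site_replay": shop.check("alice", c, sig),      # different key and rp_id
        "keys_unlinkable": bank.users["alice"] != shop.users["alice"],
        # The fuzzy match passed above, yet the two samples hash differently.
        "sample_hash_stable": sha(bytes(enrolled)) == sha(bytes(fresh)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "sample_hash_stable" result is the point djack raised: the sensor output that passes the match is not byte-identical to the enrolled template, so it cannot unwrap a stored private key by itself; the private key has to sit inside a module that decides, after the match, whether to sign.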

        2. Doctor Syntax Silver badge

          Re: Read the specs

          "The only way I can see it working is that the key needed to decrypt the private key is actually stored on the system"

          Turtles all the way down!

  2. Ole Juul

    This could be a goldmine.

    Would the collection of this biometric data from people's computers be even more lucrative than getting passwords? It seems to me that people will be presenting the same data for all uses and thus making it a single point of failure.

    1. Anonymous Coward
      Anonymous Coward

      Re: This could be a goldmine.

      As I have stated before - at least now if your account gets ripped you can reset/change passwords etc. If your biometric stuff gets ripped, you can't exactly change your fingerprints, retina scan et al.

      1. Dan 55 Silver badge

        Re: This could be a goldmine.

        I would hope this is a local account and not a Hotmail/Live/Passport/Outlook/whatever it's called today account so it would just be the same as fingerprint readers for the Windows 7 login screen only following this standard.

        If it's for a MS account that's all kinds of scary.

  3. 101
    Alert

    MS worries me more every day

    Everyone knows, in the USA at least, a person may not be legally compelled to produce a password because it's intellectual property (or something).

    However, it is trivial for the government to compel production of biometric data such as fingerprints, iris scans and yes, DNA. Also, biometrics can be forcibly and painfully extracted by perpetrators. And now MS is in a very big hurry to make it easier for the government and perps (government/perps?) to get our stuff. Why is that? Why do I fear I don't want to know?

    I wonder if password security will be abandoned if not prohibited altogether?

    I would have liked MS to come up with a user friendly end to end encryption system. As for passwords or prints....find a different way altogether. A rock solid password keeper would be nice.

  4. Anonymous Coward
    Mushroom

    I think most people forget that...

    ...your fingerprint is more akin to a username than a password.

    And on some services I've seen, equally as difficult to change.

  5. Anonymous Coward
    Anonymous Coward

    Pwnamatic

    Then you find that the NSA have already altered the firmware in the dongle.

    Like they do with HDDs:

    http://www.theregister.co.uk/2015/02/17/kaspersky_labs_equation_group/

  6. Anonymous Coward
    Anonymous Coward

    I have one question about this. Where is the authenticated image of your fingerprint stored? Some "secure" database that will never, ever be hacked? What happens if (when) your unique fingerprint is stolen? How do you then verify your identity? It's a bit hard to change your fingerprints.

    (Ok, So that's a couple more than 1 question...)

    1. John Bailey

      "I have one question about this."

      Only one?

      "Where is the authenticated image of your fingerprint stored?"

      Wherever the system stores it. Probably on the server of the website or account you are trying to get into. Linked to your customer records in plain text.

      "Some "secure" database that will never, ever be hacked?"

      Yep. And it's powered with Da Vinci's perpetual motion machine. And the UPS is a potato with two strips of metal stuck in it.

      "What happens if (when) your unique fingerprint is stolen."

      Use another one. You usually have ten to start out with.

      "How do you then verify your identity?"

      Who says you can. You become the nameless one, and wander from town to town fighting crime, dispatching the bad guys with a Samurai sword disguised as a walking stick.

      "It's a bit hard to change your fingerprints."

      Oh that isn't the half of it.

      Pick pineapples. No fingerprints.

      Work on a building site. No finger prints.

      Lose hands in an accident. No fingerprints.

      Burn fingers. No finger prints.

      Millions of people have no, faint, obscured or unreadable fingerprints. And that is without even trying to mask their identity.

    2. Anonymous Coward
      Anonymous Coward

      "Where is the authenticated image of your fingerprint stored?"

      Inside the UAF authenticator module, which is embedded in your client device.

  7. Anonymous Bullard
    Trollface

    The Windows Password-less Experience

    Crackers have already been enjoying this for years...

  8. Lostintranslation

    "How can I help you today?"

    I've burnt my fingers on an oven pan, now I can't access my bank account, my tax account or my travel tickets. And my credit card won't work.

    "OK sir. Can you just put your fingerprint on the scanner so that I can access your account details?"

  9. Elmer Phud

    Danglies

    I have enough trouble with house keys, car keys and memory sticks -- my pockets can't take another lump.

  10. Anonymous Coward
    Anonymous Coward

    eventually...

    "I can't remember my password" won't work as a defence.

    that's if it ever did in the first place.

    1. Charles 9

      Re: eventually...

      Even if it's true for more people than you think? If people are constantly looking for alternatives to passwords, there must be a reason behind it. The most likely one: information overload, as in we have to memorize so many passwords that not even the xkcd method can save us from the limits of our brains. Let's face it. Some people just have bad memories, so how can they go about a society like ours where one needs to be able to recall a complicated (something more than a single dictionary word is too complicated for them) password at will without access to any other device or mnemonic?

  11. Anonymous Coward
    Anonymous Coward

    Linus we love it

    Linus, can you do this gesture again with Windows 10 nail paint on, and the roflcopter hat (yes, the one from the 90's)? That would be great.

  12. Anonymous Coward
    Anonymous Coward

    El Reg, did you ask Linus for his permission to use this 'oh | so | funny' photo?

  13. Anonymous Coward
    Anonymous Coward

    Finger me

    Why don't you add some 3-factor authentication, MS? fps fingerprint alone isn't enough.

    I can see it now: let's add retina scan and voice to it, then send to data centre for the gov

    for a small packet $.

    What happens when the data centre is breached? Your fingerprints, retina data and voice are stolen...

    The existing internet isn't the place for this.

    Read RSA.

  14. tempemeaty
    Devil

    Back To The Future....

    Once your biometric data is stolen, the only way to secure your accounts and data will be....wait....here it comes....a.......password.

    * That red guy with horns on my post...yeah...that's me...

  15. This post has been deleted by its author

  16. Jin

    A couple of misperceptions

    It appears there are a couple of misconceptions at FIDO.

    It makes no sense to expect a PIN to displace a password because the PIN, a numbers-only short password, belongs to the password. A’ which belongs to A cannot be an alternative to A. It also makes no sense to expect a biometric product operated with a backup/fallback password to displace a password. A+B cannot be an alternative to A.

    Biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market which require a backup/fallback password.

    Incidentally, it is not possible to compare the strength of biometrics operated on its own with that of a password operated on its own. There are no objective data about the overall vulnerability of biometric solutions (not just false acceptance rate when false rejection is near-zero but also the risk of forgery of body features and the risk of use when the user is unconscious) and that of the passwords (not only that it may be as low as 10 bits or as high as 100 bits but also that it can be stolen and leaked.)

  17. group0

    PICTURES NOT PASSWORDS

    Simple and secure: http://pixelpin.co.uk/

    I have no connection to PixelPin. I think they have an excellent answer to a secure login.
