Samsung forgets fingerprints, focuses its eye on YOURS

When Samsung shoved the Galaxy S5 out the door last year, one of the things it put front and centre was the new ability to log on with one's fingerprint. Fast forward twelve months and Sammy looks to be giving that idea a finger of a different sort, by signing a deal with the Stanford Research Institute (SRI) to put iris- …

  1. Antonymous Coward
    Facepalm

    I see...

    Therefore I am... You.

    I wish the mobe industry could see too. "Biometrics"... all "biometrics"... are IDs not passwords. FFS!

    1. Calleb III

      Re: I see...

      So, what's your point? The standard method of authentication is to provide 2 things that you "know" - user name and password, with bio-metrics you provide 1 (or more) thing that you "have".

      Neither method is 100% secure; one of them is far more convenient (and probably more secure) for 80% of the people. Can you guess which one?

      1. Anonymous Coward

        Re: I see...

        Bio-metrics are not "something you have."

        Bio-metrics are "something you are."

        Iris scanners though? Really? I'll have to look into it more, for the differences from retina scanning... but retina scanning has the whole "personal invasion" aspect due to being able to detect things like, if a woman is pregnant.

      2. Antonymous Coward
        Facepalm

        Re: I see...

        "Neither method is 100% secure; one of them is far more convenient (and probably more secure) for 80% of the people. Can you guess which one?"

        No need to guess (thanks) but you clearly need to read on...

        One of your "methods" is 0% secure. One of your "methods" is your identity and not a password. These two things are different - one of them is not secret. "can you guess which one?" Is your hair colour a password? If I don an appropriate wig do I become you? Hair colour is (a factor of) your identity not your password. It is not secret.

        If you insist on considering your physical attributes, such as iris pattern, to be your password, then just remember you should: Use a different iris for every device/account (in case one is insecure/malicious/etc), change it regularly (every few months should suffice), never get photographed - or you'll have to go 'round changing all your irises (what a chore that'd be), and so on...

        Sorry if the beginning of my splaff seemed somewhat cryptic, it's the title of a nice little deconstruction of your misconception: http://events.ccc.de/congress/2014/Fahrplan/system/attachments/2573/original/congress2014.pdf. I'd meant to find an English translation to link to but got bored looking for one and gave up. Don't worry if your German isn't up to much - it's a slide presentation so should be easy enough to follow.

        These days some people actually seem to be using their phones for stuff they actually might want to keep actually secure. Online banking, payments and other fappenings, for example. Not using a password is certainly more convenient than using one. If you don't want one don't use one. No problem! ...but why pretend that an ID is a password? That would be an almost criminally malicious deception. You may not know any better but Samsung should certainly know better... especially if there's any truth to the rumours regarding them Blackberry and a move into more... secure devices.

        Oh... and you'll need to be extra careful of your eyes. Obviously! --------->

        1. Robert Helpmann??
          Joke

          Re: I see...

          Oh... and you'll need to be extra careful of your eyes.

          Ah, I need to get some work done, check my email while I'm at home, watching my favorite program with the family. It's a bit dark... and the system can't read my eyeball without a bit more light. No problem! It will work with the camera on the reverse using the flash. Just hold it up and... ARRGH! F***! My eye! That's too damn bright!

          Just saying, because the devil is in the details. Still, it might be a fun prank app to write, though...

  2. Anonymous Coward

    So where is the iris processing done, and who gets copies?

    Unless it can all be done locally on the device, with no data leakage anywhere, I'm certainly not interested.

  3. Anonymous Coward

    1000x more secure my ass

    It's a simple 2D image, so it should be no more difficult to fool than a fingerprint scanner. In fact the fingerprint scanner has the option (not implemented in all of them obviously, but they could) of checking temperature and pulse to detect fakery. I'm sure if you put a suitably high-res image of your iris in front of the camera it'll unlock for you, because there's no way it can tell the difference between that and your actual iris so long as you print it on something with the right amount of reflectivity.

    Not hard to get that suitable image either, all you have to do is get the victim to take a selfie with you :)

    1. Anonymous Coward
      Meh

      Re: 1000x more secure my ass

      It's been done:

      http://thehackernews.com/2015/03/iris-biometric-security-bypass.html

    2. Jimmy2Cows

      Re: 1000x more secure my ass

      Perhaps it's a 3D image of each eye, or at least stereoscopic. I looked on their site but it was unsurprisingly light on detail.

      With 3D images the system could perhaps detect the curvature of the eyeballs, making it harder to fake. Or perhaps the imaging system is looking for details or features that would be difficult to print, say things only visible in IR.

      Totally agree with earlier sentiments that biometrics should only serve as a user ID. Never a password.

      Confirm identity, not clearance.

      1. tony2heads

        Re: 1000x more secure my ass

        With stereoscopic 3D images you could also check eye separation.

    3. Calleb III

      Re: 1000x more secure my ass

      "Not hard to get that suitable image either, all you have to do is get the victim to take a selfie with you :)"

      Yeah, because you can get an image with high enough resolution of the iris.

      As for which one is more secure, a 4-digit PIN that anyone standing in the bus/tube/train near you can see, or your fingerprint/iris, I think we all know the answer.

      1. Antonymous Coward
        Facepalm

        Re: 1000x more secure my ass

        " Yeah, because you can get an image with high enough resolution of the iris. "

        Well done! You read the link I gave you. Good lad!

        " As for which one is more secure, a 4-digit PIN that anyone standing in the bus/tube/train near you can see, or your fingerprint/iris, I think we all know the answer. "

        Oh.

        All but one of us. Still. Sadly.

      2. Anonymous Coward

        @Calleb III

        Unless the iris unlock requires your eye to be extremely close to your phone (making it very inconvenient) or has a totally separate sensor that is much higher resolution than your phone's camera, yes, you can get a selfie with high enough resolution.

  4. David Lawton

    For the phone I think the fingerprint is better. I don't even know I'm doing it with my iPhone, it's that natural now: I just press the home button with my thumb, leave it on for 1 second and the phone unlocks. I doubt iris scanning will be quicker or more convenient than that, because if it isn't people will get annoyed with it and turn it off and be less secure.

  5. Anonymous Coward
    Pirate

    Eye I

    I understand that some digital cameras can scan the eye and detect stuff like eye micromovements and blood flow in the back of the eye, which should be good for detecting whether it's a live eye. I don't see why that can't be implemented?

    Still, almost any biometric is better than a 4-digit PIN for stuff that doesn't need high security like banking. 'Cause you can't forget your eye or fingerprint now, can you? Unless you are Captain Hook, avast behind jim lad, aaarghh.

    1. The_Idiot

      Re: Eye I

      But - and I know this has been said many times before - you can't change it either.

      So the next time you get an email from your bank/ service provider about the recent security breach that resulted in the access details of 999999999999999999999999999999 people being copied, of whom you were one, and telling you to change your thumbprint/ retina print because the verification copy was kept at their end in a not-sufficiently encrypted form, oh and to do the same on all the other sites where you used the same access token - you're going to do, um, what?

      Yes. I know there shouldn't be any form of remote copy. The word here is 'shouldn't'.

      Any access element that cannot be changed in the event of a breach is a risk. Or at least, that's my view. Of course, I'm an Idiot...

  6. phil dude
    Boffin

    funny thing...

    the first thing I thought of when I read the article was "I wonder if this can diagnose cataracts?"

    It might be useful to get a 10 million sample of time stamped eye exams....

    P.

    P.S. Oh sorry, yes it is creepy, insecure etc....

  7. Jin

    Password-dependent Password-killer?

    Whether fingerprints or iris patterns, it would bring down security so long as it is operated together with a fallback password.

    Threats that can be thwarted by biometric products operated together with backup passwords (rescue/fallback/ alternative passwords) can be thwarted more securely by a password-only authentication.

    We could be certain that biometrics would help for security ONLY WHEN it is operated together with another factor by AND/Conjunction (we need to go through both of the two), NOT WHEN operated with another factor by OR/Disjunction (we need only to go through either one of the two), as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increases the convenience while bringing down the security.

    Incidentally, it is not possible to compare the strength of biometrics operated on its own with that of a password operated on its own. There are no objective data about the overall vulnerability of biometric solutions (not just false acceptance rate when false rejection is near-zero but also the risk of forgery of body features and the risk of use when the user is unconscious) and that of the passwords (not only that it may be as low as 10 bits or as high as 100 bits but also that it could be stolen and leaked.)

    Such a terrible nonsense as the “password-dependent password-killer” should be killed dead lest the good reputation of biometrics as excellent identification tools for physical security should be damaged. Biometric solutions in cyber space could be recommended to the people who want better convenience, not to the people who need better security so long as they are dependent on the backup/fallback passwords.
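Jin's AND/OR point, worked through as an added example that is not part of the thread: a constructed model of an attacker's success probability against an unlock policy that pairs a biometric with a 4-digit PIN, assuming a per-presentation biometric false-acceptance rate of 1e-5, a lockout after 10 failed attempts, and an attacker who learns nothing about which factor failed (all three are assumptions, not figures from the page).

```python
# Attacker success against an unlock policy that pairs a biometric with a
# 4-digit PIN either by OR (PIN as fallback) or by AND (both required).
# Constructed model, not any vendor's policy; every rate here is an assumption.

PIN_SPACE = 10_000        # 4-digit PIN: 10^4 equally likely values (assumed)
BIOMETRIC_FAR = 1e-5      # assumed per-presentation false-acceptance/spoof rate
MAX_ATTEMPTS = 10         # assumed lockout after 10 consecutive failures


def pin_only_success(attempts=MAX_ATTEMPTS, space=PIN_SPACE):
    """Online guessing with distinct guesses: each guess covers 1/space."""
    return min(1.0, attempts / space)


def biometric_only_success(attempts=MAX_ATTEMPTS, far=BIOMETRIC_FAR):
    """Each presentation is an independent trial that passes with probability far."""
    return 1.0 - (1.0 - far) ** attempts


def or_policy_success(attempts=MAX_ATTEMPTS, space=PIN_SPACE, far=BIOMETRIC_FAR):
    """Either factor unlocks. The attacker splits the attempt budget between
    j biometric presentations and (attempts - j) PIN guesses and takes the best
    split, so the result is never below either factor used on its own."""
    best = 0.0
    for j in range(attempts + 1):
        fail_bio = (1.0 - far) ** j
        fail_pin = 1.0 - min(1.0, (attempts - j) / space)
        best = max(best, 1.0 - fail_bio * fail_pin)
    return best


def and_policy_success(attempts=MAX_ATTEMPTS, space=PIN_SPACE, far=BIOMETRIC_FAR):
    """Both factors must pass on the same attempt and the attacker is not told
    which one failed. With distinct PIN guesses and a fresh presentation each
    time, attempt i succeeds with probability (1/space) * far, so the total
    over the budget is attempts * far / space."""
    return min(1.0, attempts / space) * far


def compare():
    """Return all four success probabilities for the same attempt budget."""
    return {
        "pin_only": pin_only_success(),
        "biometric_only": biometric_only_success(),
        "or_fallback": or_policy_success(),
        "and_both": and_policy_success(),
    }


if __name__ == "__main__":
    for name, p in compare().items():
        print(f"{name:>15}: {p:.3g}")
```

With these assumptions the OR policy is exactly as weak as the PIN alone (the attacker simply ignores the biometric), while the AND policy multiplies the two per-attempt odds together.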
