
SoylentNews is people

posted by martyb on Friday September 30 2016, @09:39AM   Printer-friendly
from the biometrics!=password dept.

PaymentEye and EWeek report on the partnership of Lenovo, Intel, Synaptics and PayPal. Lenovo Yoga 910 laptop computers are fitted with Intel processors and Synaptics fingerprint readers. PayPal will allow sign-ins using the FIDO (fast identity online) protocols. With the so-called "biometric" system, people can be identified without the use of passwords and without sending their fingerprint data over the Internet.


 
  • (Score: 4, Insightful) by ledow on Friday September 30 2016, @10:04AM

    by ledow (5567) on Friday September 30 2016, @10:04AM (#408314) Homepage

    You'd think that big-name companies like that would have at least one guy somewhere who says "You're all being stupid. Please stop." and then explain the situation to them.

    Password-less login is like a door without a lock. Just finding the door lets you open it, whoever you are, whatever purpose you have, whatever time of day it is.

    The whole point of biometrics is STUPENDOUSLY MISUNDERSTOOD and you'd expect companies with finger-print readers on their laptops, or dealing with credit-card data to understand that. Apparently not.

    Biometrics are an identifier. They say "This guy looks like User 1". At no point do they confirm that. At no point can you CHANGE that association. At any point they can be fooled by bits of printed paper, Gummi bears or just plain hacking of their interfaces.

    Biometrics are literally things you leave ON EVERY SURFACE YOU TOUCH. It's like stamping your password on your thumb with ink that transfers to every surface.

    If you wouldn't walk around town making impressions of your primary password on the walls, handrails, car doors, etc. throughout your life, why would you trust a fingerprint scanner to authorise a transaction?

  • (Score: 0) by Anonymous Coward on Friday September 30 2016, @10:08AM

    by Anonymous Coward on Friday September 30 2016, @10:08AM (#408319)

    You'd think that big-name companies like that would have at least one guy somewhere who says "You're all being stupid. Please stop." and then explain the situation to them.

    We fired that guy. He moved back into his mother's basement where he shitposts on forums all day.

  • (Score: 0) by Anonymous Coward on Friday September 30 2016, @10:20AM

    by Anonymous Coward on Friday September 30 2016, @10:20AM (#408321)

    You'd think that big-name companies like that would have at least one guy somewhere who says "You're all being stupid. Please stop." and then explain the situation to them.

    I guarantee you they do.

    Problem is, that guy is too smart to be a manager.

  • (Score: 5, Insightful) by Justin Case on Friday September 30 2016, @12:18PM

    by Justin Case (4239) on Friday September 30 2016, @12:18PM (#408343) Journal

    You'd think that big-name companies like that would have at least one guy somewhere who says "You're all being stupid."

    I have yet to find any boss who will pay me for pointing out stupidity. If I could, I'd be richer than Trump and I'm sure most of us could say the same.

    Face it. Nobody wants to hear the truth, just like nobody wants to do what should be done. They want to look good, and be told they look good. Hence we have a world full of crap.

  • (Score: 2) by KilroySmith on Friday September 30 2016, @05:30PM

    by KilroySmith (2113) on Friday September 30 2016, @05:30PM (#408453)

    Sigh.

    At any point they can be fooled by bits of printed paper, Gummi bears or just plain hacking of their interfaces

    You have a stupendously poor understanding of modern secure fingerprint sensors. You do realize that each one has a unique RSA-2048 key, sets up a TLS 1.2 session with the host using AES-256 and SHA-256? And that creating fingerprint spoofs which fool one of them is far harder than it was when Matsumoto showed the Gummi Bear attack?

    Don't confuse jelly-bean fingerprint sensors with secure fingerprint sensors.

    • (Score: 3, Insightful) by termigator on Friday September 30 2016, @07:55PM

      by termigator (4271) on Friday September 30 2016, @07:55PM (#408521)

      I fail to see how all the cryptography you mentioned is relevant to the task of the biometric reader. All that you mention is what goes on after you read the biometric input data, which is before cryptography is involved.

      With biometrics alone, it will make it easier for me to break into someone's device. Wait for them to fall asleep (or drug them), use their finger to unlock/login into device, and enjoy. I can see law enforcement doing this with suspects to access their devices without a warrant.

      As has been said, biometrics alone should not be used for authentication. You need a revocation mechanism, and that is very difficult to do with biometrics.

      • (Score: 2) by KilroySmith on Friday September 30 2016, @10:41PM

        by KilroySmith (2113) on Friday September 30 2016, @10:41PM (#408570)

        The cryptography references were about ledow's comment of " just plain hacking of their interfaces." That ain't gonna happen on a secure fingerprint sensor.

        As far as authentication, your example of "Wait for them to fall asleep (or drug them), use their finger to unlock/login into device" isn't an authentication failure - the system correctly identified and authenticated the user. The matter of the user's desire to be authenticated is a completely separate issue.

        Revocation is properly done at the relying system. For example, if I am fired from my job, my employer will revoke my access (whether provided by a fingerprint or a password or a smart card, or a combination of all three) at the enterprise level, and push it down to the laptop in my possession the next time it connects. If I wish, I can request to revoke my previous credentials by changing my password - but recognize that's only a request; if the relying system is designed badly, or designed to access your data without your participation (any employer's systems, most internet services, etc), there is a patina of user-directed revocation which is partially meaningless - you can prevent an attacker who picked up the post-it note that you wrote your password on from accessing your data by changing your password, but you can't stop the systems and people who control access to your data from accessing it.

        The kinds of attackers that you describe, people who are willing to drug me and use my fingerprint, are more than willing to apply the XKCD538 decryption algorithm ( https://xkcd.com/538/ [xkcd.com] ). Your super-secret password, fingerprint, smart card, iris scanner, etc aren't going to help you much there.

        The authentication provided by a properly implemented fingerprint system isn't absolute. It is pretty danged good, though. It guarantees that a human is in possession of, and interacting with, "something you have" - i.e. the phone or laptop that the fingerprint sensor is installed in. Your fingerprint is only registered at that device (except in enterprise-level systems like Disneyworld), and only that device can authenticate you. A random bit of malware on your system can't buy something from Amazon, or log into your corporate VPN, using your fingerprint credentials without your (perhaps improvidently provided) cooperation. This "something you have" guarantee prevents scalable attacks that can break every networked Windows or Linux system, or every security camera - the attack can only be against the specific device you have.

        The fingerprint system also provides a moderately strong guarantee of "something you are" - it is possible to build a spoof of your fingerprint, but it's far harder on a modern fingerprint sensor than most of the YouTube videos suggest. Attacks at this level require physical access to the device - your laptop or cellphone, the "something you have" - as well as both a good image of your fingerprint, and a good spoof made from it. A spoof attack on the fingerprint sensor might allow someone access to your device or account without your knowledge - but if a policeman or the FBI doesn't care that you know your device or account are being accessed, the XKCD538 decryption is just as easy. A good fingerprint system would, firstly, reject almost all spoof attempts (modern systems reject 95%+ of good spoof attempts), and secondly, stop accepting fingerprint attempts after a small number of failures (5 in the case of the Samsung Galaxy S7).

        A secure fingerprint system would allow you to require a third factor - such as a super-duper password - before allowing access. If you're carrying state secrets (or child porn) on a laptop through national borders, you might wish to do this. It won't help you in backwards countries such as the United Kingdom (https://en.wikipedia.org/wiki/Key_disclosure_law) which applies XKCD538 by throwing you in jail for not decrypting such secrets, but it might help in certain countries where either of your mind or your fingerprints might be viewed as something law enforcement isn't allowed to use without your permission.

        So, a well-designed fingerprint-authentication system protects you against just about all attacks, except personally targeted attacks where either the system (if no password is required), or the system and the targeted person, are in the custody of the attacker. And in that case, you are F****d any way you look at it.

  • (Score: 0) by Anonymous Coward on Friday September 30 2016, @06:56PM

    by Anonymous Coward on Friday September 30 2016, @06:56PM (#408500)

    In most cases a bigger more important problem is users can't use their own accounts. They forget their usernames, passwords, email addresses, lose their phones, phone numbers, etc.

    That's why companies keep coming up with more and more easy and cheap ways for users to break into their own accounts ;). "Security Answer", "Mothers Maiden Name", "Helpful Out-Sourced Support Team Who Will Hand Over An Account If You Ask Convincingly Enough"[1]

    That it makes it easier for others to break into the accounts is a problem, but so far I think the big name companies believe that it's worse for a million users to not be able to get into their own accounts than a hacker getting a million users' accounts. Perhaps the latter is paid for by insurance and the users themselves.

    From what I understand it's public key crypto and the biometric is used to convince the local physical device to unlock the relevant private key. The private key is then used to convince the remote party.

    So that means the hacker will call Support, using an appropriately forged caller ID, playing a recording of a crying baby in the background and say that Madam Hacker really needs to buy stuff ASAP but Madam Hacker's fingerprint doesn't seem to be working today and isn't this Fancy Fingerprint stuff supposed to work like magic? Support finds out that "the lovely husband recently bought a new laptop and phone for Madam Hacker and took the old ones", so Support will register Madam Hacker's new devices. Voila...

    Yeah in theory Support shouldn't do that. But which case is Support more likely to encounter? How many one star ratings or failed SLAs does Support get for giving a hacker access vs not helping a user break into his own account?

    [1] http://www.techinsider.io/hacker-social-engineer-2016-2 [techinsider.io] which is why in many cases I have given up bothering with strong passwords. Why bother if Support will just hand it over, or it's far more likely that the organization will get hacked first.
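
The flow described in the comments above (a local fingerprint match unlocks a device-held private key, the key answers the remote party, revocation happens at the relying party, and the sensor locks after repeated failures), as an added Go sketch that is not part of any comment and is not FIDO reference code. It assumes Ed25519 as the signature scheme, simulates the fingerprint matcher with a boolean, and leaves out real FIDO details such as origin binding and attestation; all type and function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

const maxFailures = 5 // lockout threshold (the figure quoted above for the Galaxy S7)

// Authenticator models the laptop or phone. The key pair is made on the device
// and the private half never leaves it.
type Authenticator struct {
	priv     ed25519.PrivateKey
	failures int
}

func NewAuthenticator() (*Authenticator, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Authenticator{priv: priv}, pub
}

// Sign answers a challenge only after a local fingerprint match (simulated by
// the matched flag) and refuses once the failure counter has hit the limit.
func (a *Authenticator) Sign(challenge []byte, matched bool) ([]byte, bool) {
	if a.failures >= maxFailures || !matched {
		a.failures++
		return nil, false
	}
	a.failures = 0
	return ed25519.Sign(a.priv, challenge), true
}

// RelyingParty is the website: it holds public keys only, so revoking is a delete.
type RelyingParty map[string]ed25519.PublicKey

// Login sends a fresh random challenge and verifies the device's signature over it.
// No fingerprint data crosses this boundary, only the signature.
func (rp RelyingParty) Login(user string, dev *Authenticator, matched bool) bool {
	pub, known := rp[user]
	challenge := make([]byte, 32)
	rand.Read(challenge)
	sig, ok := dev.Sign(challenge, matched)
	return known && ok && ed25519.Verify(pub, challenge, sig)
}

func main() {
	dev, pub := NewAuthenticator()
	rp := RelyingParty{"alice": pub}
	fmt.Println(rp.Login("alice", dev, true), rp.Login("alice", dev, false))
	delete(rp, "alice") // revocation happens at the relying party
	fmt.Println(rp.Login("alice", dev, true))
}
```

Deleting the public key at the relying party revokes the credential without touching the fingerprint; the support-desk scenario in the comment above corresponds to someone persuading the relying party to register a new public key.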

  • (Score: 2) by Hyperturtle on Saturday October 01 2016, @11:45PM

    by Hyperturtle (2824) on Saturday October 01 2016, @11:45PM (#408904)

    I want to know who is coming up with these ideas and why do people just accept it. I guess I don't know how to refuse the changes, aside from not participating... but this crap is getting stupid, and it's all in pursuit of our money.

    The other day I read about a new standard, that even Tim Berners-Lee was involved with, to make "1-click" purchasing a standard experience across e-commerce sites.

    Apparently, this is in great demand, because people put stuff in their shopping cart... and don't check out. This greatly frustrates online stores, because damn you, you put item names in your cart are you so stupid you didn't buy it?

    If you are like me, you add them to the cart so that you get the total added up, the tax added in, the shipping calculated, and you get the final price... and decide not to buy. (I don't add things to wish lists, because that just invites ads, based on what I've seen happen to friends and family members. I only seem to get ads on stuff I already purchased, but it may be because of my paranoid online behaviors.)

    This is not something they admit is a concern--people actually wanting to do math without making a permanent list, or having to carefully tally up the values outside of the same browser window they already have open.

    (If you leave the window open on Amazon and have some marketplace items in it, or ebay or newegg, you will see the costs may change for the worse, to encourage you to BUY NOW SUPPLY RUNNING OUT, sometimes dramatically--yet if you go back to the site in a different browser... the price may be cheaper than what your 'cart' got updated to. I have seen this happen numerous times. To the extent that I will research in one browser and buy in another; I've saved hundreds of dollars this way on amazon, and to a lesser extent on the other ecommerce sites that play that game...)

    Seeing this, waiting, pondering about costs... all bad. Instead, the concern is based on the presumed reality that revealing these details is too difficult, typing in a credit card is too hard, so many digits, fumbling for the wallet -- by the time you get going the mood has left you and you'd rather do something else. Better to make it easier to automatically link impulsive buying directly to your credit or checking account... like via a simple biometric check, as this article discusses.

    Most of these advances don't seem to be very consumer friendly, but sure make it easy to lose money and fast, all for your benefit! DON'T THINK JUST SWIPE. I guess that is why in the US, consumer behavior powers 2/3rds of the economy... if people act to save money, other people lose jobs... (sounds to me like we should be less consumer focused, but then since we outsourced so much, and that purchased can't be, there isn't much else to focus on rightsizing and still having a consumer populace left to rely on to spend...)

    And remember -- it's not their fault you stupidly let your permanent biomarker get digitally reproduced on some vulnerable phone OS. They'll still get their money. If Wells Fargo could open bank accounts for people without even needing the people involved, I am sure copied biometrics can be used for similar purposes down the road as a means of validity, too. Dishonest people won't have a problem doing fraudulent things with your biometric data... your unique identifier, once digitally copied, is going to be valid at any place that needs it, and unfortunately it cannot be changed or expired like a password. As a result I think I will try to stick to using a complex passphrase, even if my brain hurts trying to keep myself secure. That or I just won't use their stupid new system until it's the only system allowed.