
posted by martyb on Friday September 30 2016, @09:39AM
from the biometrics!=password dept.

PaymentEye and EWeek report on the partnership of Lenovo, Intel, Synaptics and PayPal. Lenovo Yoga 910 laptop computers are fitted with Intel processors and Synaptics fingerprint readers. PayPal will allow sign-ins using the FIDO (fast identity online) protocols. With the so-called "biometric" system, people can be identified without the use of passwords and without sending their fingerprint data over the Internet.

  • (Score: 2, Interesting) by kurenai.tsubasa (5227) on Friday September 30 2016, @01:44PM (#408366)

    For that matter, I've never met a fingerprint reader that can consistently read mine. Plus I'm not certain how to revoke my fingerprint more than 9 times. Standard complaints, etc. And don't get the idea you're going to scan my eyeballs! I can only revoke that once!

    Why can't we just get some standard feature to read a private key from a thumb drive I can carry around on my keychain and go from there? Seriously guise, this is a solved problem. I don't need a password when I log on to my cloud! At least from my desktop (don't trust any of my other devices with my private key).

    I've been too lazy to get around to actually screw around with PAM and cryptoloop mounting to make my crazy idea work end-to-end. I want to plug in my thumb drive, which has my private key. Then I can type in my username (or click on it from LXDM), and PAM will go off and read the thing. (May need to also hack around with getty or LXDM so it knows it doesn't need to prompt for a password.) From there, the login process should use my private key to cryptoloop mount my home directory. A failure with decryption would indicate that I'm not who I claim to be and fail out the login attempt. To make things seamless, it should then copy my private key or else use an fs overlay of some kind to place it in $HOME/.ssh. Then I want some kind of auth daemon not unlike gnupg pinentry to cache it. The browser can talk to that daemon to mediate key exchange with MyTwitFace, which has my public key. Wa-lah! Passwordless! The things I'd do if I weren't a lazy alcoholic!

    (I'm sure the devil's in the implementation details. Plus need an easy facility for key revocation and regeneration.)

    Not enough sci-fi woo I guess. People get too caught up in the idea that their body is their identity, and we wind up with crap like this. Yes, I know who you are when I see you. Probably. Am I sure you're not a pod person??? Good thing lizard people grow their own skins instead of skinning humans!

  • (Score: 3, Insightful) by Immerman (3985) on Friday September 30 2016, @06:44PM (#408490)

    Your USB key solution is vulnerable to having the key stolen, though you can improve that dramatically by storing the encryption key in a password-protected data vault to provide at least a degree of 2-factor authentication: something you have (key file) and something you know (encrypting password). As you point out though, that key file is still vulnerable while being used, especially on an untrusted system.

    For serious security, I'd picture replacing your USB key with a micro computer dongle that generates a public/private key pair and uploads the public key to an identity database under conditions that physically confirm your identity. The private key never leaves the dongle (ideally, physically *can't* do so) - it simply receives a challenge: "confirm you have the private key matching this public key" (say, by successfully decrypting a block of random "noise" data encrypted with your public key). The important part though is that the dongle itself must be secure - having the software on your phone would be convenient, but then you have to trust that none of the other software on your phone has compromised it.

    With just that much, validation pretty much 100% confirms that you have the physical dongle in your possession. The next step is to confirm that you're really *you*. Presumably that could be provided by entering a password, or something similar, on the dongle between challenge and response. Biometrics could be used instead, but are liable to increase the cost considerably, and really only protect against "accidental" dongle theft - anyone intentionally stealing your dongle can probably spoof your biometrics as well.

    Really, it seems to me the only role biometrics should serve is to replace things like drivers licenses, library cards, etc. They can provide fast, convenient identification in low-risk scenarios, but offer only minimal authentication value. At best good for a quick second layer of security to discourage casual thieves - a biometrically validated thumbprint rather than a signature when making a credit card purchase?
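The dongle challenge-response Immerman sketches, as an added Go example that is not part of this thread or of any product named in the story: it assumes a relying party that stores only the public key and an authenticator whose private key never leaves it, and has the dongle sign a fresh random challenge (the way the FIDO protocols do) rather than decrypt a block of noise. It also shows why the challenge must be single-use: a captured response is worthless once the challenge is retired.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Dongle holds a key pair generated on-device; priv is never exported.
type Dongle struct{ priv ed25519.PrivateKey }
func NewDongle() *Dongle {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy: refuse to mint a key
	}
	return &Dongle{priv: priv}
}
// Respond proves possession of priv by signing the server's challenge.
func (d *Dongle) Respond(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// RelyingParty (the server) stores only public keys, plus one live challenge per user.
type RelyingParty struct{ pubKeys map[string]ed25519.PublicKey; pending map[string][]byte }

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}
// Register copies only the public key out of the dongle.
func (rp *RelyingParty) Register(user string, d *Dongle) { rp.pubKeys[user] = d.priv.Public().(ed25519.PublicKey) }
// Challenge issues a fresh 32-byte nonce for one login attempt (nil if user unknown).
func (rp *RelyingParty) Challenge(user string) []byte {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending[user] = c
	return c
}

// Verify checks sig over the live challenge only, then retires that challenge
// (pass or fail) so a captured response cannot be replayed.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	want, live := rp.pending[user]
	if !ok || !live || string(want) != string(challenge) {
		return false
	}
	delete(rp.pending, user)
	return ed25519.Verify(pub, challenge, sig)
}
```

The "something you know" step Immerman adds (a PIN entered on the dongle before it signs) would gate Respond on the device side; the server-side logic above is unchanged by it.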