SoylentNews is people

posted by martyb on Friday September 30 2016, @09:39AM
from the biometrics!=password dept.

PaymentEye and EWeek report on the partnership of Lenovo, Intel, Synaptics and PayPal. Lenovo Yoga 910 laptop computers are fitted with Intel processors and Synaptics fingerprint readers. PayPal will allow sign-ins using the FIDO (Fast IDentity Online) protocols. With the so-called "biometric" system, people can be identified without the use of passwords and without sending their fingerprint data over the Internet.

This discussion has been archived. No new comments can be posted.
  • (Score: 2) by KilroySmith (2113) on Friday September 30 2016, @05:30PM (#408453)

    Sigh.

    At any point they can be fooled by bits of printed paper, Gummi bears or just plain hacking of their interfaces

    You have a stupendously poor understanding of modern secure fingerprint sensors. You do realize that each one has a unique RSA-2048 key, sets up a TLS 1.2 session with the host using AES-256 and SHA-256? And that creating fingerprint spoofs which fool one of them is far harder than it was when Matsumoto showed the Gummi Bear attack?

    Don't confuse jelly-bean fingerprint sensors with secure fingerprint sensors.

  • (Score: 3, Insightful) by termigator (4271) on Friday September 30 2016, @07:55PM (#408521)

    I fail to see how all the cryptography you mentioned is relevant to the task of the biometric reader. All that you mention is what goes on after you read the biometric input data, which is before cryptography is involved.

    With biometrics alone, it will make it easier for me to break into someone's device. Wait for them to fall asleep (or drug them), use their finger to unlock/login into device, and enjoy. I can see law enforcement doing this with suspects to access their devices without a warrant.

    As has been said, biometrics alone should not be used for authentication. You need a revocation mechanism, and that is very difficult to do with biometrics.

    • (Score: 2) by KilroySmith (2113) on Friday September 30 2016, @10:41PM (#408570)

      The cryptography references were about ledow's comment of "just plain hacking of their interfaces." That ain't gonna happen on a secure fingerprint sensor.

      As far as authentication, your example of "Wait for them to fall asleep (or drug them), use their finger to unlock/login into device" isn't an authentication failure - the system correctly identified and authenticated the user. The matter of the user's desire to be authenticated is a completely separate issue.

      Revocation is properly done at the relying system. For example, if I am fired from my job, my employer will revoke my access (whether provided by a fingerprint or a password or a smart card, or a combination of all three) at the enterprise level, and push it down to the laptop in my possession the next time it connects. If I wish, I can request to revoke my previous credentials by changing my password - but recognize that's only a request; if the relying system is designed badly, or designed to access your data without your participation (any employer's systems, most internet services, etc), there is a patina of user-directed revocation which is partially meaningless - you can prevent an attacker who picked up the post-it note that you wrote your password on from accessing your data by changing your password, but you can't stop the systems and people who control access to your data from accessing it.

      The kinds of attackers that you describe, people who are willing to drug me and use my fingerprint, are more than willing to apply the XKCD538 decryption algorithm (https://xkcd.com/538/). Your super-secret password, fingerprint, smart card, iris scanner, etc aren't going to help you much there.

      The authentication provided by a properly implemented fingerprint system isn't absolute. It is pretty danged good, though. It guarantees that a human is in possession of, and interacting with, "something you have" - i.e. the phone or laptop that the fingerprint sensor is installed in. Your fingerprint is only registered at that device (except in enterprise-level systems like Disneyworld), and only that device can authenticate you. A random bit of malware on your system can't buy something from Amazon, or log into your corporate VPN, using your fingerprint credentials without your (perhaps improvidently provided) cooperation. This "something you have" guarantee prevents scalable attacks that can break every networked Windows or Linux system, or every security camera - the attack can only be against the specific device you have.

      The fingerprint system also provides a moderately strong guarantee of "something you are" - it is possible to build a spoof of your fingerprint, but it's far harder on a modern fingerprint sensor than most of the YouTube videos suggest. Attacks at this level require physical access to the device - your laptop or cellphone, the "something you have" - as well as both a good image of your fingerprint, and a good spoof made from it. A spoof attack on the fingerprint sensor might allow someone access to your device or account without your knowledge - but if a policeman or the FBI doesn't care that you know your device or account are being accessed, the XKCD538 decryption is just as easy. A good fingerprint system would, firstly, reject almost all spoof attempts (modern systems reject 95%+ of good spoof attempts), and secondly, stop accepting fingerprint attempts after a small number of failures (5 in the case of the Samsung Galaxy S7).

      A secure fingerprint system would allow you to require a third factor - such as a super-duper password - before allowing access. If you're carrying state secrets (or child porn) on a laptop through national borders, you might wish to do this. It won't help you in backwards countries such as the United Kingdom (https://en.wikipedia.org/wiki/Key_disclosure_law) which applies XKCD538 by throwing you in jail for not decrypting such secrets, but it might help in certain countries where either your mind or your fingerprints might be viewed as something law enforcement isn't allowed to use without your permission.

      So, a well-designed fingerprint-authentication system protects you against just about all attacks, except personally targeted attacks where either the system (if no password is required), or the system and the targeted person, are in the custody of the attacker. And in that case, you are F****d any way you look at it.
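
The model described in the story and in the comment above (fingerprint matched on the device, a device-bound key answering the service's challenge, revocation at the relying party, lockout after repeated failures), as an added example that is not part of the thread and not FIDO's or any vendor's code. The class and method names are hypothetical, string equality stands in for real fuzzy template matching, and Ed25519 is used only because it is built into Node.

```javascript
// Added illustration; class and method names are hypothetical, not a FIDO API.
const nodeCrypto = require("crypto");
const MAX_FAILURES = 5; // lockout threshold the comment cites for the Galaxy S7

// Authenticator (the laptop or phone): key and template never leave it.
class Authenticator {
  #privateKey; #template; #failures = 0;
  constructor(template) {
    const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync("ed25519");
    this.#privateKey = privateKey;
    this.publicKey = publicKey; // the only thing registered with the relying party
    this.#template = template;  // stand-in for an enrolled fingerprint template
  }
  // Signs the challenge only after a local match; returns null otherwise.
  sign(challenge, presented) {
    if (this.#failures >= MAX_FAILURES) return null; // locked out
    if (presented !== this.#template) { this.#failures++; return null; }
    this.#failures = 0;
    return nodeCrypto.sign(null, challenge, this.#privateKey);
  }
}

// Relying party: stores public keys, issues challenges, owns revocation.
class RelyingParty {
  #keys = new Map(); #pending = new Map();
  register(user, publicKey) { this.#keys.set(user, publicKey); }
  revoke(user) { this.#keys.delete(user); }
  challenge(user) {
    const c = nodeCrypto.randomBytes(32);
    this.#pending.set(user, c);
    return c;
  }
  verify(user, signature) {
    const key = this.#keys.get(user), c = this.#pending.get(user);
    this.#pending.delete(user); // one use per challenge, so no replay
    if (!key || !c || !signature) return false;
    return nodeCrypto.verify(null, c, key, signature);
  }
}

// Constructed sample run: genuine finger, spoof, then server-side revocation.
function demo() {
  const device = new Authenticator("alice-template");
  const rp = new RelyingParty();
  rp.register("alice", device.publicKey);
  const login = (finger) => rp.verify("alice", device.sign(rp.challenge("alice"), finger));
  const genuine = login("alice-template"), spoof = login("gummy-copy");
  rp.revoke("alice");
  return { genuine, spoof, afterRevoke: login("alice-template") };
}
```

The relying party only ever holds a public key, so revoking access means deleting that key on the server; the fingerprint itself is never what gets revoked.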