SoylentNews is people

posted by martyb on Friday September 30 2016, @09:39AM
from the biometrics!=password dept.

PaymentEye and EWeek report on the partnership of Lenovo, Intel, Synaptics and PayPal. Lenovo Yoga 910 laptop computers are fitted with Intel processors and Synaptics fingerprint readers. PayPal will allow sign-ins using the FIDO (fast identity online) protocols. With the so-called "biometric" system, people can be identified without the use of passwords and without sending their fingerprint data over the Internet.

  • (Score: 0) by Anonymous Coward on Friday September 30 2016, @06:56PM (#408500)

    In most cases a bigger more important problem is users can't use their own accounts. They forget their usernames, passwords, email addresses, lose their phones, phone numbers, etc.

    That's why companies keep coming up with more and more easy and cheap ways for users to break into their own accounts ;). "Security Answer", "Mother's Maiden Name", "Helpful Out-Sourced Support Team Who Will Hand Over An Account If You Ask Convincingly Enough"[1]

    That it makes it easier for others to break into the accounts is a problem, but so far I think the big name companies believe that it's worse for a million users to not be able to get into their own accounts than a hacker getting a million users' accounts. Perhaps the latter is paid for by insurance and the users themselves.

    From what I understand it's public key crypto and the biometric is used to convince the local physical device to unlock the relevant private key. The private key is then used to convince the remote party.

    So that means the hacker will call Support, using an appropriately forged caller ID, playing a recording of a crying baby in the background and say that Madam Hacker really needs to buy stuff ASAP but Madam Hacker's fingerprint doesn't seem to be working today and isn't this Fancy Fingerprint stuff supposed to work like magic? Support finds out that "the lovely husband recently bought a new laptop and phone for Madam Hacker and took the old ones", so Support will register Madam Hacker's new devices. Voila...

    Yeah, in theory Support shouldn't do that. But which case is Support more likely to encounter? How many one star ratings or failed SLAs does Support get for giving a hacker access vs not helping a user break into his own account?

    [1] http://www.techinsider.io/hacker-social-engineer-2016-2 which is why in many cases I have given up bothering with strong passwords. Why bother if Support will just hand it over, or it's far more likely that the organization will get hacked first.