PaymentEye and EWeek report on the partnership of Lenovo, Intel, Synaptics and PayPal. Lenovo Yoga 910 laptop computers are fitted with Intel processors and Synaptics fingerprint readers. PayPal will allow sign-ins using the FIDO (fast identity online) protocols. With the so-called "biometric" system, people can be identified without the use of passwords and without sending their fingerprint data over the Internet.
Further information:
This discussion has been archived.
No new comments can be posted.
Lenovo, Intel, PayPal and Synaptics Team up on Password-Free Authentication
|
Log In/Create an Account
| Top
| 26 comments
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(Score: 5, Informative) by letssee on Friday September 30 2016, @09:46AM
Ah, wonderful. The old 'fingerprint is password' idea. Which is a horrible idea. Fingerprint as username is ok-ish. But as password, not so much. Fingerprint readers are easily fooled. And an unchangeable password is a bad idea to begin with.
(Score: 0) by Anonymous Coward on Friday September 30 2016, @09:56AM
Well, they didn't say that it's biometrics as a password, they sad it's password-free authentication. So basically, it's logging in with just your username (which happens to include your fingerprint). Also note that it speaks about identifying people. You don't identify with your password, you identify with your user name. You confirm your identity with your password. Password-free authentication means that you don't need to confirm your identity; the identity data you provide is taken as unconditionally trustworthy.
So just from taking the words as written, you can determine it's a bad idea, even if you know nothing at all about biometrics.
(Score: 0) by Anonymous Coward on Friday September 30 2016, @10:03AM
Voiceprint authentication is a great idea!
Computer, recognise Picard, Jean-Luc. Alpha Two clearance.
(Score: 2) by Gaaark on Friday September 30 2016, @01:00PM
"Tea, Earl Grey, hot, half car, machiatto, latte, vente grande, double double, 6 packMad Tom IPA, NSA,"
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by Gaaark on Friday September 30 2016, @01:01PM
Half-caf..... damn auto correct.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by KilroySmith on Friday September 30 2016, @05:19PM
Do you have any experience with current fingerprint sensors? Have you actually tried to fool one?
I have, and I have. Things have changed drastically since Mythbusters did their thing.
(Score: 0) by Anonymous Coward on Friday September 30 2016, @10:02AM
Since they say the fingerprint data never leaves the client, I wonder if you could write a FIDO client that is indistinguishable from standard clients by the server, but actually uses a password for authentication.
(Score: 2) by ledow on Friday September 30 2016, @10:06AM
The fingerprint data never does.
But data generated from it does.
All that means is that it's still as secure as your fingerprint (i.e. as secure as a password you scrawl on every surface you've ever touched), but can be faked without your fingerprint needing to be present if you machine is ever hacked.
Well done!
(Score: 2) by KilroySmith on Friday September 30 2016, @05:25PM
No, data from the fingerprint never leaves the secure environment within the local machine. In fact, in the Lenovo solution, it's likely that no information from the fingerprint ever even leaves the fingerprint sensor.
FIDO implementations are normally a challenge-response directly to a secure environment - within the fingerprint sensor, or within a TEE or similar environment in the PC. The PC says "Joe just authenticated", the remote host sends back a cookie and says "Prove it!", and the secure environment encrypts the result and the cookie with a key known only to the host and the secure environment and sends it back.
No features of the fingerprint go anywhere.
(Score: 4, Insightful) by ledow on Friday September 30 2016, @10:04AM
You'd think that big-name companies like that would have at least one guy somewhere who says "You're all being stupid. Please stop." and then explain the situation to them.
Password-less login is like a door without a lock. Just finding the door lets you open it, whoever you are, whatever purpose you have, whatever time of day it is.
The whole point of biometrics is STUPENDOUSLY MISUNDERSTOOD and you'd expect companies with finger-print readers on their laptops, or dealing with credit-cad data to understand that. Apparently not.
Biometrics are an identifier. They say "This guy looks like User 1". At no point do they confirm that. At no point can you CHANGE that association. At any point they can be fooled by bits of printed paper, Gummi bears or just plain hacking of their interfaces.
Biometrics are literally things you leave ON EVERY SURFACE YOU TOUCH. It's like stamping your password on your thumb with ink that transfers to every surface.
If you wouldn't walk around town making impressions of your primary password on the walls, handrails, car doors, etc. throughout your life, why would you trust a fingerprint scanner to authorise a transaction?
(Score: 0) by Anonymous Coward on Friday September 30 2016, @10:08AM
You'd think that big-name companies like that would have at least one guy somewhere who says "You're all being stupid. Please stop." and then explain the situation to them.
We fired that guy. He moved back into his mother's basement where he shitposts on forums all day.
(Score: 0) by Anonymous Coward on Friday September 30 2016, @10:20AM
I guarantee you they do.
Problem is, that guy is too smart to be a manager.
(Score: 5, Insightful) by Justin Case on Friday September 30 2016, @12:18PM
You'd think that big-name companies like that would have at least one guy somewhere who says "You're all being stupid."
I have yet to find any boss who will pay me for pointing out stupidity. If I could, I'd be richer than Trump and I'm sure most of us could say the same.
Face it. Nobody wants to hear the truth, just like nobody wants to do what should be done. They want to look good, and be told they look good. Hence we have a world full of crap.
(Score: 2) by KilroySmith on Friday September 30 2016, @05:30PM
Sigh.
You have a stupendously poor understanding of modern secure fingerprint sensors. You do realize that each one has a unique RSA-2048 key, sets up a TLS 1.2 session with the host using AES-256 and SHA-256? And that creating fingerprint spoofs which fool one of them is far harder than it was when Matumoto showed the Gummi Bear attack?
Don't confuse jelly-bean fingerprint sensors with secure fingerprint sensors.
(Score: 3, Insightful) by termigator on Friday September 30 2016, @07:55PM
I fail to see how all the cryptography you mentioned is relevant to the task of the biometric reader. All that you mention is what goes on after you read the biometric input data, which is before cryptography is involved.
With biometrics alone, it will make it easier for me to break in someone's device. Wait for them to fall asleep (or drug them), use their finger to unlock/login into device, and enjoy. I can see law enforcement doing this with suspects to access their devices without a warrant.
As been said, biometrics alone should not be used for authentication. You need a revocation mechanism, and that is very difficult to do with biometrics.
(Score: 2) by KilroySmith on Friday September 30 2016, @10:41PM
The cryptography references were about ledow's comment of " just plain hacking of their interfaces." That ain't gonna happen on a secure fingerprint sensor.
As far as authentication, your example of "Wait for them to fall asleep (or drug them), use their finger to unlock/login into device" isn't an authentication failure - the system correctly identified and authenticated the user. The matter of the user's desire to be authenticated is a completely separate issue.
Revocation is properly done at the relying system. For example, if I am fired from my job, my employer will revoke my access (whether provided by a fingerprint or a password or a smart card, or a combination of all three) at the enterprise level, and push it down to the laptop in my possession the next time it connects. If I wish, I can request to revoke my previous credentials by changing my password - but recognize that's only a request; if the relying system is designed badly, or designed to access your data without your participation (any employer's systems, most internet services, etc), there is a patina of user-directed revocation which is partially meaningless - you can prevent an attacker who picked up the post-it note that you wrote your password on from accessing your data by changing your password, but you can't stop the systems and people who control access to your data from accessing it.
The kinds of attackers that you describe, people who are willing to drug me and use my fingerprint, are more than willing to apply the XKCD538 decryption algorithm ( https://xkcd.com/538/ [xkcd.com] ). Your super-secret password, fingerprint, smart card, iris scanner, etc aren't going to help you much there.
The authentication provided by a properly implemented fingerprint system isn't absolute. It is pretty danged good, though. It guarantees that a human is in possession of, and interacting with, "something you have" - i.e. the phone or laptop that the fingerprint sensor is installed in. Your fingerprint is only registered at that device (except in enterprise-level systems like Disneyworld), and only that device can authenticate you. A random bit of malware on your system can't buy something from Amazon, or log into your corporate VPN, using your fingerprint credentials without your (perhaps improvidentially provided) cooperation. This "something you have" guarantee prevents scalable attacks that can break every networked Windows or Linux system, or every security camera - the attack can only be against the specific device you have.
The fingerprint system also provides a moderately strong guarantee of "something you are" - it is possible to build a spoof of your fingerprint, but it's far harder on a modern fingerprint sensor than most of the YouTube videos suggest. Attacks at this level require physical access to the device - your laptop or cellphone, the "something you have" - as well as both a good image of your fingerprint, and a good spoof made from it. A spoof attack on the fingerprint sensor might allow someone access to your device or account without your knowledge - but if a policeman or the FBI doesn't care that you know your device or account are being accessed, the XKCD538 decryption is just as easy. A good fingerprint system would, firstly, reject almost all spoof attempts (modern systems reject 95%+ of good spoof attempts), and secondly, stop accepting fingerprint attempts after a small number of failures (5 in the case of the Samsung Galaxy S7).
A secure fingerprint system would allow you to require a third factor - such as a super-duper password - before allowing access. If you're carrying state secrets (or child porn) on a laptop through national borders, you might wish to do this. It won't help you in backwards countries such as the United Kingdom (https://en.wikipedia.org/wiki/Key_disclosure_law) which applies XKCD538 by throwing you in jail for not decrypting such secrets, but it might help in certain countries where either of your mind or your fingerprints might be viewed as something law enforcement isn't allowed to use without your permission.
So, a well-designed fingerprint-authentication system protects you against just about all attacks, except personally targeted attacks where either the system (if no password is required), or the system and the targeted person, are in the custody of the attacker. And in that case, you are F****d anyway you look at it.
(Score: 0) by Anonymous Coward on Friday September 30 2016, @06:56PM
In most cases a bigger more important problem is users can't use their own accounts. They forget their usernames, passwords, email addresses, lose their phones, phone numbers, etc.
That's why companies keep coming up with more and more easy and cheap ways for users to break into their own accounts ;). "Security Answer", "Mothers Maiden Name", "Helpful Out-Sourced Support Team Who Will Hand Over An Account If You Ask Convincingly Enough"[1]
That it makes it easier for others to break into the accounts is a problem, but so far I think the big name companies believe that it's worse for a million users to not be able to get into their own accounts than a hacker getting a million users accounts. Perhaps the latter is paid for by insurance and the users themselves.
From what I understand it's public key crypto and the biometric is used to convince the local physical device to unlock the relevant private key. The private key is then used to convince the remote party.
So that means the hacker will call Support, using an appropriately forged caller ID, playing a recording of a crying baby in the background and say that Madam Hacker really needs to buy stuff ASAP but Madam Hacker's fingerprint doesn't seem to be working today and isn't this Fancy Fingerprint stuff supposed to work like magic? Support finds out that "the lovely husband recently bought a new laptop and phone for Madam Hacker and took the old ones", so Support will register Madam Hacker's new devices. Voila...
Yeah in theory Support shouldn't do that. But which case is Support more likely to encounter? How many one star ratings or failed SLAs does Support get for giving a hacker access vs not helping a user break into his own account?
[1] http://www.techinsider.io/hacker-social-engineer-2016-2 [techinsider.io] which is why in many cases I have given up bothering with strong passwords. Why bother if Support will just hand it over, or it's far more likely that the organization will get hacked first.
(Score: 2) by Hyperturtle on Saturday October 01 2016, @11:45PM
I want to know who is coming up with these ideas and why do people just accept it. I guess I don't know how to refuse the changes, aside from not participating... but this crap is getting stupid, and its all in pursuit of our money.
The other day I read about a new standard, that even Tim Berners-Lee was involved with, to make "1-click" purchasing a standard experience across e-commerce sites.
Apparently, this is in great demand, because people put stuff in their shopping cart... and don't check out. This greatly frustrates online stores, because damn you, you put item names in your cart are you so stupid you didn't buy it?
If you are like me, you add them to the cart so that you get the total added up, the tax added in, the shipping calculated, and you get the final price... and decide not to buy. (I dont add things to wish lists, because that just invites ads, based on what I've seen happen to friends and family memebrs. I only seem to get ads on stuff I already purchased, but it may be because my paranoid online behaviors)
This is not something they admit is a concern--people actually wanting to do math without making a permanent list, or having to carefully tally up the values outside of the same browser window they already have open.
f you leave the window open on Amazon and have some marketplace items in it, or ebay or newegg, you will see the costs may change for the worse, to encourage you to BUY NOW SUPPLY RUNNING OUT, sometimes dramatically--yet if you go back to the site in a different browser... the price may be cheaper than what your 'cart' got updated to. I have seen this happen numerous times. To the extent that I will research in one browser and buy in another; I've saved hundreds of dollars this way on amazon, and to a lesser extent on the other ecommerce sites that play that game... )
Seeing this, waiting, pondering about costs... all bad. Instead, the concern is based on the presumed reality that revealing these details is too difficult, typing in a credit card is too hard, so many digits, fumbling for the wallet -- by the time you get going the mood has left you and you'd rather do something else. Better to make it easier to automatically link impulsive buying directly to your credit or checking account... like via a simple biometric check, as this article discusses.
Most of these advances don't seem to be very consumer friendly, but sure make it easy to lose money and fast, all for your benefit! DON'T THINK JUST SWIPE. I guess that is why in the US, consumer behavior powers 2/3rds of the economy... if people act to save money, other people lose jobs... (sounds to me like we should be less consumer focused, but then since we outsourced so much, and that purchased can't be, there isn't much else to focus on rightsizing and still having a consumer populace left to rely on to spend...)
And remember -- its not their fault you stupidly let your permanent biomarker get digitally reproduced on some vulnerable phone OS. They'll still get their money. If wells fargo could open bank accounts for people without even needing the people involved, I am sure copied biometrics can be used for similar purposes down the road as a means of validity, too. Dishonest people won't have a problem doing fraudulent things with your biometric data... your unique identifier, once digitally copied, is going to be valid at any place that needs it, and unfortunately it cannot be changed or expired like a password. As a result I think I will try to stick to using a complex passphrase, even if my brain hurts trying to keep myself secure. that or I just wont use their stupid new system until its the only system allowed.
(Score: 0) by Anonymous Coward on Friday September 30 2016, @10:07AM
A machete is very effective for stealing biometric passwords.
Some people think that a fingerprint reader that checks for a pulse will defend against that. Ok, if you are a BOFH, it will. However, if you are the person formerly having ten fingers, you do not want the person with the machete to be told that he has the wrong finger".
It's going to take exactly ten tries to convince him that he really didn't just cut off the wrong finger.
(Score: 2) by q.kontinuum on Friday September 30 2016, @11:11AM
Eleven, if he has a dirty imagination.
Registered IRC nick on chat.soylentnews.org: qkontinuum
(Score: 0) by Anonymous Coward on Friday September 30 2016, @01:28PM
Diabetic with bio readers in office. They fail 9 out of 10 times. Finally they were thrown out and no need to buy. $10 RFID badges Laptop with bio reader - disabled, complains daily about turning it on.
Fingers swell and dyhidate constantly changing the shape and spacing of finger prints and other bio tricks
(Score: 2, Interesting) by kurenai.tsubasa on Friday September 30 2016, @01:44PM
For that matter, I've never met a fingerprint reader that can consistently read mine. Plus I'm not certain how to revoke my fingerprint more than 9 times. Standard complaints, etc. And don't get the idea you're going to scan my eyeballs! I can only revoke that once!
Why can't we just get some standard feature to read a private key from a thumb drive I can carry around on my keychain and go from there? Seriously guise, this is a solved problem. I don't need a password when I log on to my cloud! At least from my desktop (don't trust any of my other devices with my private key).
I've been too lazy to get around to actually screw around with PAM and cryptoloop mounting to make my crazy idea work end-to-end. I want to plug in my thumb drive, which has my private key. Then I can type in my username (or click on it from LXDM), and PAM will go off and read the thing. (May need to also hack around with getty or LXDM so it knows it doesn't need to prompt for a password.) From there, the login process should use my private key to cryptoloop mount my home directory. A failure with decryption would indicate that I'm not who I claim to be and fail out the login attempt. To make things seamless, it should then copy my private key or else use an fs overlay of some kind to place it in $HOME/.ssh. Then I want some kind of auth daemon not unlike gnupg pinentry to cache it. The browser can talk to that daemon to mediate key exchange with MyTwitFace, which has my public key. Wa-lah! Passwordless! The things I'd do if I weren't a lazy alcoholic!
(I'm sure the devil's in the implementation details. Plus need an easy facility for key revocation and regeneration.)
Not enough sci-fi woo I guess. People get too caught up in the idea that their body is their identity, and we wind up with crap like this. Yes, I know who you are when I see you. Probably. Am I sure you're not a pod person??? Good thing lizard people grow their own skins instead of skinning humans!
(Score: 3, Insightful) by Immerman on Friday September 30 2016, @06:44PM
Your USB key solution is vulnerable to having the key stolen, though you can improve that dramatically by storing the encryption key in a password-protected data vault to provide at least a degree of 2-factor authentication: something you have (key file) and something you know (encrypting password). As you point out though, that key file is still vulnerable while being used, especially on an untrusted system.
For serious security, I'd picture replacing your USB key with a micro computer dongle that generates a public/private key pair and uploads the public key to an identity database under conditions that physically confirm your identity. The private key never leaves the dongle (ideally, physically *can't* do so) - it simply receives a challenge: "confirm you have the private key matching this public key" (say, by successfully decrypting a block of random "noise" data encrypted with your public key). The important part though is that the dongle itself must be secure - having the software on your phone would be convenient, but then you have to trust that none of the other software on your phone has compromised it.
With just that much, validation pretty much 100% confirms that you have the physical dongle in your possession. The next step is to confirm that you're really *you*. Presumably that could be provided by entering a password, or something similar, on the dongle between challenge and response. Biometrics could be used instead, but are liable to increases the cost considerably, and really only protects against "accidental" dongle theft - anyone intentionally stealing your dongle can probably spoof your biometrics as well
Really, it seems to me the only role biometrics should serve is to replace things like drivers licenses, library cards, etc. They can provide fast, convenient identification in low-risk scenarios, but offer only minimal authentication value. At best good for a quick second layer of security to discourage causal thieves - a bio-metrically validated thumbprint rather than a signature when making a credit card purchase?
(Score: 1, Insightful) by Anonymous Coward on Friday September 30 2016, @03:02PM
why are "we" giving free links to lenovo, intel and paypal? none of them deserve it. lenovo is shilling(or actively working for) for microsoft with this yoga raid driver bullshit and still uses other outrageous tactics to like bios/uefi whitelists for wwan modems. Intel should have made a driver for Gnu+linux for this fake raid lenovo is using on it's yoga laptop from the beginning. Paypal spams clients and tries to steal them from you while data mining for the degenerates at the IRS. They are vile scum. Everyone has to decide where to draw the line on their own but i don't think we should be actively shilling for them! and who gives a shit about new insecure auth methods to make it easier for idiots to log in anyways?
(Score: 4, Insightful) by opinionated_science on Friday September 30 2016, @04:13PM
So the police/govt can compel your fingerprint but not your password.
I think that killed biometrics quite effectively (for me!) ...
(Score: 1) by Chrontius on Saturday October 01 2016, @03:51AM
The main specification document, for your perusal and edification [fidoalliance.org]
The ovierview in case TL;DR happens [fidoalliance.org]
I’ve read all the comments, and it’s clear that nobody’s familiar with the cryptosystem in question, or the architecture surrounding it. I haven’t either, but I did familiarize myself with FIDO U2F to this level before trusting my Yubikey for anything. Fido UAF is the second generation version, designed to provide strong authentication without the need for passwords. Some of you may say that’s fundamentally impossible, but … look at how easy it is to crack accounts by running down the most common 50,000 list.