Dark Reading is part of the Informa Tech Division of Informa PLC

Comments
Passwords Be Gone! Removing 4 Barriers To Strong Authentication
macker490, User Rank: Ninja
7/25/2014 | 8:47:54 AM
biometrics - a bad idea from the start
on occasion systems are compromised and we need to change our passwords.

biometrics is just a means of creating a digital pattern -- that acts as a password. this, by digitizing your fingerprint, or iris scan -- voice -- what have you.

trouble is: you can't come up with a new one once yours is compromised.

this is fully evident to everyone, particularly security technicians. so why the push for biometrics? could be an effort to eliminate anonymity.

there are some bad actors on the net. anonymity is important to everyone.
JonNLakeland, User Rank: Strategist
7/25/2014 | 3:27:07 PM
Re: biometrics - a bad idea from the start
You can't change biometrics as *often* as some people change passwords, but that doesn't mean it can't be done. I'm certain I read another article either on InformationWeek or DarkReading that points out 1) Most people have ten fingers to choose from and 2) Who says it has to be only one fingerprint? What about a pattern of 5 fingerprints, that allows using the same finger more than once and both hands, or a system that allows you to scan more than one finger at a time? This week it's the middle and ring finger on your left hand scanned at the same time, and next week it's forefinger and thumb on your right hand in sequence...

It seems like a lot of the hatred for biometrics can be easily solved if you want it to be solved.
Marilyn Cohodas, User Rank: Strategist
7/25/2014 | 4:03:34 PM
Re: biometrics - a bad idea from the start
The article you are referring to, @JonNLakeland, is by David Kearns: "How The Math Of Biometric Authentication Adds Up." You pretty much got his point across. He also noted: "Most of us have ten fingers -- or eight fingers and two thumbs -- which is (for biometric purposes) the same thing. Changing from one to another is no more difficult than changing from one password to another."
JonNLakeland, User Rank: Strategist
7/25/2014 | 4:29:43 PM
Re: biometrics - a bad idea from the start
Thanks for the assist, Marilyn!
Marilyn Cohodas, User Rank: Strategist
7/25/2014 | 4:31:53 PM
Re: biometrics - a bad idea from the start
Happy to oblige!
HAnatomi, User Rank: Apprentice
7/26/2014 | 10:30:53 PM
What lies at the root of the problem?
2 is larger than 1 on paper, but in the real world two weak boys may well be far weaker than one toughened guy. A truly reliable 2-factor solution requires the use of the most reliable password.

Biometrics, whether static or behavioral, cannot displace passwords UNLESS it stops relying on a password for self-rescue against the false rejection while retaining the near-zero false acceptance. A dog which depends on a man cannot be an alternative to the man.

At the root of the password problem is the cognitive phenomenon called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
ArshadNoor, User Rank: Apprentice
7/28/2014 | 2:34:01 PM
Biometrics + Cryptographic Keys
What makes FIDO different is that it does NOT rely on biometrics to authenticate you to the web-site; the biometric authentication is (optionally) required to authenticate you to an authenticator that is local to you. The local authentication unlocks an ECDSA private-key that digitally signs a challenge sent by a FIDO server. So, the web-site actually sees only a signed challenge, with some meta-data that confirms this came from a certified FIDO authenticator. This is analogous to using a smartcard with a digital certificate to do SSL-ClientAuth - a far more robust authentication protocol than just biometric authentication. The biometric part of FIDO is purely for user-convenience when dealing with FIDO authenticators.

Take a look at this paper - Identity Protection Factor (http://middleware.internet2.edu/idtrust/2008/papers/01-noor-ipf.pdf); it describes the relative strengths of different types of authentication credentials; while biometrics by themselves might come in at level 3 or 4, FIDO would come in at level 6 or 7.

Arshad Noor
StrongAuth, Inc.

Note: Full disclosure: We are a FIDO Alliance member and are planning to release an open-source FIDO server in the next few weeks.
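The challenge-signing flow Arshad describes, sketched in Go as an added illustration; this is not code from the post, from StrongAuth or from any FIDO Alliance implementation. The relying party holds only an ECDSA public key and a set of single-use challenges, the biometric check is represented by a boolean that gates use of the private key, and the relying-party id is folded into the signed data; the names Enroll, Assert and Server and the "rpID|challenge" framing are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Server is the relying party: it stores only the registered public key and never sees a biometric.
type Server struct {
	RPID    string
	Pub     *ecdsa.PublicKey
	pending map[string]bool // outstanding challenges, each valid exactly once
}
// Enroll models registration: the key pair is born inside the (hypothetical) authenticator; only the public half reaches the server.
func Enroll(rpID string) (*ecdsa.PrivateKey, *Server, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return priv, &Server{RPID: rpID, Pub: &priv.PublicKey, pending: map[string]bool{}}, nil
}

// digest binds the relying-party id into what is signed, so an assertion for one site is useless at another.
func digest(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}
// Assert is the authenticator side: biometricMatch stands in for the sensor result; only a match unlocks the key.
func Assert(priv *ecdsa.PrivateKey, rpID string, challenge []byte, biometricMatch bool) ([]byte, error) {
	if !biometricMatch {
		return nil, errors.New("local user verification failed; key stays locked")
	}
	return ecdsa.SignASN1(rand.Reader, priv, digest(rpID, challenge))
}
// NewChallenge issues a fresh 32-byte nonce and records it as outstanding.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	s.pending[string(c)] = true
	return c, err
}
// Verify accepts an outstanding challenge with a valid signature and consumes it, so a captured assertion cannot be replayed.
func (s *Server) Verify(challenge, sig []byte) bool {
	ok := s.pending[string(challenge)]
	delete(s.pending, string(challenge))
	return ok && ecdsa.VerifyASN1(s.Pub, digest(s.RPID, challenge), sig)
}
```

A real FIDO server would additionally check the attestation metadata Arshad mentions and the authenticator's signature counter; neither is modelled here.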
Jeff Jerome, User Rank: Apprentice
7/30/2014 | 8:37:12 AM
Re: biometrics - a bad idea from the start
Great point about not being able to recreate authentication for your Biometrics. It's not like you can go out and get a new set of fingerprints, and like any other digitized technology it can be compromised and repurposed.
Marilyn Cohodas, User Rank: Strategist
7/30/2014 | 1:42:51 PM
Re: What lies at the root of the problem?
@HAnatomi, I'm not sure my visual memory is any better than my textual memory. I'd much prefer to rely on my thumbprint...
HAnatomi, User Rank: Apprentice
8/6/2014 | 10:28:35 PM
Re: What lies at the root of the problem?
You do not have to remember UNKNOWN pictures afresh, which is not easy for everyone, if not as difficult as remembering meaningless texts. You will only have to find KNOWN pictures. What you already remember is what you do not have to re-remember.