Tag Archive for Biometrics

| March 3, 2015
Comments Off on New Authentication ‘Fingerprints’ How You Move

New Authentication ‘Fingerprints’ How You Move

New Authentication 'Fingerprints' How You MoveWe all know that passwords are hideous things. They take up to much time and are not that effective. In fact, Gartner (IT) says that password resets represent 30% of help desk calls. Readers of Bach Seat know that the most common hacked passwords change very little from year to year.

remembering effective passwords is difficultGenerating and remembering effective passwords is difficult and unnatural. A lot of us are awful at it and there’s almost no improvement in the list of most common passwords from year to year (as I most recently covered here). Meanwhile, computers improve their ability to crack passwords by brute force and cunning every year.

So where there is chaos this is profit. A new area of research is to replace passwords with a users’ behavior. Mark Stockley at Sophos’ Naked Security blog, reports that researchers at West Point are working to get rid of passwords. The Cadets are working to produce a new identity verification system based on users’ behavior, described as a next-generation biometric capability. The research is being developed as part the active authentication program run by DARPA.

Thnext generation biometric capabilitye article explains that authentication has traditionally relied on users producing one or more of the following: something you know (such as a password or PIN), something you have (such as a number from an RSA key) or something you are (such as your fingerprints or face.) The technology that West Point is working on called, behavior-based biometrics, adds another factor to the mix: something you do.

According to DARPA the first phase of the active authentication program will focus on biometrics that can be captured through existing technology, such as analyzing how the user handles a mouse or how they craft the language in an email. The contract document, reported by Yahoo Finance, describes the technology as a “cognitive fingerprint.”

cognitive fingerprint…when you interact with technology you do so in a pattern based on how your mind processes information, leaving behind a ‘cognitive fingerprint’

Cognitive fingerprints will offer significant advantages over existing forms of authentication. According to Sophos, the new technology has several advantages over passwords because they do not:

  • Require specialized hardware required by biometrics and
  • Rely on users remembering strong passwords, something humans are naturally bad at.

authenticate usersCognitive fingerprints should also give systems the ability to authenticate users continuously, keeping people logged in so long as they’re present and then logging them out as soon as they leave.

Nancy Gohring at FierceITSecurity recently wrote about a similar approach to user behavior authentication. Alohar Mobile, now owned by Alibaba, has figured out a way to use the sensors in mobile phones to create a profile of the unique way that you walk, using that “fingerprint” for authentication. Sam Liang, Alohar’s founder, and CEO has claimed, “We have a system that allows the payment system to use the location tracking and the motion sensor to authenticate and detect fraud.”

Alohar logoAccording to Ms. Gohring, Alohar’s patent describes a host of unique biometric pattern patterns the firm can collect from the phone’s accelerometer and gyroscope to identify the person using the phone. They include:

  • The speed/cadence/pace at which the mobile user normally walks
  • The ‘bounce’ of the mobile device in a person’s pocket, bag or purse as they walk or run
  • The motion pattern when a person reaches for their mobile device in a pocket
  • How the user moves the device to their ear
  • Even the angle they hold the mobile device.

collecting data about a user's movementsAfter collecting data about a user’s movements, the system would create a profile of the user. When the person tries to use the phone to buy something in a store, the system would compare the user’s profile against the recent movements of the person using the phone, making sure they match. If they don’t, the retailer can ask the user for other forms of identification. The system could work similarly for e-commerce transactions.

The patent describes other uses for the profiling system beyond authentication. The article claims the inventor describes a scenario where if a user often goes to an elementary school or a daycare center, the service could send targeted advertising or information about kid-related events to the user.

collect even more dataIn the future, Mr. Liang hopes to be able to collect even more data from more kinds of devices, like fitness trackers and health monitors. He told FierceITSecurity, “In the future, the phone will be able to tell, are you happy or depressed based on the way you walk, the speed you move around, the way you swing the phone,” he predicted.

rb-

Biometrics has been waiting in the wings as the Next Big Thing in authentication for years. Transparent, behavior-based biometrics like those being developed by Alohar and West Point could give the nudge that’s needed to push biometrics into the mainstream, but Sophos’ Stokely argues there are two major obstacles to the widespread adoption of biometrics.

  • You can’t change your biometrics – How do you change yourself if your biometric password is compromised?
  • For all the frustration that comes with remembering (and forgetting) our passwords, we know and feel, tangibly, that they’re under our control.

Behavior-based biometrics will happen invisibly, while convenient but it will require us to be comfortable ceding that feeling of control too, says Mr. Stockley.

Behavior-based biometrics will draw the ire of privacy advocates for its invisible, seamless identification and roots in the military, as it may allow for wider monitoring of society.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , ,
| August 19, 2014
Comments Off on Password Free Future

Password Free Future

Password Free FutureLet’s just admit it, passwords suck, people don’t use good passwords. Password breaches seem to be the new normal. This new normal is forcing firms to find new ways of verifying their users and securing their data. Now, security firm Trustwave says traditional password policies are useless.

According to an articleLonger passwords are more secure at Infosecurity Magazine the Chicago-based firm says mixing upper and lower case letters, numbers and special characters don’t make passwords any harder for hackers to crack, only increasing the number of characters makes passwords more secure. Will we end up with 1,024 character secure passwords. I say let’s ditch passwords altogether.

Business Insider - The Worst Company Data Breaches Ever

What else can we use to secure our IDs? John Hawes at Sophos Naked Security Blog recently bemoaned the state of the clunky, fiddly, and mostly rather insecure passwords we use for almost all of our authentication needs. He says we may not be stuck with passwords forever. He offers some future options.

You are the proof

Password dogFacial Recognition – The author cites Australian researchers who have been promoting facial recognition as a means of authentication. This idea seems obvious, faces are the main way people identify each other in the real world, so it makes sense to have computers recognize our faces, or at least bits of our faces. The Sophos article says the approach has become common of late, with PC login systems and mobile apps trying to use our faces to authenticate us to various things. There is even a Finnish company that plans to use faces in place of credit cards.

The anti-malware firm says facial recognition systems have proven less than perfect, either easily fooled by photos, similar-looking people, or technical tricks, or failing to authenticate real users thanks to bad hair days or bad moods affecting how we look.

Passwords are like pantsMr. Hawes says University of Queensland researchers are trying to improve the accuracy and security of facial recognition. The Aussies are working to be able to get facial recognition to work from a single initial still image and from different angles and different lighting conditions, which sounds like a must for any decent recognition system.

The good thing about face recognition, the author says is that it’s relatively low-tech, using a standard part (the rear-facing camera) of most of the devices we use. The software looks for patterns on the human face, such as distance between eyes, to identify people. But the researchers expect it will take more time to have a fool-proof working prototype.

Facial recognitionCNN points out that security is great for consumers, but it’s not the primary goal of most facial recognition tools. Law enforcement and spies are building databases (PDF) to take advantage of recent advancements in facial recognition. Identifying one person using their trail of selfies left online and in surveillance footage from stores could be a huge business. Some stores already use facial recognition to build profiles on repeat customers and collect data about how they shop.

Facebook (FB) recently bragged that its own facial recognition project named DeepFace was almost as accurate at detecting people as the human brain. More recently, it also claimed to be able to recognize faces from the side as well as the front.

Ears as a passwordEars – CNN reports that with the right software, a phone can detect the shape of a human ear and use it to log in. That’s the idea behind the Ergo Android app by Descartes Biometrics. When an ear is pressed against the screen, the points where it makes contact with the glass are mapped out and compared to a stored ear print. If it matches, the user is authenticated. The app is adjustable and can require multiple scans for the highest levels of security.

For now, it’s limited to unlocking a phone. But CNN claims ear prints could be used to identify people for any number of uses on the phone, such as making purchases in app stores or signing into services.

WalkingCNN says that if you’ve ever identified someone by how listening to how they walk down the hall, you’ve already seen the power of gait recognition. For 30 years, researchers have tinkered with gait-recognition technology but the recent boom in inexpensive motion sensors like accelerometers and gyros have given new life to the field. CNN reports that with the right software and sensors, they should be able to analyze a person’s walk. A wearable fitness device or smartphone can act as a password to authorize users.

The benefit of gait recognition is that it can gather the necessary information in the background while people go about their normal routines. There’s no need for the subject to touch their device or look into a camera.

Things you do are proof

Keystroke biometricsTyping – Like walking, typing varies from person to person according to CNN. Keystroke biometrics record how a person types and calculates their unique pattern, speed, and rhythm. It determines how long they hold down each key and the space of time between different letters. Keystrokes could be used to authenticate anyone working on a computer. This system could appeal to companies that are watching out for unauthorized users on their internal systems.

Gestures – Gesture-based authentication is another potential password replacement emerging from the world of smartphones and tablets. Mr. Hawes says hand movements repeated often enough can lead to muscle memory, so quite complex patterns can become quite easy to reliably and accurately reproduce. This is the basis of a very venerable form of authentication, the signature. It should be harder to compromise though, as, unlike signatures,  swipes leave few traces to be copied.

Answipe-patterndroid phones have long had swipe-pattern unlock features, and Microsoft (MSFT) Windows 8 includes a system based on a few swipes around a picture. Research has poked some serious holes in this approach though, showing that people are just as bad at picking hard-to-guess shapes as they are at choosing passwords.

Besides monitoring your body to authenticate you, there are hybrid authentication technologies. Hybrid authentication combines biometric factors with other techs.

Brain waves – I covered the Interaxon Muse headband sensor device a while ago. It is designed to allow users to create a specific brain wave signature for a password that will never have to be said or typed to log in.

Biostamps –  The biostamp idea proposed a hybrid of body and technology. The biostamps are flexible electronic circuits attached to the skin, which theoretically can communicate your password wirelessly with any device which needs to check who you are.

heart rhythmsBracelets – Another hybrid approach uses a bracelet device that measures heart rhythms to check who we are, and then connects to our devices via Bluetooth to pass on that confirmation. I covered Nymi here.

The actual authentication takes place only when the bracelet is first put on. It requires a quick touch of some sensors, and from then on it will confirm you’re you until it’s removed. It includes motion sensors, so the basic authentication can also be combined with movements and gestures to create multi-factor passwords, using both the body and the mind of the attached user. Gestures could be used to unlock cars, for example.

Over the years the password systems we use have seen various improvements, both in usability (ranging from simple but today’s indispensable systems for replacing forgotten passwords to the latest secure password management utilities) and security, for example, two-factor authentication schemes using dongles or smartphones combined with our computers.

All have helped in some ways, but have also introduced further opportunities for insecurity – recovery systems can be tricked, management tools can have vulnerabilities or simply be insecurely designed, and two-factor approaches can be defeated by man-in-the-mobile techniques.

rb-

Biometrics are not bullet-proof. They have a number of problems still.

  1. Biometric data cannot be changed once it is compromised.
  2. Will stress, fitness, or aging, have on the physiological elements of biometrics.
  3. Cost, most of these techniques require new equipment.
  4. They all need connectivity, Bluetooth connectivity.
  5. Biometric data still needs to be stored somewhere. And that would be an attractive target for attackers.
Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , ,
| May 6, 2014
Comments Off on Security From the Heart

Security From the Heart

Security From the HeartWe have all heard the horror stories of password management. Users choose the same weak passwords, trade them for chocolate bars. They keep track of them on post-it notes. Firms are negligent in managing weak passwords. Help Net Security wrote about the latest innovation in passwords from Canadian security start-up Bionym.

Bionym logoBionym created Nymi, a bracelet/wristband containing an ECG (electrocardiogram) sensor that “reads” the unique heartbeat pattern of the wearer. The bracelet will use the ECG to authenticate into electronic devices; cars, computers, smartphones, TVs, etc.

“It was actually observed over 40 years ago that ECGs had unique characteristics,” Bionym CEO Karl Martin pointed out to Tech Hive. “What we do is ultimately look for the unique features in the shape of the wave that will also be permanent over time. The big breakthrough was a set of signal-processing and machine-learning algorithms that find those features reliably and to turn them into a biometric template.”

When you clasp the Nymi around your wrist it powers on. By placing a finger on the topside sensor while your wrist is in contact with the bottom sensor, you complete an electrical circuit. After you feel a vibration and see the LEDs illuminate, your Nymi knows you are you and your devices will too. You will stay authenticated until your Nymi is taken off,” it’s explained on the firm’s website.

3-factor security

Nymi knows you are youThe Nymi functions on a 3-factor security system. To take control of your identity you must have your Nymi, your unique heartbeat, and an Authorized Authentication Device (AAD). The AAD could be a smartphone or device registered with their app.

No details about the bracelet’s security have been share on the site. Ars Technica’s Dan Goodin has pumped Martin for information and, so far, the news is good. Elliptic curve cryptography is used to ensure data traveling between the bracelet and the device is not monitored or intercepted by attackers. ECC also encrypts the handshake performed between the bracelet and the devices being unlocked.

perform remote, gesture-specific commandsThe Nymi also has motion sensing and proximity detection that allows users to perform remote, gesture-specific commands, creating a dynamic and interactive environment,” it is explained. “A simple twist of the wrist can unlock your car door.”

When it arrives, Nymi will offer three-factor authentication. The wristband itself, your unique cardiac rhythm, and a mobile device, like a smartphone or tablet. The Nymi hardware acts as a secure token that ties into the biometric. The wristband will need to check in with your smartphone or tablet at the beginning of the day.

rb-

The thing that excites me most about Nymi is its potential to get rid of passwords. I think the password has a limited shelf-life. Once wearable computing takes off, payment processing will be integrated with biometrics on the wearable devices, there will be no need for passwords.

Nymi will be compatible with the FIDO AllianceBionym’s Martin stated,   “[Killing the password] is one of our goals,” noting that the Nymi will be compatible with the FIDO Alliance.

FIDO, which stands for Fast IDentity Online, was created by PayPal and Lenovo (LNVGY) and now counts Google (GOOG) and Microsoft (MSFT) among its members. The alliance has set out to create the next-generation standard for identity verification. 

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , ,
| December 15, 2012
Comments Off on Scan Your Sclera for Security

Scan Your Sclera for Security

Scan Your Sclera for SecurityTyping a password into your smartphone might be a reasonable way to access the sensitive information it holds, but a startup called EyeVerify thinks it would be easier—and more secure—to just look into the smartphones’ camera lens and move your eyes to the side scan your sclera for security.

EyeVerify logoMIT Technology Review says that Kansas City, KS-based EyeVerify software claims that it can identify you by your “eye-prints,” the pattern of veins in the whites of your eyes. The firm claims the method is as accurate as a fingerprint or iris scan, without requiring any special hardware.

The company plans to roll out its security software next year. CEO and founder Toby Rush envisions a range of uses for it, including authenticating access to online medical records or bank accounts via smartphones. Mr. Rush told TR that phone manufacturers are interested in embedding the software into handsets so that many applications can use it for authenticating people, though he declined to name any prospective partners. The security software allows people to bypass the security on their mobile devices just by looking at it.

The article explains that the technology behind EyeVerify comes from Reza Derakhshani, associate professor of computer science and electrical engineering at the University of Missouri, Kansas City. Dr. Derakhshani, the company’s chief scientist, was a co-recipient of a patent for the eye-vein biometrics behind EyeVerify in 2008.

Retina scanTo the users, EyeVerify seems pretty simple (though somewhat awkward in its prototype stage according to the article). To access data on a smartphone that’s locked with EyeVerify, the blog says you would look to the right or the left, enabling EyeVerify to capture eyeprints from each of your eyes with the camera on the back of the smartphone. (Eventually, EyeVerify expects to take advantage of a smartphone’s front-facing camera, but for now, the resolution is not high enough on most of these cameras, Rush says.) EyeVerify’s software processes the images maps the veins in your eye and matches that against an eye-print stored on the phone.

EyeVerify CEO Rush says the software can tell the difference between a real person and an image of a person. It randomly challenges the smartphone’s camera to adjust settings such as focus, exposure, and white balance and checks whether it receives an appropriate response from the object it’s focused on.

Biometrics

The look of the veins in your eyes changes over time, and you might burst a blood vessel one day the article speculates. But Mr. Rush says long-term changes would be slow enough that EyeVerify could “age” its template to adjust. And the software only needs one proper eye-print to authenticate you, so unless you bloody up both eyes, you should be able to use EyeVerify after a bar fight.

EyeVerify still needs to do more to prove that. Mr. Rush says that in tests of 96 people, the eye-print system was 99.97 percent accurate. The company is working with Purdue University researchers to judge the accuracy of its software on 250 subjects—or another 500 eyes.

Mr. Rush’s favorite application is for voters on Election Day. “Being able to vote from the convenience of my house, I can already send in a mail-in ballot, why not verify biometrically here and simply vote?” he told Fox News.

rb-

The end-user will be the fundamental roadblock to any eye-based biometrics.   Traditionally, anything related to eye recognition has received strong resistance, because it is just human nature to be squeamish about having our eyes scanned.

I covered the challenges of biometrics here, as long as this technology is limited to smartphones, some but not all biometrics issues remain:

  1. What is the real-world sensitivity/specificity trade-off i.e. quantified False Positive and False Negative Error Rates?
  2. Revocability. What happens if the mobile device is lost? What is the strategy to cancel and reissue a pair of eyes?

Despite the concerns scanning your sclera for security is coming to an iPhone near you.

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , ,
| December 1, 2012
Comments Off on I Think Therefore I Login

I Think Therefore I Login

I Think Therefore I LoginForgetting a password could become a thing of the past according to the ZDNet article Brainwaves as Passwords; Secure and Near-Reality. John Fontana at Identity Matters says the technology to do so could be here as early as June 2013. Interaxon, which develops thought-controlled computing, is releasing the Muse headband sensor device that is designed to use brainwaves to login.

Brainwave sensors

Muse headband sensor device that is designed to bring brainwaves into computingThe slim plastic Muse headband fits against a person’s forehead and slips over the ears. The band houses four brainwave sensors. There are not any authentication applications that work with Interaxon’s Muse headband yet. The article notes that the company has a software developer’s kit (SDK) for anyone who wants to do it. However, company CEO Ariel Garten says such an app is reasonable and possible.

“The user could create a specific brainwave signature or a password they would never have to say out loud or type into a computer,” said Ms. Garten, who spoke at the Blur Conference in Broomfield, CO. According to Mr. Fontana the CEO demonstrated thought-controlled applications and the Muse headband.

Brainwave login passwords

government can read their pin numberWhile brainwave passwords might conjuror up thoughts of being snatched off the street and having a brain drain, Ms. Garten said the technology isn’t mind reading. “People might think the government can read their pin number, but we can’t read your thoughts or images in your head.” Muse, which talks to devices via Bluetooth, is an electroencephalograph (EEG) that records brainwaves and reads the brain’s overall pattern of activity to detect certain states such as relaxed or alert explains the article.

The brainwaves are turned into binary data and the translated waves are used to control anything electric. Users can learn to manipulate brainwave patterns, like flexing muscles. “This builds your brain like doing bench press reps in the gym, Ms. Garten claims.

laptops can be controlled with the mindApplications that run on smartphones, tablets, or laptops can be controlled with the mind according to the article. Ms. Garten believes the technology is set to take off, she is quoted in the article, “In 25 years, interacting with technology using your mind will be as ubiquitous as a gesture is today.”

rb-

This seems like a cool idea, maybe Sony or Nintendo will take it over. This is not a panacea for passwords.

With the small real-world experience with biometrics in the enterprise (Thinkpad T61p laptop) it worked adequately for local machine access, but what about when you have to scale this to 10s of thousands of users? Just imagine the HR issues involved with obtaining employee’s fingerprints or as the article suggests brainwaves.

In my environment, where I think biometrics makes sense, there is all the political baggage that comes with biometrics and children and the anti-education, anti-efficiency, and religious groups. I wrote here about a Texas school distinct facing the wrath of these groups for RFID cards, not biometrics.

Then there are the technical issues with any password (character string or biometric) system. The hashed password or brainwave needs to be stored somewhere in binary form. If your AD is compromised you still have a problem.

swilson, one of the commenters at ZDNet wrote: “all biometrics are the same! It doesn’t matter what trait they come up with, the same core biometric challenges remain. The challenges he sees are:

  1. How to stop replay attacks?
  2. How to secure centrally stored templates that are needed to support ‘federated’ biometric access control from multiple points?
  3. What is the real-world sensitivity/specificity trade-off i.e. quantified False Positive and False Negative Error Rates? Knowing a bit about brain physiology, I am very skeptical that anyone can measure a highly distinctive brain wave with better than 90-95% accuracy.
  4. Most basic problem: revokeability. What’s to be done in the event of a compromise, when you cannot cancel and reissue a brain wave, or fingerprint, or iris, or genome?”
Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , ,
« Older Entries   Recent Entries »