Tag Archive for Facial recognition

| April 15, 2017
Comments Off on Open a New Galaxy Crack with a Pix

Open a New Galaxy Crack with a Pix

Open a New Galaxy Crack with a PixFollowers of the Bach Seat know biometrics have a limited value in replacing passwords. Despite the technical flaws another round of biometric hype is running across the intertubes. The latest round of biometric hype is coming from Samsung (005930). In the hope to revive their brand, they are on the verge of releasing the Galaxy S8. The Samsung Galaxy S8 includes the ability to use facial recognition software to unlock your brand new phone. CNet says that this idea “sounds awesome.”

Samsung Galaxy S8However, this awesome will lower the bar for your security. CNet reports that the video blogger MarcianoTech demonstrated a pre-release version of the Galaxy S8 is seen being unlocked using just a photo (at the 1:09 mark). To their credit Samsung has acknowledged that the Face Unlock feature is more for convenience than for security, and it cannot be used for mobile payments. Weak facial recognition software is a convenience for the user, it could also be very convenient for others, too.

The troubles with Face Unlock date back to 2011 when SlashGear reported that Google admitted the security system can be fooled by a picture of you and not the real thing. CNet reports that a Carnegie Mellon University spin-off in Pittsburgh, PittPatt, developed  that Face Unlock which was later acquired by Google (GOOG).

photographs are stored in facial recognition databasesJust to make Face Unlock and similar facial recognition systems more dangerous, the Guardian reports during recent testimony before congress the FBI admitted that they store about half of all adult Americans’ photographs in a facial recognition databases that can be accessed by the FBI. About 80% of photos in the FBI’s network are non-criminal entries, including driver’s licenses pictures from 18 states including Michigan (pdf) and passports.

The FBI first launched its advanced biometric database, Next Generation Identification, in 2010, augmenting the old fingerprint database with further capabilities including facial recognition. The bureau did not tell the public about its newfound capabilities nor did it publish a privacy impact assessment, required by law, for five years.

Unlike with the collection of fingerprints and DNA, which is done following an arrest, photos of innocent civilians are being collected proactively. The FBI made arrangements with 18 different states to gain access to their databases of driver’s license photos.States allowing FBI to search driver license pictures

 

I’m frankly appalled,” said Paul Mitchell, a congressman for Michigan. “I wasn’t informed when my driver’s license was renewed my photograph was going to be in a repository that could be searched by law enforcement across the country.” So anyone with a photo of you, or maybe even just access to your Facebook photos, could potentially access your phone.

rb-

There are two important reasons why biometrics don’t work, and why the old-fashioned password is still a better option: a person’s biometrics can’t be kept secret and they can’t be revoked.

There's no real way to conceal your eyes, face or fingerprints from the worldPeople expose their biometrics everywhere – they leave fingerprints behind at bars and restaurants, their faces and eyes are captured in photos and film, etc. There’s no real way to conceal your eyes, face, or fingerprints from the world. As far back as 2002, research led by Japanese cryptographer Tsutomu Matsumoto. Matsumoto and his team used clear gelatin to make artificial fingers that they then used to fool fingerprint scanners. The gelatin-based finger was successful in fooling all 11 devices tested. I wrote about spoofing fingerprints in 2016.

However, it’s the second problem with biometrics that is the really big one: once a person’s biometrics have been compromised, they will always be compromised. Since a person can’t change their fingerprint or whatever biometric is being relied upon, it’s ‘once owned, forever owned.’ That is biometrics’ major failing and the one that will be hardest to overcome.

Part of the reason is that it’s silly to only have 10 possible passwords your whole life (20, if you count toes) but unlike a password, once a biometric is compromised, it is permanent. Today, if your Twitter account gets hacked, you just change the password – but if you are using a biometric, you will be stuck with that hacked password for the rest of your life.

With the release of Windows 10, Microsoft (MSFT) stepped up their biometrics game. CNet reports that with the recent improvements in Windows 10 biometric security includes facial recognition software. Besides facial recognition, Windows Hello also supports fingerprint and iris recognition to secure your PC. For facial recognition though, Microsoft has partnered with chipmaker Intel (INTC) for its RealSense 3D camera tech to get the job done. RealSense uses depth-sensing infrared cameras to track the location and positions of objects, which Microsoft then uses to scan a person’s face or iris before unlocking the device in question.

To further push the biometrics agenda, more than 200 companies including Microsoft, Lenovo, Alibaba, and MasterCard have already come together to form a partnership known as the FIDO (Fast Identity Online) Alliance. Founded in 2013, FIDO was set up to address issues such as a worldwide adoption of standards for authentication processes over the Web to help reduce reliance on passwords.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , ,
| March 25, 2015
Comments Off on Password Pain Continues

Password Pain Continues

Password Pain ContinuesDespite claims to the contrary, the password isn’t dead yet. Help Net Security points out new research from SecureAuth that documents how dependent many firms are on passwords. In fact, the research found that 40% of IT decision-makers admit that passwords are their only IT security measure. The IT leaders also believe it will take 5 years to see a significant shift in organizations’ reliance on passwords. The author says this is a worrying revelation, considering how many security breaches are the result of compromised credentials.

The researchers found that the entertainment, hospitality, and leisure industry is taking the most risks with its data as 65% of respondents from this sector admit their organizations only use passwords as a security method. (rb- No wonder they keep getting hacked!)

The author claims that SeaureAuth found that 45% of public sector organizations only use passwords. (rb- Another reason to limit how much data they collect on citizens)

Despite companies relying on passwords alone, the survey revealed that 63% of respondents believe their current authentication methods are effectively protecting valuable assets. The survey also revealed that firms worry about protecting different resources:

  • 29% say protecting the company’s VPN is critical
  • 28% believe protecting on-premise applications is a top priority
  • 20% stated protecting Cloud and SaaS is the most important, and
  • 18% said mobile takes precedence.

Nick Mansour, Executive Vice President of Worldwide Sales at SecureAuth explained,

As the skills of hackers continue to evolve, organizations are going to have to wise up to new methods of information access security, such as adaptive authentication which can leverage real-time threat intelligence, biometrics and even behavioral analysis.

Windows 10 logoFrighteningly only 44% of SecureAuth respondents have plans to change or enhance their security model in the next two years. The forthcoming Microsoft Windows 10 can help firms evolve their authentication processes. Help Net Security reports that Windows 10, includes a new feature called Windows Hello. Windows Hello will allow users to authenticate themselves using biometrics. The SecureAuth study reports that only 28% of IT decision makers believe that businesses will biometrics in 5 years’ time.

The article reports that Microsoft (MSFT) considers Windows Hello authentication more secure than using passwords – so secure, in fact, that it can be used in government organizations, the defense, financial, and health care industry. Microsoft’s  Joe Belfiore wrote

Our system enables you to authenticate applications, enterprise content, and even certain online experiences without a password being stored on your device or in a network server at all

Facial recognitionMr. Belifore says Windows Hello will work with existing fingerprint readers. Windows Hello will also work with facial or iris detection by combining special hardware and software; “The cameras use infrared technology to identify your face or iris and can recognize you in a variety of lighting conditions.”

Mr. Belfiore also introduced Windows Passport, a programming system that can be used to provide a more secure way of letting you sign in to sites or apps. The article explains that unlike with passwords, with which you authenticate yourself to apps, sites, and networks, Passport allows Windows 10 to do that in your stead: again, without sending up a password to their servers. Mr. Belfiore says:

Windows 10 will ask you to verify that you have possession of your device before it authenticates on your behalf, with a PIN or Windows Hello on devices with biometric sensors. Once authenticated with ‘Passport’, you will be able to instantly access a growing set of websites and services across a range of industries

rb-

Couldn’t Redmond pick a name other than Passport? Reminds me of the Hotmail days.

There is of course the age-old problem of what to do if your biometric signature is stolen. You can easily change your iris with a sharp stick, but that does not seem very efficient.

What do you think?

Will Windows 10 biometrics take off?

View Results

Loading ... Loading ...

 

Related articles
  • Second factor authentication can help prevent security breaches (cloudentr.com)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

 

Category: Uncategorized | Tags: , , , , , , , , , ,
| August 19, 2014
Comments Off on Password Free Future

Password Free Future

Password Free FutureLet’s just admit it, passwords suck, people don’t use good passwords. Password breaches seem to be the new normal. This new normal is forcing firms to find new ways of verifying their users and securing their data. Now, security firm Trustwave says traditional password policies are useless.

According to an articleLonger passwords are more secure at Infosecurity Magazine the Chicago-based firm says mixing upper and lower case letters, numbers and special characters don’t make passwords any harder for hackers to crack, only increasing the number of characters makes passwords more secure. Will we end up with 1,024 character secure passwords. I say let’s ditch passwords altogether.

Business Insider - The Worst Company Data Breaches Ever

What else can we use to secure our IDs? John Hawes at Sophos Naked Security Blog recently bemoaned the state of the clunky, fiddly, and mostly rather insecure passwords we use for almost all of our authentication needs. He says we may not be stuck with passwords forever. He offers some future options.

You are the proof

Password dogFacial Recognition – The author cites Australian researchers who have been promoting facial recognition as a means of authentication. This idea seems obvious, faces are the main way people identify each other in the real world, so it makes sense to have computers recognize our faces, or at least bits of our faces. The Sophos article says the approach has become common of late, with PC login systems and mobile apps trying to use our faces to authenticate us to various things. There is even a Finnish company that plans to use faces in place of credit cards.

The anti-malware firm says facial recognition systems have proven less than perfect, either easily fooled by photos, similar-looking people, or technical tricks, or failing to authenticate real users thanks to bad hair days or bad moods affecting how we look.

Passwords are like pantsMr. Hawes says University of Queensland researchers are trying to improve the accuracy and security of facial recognition. The Aussies are working to be able to get facial recognition to work from a single initial still image and from different angles and different lighting conditions, which sounds like a must for any decent recognition system.

The good thing about face recognition, the author says is that it’s relatively low-tech, using a standard part (the rear-facing camera) of most of the devices we use. The software looks for patterns on the human face, such as distance between eyes, to identify people. But the researchers expect it will take more time to have a fool-proof working prototype.

Facial recognitionCNN points out that security is great for consumers, but it’s not the primary goal of most facial recognition tools. Law enforcement and spies are building databases (PDF) to take advantage of recent advancements in facial recognition. Identifying one person using their trail of selfies left online and in surveillance footage from stores could be a huge business. Some stores already use facial recognition to build profiles on repeat customers and collect data about how they shop.

Facebook (FB) recently bragged that its own facial recognition project named DeepFace was almost as accurate at detecting people as the human brain. More recently, it also claimed to be able to recognize faces from the side as well as the front.

Ears as a passwordEars – CNN reports that with the right software, a phone can detect the shape of a human ear and use it to log in. That’s the idea behind the Ergo Android app by Descartes Biometrics. When an ear is pressed against the screen, the points where it makes contact with the glass are mapped out and compared to a stored ear print. If it matches, the user is authenticated. The app is adjustable and can require multiple scans for the highest levels of security.

For now, it’s limited to unlocking a phone. But CNN claims ear prints could be used to identify people for any number of uses on the phone, such as making purchases in app stores or signing into services.

WalkingCNN says that if you’ve ever identified someone by how listening to how they walk down the hall, you’ve already seen the power of gait recognition. For 30 years, researchers have tinkered with gait-recognition technology but the recent boom in inexpensive motion sensors like accelerometers and gyros have given new life to the field. CNN reports that with the right software and sensors, they should be able to analyze a person’s walk. A wearable fitness device or smartphone can act as a password to authorize users.

The benefit of gait recognition is that it can gather the necessary information in the background while people go about their normal routines. There’s no need for the subject to touch their device or look into a camera.

Things you do are proof

Keystroke biometricsTyping – Like walking, typing varies from person to person according to CNN. Keystroke biometrics record how a person types and calculates their unique pattern, speed, and rhythm. It determines how long they hold down each key and the space of time between different letters. Keystrokes could be used to authenticate anyone working on a computer. This system could appeal to companies that are watching out for unauthorized users on their internal systems.

Gestures – Gesture-based authentication is another potential password replacement emerging from the world of smartphones and tablets. Mr. Hawes says hand movements repeated often enough can lead to muscle memory, so quite complex patterns can become quite easy to reliably and accurately reproduce. This is the basis of a very venerable form of authentication, the signature. It should be harder to compromise though, as, unlike signatures,  swipes leave few traces to be copied.

Answipe-patterndroid phones have long had swipe-pattern unlock features, and Microsoft (MSFT) Windows 8 includes a system based on a few swipes around a picture. Research has poked some serious holes in this approach though, showing that people are just as bad at picking hard-to-guess shapes as they are at choosing passwords.

Besides monitoring your body to authenticate you, there are hybrid authentication technologies. Hybrid authentication combines biometric factors with other techs.

Brain waves – I covered the Interaxon Muse headband sensor device a while ago. It is designed to allow users to create a specific brain wave signature for a password that will never have to be said or typed to log in.

Biostamps –  The biostamp idea proposed a hybrid of body and technology. The biostamps are flexible electronic circuits attached to the skin, which theoretically can communicate your password wirelessly with any device which needs to check who you are.

heart rhythmsBracelets – Another hybrid approach uses a bracelet device that measures heart rhythms to check who we are, and then connects to our devices via Bluetooth to pass on that confirmation. I covered Nymi here.

The actual authentication takes place only when the bracelet is first put on. It requires a quick touch of some sensors, and from then on it will confirm you’re you until it’s removed. It includes motion sensors, so the basic authentication can also be combined with movements and gestures to create multi-factor passwords, using both the body and the mind of the attached user. Gestures could be used to unlock cars, for example.

Over the years the password systems we use have seen various improvements, both in usability (ranging from simple but today’s indispensable systems for replacing forgotten passwords to the latest secure password management utilities) and security, for example, two-factor authentication schemes using dongles or smartphones combined with our computers.

All have helped in some ways, but have also introduced further opportunities for insecurity – recovery systems can be tricked, management tools can have vulnerabilities or simply be insecurely designed, and two-factor approaches can be defeated by man-in-the-mobile techniques.

rb-

Biometrics are not bullet-proof. They have a number of problems still.

  1. Biometric data cannot be changed once it is compromised.
  2. Will stress, fitness, or aging, have on the physiological elements of biometrics.
  3. Cost, most of these techniques require new equipment.
  4. They all need connectivity, Bluetooth connectivity.
  5. Biometric data still needs to be stored somewhere. And that would be an attractive target for attackers.
Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , ,
  Recent Entries »