{"id":84799,"date":"2017-10-25T18:49:06","date_gmt":"2017-10-25T22:49:06","guid":{"rendered":"http:\/\/rbach.net\/blog\/index.php\/"},"modified":"2021-08-13T21:12:58","modified_gmt":"2021-08-14T01:12:58","slug":"biometrics-hype","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/biometrics-hype\/","title":{"rendered":"Biometrics Hype"},"content":{"rendered":"

\"Biometrics<\/a>Followers of the Bach Seat<\/a><\/em> know biometrics<\/strong> have a limited value<\/strong> in replacing passwords. Despite the technical flaws another round of biometric <\/a>hype is rolling across the Intertubes. The latest round of biometric hype is coming from Samsung<\/a><\/strong> (005930<\/a>). In the hope to revive their brand, Samsung has released the Galaxy S8. The Samsung Galaxy S8<\/a><\/strong> includes the ability to use facial recognition software<\/strong><\/a> to unlock your brand new phone<\/a>. CNet<\/em><\/a> says<\/a> that this idea \u201csounds awesome.\u201d<\/p>\n

\"\"However, this awesome idea appears to lower the bar for your security. CNet<\/em> reports that the video blogger MarcianoTech demonstrated<\/a> a pre-release version of the Galaxy S8 being unlocked using just a photo<\/strong> (at the 1:09 mark). To their credit, Samsung has acknowledged that the Face Unlock<\/strong> feature is more for convenience than for security. <\/strong>The biometric feature cannot be used for mobile payments. While weak facial recognition software may be a convenience for the user, it could also be very convent for others, too.<\/p>\n

The troubles with Face Unlock<\/a> date back to 2011.\u00a0 <\/strong>In 2011 SlashGear<\/em><\/a> reported<\/a> that Google<\/a>\u00a0(GOOG<\/a>) admitted the security system could be fooled by a picture<\/a> of you and not the real thing. CNet<\/em> reports<\/a> that the technology was developed by PittPatt<\/a>, a startup originating from Carnegie Mellon University<\/a>, which was later acquired by Google.<\/p>\n

FBI\u2019s facial recognition database<\/h3>\n

\"Next<\/a>The Guardian<\/em><\/a> reports<\/a> during testimony before congress the FBI admitted that about half of adult Americans\u2019 photographs are stored in facial recognition databases<\/a><\/strong> that can be accessed by the FBI<\/a>. About 80% of photos in the FBI\u2019s network are non-criminal entries, including pictures from driver\u2019s licenses and passports from 18 states including Michigan<\/a>.<\/p>\n

The FBI first launched its advanced biometric<\/a> database, Next Generation Identification<\/a> (NGI), in 2010. NGI augmented the old fingerprint database with further capabilities including facial recognition<\/a>. The bureau did not tell the public about its newfound capabilities nor did it publish a privacy impact assessment, required by law, for five years.<\/p>\n

Unlike with the gathering of fingerprints and DNA, which is done following an arrest, photos of innocent civilians are being collected proactively<\/strong>. The FBI made arrangements with 18 different states to gain access to their databases of driver\u2019s license photos.<\/p>\n

 <\/p>\n

\u201cI\u2019m frankly appalled,<\/em>\u201d said Paul Mitchell<\/a>, a congressman for Michigan. \u201cI wasn\u2019t informed when my driver\u2019s license was renewed my photograph was going to be in a repository that could be searched by law enforcement across the country.<\/em>\u201d<\/p>\n

rb-<\/em><\/strong><\/p>\n

So anyone with a photo of you, or maybe even just access to your Facebook<\/a>\u00a0(FB<\/a>) photos<\/strong>, could potentially access your phone. There are two important reasons why biometrics won’t work, and why the old-fashioned password is still a better option: a person’s biometrics<\/a> can’t be kept secret and they can’t be revoked.<\/strong><\/em><\/p>\n

 <\/p>\n

\"no<\/a>People expose their biometrics everywhere – they leave fingerprints behind at bars and restaurants, their faces and eyes are captured in photos and film, etc. There’s n<\/strong>o real way to hide this data from the world<\/strong>. As far back as 2002, research led by Japanese cryptographer Tsutomu Matsumoto. Matsumoto and his team gummy bears<\/a> to make artificial fingers that they then used to fool fingerprint scanners. The gelatin-based finger was successful in fooling all 11 devices tested. I wrote about spoofing fingerprints<\/a> in 2016.<\/em><\/p>\n

However, it’s the second problem with biometrics that is the really big one: once a person’s biometrics have been compromised, they will always be compromised<\/strong>. Since a person can’t change their fingerprint or whatever biometric is being relied upon, it’s ‘once owned, forever owned.’ That is biometrics’ major failing and the one that will be hardest to overcome.<\/em><\/p>\n

Part of the reason is that it’s silly to only have 10 possible passwords your whole life (20, if you count toes) but unlike a password, once a biometric is compromised, it is permanent. Today, if your Twitter account gets hacked, you just change the password – but if you are using a biometric, you will be stuck with that hacked password for the rest of your life<\/strong>.<\/em><\/p>\n

<\/a>With the release of Windows 10<\/strong>, Microsoft stepped up its biometrics game. CNet reports<\/a> that with the recent improvements in Windows 10 biometric security includes facial recognition software. Besides facial recognition, Windows Hello<\/a> also supports other biometric factors to secure your PC. Some of the factors are fingerprints and iris recognition. For facial recognition though, Microsoft<\/a>\u00a0(MSFT<\/a>) has partnered with chipmaker Intel<\/a>\u00a0(INTC<\/a>) for its RealSense 3D camera tech to get the job done. RealSense<\/strong> uses depth-sensing infrared cameras to track the location and positions of objects. Microsoft uses RealSense to scan a person’s face or iris before unlocking the device in question.<\/em><\/p>\n

To further push the biometrics agenda, more than 200 companies including Microsoft, Lenovo, Alibaba, and MasterCard have already come together to form a partnership known as the FIDO<\/a><\/strong> (Fast Identity Online<\/a>) Alliance. FIDO was founded in 2013 to address issues such as a worldwide adoption of standards for authentication processes over the Web to help reduce reliance on passwords.<\/em><\/p>\n

Related article<\/strong><\/p>\n