UK To Invest In FIDO-Based Passwordless Systems To Improve Security

Status
Not open for further replies.

Scrotus

Reputable
Dec 4, 2015
24
0
4,510
Fingerprints for some of us may also present a problem. I'm a senior citizen and my fingerprints as we normally see them are mostly gone. The last time I needed to submit fingerprints the system had a really difficult time reading them. I wonder if lack of fingerprints will be a pretty widespread problem.
 

anathema_forever

Honorable
Jan 12, 2013
98
0
10,660
Fingerprints seem like a bad way to go anyway for the digital age. Database breaches getting peoples cheesy passwords, who are just a pet name etc aren't a huge loss. Depending on fingerprints and those getting lost is catastrophic so it would be best if we just didn't use them like that anymore. Easy to make massive and random digital keys so why even do that to ourselves.
 

Abbe Normal

Commendable
Nov 7, 2016
1
0
1,510
If UK government supports some security technology for common use then you can bet it is already stuffed with government backdoors. Would you use the keylock that was recommended by a guy who broke into your house yesterday? :)
 

targetdrone

Distinguished
Mar 26, 2012
327
32
18,810
Biometric security is a stupid idea because once compromised, that it's, game over. You can't change your fingerprints, or retinas , like you can with a password and authentication key.

Don't think that information can't be hacked? Last Year over 5 million Federal employees and contractors has their fingerprints stolen during the Office of Personal Management data-breach.
 

rantoc

Distinguished
Dec 17, 2009
1,859
1
19,780
Yeah, once the biometric readings for a person is out then it would be an all out access to all sites who uses that said biometric (be it fingerprint, retina ect.). Its like having a single password on every site, once one is breached - Good luck!

Until that "once breached your totally screwed" issue can be resolved, good luck getting my fingerprint as password - I don't like to give a clever hacked all out access once one site is hacked. Speaking ab out collecting ALL EGGS IN ONE BASKET... guess what basket WILL BE HACKED?
 

drajitsh

Distinguished
Sep 3, 2016
131
20
18,695
What we need is support on financial sites for password mangers. most sites disable them, especially for financial transactions. Practically, given enough time and effort any system can be hacked. If not through a choice vulnerability then an inside job. Putting all your eggs in one basket forever is not a good idea.
 

Joker41NAM

Reputable
Jul 5, 2015
45
0
4,530
Anyone want to place bets on how long until the first major biometric authentication breach? (last gov one doesn't count, wasn't being used for authentication)
 

shiitaki

Distinguished
Aug 20, 2011
44
0
18,540
Replace passwords? Not likely! The government is pushing for biometrics? The government who lost millions of fingerprints in a data breach?

The NSA are a bunch of self important jackasses and have little to contribute to the security of the world, more like they may be one of the greatest threats to out security with their backdoors being installed everywhere! Notice the NSA isn't asking congress for a backdoor in to hard drive encryption? The NSA wants to get rid of passwords because then they can't force you to hand over your data since only pins and password are protected under the constitution.

The NSA getting rid of passwords is self serving!
 

pixelpusher220

Distinguished
Jun 4, 2008
177
63
18,660
biometrics are fine. The reason is that we don't actually store the 'fingerprint'. it's a digital representation of that...which itself can be hashed and salted with a user specific salt.

So you rehash/salt the input and now the value being tested is different so the hacker won't be able to authenticate.

High level concept anyway, but that's how many systems work.
 

kittle

Distinguished
Dec 8, 2005
898
0
19,160

Yes that can work.

But how does the average user know when to do this, and HOW to do this? For password, i just click the 'forgot password' link and away I go.
And whats to prevent the hacker from getting into the fingerprint reader and doing the same thing?

 

SillieAbbe

Commendable
Mar 31, 2016
8
0
1,510
However nicely designed and implemented, devices, tokens, cards and phones are easily left behind, lost, stolen and abused. Then the remembered password would be the last resort.

And, in a world where we live without remembered passwords, say, where our identity is established without our volitional participation, we would be able to have a safe sleep only when we are alone in a firmly locked room. It would be a Utopia for criminals but a Dystopia for most of us.

Are you aware of this?
https://youtu.be/-KEE2VdDnY0
 

SillieAbbe

Commendable
Mar 31, 2016
8
0
1,510
However nicely designed and implemented, devices, tokens, cards and phones are easily left behind, lost, stolen and abused. Then the remembered password would be the last resort.

And, in a world where we live without remembered passwords, say, where our identity is established without our volitional participation, we would be able to have a safe sleep only when we are alone in a firmly locked room. It would be a Utopia for criminals but a Dystopia for most of us.

Are you aware of this?
https://youtu.be/-KEE2VdDnY0
 

shiitaki

Distinguished
Aug 20, 2011
44
0
18,540
This is terrible actually. Firs it means the government can have access to your identity by simply physically forcing you to use your what everybody part, after all it is only something you know that is protected by the constitution, easier for the NSA. Second, you loose your phone and they have everything. People's biometrics can be faked, it's been done, and will only get better. Unlike a password, you can't change your biometrics, so once compromised it is for a long time.
 

ron baker

Distinguished
Mar 13, 2013
54
3
18,535
iTS JUST rubbing SALT into the wound ...
Simple ... make bad security punishable by prison then all these companys will spend 100's Million to solve the problem.And never buy anything from Alibaba as you are handing over your details to buy cheap tat/apple gear.
 
Good luck with that.
The more common the security measures used, the more interest from hackers to break them.
Government problems aside (Its the biggest threat as always, but its not gonna change so lets look at what we CAN change), there are 3 types of securities that work quite well:

1. Security thru obscurity: The system or method of encoding is complex enough that it cannot be done automatically and the hacker would need a lot of manual hacking time to get data. Example is creation of multiple fake files and folders that are corrupted files with no useful data but are heavily encoded, or using custom tools to create additional layers of security.

2. Offline. Best way, keep sensitive data offline.

3. Use OS/programs so unpopular that hackers do not have incentives to create hacking tools for them.
 

kevrain

Commendable
Nov 17, 2016
1
0
1,510
A common misperception about biometrics is they would be used alone. That is still just single-factor. By definition, strong authentication must have two out of three factors: 1) What you know (username/password), 2) What you have (token, one-time key), or 3) What you are (biometric).

If you have a biometric plus a PIN/password or a biometric plus a token, that is two factors. If the hackers get your fingerprint, they will not have the other factor.

The point of the article was that the UK is adopting the new FIDO security standard which has Universal 2 Factor (U2F) and makes it easy for mass consumers to add a second factor to their username/password resulting in What You Know plus What You Have (FIDO token) or What You Are (biometric).

We (SurePassID) have a FIDO-certified authentication server or cloud service that can quickly enable any website or mobile app to accept FIDO keys. That's the server side. On the user side, a user can get a FIDO key from Amazon or use the FIDO key they may already have. We offer additional choices to enable users to use what they already have (mobile phone with TouchID) plus a Virtual Mobile FIDO Key that can only be released if the fingerprint matches on the phone. In other words, no password would be required because the two factors are biometric (TouchID built into the phone) plus FIDO Key (registered to the user's phone, a one-time process).

There is a new biometric wristband called the Nymi Band, which uses your EKG (electro-cardiogram) as your biometric. Once you train it to your body, the biometric never leaves the band so it is not stored in any database. It is Bluetooth Low Energy (BLE) and Near-Field Communication (NFC) capable to support authentication or payments or device control (think secure IoT access) between any Bluetooth or NFC device. With an embedded FIDO Key, you have two-factor authentication in a single wristband and always present, always authenticated access. The user experience for logging into Windows is this: 1) Walk up to your computer within Bluetooth range, it recognizes you. 2) Touch your Nymi band to prove YOU (and only you) are wearing it (biometric first factor) and it will release the FIDO Key as a second factor to the login process and log you in to Windows. No entry of username or password required.

The important takeaway here is that FIDO supports strong authentication for the masses and a "bring your own security" model. This should make banks and government services happy since they don't have to stock, provide and support tokens which is a help desk cost and hassle. If you lose your FIDO key, you can get a temporary code sent to your mobile phone or use a back-up FIDO key (you can have as many as you like). Then simply order another FIDO key from Amazon and register it to your account.

Reach out to SurePassID if you want more information or want to pilot a FIDO solution for free.

Best regards,
Kevin
 
Status
Not open for further replies.