biometrics

18 Articles

FIDO2: The Dream Of Password-Free Authentication On The WWW

September 23, 2019 by 29 Comments

Of all the things which are annoying about the modern World Wide Web, the need to create and remember countless passwords is on the top of most people’s lists. From dozens of passwords for everything from social media sites to shopping, company, and productivity-related platforms like Github, a large part of our day is spent dealing with passwords.

While one can totally use a password manager to streamline the process, this does not absolve you from having to maintain this list and ensure you never lose access to it, while simultaneously making sure credentials for the password manager are never compromised. The promise of password-less methods of authentication is that of a world where one’s identity is proven without hassle, and cannot ever be stolen, because it relies on biometrics and hardware tokens instead of an easily copied password.

The FIDO2 project promises Web Authentication that means never entering a password into a website again. But like everything, it comes with some strings attached. In this article, we’ll take a look at how FIDO2 plans to work and how that contrasts with the state of security in general.

Continue reading “FIDO2: The Dream Of Password-Free Authentication On The WWW”

The Demise Of The Password

July 14, 2019 by 73 Comments

Although we hackers will sometimes deliberately throw away our passwords and then try and hack our own phones / WIFI systems for self amusement, for many people including the actual inventor of the password, Fernardo “Corby” Corbató (1926-2019), passwords have become extremely burdensome and dis-functional.

Sadly, Fernando (according to the internet) died on July 12th, and equally sadly, part of his legacy was the ordeal of his “having a three-page crib sheet to stay on top of his own 150+ passwords”.

We’re all used to being badgered by websites to use complex passwords with a minimum length and a minimum number of upper case characters, lower case characters, numerical digits and non alphanumeric characters AND being told at the workplace to use different passwords than at other places AND to being told to change our passwords regularly. The fact that somebody like Fernando had 150 passwords is not surprising.

However, there is some hope, as according to Alex Weinert of Microsoft, in his recent synopsis, “When it comes to composition and length, your password (mostly) doesn’t matter”. This may well sound counter-intuitive but Microsofts’s own research suggests that inter-webs gurus should focus more on “multi-factor authentication (MFA), or great threat detection” rather than badgering the user.

The research goes into quite a bit of detail about passwords and concludes that the biggest threat to password security is when criminals obtain data from insecure ‘breached’ sites, in which case it would not matter if your word was written in hieroglyphics, it would be of no consequence at all. Another interesting conclusion was that by making passwords so intractable this encouraged people such as Fernando himself to write them all down, only for someone to rummage through their office desk (technically known as ‘dumpster diving’) and copy them.

Maybe the end of the password will now swiftly be upon us as technology enables biometrics such as ocular based identifications to be more widely used, but then again we’ve all watched those films where the protagonist scoops the eyeball out of a person’s skull to gain entry to a secure area.

It’s easy to get carried away about passwords and security hype, but it should not be forgotten that Fernardo Corbató was an eminent computer scientist who pioneered ‘Time sharing’ on computers, as detailed in this Hackaday article: Retrotectacular: Time Sharing.

3D Printed Head Can Unlock Your Phone

December 19, 2018 by 23 Comments

[Thomas Brewster] writes for Forbes, but we think he’d be at home with us. He had a 3D printed head made in his own image and then decided to see what phones with facial recognition he could unlock. Turns out the answer is: most of them — at least, those running Android.

The models tested included an iPhone X, an LG, two Samsung phones, and a OnePlus. Ironically, several of the phones warn you when you enroll a face that the method may be less secure than other locking schemes. Conversely, one phone had a faster feature that is known to make the phone less secure.

Continue reading “3D Printed Head Can Unlock Your Phone”

Fooling Samsung Galaxy S8 Iris Recognition

May 24, 2017 by 34 Comments

We have a love-hate relationship with biometric ID. After all, it looks so cool when the hero in a sci-fi movie enters the restricted-access area after having his hand and iris scanned. But that’s about the best you can say about biometric security. It’s conceptually flawed in a bunch of ways, and nearly every implementation we’ve seen gets broken sooner or later.

Case in point: prolific anti-biometry hacker [starbug] and a group of friends at the Berlin CCC are able to authenticate to the “Samsung Pay” payment system through the iris scanner. The video, embedded below, shows you how: take a picture of the target’s eye, print it out, and hold it up to the phone. That was hard!

Sarcasm aside, the iris sensor uses IR to recognize patterns in your eye, so [starbug] and Co. had to use a camera with night vision mode.  A contact lens placed over the photo completes the illusion — we’re guessing it gets the reflections from room lighting right.  No etching fingerprint patterns into copper, no conductive gel — just a printout and a contact lens.

Continue reading “Fooling Samsung Galaxy S8 Iris Recognition”

A Shareable Wireless Biometric Flash Drive

January 15, 2016 by 4 Comments

Wireless storage and biometric authentication are both solved problems. But as [Nathan] and [Zhi] have noticed, there is no single storage solution that incorporates both. For their final project in [Bruce Land]’s ECE 4760, they sought to combine the two ideas under a tight budget while adding as many extras as they could afford, like an OLED and induction coil charging.

final_product_600Their solution can be used by up to 20 different people who each get a slice of an SD card in the storage unit There are two physical pieces, a base station and the wireless storage unit itself. The base station connects to the host PC over USB and contains an Arduino for serial pass-through and an nRF24L01+ module for communicating with the storage side. The storage drive’s components are crammed inside a clear plastic box. This not only looks cool, it negates the need for cutting out ports to mount the fingerprint sensor and the OLED. The sensor reads the user’s credentials through the box, and the authentication status is displayed on an OLED. Files are transferred to and from the SD card over a second nRF24L01+ through the requisite PIC32.

Fingerprint authorization gives the unit some physical security, but [Nathan] and [Zhi] would like to add an encryption scheme. Due to budget limitations and time constraints, the data transfer isn’t very fast (840 bytes/sec), but this isn’t really the nRF modules’ fault—most of the transmission protocol was implemented in software and they simply ran out of debugging time. There is also no filesystem architecture. In spite of these drawbacks, [Nathan] and [Zhi] created a working proof of concept for wireless biometric storage that they are happy with. Take a tour after the break.
Continue reading “A Shareable Wireless Biometric Flash Drive”

Biometric Bracelet Electrifies You To Unlock Your Tablet

December 8, 2015 by 3 Comments

Researchers [Christian Holz] and [Marius Knaust] have come up with a cool new way to authenticate you to virtually any touchscreen device. This clever idea couples a biometric sensor and low-data-rate transmitter in a wearable wrist strap that talks to the touch screen by electrifying you.

Specifically the strap has electrodes that couple a 50V, 150kHz signal through your finger, to the touchscreen. The touchscreen picks up both your finger’s location through normal capacitive-sensing methods and the background signal that’s transmitted by the “watch”. This background signal is modulated on and off, transmitting your biometric data.

The biometric data itself is the impedance through your wrist from one electrode to another. With multiple electrodes encircling your wrist, they end up with something like a CAT scan of your wrist’s resistance. Apparently this is unique enough to be used as a biometric identifier. (We’re surprised.)

Continue reading “Biometric Bracelet Electrifies You To Unlock Your Tablet”

Getting Biometrics In Hand

September 20, 2015 by 7 Comments

It is amazing how quickly you get used to a car that starts as long as you have the key somewhere on your person. When you switch vehicles, it becomes a nuisance to fish the key out and insert it into the ignition. Biometrics aims to make it even easier. Why carry around a key (or an access card), if a computer can uniquely identify you?

[Alexis Ospitia] wanted to experiment with vein matching biometrics and had good results with a Raspberry Pi, a web cam, and a custom IR illumination system. Apparently, hemoglobin is a good IR reflector and the pattern of veins in your hand is as unique as other biometrics (like fingerprints, ear prints, and retina vein patterns). [Alexis’] post is in Spanish, but Google Translate does a fine job as soon as you realize that it thinks “fingerprint” is “footprint.” The software uses OpenCV, but we’ve seen the same thing done in MATLAB (see the video below).

Continue reading “Getting Biometrics In Hand”