Among the daily churn of ‘Web 3.0’, blockchains and cryptocurrency messaging, there is generally very little that feels genuinely interesting or unique enough to pay attention to. The same was true for OpenAI CEO Sam Altman’s Ethereum blockchain-based Worldcoin when it was launched in 2021 while promising many of the same things as Bitcoin and others have for years. However, with the recent introduction of the World ID protocol by Tools for Humanity (TfH) – the company founded for Worldcoin by Mr. Altman – suddenly the interest of the general public was piqued.
Defined by TfH as a ‘privacy-first decentralized identity protocol’ World ID is supposed to be the end-all, be-all of authentication protocols. Part of it is an ominous-looking orb contraption that performs iris scans to enroll new participants. Not only do participants get ‘free’ Worldcoins if they sign up for a World ID enrollment this way, TfH also promises that this authentication protocol can uniquely identify any person without requiring them to submit any personal data, only requiring a scan of your irises.
Essentially, this would make World ID a unique ID for every person alive today and in the future, providing much more security while preventing identity theft. This naturally raises many questions about the feasibility of using iris recognition, as well as the potential for abuse and the impact of ocular surgery and diseases. Basically, can you reduce proof of personhood to an individual’s eyes, and should you?
With the proliferation of biometric access to mobile devices, entering a password on your desktop can feel so passé. [Snazzy Labs] decided to fix this problem for his Mac by liberating the Touch ID from a new Apple keyboard.
When Apple introduced its own silicon for its desktops, it also revealed desktop keyboards that included their Touch ID fingerprint reader system. Fingerprint access to your computer is handy, but not everyone is a fan of the typing experience on Apple keyboards. Wanting to avoid taping a keyboard under his desk, [Snazzy Labs] pulled the logic board from the keyboard and designed a new 3D printed enclosure for the Touch ID button and logic board so that the fingerprint reader could reside close to where the user's hands actually are.
One interesting detail discovered was the significantly different logic boards between the standard and numpad-containing variants. The final enclosure designs feature both wireless and wired versions for both the standard and numpad logic boards if you should choose to build one of your own. We’re interested to see if someone can take this the next step and use the logic board to wire up a custom mechanical keyboard with Touch ID.
If [Snazzy Labs] seems familiar, you may recognize him from his Mac Mini Mini. If you’re more in the mood to take your security to the extreme, check out this Four Factor Biometric Lockbox that includes its own fingerprint reader.
Have you heard about this One? At least three United States senators have, and they want to know what Amazon plans to do with all the biometric data collected by the Amazon One program. It’s their new contactless payment method that uses your unique palm print instead of cards or phones to make purchases, gain access to venues of work and play, and enter or pay in whatever other spaces Amazon can invade down the line. The idea is that one day, we’ll all be able to leave our homes without any form of money or ID of any kind, because we’ll all be stored away in Bezos’ big biometric file cabinet.
We tossed this one around in the writer’s room back when the Amazon One concept was nothing but a pile of buzzwords and a render or two, but these kiosks are now active in 50+ Whole Foods and Amazon 4-Star locations across the US. Here’s the deal: you can only sign up at a participating store that has a kiosk, because they have to scan your palms into the system. We were worried that the signup kiosk could easily take fingerprint scans at the same time, but according to the gifs in Morning Brew’s review, it just uses another of their point-of-sale palm scanners along with a touch screen and a card reader. But you still have to hover your entire hand over it, so who’s to say that the scan ends where the fingers begin?
Later this month, people who use GitHub may find themselves suddenly getting an error message while trying to authenticate against the GitHub API or perform actions on a GitHub repository with a username and password. The reason for this is the removal of this authentication option by GitHub, with a few ‘brown-out’ periods involving the rejection of passwords to give people warning of this fact.
This change was originally announced by GitHub in November of 2019, was given a deprecation timeline in February of 2020, and was repeated in another blog update in July. As noted there, only GitHub Enterprise Server remains unaffected for now. For everyone else, as of November 13th, 2020, in order to use GitHub services, the use of an OAuth token, personal token or SSH key is required.
While this is likely to affect a fair number of people who are using GitHub’s REST API and repositories, perhaps the more interesting question here is whether this is merely the beginning of a larger transformation away from username and password logins in services.
Sometimes, a project comes along that makes a good reference design for anyone doing similar work. In this particular case, it’s a DIY USB polygraph-like machine by [Juangg] using an Arduino and sensors on the hardware side, and a Python front end for data visualization. It’s even complete with 3D printed enclosure and sensor elements.
[Juangg] designed it to use three sensors: a pulse sensor, a breath sensor, and one to measure Galvanic Skin Response (GSR). The pulse sensor uses a piezo element pressed against a fingertip to detect changes in pressure resulting from blood flow. It can be picky about placement, but finding the sweet spot can yield remarkably good readings. The breath sensor works on a similar principle but uses a 3D printed fixture to hold the sensor between a strap and the subject’s chest, so that breathing in and out can be detected. The GSR sensor is a voltage divider used to measure small changes in skin conductivity. How well does it all work? That depends on what one is looking to get out of it, but the documentation and design files are available from the project page and the GitHub repository if anyone wants a reference for similar work.
When it comes to safes, mechanical design and physical layout are just as important as the electronic bits. If care isn’t taken, one element can undermine the other. That appears to be the case with this Amazon Basics branded biometric pistol safe. Because of the mechanical design, the fingerprint sensor can be overridden with nothing more than a thin piece of metal — no melted gummi bears and fingerprint impressions involved.
[LockPickingLawyer] has a reputation for exposing the lunacy of poorly-designed locks of all kinds and begins this short video (embedded below) by stating that when attempting to bypass the security of a device like this, he would normally focus on the mechanical lock. But in this case, it’s far more straightforward to simply subvert the fingerprint registration.
This is how it works: the back of the front panel (which is inside the safe) has a small button. When this button is pressed, the device is instructed to register a new fingerprint. The security of that system depends on this button being inaccessible while the safe is closed. Unfortunately, it’s placed poorly, and all it takes is a thin piece of metal slid through the narrow opening between the door and the rest of the safe. One press, and the (closed) safe is instructed to register and trust a new fingerprint. After that, the safe can be opened in the usual way.
It’s possible that a pistol being present in the safe might get in the way of inserting a metal shim to hit the button, but it doesn’t look like it. A metal lip in the frame, or recessing the reset button could prevent this attack. The sensor could also be instructed to reject reprogramming while the door is closed. In any case, this is a great demonstration of how design elements can affect one another, and have a security impact in the process.
Of all the things which are annoying about the modern World Wide Web, the need to create and remember countless passwords is at the top of most people’s lists. With dozens of passwords for everything from social media sites to shopping, company, and productivity-related platforms like GitHub, a large part of our day is spent dealing with passwords.
While one can totally use a password manager to streamline the process, this does not absolve you from having to maintain this list and ensure you never lose access to it, while simultaneously making sure credentials for the password manager are never compromised. The promise of password-less methods of authentication is that of a world where one’s identity is proven without hassle, and cannot ever be stolen, because it relies on biometrics and hardware tokens instead of an easily copied password.
The FIDO2 project promises Web Authentication that means never entering a password into a website again. But like everything, it comes with some strings attached. In this article, we’ll take a look at how FIDO2 plans to work and how that contrasts with the state of security in general.