Later this month, people who use GitHub may find themselves suddenly getting an error message while trying to authenticate against the GitHub API or perform actions on a GitHub repository with a username and password. The reason for this is the removal of this authentication option by GitHub, with a few ‘brown-out’ periods involving the rejection of passwords to give people warning of this fact.
This change was originally announced by GitHub in November of 2019, had a deprecation timeline assigned in February of 2020 and another blog update in July repeating the information. As noted there, only GitHub Enterprise Server remains unaffected for now. For everyone else, as of November 13th, 2020, in order to use GitHub services, the use of an OAuth token, personal token or SSH key is required.
While this is likely to affect a fair number of people who are using GitHub’s REST API and repositories, perhaps the more interesting question here is whether this is merely the beginning of a larger transformation away from username and password logins in services.
Sometimes, a project comes along that makes a good reference design for anyone doing similar work. In this particular case, it’s a DIY USB polygraph-like machine by [Juangg] using an Arduino and sensors on the hardware side, and a Python front end for data visualization. It’s even complete with 3D printed enclosure and sensor elements.
[Juangg] designed it to use three sensors: a pulse sensor, a breath sensor, and one to measure Galvanic Skin Response (GSR). The pulse sensor uses a piezo element pressed against a fingertip to detect changes in pressure resulting from blood flow. It can be picky about placement, but finding sweet spot can yield remarkably good readings. The breath sensor works on a similar principle but uses a 3D printed fixture to hold the sensor between a strap and the subject’s chest, so that breathing in and out can be detected. The GSR sensor is a voltage divider used to measure small changes in skin conductivity. How well does it all work? That depends on what one is looking to get out of it, but the documentation and design files are available from the project page and the GitHub repository if anyone wants a reference for similar work.
When it comes to safes, mechanical design and physical layout are just as important as the electronic bits. If care isn’t taken, one element can undermine the other. That appears to be the case with this Amazon Basics branded biometric pistol safe. Because of the mechanical design, the fingerprint sensor can be overridden with nothing more than a thin piece of metal — no melted gummi bears and fingerprint impressions involved.
[LockPickingLawyer] has a reputation for exposing the lunacy of poorly-designed locks of all kinds and begins this short video (embedded below) by stating that when attempting to bypass the security of a device like this, he would normally focus on the mechanical lock. But in this case, it’s far more straightforward to simply subvert the fingerprint registration.
This is how it works: the back of the front panel (which is inside the safe) has a small button. When this button is pressed, the device will be instructed to register a new fingerprint. The security of that system depends on this button being inaccessible while the safe is closed. Unfortunately it’s placed poorly and all it takes is a thin piece of metal slid through the thin opening between the door and the rest of the safe. One press, and the (closed) safe is instructed to register and trust a new fingerprint. After that, the safe can be opened in the usual way.
It’s possible that a pistol being present in the safe might get in the way of inserting a metal shim to hit the button, but it doesn’t look like it. A metal lip in the frame, or recessing the reset button could prevent this attack. The sensor could also be instructed to reject reprogramming while the door is closed. In any case, this is a great demonstration of how design elements can affect one another, and have a security impact in the process.
Of all the things which are annoying about the modern World Wide Web, the need to create and remember countless passwords is on the top of most people’s lists. From dozens of passwords for everything from social media sites to shopping, company, and productivity-related platforms like Github, a large part of our day is spent dealing with passwords.
While one can totally use a password manager to streamline the process, this does not absolve you from having to maintain this list and ensure you never lose access to it, while simultaneously making sure credentials for the password manager are never compromised. The promise of password-less methods of authentication is that of a world where one’s identity is proven without hassle, and cannot ever be stolen, because it relies on biometrics and hardware tokens instead of an easily copied password.
The FIDO2 project promises Web Authentication that means never entering a password into a website again. But like everything, it comes with some strings attached. In this article, we’ll take a look at how FIDO2 plans to work and how that contrasts with the state of security in general.
Although we hackers will sometimes deliberately throw away our passwords and then try and hack our own phones / WIFI systems for self amusement, for many people including the actual inventor of the password, Fernardo “Corby” Corbató (1926-2019), passwords have become extremely burdensome and dis-functional.
Sadly, Fernando (according to the internet) died on July 12th, and equally sadly, part of his legacy was the ordeal of his “having a three-page crib sheet to stay on top of his own 150+ passwords”.
We’re all used to being badgered by websites to use complex passwords with a minimum length and a minimum number of upper case characters, lower case characters, numerical digits and non alphanumeric characters AND being told at the workplace to use different passwords than at other places AND to being told to change our passwords regularly. The fact that somebody like Fernando had 150 passwords is not surprising.
However, there is some hope, as according toAlex Weinert of Microsoft, in his recent synopsis, “When it comes to composition and length, your password (mostly) doesn’t matter”. This may well sound counter-intuitive but Microsofts’s own research suggests that inter-webs gurus should focus more on “multi-factor authentication (MFA), or great threat detection” rather than badgering the user.
The research goes into quite a bit of detail about passwords and concludes that the biggest threat to password security is when criminals obtain data from insecure ‘breached’ sites, in which case it would not matter if your word was written in hieroglyphics, it would be of no consequence at all. Another interesting conclusion was that by making passwords so intractable this encouraged people such as Fernando himself to write them all down, only for someone to rummage through their office desk (technically known as ‘dumpster diving’) and copy them.
Maybe the end of the password will now swiftly be upon us as technology enables biometrics such as ocular based identifications to be more widely used, but then again we’ve all watched those films where the protagonist scoops the eyeball out of a person’s skull to gain entry to a secure area.
It’s easy to get carried away about passwords and security hype, but it should not be forgotten that Fernardo Corbató was an eminent computer scientist who pioneered ‘Time sharing’ on computers, as detailed in this Hackaday article: Retrotectacular: Time Sharing.
[Thomas Brewster] writes for Forbes, but we think he’d be at home with us. He had a 3D printed head made in his own image and then decided to see what phones with facial recognition he could unlock. Turns out the answer is: most of them — at least, those running Android.
The models tested included an iPhone X, an LG, two Samsung phones, and a OnePlus. Ironically, several of the phones warn you when you enroll a face that the method may be less secure than other locking schemes. Conversely, one phone had a faster feature that is known to make the phone less secure.
We have a love-hate relationship with biometric ID. After all, it looks so cool when the hero in a sci-fi movie enters the restricted-access area after having his hand and iris scanned. But that’s about the best you can say about biometric security. It’s conceptually flawed in a bunch of ways, and nearly every implementation we’ve seen gets broken sooner or later.
Case in point: prolific anti-biometry hacker [starbug] and a group of friends at the Berlin CCC are able to authenticate to the “Samsung Pay” payment system through the iris scanner. The video, embedded below, shows you how: take a picture of the target’s eye, print it out, and hold it up to the phone. That was hard!
Sarcasm aside, the iris sensor uses IR to recognize patterns in your eye, so [starbug] and Co. had to use a camera with night vision mode. A contact lens placed over the photo completes the illusion — we’re guessing it gets the reflections from room lighting right. No etching fingerprint patterns into copper, no conductive gel — just a printout and a contact lens.