Active Topics

 


Reply
Thread Tools
Posts: 958 | Thanked: 3,426 times | Joined on Apr 2012
#2661
For me, fingerprint is useful in that it's more secure than "no passcode", which is usually my default given how often I unlock the phone and how inconvenient other unlock types are (for instance, you have to be looking at the phone to type a passcode).
 

The Following 5 Users Say Thank You to taixzo For This Useful Post:
pichlo's Avatar
Posts: 6,445 | Thanked: 20,981 times | Joined on Sep 2012 @ UK
#2662
Originally Posted by juiceme View Post
fingerprint is not a password, fingerprint is an user ID.
You are right and you are also right that people get confused about the distinction but (IMO) not quite in the way you think.

All access verification methods are about whether you have an access to some resource, be it a broom cupboard or a nuclear launch button. User identification is only secondary, on the principle that since juiceme is on the list of users who can enter the broom cupboard, once you identify a user as juiceme you can grant him the access.

There are three methods of access verification, based on something that you, in a decreasing level of security,
  1. are (the guard at the secret vault door recognizes you as the king, so he lets you in)
  2. have (a passport, an ID card, a key...)
  3. know (some piece of information that only select few know, e.g. a password or a pass phrase)

In the electronic age, various biometric entry methods (fingerprint, iris scan, facial recognition) fall under #1. A key card, microchip etc. would be #2. And finally, a password is of course #3.

There is nothing special about passwords. They are nothing but a way of checking that someone who claims to be juiceme really is juiceme, by prompting for a piece of information that (hopefully) only juiceme knows. But passwords are easy to share and thus are the most convenient for when you need to give access to many people simultaneously, including when that select group changes dynamically. But for the same reason, passwords are by far the least secure authentication method.

Passports, ID cards and keys are more secure for the simple reason that they are more difficult to copy. Not impossible and they can be lost or stolen but still less easy than passwords. But they are not very practical for granting access to resources that are a similar size to the key itself, such as a mobile phone.

Biometric identification has the potential to be the most secure. The guard letting only the king in would not be easily fooled and really only let the king in. And so it is with fingerprint, iris or facial recognition - at least in theory. But unfortunately the technology available to the likes of you and I still has some way to go, as you correctly point out. So, at least for the time being, the least secure method (the password) remains, ironically, the most secure. Hopefully not for long.
__________________
Русский военный корабль, иди нахуй!

Last edited by pichlo; 2018-07-13 at 07:27.
 

The Following 14 Users Say Thank You to pichlo For This Useful Post:
Community Council | Posts: 4,920 | Thanked: 12,867 times | Joined on May 2012 @ Southerrn Finland
#2663
Thank you @pichlo for summing this up in such an excellent way!

You are correct that the 1st kind of authentication method is the most secure in theory, but fingerprint is unfortunately one of the least secure ways to do it; the simple fact is that we are all the time leaving the damn things around for anybody to take!

I'd say something like an iris scan would be acceptable (or even better, a retinal scan since iris patterns can be copied off hi-resolution photos) provided the sensor could make a difffernce between a real living eye and a picture on an eye.
Or maybe an eeg-scan; provided that brain patterns of people are different enough?
Anything based on stuff we leave lying around like fingermarks or DNA is useless IMHO.

The 2nd kind of authentication is a fairly good compromise, but it has this problem of being the kind that can be lost, damaged, stolen, given away,... etc.

As for passphrases/PIN's; those are actually fairly secure since they are stored in the mind only. Losing those accidentally is much more difficult, provided of course people are not so stupid as writing 'em down on pieces of paper...

All in all, the best thing of course is to have access granted on a combination of two or more types of authentication; hence nowdays the trend of having 2-factor auth in many online systems. If done correctly it is mostly usable and secure enough.

And for the grand finale, a small tale on how this can easily go wrong.

Once upon a time there was a company that implemented remote connection security by a system where there were RSA tokens that generate a OTP code that one needed to salt with a PIN to get the access verification code.
This is fairly secure since the code was generated in a sealed box containing the algorithms and the pin was memorized in users mind; you needed both something-you-have and something-you-know

However this scheme has drawbacks; the token fobs cost money, the battery needs to be replaces every few years and there needs to be a whole support infrastructure and logistics for it.
Now the clever guys in some pennypinching department decided that it is important to save money, and they changed the system so that you need a software RSA token generator which can be run in a windoze PC or mobile phone, and that combined with the PIN provides the access code.

Now what's wrong with this thing? A plenty whole lotta!
What they had done is replace something-you-have & something-you-know with something-you-know & something-you-know!

A software solution is definitely not something-you-have. It can be copied to another system, given away, stolen without one ever knowing, etc...
Even though the RSA software is using a supposedly-unique-identifier of a windoze system-ID or cellphone IMEI, it's no protection since any child can write a wrapper/emulator around it to feed the application the data it expects...
 

The Following 7 Users Say Thank You to juiceme For This Useful Post:
pichlo's Avatar
Posts: 6,445 | Thanked: 20,981 times | Joined on Sep 2012 @ UK
#2664
But, juiceme, you could say the same about the RSA tokens. They are also a software silution, however disguised as a piece of hardware. Just like any other key, they are the "security through obscurity" type, relying on the key being difficult to copy. Done right, any other software solution could be no worse han that.

FWIW, our company also replaced RSA tokens with a mobile "app" for the second level authentication. I believe the "app" is one of those that are a mere front-end to a server solution but I do not really know or care. Luckily they have a backup for the few Luddities like me who do not have (in my case by choice) an Android or iOS phone: the system sends me an SMS with the unlock OTP. The disadvantage is that I had to tell the company my mobile phone number. You just can't win, they always find a way to get you in the end.

The system is far from perfect and is actually quite annoying. I understand that they want to guard the entry to sensitive areas like git and Jira but come on, you really do not have to bother me with authentication when I have already authenticated once to enter the network - either by logging in to the company network (where only authenticated devices are allowed entry) or to VPN (with another two-stage authentication). So I end up with SMS OTP several times for each operation. The word paranoia does not start to cover it
__________________
Русский военный корабль, иди нахуй!
 

The Following 4 Users Say Thank You to pichlo For This Useful Post:
Posts: 84 | Thanked: 267 times | Joined on Apr 2016
#2665
@pichlo Luddites at TMO? : ) I Suppose there is a modern definition for TMO luddite. ???

ps. My bank wants to use app for access codes, but it's not running on sailfish. So I got a small device. ---> makes me a fellow Luddite .
 

The Following 3 Users Say Thank You to feedme For This Useful Post:
Amboss's Avatar
Posts: 237 | Thanked: 502 times | Joined on May 2010 @ Mittelfranken, Germany
#2666
As far as I can remember RSA tokens is even more f**d up as they stored the seeds of their customers on their server somewhere. They weren't supposed to do that at all and they had promised their customers not to do so.
I wouldn't trust them any security token or softwarewise.

Can't find the security advisory from their CEO anymore, the former link ends dead. They probably moved it to "can't be found easily". I can find only this German link: https://heise.de/-1210245

That makes "something-you-have" obsolete in this case

EDIT: Sorry, forgot to mention: They did not only store the seeds, they also got them copied by some intruder (=stolen).

Last edited by Amboss; 2018-07-13 at 14:17.
 

The Following 3 Users Say Thank You to Amboss For This Useful Post:
Posts: 649 | Thanked: 762 times | Joined on Mar 2012 @ Ohio
#2667
Originally Posted by juiceme View Post
Yes, there are solutions for that too, the random keyplacement lockscreen, picture lock, etc...

The problem of fingerprint is that it has been verified that one can create an "artifical finger" from gelatin and a fingermark left into glass or similar surface.
I don't know what you guys have on your phone, but my reason for locking my device is not because I think someone will access my nuclear launch codes, but because I don't want my son to play on my phone. I feel fairly confidant that he won't be molding any artificial fingers any time soon.
 

The Following 9 Users Say Thank You to imaginaryenemy For This Useful Post:
Posts: 1,288 | Thanked: 4,316 times | Joined on Oct 2014
#2668
I prefer they cut my finger, rather than my Iris ��
 

The Following 10 Users Say Thank You to nieldk For This Useful Post:
Community Council | Posts: 4,920 | Thanked: 12,867 times | Joined on May 2012 @ Southerrn Finland
#2669
Originally Posted by imaginaryenemy View Post
I don't know what you guys have on your phone, but my reason for locking my device is not because I think someone will access my nuclear launch codes, but because I don't want my son to play on my phone. I feel fairly confidant that he won't be molding any artificial fingers any time soon.
What is there in phones, hmm?
  • PKI keys to everything from jenkins servers to github accounts and between
  • email correspondance, both professional and private
  • sms/mms correspondance, both professional and private
  • contact details for famous and infamous people
  • compromising pictures that could get you blackmailed
  • compromising pictures used for blackmail
  • cryptocurrencies
  • passwords for ebay, paypal, amex, visa, various banks, national lottery, car rental companies, airline accounts, etc...
  • personal documentation, medical information, electronic medicine receipts
  • GPS traces and tracks, coordinates for caches of drugs and precious metals

Getting access to someone's phone is the best way to hack that person, to totally steal identity.
Even if there is no special information in the device itself; just about every online account you have has 2-factor-auth based on your phone number. And the email client in the phone most probably already remembers your mail password... Need I spell it out for you?
 

The Following 9 Users Say Thank You to juiceme For This Useful Post:
Posts: 1,288 | Thanked: 4,316 times | Joined on Oct 2014
#2670
Needless to point out. Without fulldisk encryption, all of that is easily available, nevermind type of passcode, fingerprint, iris or bloodtest.
 

The Following 8 Users Say Thank You to nieldk For This Useful Post:
Reply

Tags
sailfish os, sony xperia x

Thread Tools

 
Forum Jump


All times are GMT. The time now is 08:10.