I'm not sure biometric identification is such a great idea... with fingerprint id, it could make the bad guys have an incentive to chop fingers... Also, a fingerprint can be acquired in other ways and then replicated sintetically.
In the same fashion, voice identification doesn't seem to be so secure, since it could also be recorded... and if it were commonly used, there would probably be enough incentive to build on top of current text-to-speech and speech synthetizers, to emulate a voice, given enough sample data.
Also, what are the chances that someone can have a similar pitch/tone/voice as the password holder? I bet someone with enough incentive could find another like it.
ie. Google Glass fiasco where you could say, 'OK Google, porn,' behind people who are wearing Google Glass.
On my Moto X (2014), which has a custom activation phrase (mine is "Excuse me Carson"), I've noticed that my wife can not actually activate it. Other men often can, though.
It's not designed to be an authentication feature, of course.
Google Now doesn't care who says "OK, Google"; it'll (intentionally, I assume) allow anyone to say it.
Actual voice identification works in a similar way to how apps like Shazam do: they build a "fingerprint" of your voice. This is why it still works if you have a cold, or for some reason the pitch of your voice changes.
Although the "chop a finger" tactic might be a worry in some exceptional cases... in the vast majority of cases I think "punch someone in the face until they reveal their password" is a more plausible tactic.
It also just doesn't matter for a lot of cases. A lot of the systems people often think of as super important and secure and permanent (like banking) have a fair amount of wiggle room for rollback in the event of fraud/crime/etc, and policies/processes to minimize the extent to which you can carry out irreversible transactions. Security is imperfect, so there's value in a system which is robust to security failure.
If we assume that someone is giving the pass-phrase they've selected in their voice, then it does make the guess more expensive. Now there are two things to guess: What they sound like saying a particular thing and what that thing is.
Of course if you have a secure pass-phrase you're not gaining too much there. It's already very difficult to break. But ho-hum, it's not automatically a terrible idea.
Someone could record you saying it, but on the one hand I don't think that you're as much at risk from someone around you recording your password as you are from someone trying to guess it, and on the other this is a vulnerability that other forms of password share too - though I grant with a slightly different recording procedure.
The problem is that a lot of systems perceives biometric as password, while it really is a user name. Biometric doesn't provide security when there's possibility that people can tamper with it.
Like Bruce Schneier says...
"The lesson is that biometrics work best if the system can verify that the biometric came from the person at the time of verification. The biometric identification system at the gates of the CIA headquarters works because there's a guard with a large gun making sure no one is trying to fool the system."[1]
Hyperbole. Clearly, it's not a username. Touch ID has improved security for most users, precisely because it works more like a password than a username. (We all know it's not as secure as a real password.)
It's just a really long, complex, and hard to copy username. In many cases, that is much better than a username/password combination. But it's still just something you are/have and not something you know.
This could also be said about passwords:
I have bad memory I can't remember a long complex password.. Point being that there are issues with all forms of security. Bullet proof glass for example can be taken out by an RPG this reasoning is only detrimental to the advancement, innovation, and implementation of layers of security to protect consumers. I think it's neat and my take a way from the article is that the author felt comforted by the fact that at least someone at the bank appreciated the movie sneakers and was attempting to increase security measures through innovation.
I've used voice authentication with Nuance's SDK before and having a cold or gaining weight does not affect the verification process. It is based on acoustioc signatures in your voice and not necessarily a precise recreation of the original recording. This isn't a problem with this approach.
BTW: His main point is, "the best part is that clearly someone at the vast institution that is my bank—someone in a position of some authority no less—is a nerd."
His main point is not that it will be fast/secure/good.
Mac OS 9 had a voice login option. In my experience, it did not work very well because my voice when I first woke up in the morning was very different from my voice later on during the day, such that my Mac did not recognize my early morning voice when I tried to log in.
e: and yes, I believe the default phrase for the voice login option was "my voice is my passport."
Hmm. This the same biometric login routine used by USAA for their mobile apps. Curious to know who actually built it, is it being used under license or is it delivered as a service. Anyone have info?
Fingerprint, iris, and voice are identifiers not authenticators. Their perceived security comes from their perceived scarcity and difficulty in emulating their presence, barriers that are being removed as technology gets better. In the future the device will know who you are identified as by detecting these markers but you'll still need to prove you are who you are presenting yourself to be.
Fingerprints are still a better authenticator than a 4 digit passcode in practice. Nothing is infallible, it just needs to be good enough. Biometric security things can be very good at preventing 99% of the problems with 1% of the effort.
I disagree. Yes, fingerprints can be faked. But it is much harder to fake a fingerprint than to discover a passcode of a casual user by just watching them type it.
I'm absolutely sure that a much smaller percentage of fingerprint protected phones are accessed by unauthorized persons than passcode or password protected phones.
Most importantly, it requires a perfect finger print image. Random smears from your phone screen or a glass won't work.
The process is so complicated that only a very small percentage of the population is able to do it; anyone can peek over your shoulder when you unlock your phone (which most people will do dozens or hundreds or hundreds of times per day).
Last, remember that you only have limited attempts with your fake finger; in the demonstration video they only show unlocking a freshly trained phone in a controlled setting, they don't actually unlock a phone "in the wild".
Clearly we seem to have a different idea of what constitutes "easy".
I'm not claiming that biometric authentication is a good idea against a targeted attack.
But I do think that they offer adequate protection against opportunistic attacks. It prevents random thieves from accessing my data, and it's convenient enough that people actually use it. It will significantly increase security on average.
If someone is targeting you specifically, neither a fingerprint nor a (usually short) passcode is adequate protection.
I'm not convinced. To get someone's passcode, I have to watch them type it in; something that happens in few places, at few times, and when they do it they will be aware of the need to not let me shouldersurf.
To get someone's fingerprints, I can simply wait until they touch something, or if I don't want to do it that way, I can take a picture of their fingers. I could do this from a distance without them ever knowing.
Sure, once I have their passcode, it's a lot easier that making the physical fake fingerprint, but getting a copy of their fingerprint is easy.
Fingerprint as part of 2 Factor Auth is nice. Instead of getting a text and copying it into a text box, I just swipe my finger. It's much more convenient and provides even better security.
Biometric security is one of the worst things to happen to security.
Personally I hate passwords, but biometrics aren't the answer.
How do you revoke the privilege when they are compromised?
How do you give the keys to someone else?
What happens when there is a life changing event that render your biometrics obsolete?
Can you still you a gumi bear to fool a fingerprint reader?
Sneakers - one of the best computer movies when I was a kid. I used to watch it over and over again. Good times. Must go find it somewhere. That movie probably had an impact on actually getting into the business later on.
I loved this movie and I still watch it a few times a month as I am working on other things. Sometimes listening to movies provides me more focus than random music from my playlists.
I'm the same way - for me, "Bladerunner", "Barbarella" and "Flash Gordon" are on auto-repeat as my background noise for serious coding sessions. For some reason these 3 movies just work so well in that sense ..
44 comments
[ 4.1 ms ] story [ 97.6 ms ] threadIn the same fashion, voice identification doesn't seem to be so secure, since it could also be recorded... and if it were commonly used, there would probably be enough incentive to build on top of current text-to-speech and speech synthetizers, to emulate a voice, given enough sample data.
ie. Google Glass fiasco where you could say, 'OK Google, porn,' behind people who are wearing Google Glass.
It's not designed to be an authentication feature, of course.
Actual voice identification works in a similar way to how apps like Shazam do: they build a "fingerprint" of your voice. This is why it still works if you have a cold, or for some reason the pitch of your voice changes.
It also just doesn't matter for a lot of cases. A lot of the systems people often think of as super important and secure and permanent (like banking) have a fair amount of wiggle room for rollback in the event of fraud/crime/etc, and policies/processes to minimize the extent to which you can carry out irreversible transactions. Security is imperfect, so there's value in a system which is robust to security failure.
Of course if you have a secure pass-phrase you're not gaining too much there. It's already very difficult to break. But ho-hum, it's not automatically a terrible idea.
Someone could record you saying it, but on the one hand I don't think that you're as much at risk from someone around you recording your password as you are from someone trying to guess it, and on the other this is a vulnerability that other forms of password share too - though I grant with a slightly different recording procedure.
Like Bruce Schneier says... "The lesson is that biometrics work best if the system can verify that the biometric came from the person at the time of verification. The biometric identification system at the gates of the CIA headquarters works because there's a guard with a large gun making sure no one is trying to fool the system."[1]
[1] https://www.schneier.com/blog/archives/2009/01/biometrics.ht...
I have a pretty severe cold today. My voice is unrecognizable. But I can still remember a password.
All future technology has, apparently, been predicted by 1980/90s sci fi.
His main point is not that it will be fast/secure/good.
[1] https://www.youtube.com/watch?v=G_XRqJV2zdk
http://www.phonelosers.org/2008/05/pla-radio-episode-17-voic...
That was in 2008.
e: and yes, I believe the default phrase for the voice login option was "my voice is my passport."
It was actually "my voice is my password" not "passport."
Fingerprints and a password, sure, but fingerprints only is the worst idea possible.
I'm absolutely sure that a much smaller percentage of fingerprint protected phones are accessed by unauthorized persons than passcode or password protected phones.
You could also be compromised by your glass in a bar, a handshake, the door handle of your car or your house.
Passwords can be changed but you can't change a finger so this sums up why fingerprints are shit.
Most importantly, it requires a perfect finger print image. Random smears from your phone screen or a glass won't work.
The process is so complicated that only a very small percentage of the population is able to do it; anyone can peek over your shoulder when you unlock your phone (which most people will do dozens or hundreds or hundreds of times per day).
Last, remember that you only have limited attempts with your fake finger; in the demonstration video they only show unlocking a freshly trained phone in a controlled setting, they don't actually unlock a phone "in the wild".
Legally, scanners are only allowed to save a certain amount of key points in your fingerprint, not the whole fingerprint.
False-positives are thus likely as are fingerprint collisions (like hash collisions).
And you still can't modify your finger once it has been hacked a SINGLE time.
I'm not claiming that biometric authentication is a good idea against a targeted attack.
But I do think that they offer adequate protection against opportunistic attacks. It prevents random thieves from accessing my data, and it's convenient enough that people actually use it. It will significantly increase security on average.
If someone is targeting you specifically, neither a fingerprint nor a (usually short) passcode is adequate protection.
To get someone's fingerprints, I can simply wait until they touch something, or if I don't want to do it that way, I can take a picture of their fingers. I could do this from a distance without them ever knowing.
Sure, once I have their passcode, it's a lot easier that making the physical fake fingerprint, but getting a copy of their fingerprint is easy.
/off-topic