Posts by Jin

112 publicly visible posts • joined 28 Aug 2012


School chat app Seesaw abused to send 'inappropriate image' to parents, teachers

Jin

Quick Fix for Preventing Re-Use of Password

Some people might think of removing the password altogether as the quickest and easiest solution. This approach might well appear to be the very best for the people who are of the view that “‘not good enough’ is ‘bad’ and ‘whatever is bad should be removed’” and “‘login with a token alone’ is securer than ‘a login with a password + a token’”.

Thales launches payment card with onboard fingerprint scanner

Jin

So, what should we do when we see a correct user falsely rejected?

Is the user expected to give up the payment opportunity altogether, or is he expected to feed in the default password as a fallback measure?

Alleging ‘improved usability’ would be misleading in the former case, whereas alleging ‘improved security’ would be misleading in the latter case.

As such, what they claim is false.

Incidentally, a nice figure is quoted as False Acceptance Rate, but such a figure makes no sense unless it comes with the empirical False Rejection Rate that corresponds to the said False Acceptance Rate; these two rates are in the trade-off.

Would-be password-killer FIDO Alliance aims to boost uptake with new UX guidelines

Jin

Remove password and army and you will have stronger identity security and national defense

Passwords are vulnerable to abuse while an army is vulnerable to air attack. Remove the vulnerable passwords and we will get more secure identity security. Remove the vulnerable army and we will get more secure national defense. Adversaries will be very comfortable in both cases.

A little phishing knowledge may be a dangerous thing

Jin

How informed?

Well-informed > Un-informed > Ill-informed > Misinformed > Disinformed

Microsoft 'kills' passwords, throws up threat manager, APIs Graph Security

Jin

Logic and rationale defied

The PIN is the weakest form of numbers-only password. If it can kill the password, a small sedan should be able to kill the automobile.

They allege that a PIN is stronger because it is linked to a device while the password is not linked to the device. Then we have to ask, "What if you made the password linked to the device?"

Biometrics: Better than your mother's maiden name. Good luck changing your body if your info is stolen

Jin

The Issue of False Rejection

The actual/measured false rejection rates in the Aadhaar scheme have been publicized - reportedly 6% for fingerprints and 8.5% for iris scan. Those who were falsely rejected need to be rescued somehow.

If passwords are to be used as an alternative to the biometrics (as a fallback means), the overall security would be lower than the password-only authentication. It would mean that the huge amount of money spent for biometrics had contributed only to ruining the security. What an irony!

No password? No worries! Two new standards aim to make logins an API experience

Jin

Security solutions expensively deployed for not improving security

We must look at what is NOT MENTIONED.

Firstly, biometrics used with a fallback password against false rejection provides a level of security lower than the password alone.

Secondly, physical tokens and devices that store biometric data, cryptographic keys or passwords are as subject to loss, theft and abuse as a memo with a password on it.

Refutations against this observation would be welcomed.

Lenovo's craptastic fingerprint scanner has a hardcoded password

Jin

Adding fingerprint to PIN-protected device brings a vulnerability

Don’t forget that biometrics with a fallback password comes with security lower than password authentication. Two entrances placed in parallel provide nice convenience to criminals.

Smartphones' security enhancements just make them more dangerous

Jin

And, at the end of the day, the security is lower than a PIN-alone login.

Even if perfected to be fake-proof, biometrics will remain insecure due to the inherent trade-off between False Acceptance and False Rejection, which demands the co-use of a fallback password. Two entrances placed in parallel provide nice convenience to criminals.

Windows 10 Hello face recognition can be fooled with photos

Jin

More important is the trade-off between false acceptance and false rejection

Hacking by photos, masks and brothers is a minor issue. Even if perfected to be fake-proof, biometrics will remain insecure due to the inherent trade-off between False Acceptance and False Rejection.

Two entrances placed in parallel in case of false rejection provide nice convenience to criminals. This is what we witness in so many biometrics products in cyberspace.

Archive of 1.4 billion credentials in clear text found in dark web archive

Jin

Not because we are silly or lazy.

Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.

At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Microsoft's memory randomization security defense is a little busted in Windows 8, 10

Jin

(False) sense of security, not security, matters to those people

This tells us that those people are not so much interested in offering security as in offering a false sense of security, which is more effective at dazzling consumers. We see a similar phenomenon in the case of biometrics, which is said to offer higher security but actually only offers higher convenience at the sacrifice of security.

For goodness sake, stop the plod using facial recog, London mayor told

Jin

False Acceptance versus False Rejection

It is astonishing that so many people are indifferent to the fact that FAR (False Acceptance Rate) and FRR (False Rejection Rate) are NOT independent from each other.

The level of a FAR that rejects a twin would have to bring the level of a FRR that rejects the registered user very frequently. The level of a FRR that eliminates the need of a fallback means would have to bring the level of a FAR that accepts nearly anyone.

No biometrics, whether static or behavioural, can escape this inherent characteristic.

Sure, Face ID is neat, but it cannot replace a good old fashioned passcode

Jin

Face ID can by no means be more reliable than a password

How would it be logically possible for Face ID to be more reliable than a password when it has to depend on a password (as a fallback means against false rejection)?

Thousand-dollar iPhone X's Face ID wrecked by '$150 3D-printed mask'

Jin

A terrific ‘one-in-a-million’ and an empirical ‘0.1%’, which of the two can we trust?

NIST and IARPA announced the winners of face recognition contest. The best figure for verification of 99.9% (0.1% reversely) seems to fall reasonably in the range that wouldn’t astonish anyone, although it does not look as fantastic as ‘one millionth’ that Apple boasts for Face ID.

This and the other related news that Apple’s Face ID was reportedly designed to learn to get fooled are not only eye-catching on their own but also demonstrate part of a more crucial problem.

It appears that the 'ex-factory Face IDs of low FAR with high FRR' are rapidly turning into the 'in-use Face IDs of high FAR with low FRR' day after day on a gigantic scale. Then criminals would only have to wait for a good time to come.

In any case, most critical is the fact that Face ID and other biometrics solutions are dependent on a fallback password, which only results in a level of security lower than that of a password-only authentication and also that of a biometrics-only authentication.

Apple’s facial recognition: Well, it is more secure for the, er, sleeping user

Jin

What Do False Acceptance and False Rejection Mean for Face ID?

What does FAR mean when it does not come with the corresponding FRR?

Answer: It means nothing.

According to some tech media, the FAR (false acceptance rate) of iPhone X Face ID is said to be one millionth, which might be viewed as considerably better than the reported one 50,000th of Touch ID.

It is not the case, however. The fact is that which is better or worse can by no means be decided when the corresponding FRRs (false rejection rates) of Face ID and Touch ID, which are in a trade-off relation with FAR, are not known. This crucial observation is seldom reported by major tech media. It is really sad to see the misguided tech media spreading misguiding information on a huge scale.

The only meaningful fact that we can logically get confirmed by the trade-off between FAR and FRR is that the biometrics deployed with a password as a fallback means against false rejection would only provide the level of security lower than that of a password-only authentication.

Face ID, which brings down security as such, could be recommended only for those who want better convenience, as in the case of Touch ID. If recommended for better security, it would only get criminals and tyrants delighted.

Security professionals are expected to speak up.

30-second video - https://youtu.be/7UAgtPtmUbk
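The FAR/FRR trade-off argued in this comment and in the earlier "False Acceptance versus False Rejection" comment, worked through as an added example that is not the commenter's code. It assumes a toy matcher whose genuine and impostor comparison scores follow constructed Gaussian distributions, and a constructed per-attempt password-guessing probability; a real product would need empirical figures, which is the comment's point.

```python
"""FAR/FRR trade-off and the "two entrances in parallel" argument.

Added illustration (not the commenter's or any vendor's code). The
matcher below is a toy: genuine and impostor scores are modelled as
normal distributions with constructed parameters.
"""
import math


def _norm_cdf(x: float) -> float:
    """Standard normal CDF via the error function."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


class ToyMatcher:
    """Biometric matcher with Gaussian score models (constructed numbers)."""

    def __init__(self, mu_genuine: float = 4.0, mu_impostor: float = 0.0,
                 sigma: float = 1.0):
        self.mu_g, self.mu_i, self.sigma = mu_genuine, mu_impostor, sigma

    def far(self, threshold: float) -> float:
        """False acceptance rate: P(impostor score >= threshold)."""
        return 1.0 - _norm_cdf((threshold - self.mu_i) / self.sigma)

    def frr(self, threshold: float) -> float:
        """False rejection rate: P(genuine score < threshold)."""
        return _norm_cdf((threshold - self.mu_g) / self.sigma)

    def threshold_for_far(self, target_far: float) -> float:
        """Decision threshold giving a target FAR. FAR falls as the
        threshold rises, so a bisection on the threshold suffices."""
        lo = self.mu_i - 12.0 * self.sigma                   # FAR ~ 1 here
        hi = max(self.mu_g, self.mu_i) + 12.0 * self.sigma   # FAR ~ 0 here
        for _ in range(200):
            mid = (lo + hi) / 2.0
            if self.far(mid) > target_far:
                lo = mid
            else:
                hi = mid
        return (lo + hi) / 2.0

    def frr_at_far(self, target_far: float) -> float:
        """The FRR the matcher pays for a given FAR setting."""
        return self.frr(self.threshold_for_far(target_far))


def tradeoff_table(matcher: ToyMatcher, far_targets):
    """(FAR, FRR) pairs along the trade-off curve, one per target FAR."""
    return [(f, matcher.frr_at_far(f)) for f in far_targets]


def impostor_success(far: float, p_password: float, mode: str) -> float:
    """Probability that an impostor, with guessing chance p_password per
    password attempt, gets in with one attempt at each entrance.
    'or' : biometric OR fallback password opens the door (the parallel
           deployment the comment criticises); never below p_password.
    'and': both are required in series; never above p_password, but the
           genuine user now suffers the FRR on every login."""
    if mode == "or":
        return 1.0 - (1.0 - far) * (1.0 - p_password)
    if mode == "and":
        return far * p_password
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    m = ToyMatcher()
    for far, frr in tradeoff_table(m, [1e-2, 1e-3, 1 / 50000, 1e-6]):
        print(f"FAR {far:.1e} -> FRR {frr:.1%}")
    p_pw = 1e-4  # constructed: attacker's per-attempt password guess chance
    print("password only:", p_pw)
    print("face OR pwd  :", impostor_success(1e-6, p_pw, "or"))
    print("face AND pwd :", impostor_success(1e-6, p_pw, "and"))
```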

Jin

What is the FRR/FNMR when the FAR/FMR is claimed to be one millionth?

The FAR/FMR (false acceptance/false match) of Face ID, reportedly one millionth, would make sense only when it comes with the corresponding FRR/FNMR (false rejection/false non-match) and when the values are empirical, not theoretical. I expect The Register to obtain the whole picture with all the empirical figures.

Jin

Face ID - Nice way to get criminals delighted

So long as a fallback password is needed in case of false rejection, biometrics brings down security as explained in this video.

- Biometrics in Cyber Space - "below-one" factor authentication

https://youtu.be/wuhB5vxKYlg

Mo' money mo' mobile payments... Security risks? Whatever!

Jin

Bringing in biometrics, things get even riskier

So long as a fallback password is needed in case of false rejection, biometrics brings down security as explained in this video.

- Biometrics in Cyber Space - "below-one" factor authentication

https://youtu.be/wuhB5vxKYlg

Biometric data stolen from corporate lunch rooms system

Jin

Mix up ‘Unique’ with ‘Secret’ and confuse ‘Identification’ with ‘Authentication’?

Biometrics follows “unique” features of individuals’ bodies and behaviors. It means that it could be well used when deployed for identification of individuals who may be conscious or unconscious, alive or dead. Due respect could be paid to biometrics in this sphere.

Being “unique” is different from being “secret”, however. It would be a misuse of biometrics if deployed for security of the identity authentication of individuals.

Confusing “Identification” with “Authentication”, we would be building a sandcastle in which people are trapped in a nefarious false sense of security. However gigantic and grandiose it may look, the sandcastle could melt away altogether when we have a heavy storm.

Video: Biometrics in Cyber Space - "below-one" factor authentication

https://youtu.be/wuhB5vxKYlg

How good are selfies these days? Good enough to fool Samsung Galaxy S8 biometrics

Jin

Another demonstration of "unique" being different to "secret"

Authentication by biometrics comes with poorer security than PIN/password-only authentication. This video explains how biometrics makes a backdoor to password-protected information.

https://youtu.be/5e2oHZccMe4

Also there is an interesting discussion about this issue on Payments Journal

http://www.paymentsjournal.com/Content/Blogs/Industry_Blog/35382/

Mastercard launches card that replaces PIN with fingerprint sensor

Jin

What when falsely rejected?

When the sensors are set so as to effectively reject a third person, cases of false rejection of legitimate users happen frequently. What would you do when you are falsely rejected?

If you are requested to resort to the PIN, we are not talking about security but just convenience. Convenience for you as well as criminals, as shown in this 30-second video.

https://youtu.be/7UAgtPtmUbk

Zero-days? Sexy, sure, but crap passwords and phishing are probably more pressing

Jin

However disliked, passwords are absolutely necessary

However nicely designed and implemented, devices, tokens, cards and phones are easily left behind, lost, stolen and abused. Biometrics brings down security in cyberspace. Then the remembered password would be the last resort.

And, in a world where we live without remembered passwords, say, where our identity is established without our volitional participation, we would be able to have a safe sleep only when we are alone in a firmly locked room. It would be a Utopia for criminals but a Dystopia for most of us.

Are you aware of this?

https://youtu.be/-KEE2VdDnY0

Security slip-ups in 1Password and other password managers 'extremely worrying'

Jin

All eggs in a basket?

Putting all your eggs in one basket and placing it on a shaky shelf would not sound like a nice idea.

It remembers all my passwords when un-hacked and loses all my passwords to criminals when hacked. It should be operated in a decentralized formation or should be considered mainly for low-security accounts, not for high-security business which should desirably be protected by all different strong passwords unique to each account.

Human memory, or the lack of it, is the biggest security bug on the 'net

Jin

Different Memories

Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.

At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Are you aware of this?

https://youtu.be/-KEE2VdDnY0

Just give up: 123456 is still the world's most popular password

Jin

Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.

At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Are you aware of this?

https://youtu.be/-KEE2VdDnY0

Visa cries foul over Euro regulator's stronger authentication demands

Jin

Crying for criminal-friendly authentication?

It’s really surprising to see so many people so tragically misinformed. Biometrics should not be brought in where you need to be security-conscious. This video explains why and how.

https://youtu.be/5e2oHZccMe4

Jin

Biometrics used with a fallback password would ruin the security

Authentication by biometrics in cyberspace comes with poorer security than PIN/password-only authentication. This video explains why and how it is the case.

https://youtu.be/5e2oHZccMe4

Sorry, iPhone fans – only Fandroids get Barclays' tap-to-withdraw

Jin

Keep biometrics away if security matters

Authentication by biometrics in cyberspace comes with poorer security than PIN/password-only authentication. This video explains why and how.

https://youtu.be/5e2oHZccMe4

Stolen passwords integrated into the ultimate dictionary attack

Jin

Password could work if expanded

Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.

At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Are you aware of this?

https://youtu.be/-KEE2VdDnY0

Mastercard rolls out pay-by-selfie across Europe

Jin

Criminals would be delighted

“User passwords are typically the easiest point of attack”, so it is recommended to use your face with the user password as a fallback means against false rejection, so that you/a criminal can log in either by your face (videoed face) or your password. Is this a wise idea?

This video explains how biometrics makes a backdoor to password-protected information.

https://youtu.be/5e2oHZccMe4

True man-in-the-middle: Transmitting logins through the human body

Jin

Look at body features to scan before looking at the body flesh for data transmission.

Biometrics are easy to fake, impossible to reset, intrusive and costly on top of contributing to poorer security as outlined in

'Biometrics in Cyber Space - "below-one" factor authentication'

https://youtu.be/wuhB5vxKYlg

Fingerprint tech makes ATMs super secure, say banks. Crims: Bring it on, suckers

Jin

Biometrics are treats for criminals

Criminals can be given chances to use either the fingerprint data or the user's PIN, as shown in

https://youtu.be/5e2oHZccMe4

Intel, Lenovo officially gone to the dogs – with FIDO fingerprint logins

Jin

Alas! Criminals would be delighted.

This video explains how biometrics ruins the security of password protection.

https://youtu.be/5e2oHZccMe4

Brits: Can banks do biometric security? We'd trust them before the government

Jin

Widespread Misinformation on Biometrics

It’s really worrying that so many people are so tragically misinformed. Authentication by biometrics comes with poorer security than PIN/password-only authentication. The following video explains how biometrics makes a backdoor to password-protected information.

https://youtu.be/5e2oHZccMe4

HSBC: How will we verify business banking customers? Selfies!

Jin

Alas! So badly misguided.

Biometrics should not be activated where you need to be security-conscious.

https://youtu.be/wuhB5vxKYlg

US standards lab says SMS is no good for authentication

Jin

More important is prohibiting biometrics for 2F schemes.

Biometrics should not be activated where you need to be security-conscious.

It is known that authentication by biometrics usually comes with poorer security than PIN/password-only authentication. The following video explains how biometrics makes a backdoor to password-protected information.

https://youtu.be/5e2oHZccMe4

Iraqi government finally bans debunked bomb-finding dowsing rods

Jin

Similar case found in cyber space

This news reminds me of the biometrics misused for cybersecurity.

For more, have a look at this 2-minute video.

- Biometrics in Cyber Space - "below-one" factor authentication

https://youtu.be/wuhB5vxKYlg

You really do want to use biometrics for payments, beam banks

Jin

Biometrics ruins cybersecurity

It is a pity that so many people are misinformed. Biometrics ruins cybersecurity, however inconvenient it is for many people to admit. This video may help in understanding this fact.

https://youtu.be/wuhB5vxKYlg

Meet the grin reaper: Password manager now snaps login SELFIES

Jin

Authentication by selfies ruins the security of password protection.

They seem to be badly misinformed.

Authentication by biometrics usually comes with poorer security than PIN/password-only authentication as illustrated in this video.

https://youtu.be/5e2oHZccMe4

Body of evidence: Biometrics and YOU

Jin

How long can we remain indifferent to this ruinous misinformation?

Eye-opening experience about biometrics, passwords and cybersecurity

https://youtu.be/5e2oHZccMe4

Google to kill passwords on Android, replace 'em with 'trust scores'

Jin

False Rejection Vs False Acceptance

False acceptance must be zero or very close to zero. Then false rejection necessarily occurs. Falsely rejected users must be rescued somehow. In cyber space, the users have to rescue themselves if they are not ready to accept the denial of access. They need a password for fallback. Passwords will never be allowed to go away.

The following video explains how biometrics with a fallback password makes a backdoor to password-protected information.

https://youtu.be/5e2oHZccMe4

Yahoo! kills! more! passwords! with! push! notification! app!

Jin

Kill the password and you will see criminals delighted.

In a world where we live without remembered passwords, say, where our identity is established without our volitional participation, we would be able to have a safe sleep only when we are alone in a firmly locked room. It would be a Utopia for criminals but a Dystopia for most of us.

Biometrics not a magic infosec bullet for web banking, warns GCHQ bloke

Jin

Biometrics ruins password security

This short video explains how biometrics makes a backdoor to password-protected personal secrets.

https://youtu.be/5e2oHZccMe4

Apple: FBI request threatens kids, electricity grid, liberty

Jin

There is a backdoor already

Something is apparently overlooked in the discussions over the backdoor. iPhone and many other smart devices already have valid backdoors, namely, a fingerprint scanner or a set of camera and software for capturing faces, irises and other body features, which can be collected from the unyielding, sleeping, unconscious and dead people.

It is now known that authentication by biometrics usually comes with poorer security than PIN/password-only authentication. If Apple wants to claim that they are conscious of privacy and security, they could tell consumers to turn off the biometric functions. If the authority wants to have those backdoors open, they could tell consumers to keep them turned on at all times. And, security-conscious consumers could certainly refrain from turning them on.

Gartner to FBI: Stop bullying Apple and the tech industry

Jin

A backdoor is already there.

iPhone and many other smart devices already have valid backdoors, namely, a fingerprint scanner or a set of camera and software for capturing faces, irises and other body features, which can be collected from the unyielding, sleeping, unconscious and dead people.

If Apple wants to claim that they are conscious of privacy and security, they could tell consumers to turn off the biometric functions. If the authority wants to have those backdoors open, they could tell consumers to keep them turned on at all times. And, security-conscious consumers could certainly refrain from turning them on.

Security real talk time: So what exactly do we mean by 'backdoor'?

Jin

A backdoor that already exists

It appears that something significant is overlooked in the heated debates about the backdoor.

The recent models of iPhone and many other smart devices already have an effective backdoor, namely, a fingerprint scanner or a set of camera and software for capturing faces, irises and other body features, which are easily collected from the unyielding, sleeping, unconscious and dead people.

The vendors of those smart devices who are conscious of the privacy and security of consumers could tell the consumers not to turn on the biometric functions. The authorities who want these biometric backdoors to be kept open could tell consumers to keep them turned on at all times. And, needless to say, consumers who are concerned about their privacy and security could refrain from activating those backdoors.

How long is your password? HTTPS Bicycle attack reveals that and more

Jin

Easier said than done

Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.

At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Incidentally, biometrics are dependent on passwords registered in case of false rejection in cyberspace. So are multi-factor authentications and ID federations like password managers and single-sign-on services. And, in a world with passwords killed dead, we have no safe sleep. Passwords will stay with us for long.

John McAfee rattles tin for password replacement tech

Jin

Who will be pleased?

However nicely designed and implemented, physical tokens, cards and phones are easily left behind, lost, stolen and abused. Then the remembered password would be the last resort.

And, in a world where we live without remembered passwords, say, where our identity is established without our volitional participation, we would be able to have a safe sleep only when we are alone in a firmly locked room. It would be a Utopia for criminals but a Dystopia for most of us.

Incidentally, biometrics are dependent on passwords in the cyber space. So are multi-factor authentications and ID federations like password-managers and single-sign-on services. Passwords will stay with us for long.

It is too obvious, anyway, that the conventional alphanumeric password alone can no longer suffice and we urgently need a successor to it, which should be found from among the broader family of the passwords (= what we know and nobody else knows).
