But on my iPhone? 1Password has had to integrate its own browser on its iOS app that I need to use if I want a simple way to log in to all my sites.
Please edit the post, this is just ghastly.
I would love something like this. I hate signing into apps (mobile banking, in particular, is a pain). It'll end up being up to app developers to integrate the new fingerprint APIs though, and I bet you my bank still decides that their stupid username, password, 3 random letters from a 'memorable word' scheme is more secure.
If Apple's hardware implementation is as good as my two year old Motorola Atrix, their customers will love the fingerprint reader. But I, for one, would never entrust all my passwords to Apple's closed source software, especially given their record in the area of software quality control.
I currently do trust a good portion of my passwords to OS X's Keychain app, because based on my knowledge I'm fine with their record of software QC. What am I missing?
Almost ten years ago I bought a Logitech keyboard with a fingerprint reader. People were saying that fingerprint readers would be the end of passwords. The keyboard came with a nice piece of software that automatically entered passwords on websites upon a verified fingerprint.
It didn't happen. I would attribute it to two main frustrations: the readers only worked inconsistently due to particulate build up, and would occasionally have false positives. I think false positives are an inherent risk with fingerprint readers and in any case are not suitable for security as lifting a fingerprint from someone unwittingly is easy.
What's worse: if someone can get to the software fingerprint image stored in the computer, they can create fake fingers that work in conventional fingerprint scanners. http://youtu.be/K1Sx_BmfZ8I
Having a stolen fingerprint is worse than a stolen password. For one, people tend to trust fingers more; for the other, it's impossible to change your fingerprint, unlike your password.
I really can't trust these kinds of consumer technologies until their designers use revocable biometric systems to protect the fingerprint template. That area of the literature is quite well studied, but everyone seems to ignore it.
Fingerprints are great as a security token, but they should not replace passwords completely. Together with a PIN they will be useful.
"Led by Stephanie Schuckers, an associate professor of electrical and computer engineering at Potsdam, N.Y.-based Clarkson University, the researchers tested 66 Play-Doh copies of real fingerprints of 11 different people. The fake fingerprints were verified as the real deal 90 percent of the time."
Almost 8 years ago. Fingerprint readers could have improved since then (the article even points out that they have software in the lab to do so). Anybody know how good the current crop of HW/SW combinations is?
The purpose of the fingerprint is basically to be an extra button on the device. You could get 95% of the security benefit of this with a special new button on the iPhone ("login") and a normal passcode. The value is having credentials stored in the secure element of the phone, or encrypted under keys in the secure element (which is a standard keystore API thing since iOS 5), with a set of APIs for apps to access them and present a UI action to the user.
It's no different from the Windows SAK (ctrl-alt-del) or the Mac "administrative user" dialog box.
I think prior to release lots of people will lean towards dreaming about fingerprint recognition being built into the glass touchscreen, but I do not think the tech is miniaturized enough yet. I looked into this a while ago and all I could find were a handful of Polish researchers using ultrasound technology which required ultrasound guns around the edges of the glass which reflect the beams off the fingerprint:
To sign on and off, I would enter my 6 digit employee number into a pin pad, then scan my right index finger.
It worked about 99% of the time, and mostly only failed because I worked in the meat dept. and often my hands would be extremely hot and wet from soap & hot water, or frozen and numb from handling meat all day. Then I would just use my left index finger.
It worked great in 1997, I see no reason it can't in 2013.
Your experience is that it gave very few false negatives in 1997, but you have no idea what its rate of false positives was b/c you presumably only entered your own ID. The required rate of false positives for an iPhone has to be orders of magnitude lower than a Safeway employee sign-in which additionally required a 6 digit ID. Plus the false negative rate has to be at least as good.
It's the cycle of technology, we've grown to live without watches and now they want us to strap "smart" watches on our wrists. We've grown to live without glasses (thanks to better vision and contact lenses) and they want us to wear "smart" glasses.
Not so convinced, sometimes use a Bloomberg finger login and even after they changed it to the high sensitivity setting I can only manage 50% so I won't go for any fingerprint solution.
I don't think it's a good idea to use fingerprint as a way to authenticate. Fingerprint is not private data. By "private", I mean as private as a private GPG key. Any fingerprint is able to read a fingerprint as long as you put your finger on it. When there're more fingerprint powered applications, it's gonna be really easy to steal credentials.
You may use a passphrase. But that would be as secure as using a passphrase alone.
Fingerprint is the public key. The private key would be your hand + your physical presence. However, since fingerprint itself is public, you can't rely on fingerprint to identify physical presence.
Unless, you make fingerprint private enough. For example, permanently attach something on to your finger. Instead of providing your fingerprint to third-party application, it generates a key pair based on your fingerprint, and use these keys for authentication.
While fingerprints might work as a proof of identity, they should not be a replacement for passwords. Identity is who you are, passwords are authentication, and they are better when kept separate. Besides I cannot look at this issue without being paranoid: Apple is one of the companies that comply with the PRISM program. By putting your fingerprints in their products, you are just giving away more data for surveillance and creating a security "issue" rather than solution. Do we really need this?
The more layers of security, the better. A while back, I expressed delight at the potential scenario of using NFC as a layer of security using proximity as a parameter.
I'm sure Apple are aware that storing the "plaintext" equivalent of a fingerprint would defeat the entire purpose.
There seems to be a lot of focus on replacement of keylock. The wonderful thing about the fingerprint reader is that it effectively enables both the username and password and makes for a much simpler path to supporting multiple users in future iOS releases/devices.
That's exactly why "revocable biometrics" are so important. There are ways of combining a fingerprint and a password to combine the security of using both with the revocability of an ordinary password: http://www.wjscheirer.com/papers/wjs_icb2009_bipartite.pdf
But iPhone is not the only device I access many sites from. What if I need to sign into the website from my PC and need to use Firefox or IE for that?
The fingerprint sensor auth will just fill in the form fields with your username and password. You can sync these over to your desktop machine and use them like you usually would there.
My thought exactly! I still occasionally want to login to sites on, for example, my Android tablet. Given that Apple doesn't provide other platforms access to my data in iCloud, I find it hard to see how they would allow software on other platforms access to my login credentials.
tbenst | 12 years ago
See the Mythbusters episode on stealing a thumbprint: http://www.youtube.com/watch?v=3Hji3kp_i9k
draugadrotten | 12 years ago
http://www.informationweek.com/biometric-readers-fooled-with...
apaprocki | 12 years ago
http://www.optel.pl/article/english/article.htm
hnriot | 12 years ago
And yes, we need this. Convenience is the antithesis of security, so anything that builds a bridge for more users is welcome.
lurkinggrue | 12 years ago
What's great is there is an NFC Yubikey that I just put close to my phone to get the phone version of LastPass to auth.