I hope that PINs and such always remain alternatives to biometrics. My usual concern -- if the locally stored biometric data is compromised (malware, poor crypto, etc.), I need a way to "change my password", which isn't really possible for something like facial recognition. Likewise, I'm curious if there's a fallback authentication method for people who lose a finger, get their faces deformed, etc.
That said, the whole device-based authentication piece seems useful. A Windows 10 computer is now one factor in a 2FA scheme and the OS (and at least one of its browsers) gets to be directly integrated into Microsoft's SSO scheme.
You don't need to only worry about your device being compromised, your biometric credentials are being leaked by your mere existence.
Before long, I can imagine someone being able to build facial models capable of fooling recognition systems using only a few source images. Your finger prints are everywhere. Iris would be a bit harder, for now, but potentially possible with an image of high enough resolution.
Yes, and the next step would be kinect-like 3D scanning and "video magnification" for pulse detection ( http://people.csail.mit.edu/mrub/vidmag/ ), but these too could be compromised with some effort.
That's why these should be used only as a replacement for usernames and not for passwords.
In fact my research lab recently received a donation of high power telescopes after being used for testing extremely long range iris identification technology. I'm not sure if the project was scrapped or if they are planning on continuing development.
Same thing, really, in this context. The biometrics are what uniquely identify someone (username, UUID, whatever). The password is what provides authorization. The problem is biometrics are being treated as both the identifier and the authorization.
On the same note, while I think the technology is cool, I think there should (and will) always be an alternative for the traditional PIN/password. One prime reason why you'd want a password-only entry is because LEOs (law enforcement officers) can force you to swipe your thumb, look into an iris scanner, look at a camera for face unlock, etc. but they cannot force you to type in your password.
You should check out biometric key-binding, basically you take a biometric and a password to build a template that can only authenticate the user if both are present.
> Likewise, I'm curious if there's a fallback authentication method for people who lose a finger, get their faces deformed, etc.
Deformation is a very real challenge for biometrics, but there is also a lot of active research in the area.
As someone who actively researches biometric authentication, when I hear/read someone saying that biometrics are "usernames" and not "passwords", I automatically think they fundamentally misunderstand what a biometric is.
A biometric is both a 'username' and a 'password' - for instance, when you access your computer/device/whatnot you type in your username and your password to identify to the system that you are requesting access (on mobile the account is implied). When using a biometric, the system will have a stored template (similar to a password) that it associates to the system user account, and in ideal situations you (the user) do not need to do anything other than be present to access the system resources. It's a difference between identification and verification. Do you go to your friends each time they ask you something and say "are you so and so?", or have you already identified who they are? Based on the video it seems that MS is starting to understand this difference. Check out the video at ~2:35. He sits down at the login screen, and it just opens the desktop. For consumer applications this is really the goal of any biometric system.
Now spoofing and biometric template data being stolen are still real problems. Unfortunately, spoofing is not a very hot topic in the biometric field (usually conferences only have a relatively small percentage of papers on the subject), but given more consumer applications I'm hoping more funding will start to head that way. Concerning biometric template data, no you can't change it in it's most raw format, your fingerprint is static..that's what so great about it. However, there are methods such as key-binding where the template is itself encrypted with a private key. This however leads to more passwords... In any case, it's unfortunately up to companies like MS to start paving the way to successful implementations - if the data breaches we hear about almost monthly (Uber, Target, etc) are any indication, your password is just as at risk as your fingerprint.
"A biometric is both a 'username' and a 'password' "
This is true, but usually people don't go around showing their passwords to any camera they walk by or surface they touch. That is why people say that it is more appropriate for biometrics to identify someone than it is to provide their authentication.
"our password is just as at risk as your fingerprint."
Also true, but what do you do when these breaches happen if the data is biometric? You can't send out an e-mail asking people to change their fingerprints or face. With existing password infrastructures after a breach the infrastructure can be upgraded to prevent that breach, then the users can be told to change their passwords, then that vulnerability is closed. Once a person's biometric data is stolen (or just taken from the hundreds of sources of our biometric data we leave around daily in the form of pictures and fingerprints) that's it, you can't close whatever breach they used to get in and then move on, because the user can't change their "password" to one that has not been compromised. That account is forever breached.
Biometrics violate several of the requirements for something that can be used as authentication, which is why they are great as identifiers, but terrible as authenticators.
> usually people don't go around showing their passwords to any camera they walk by or surface they touch. That is why people say that it is more appropriate for biometrics to identify someone than it is to provide their authentication.
Yea i see the point, but there will always need to be an asterisk after the statement, "a biometric is a username, not a password", because it's only valid in the sense there are concerns about the security of the biometric template. Down the line maybe we'll figure out this spoofing/liveness test thing, but we won't find out while many instantly write off the merit of the system to begin with.
> what do you do when these breaches happen if the data is biometric? You can't send out an e-mail asking people to change their fingerprints or face.
I did mention this somewhat in the original post. Saving a raw biometric template (minutiae points or whatnot) is synonymous to keeping a database of plain text passwords. It's just wrong. The data breaches (Uber, Target, etc.) are proof that in 2015, we still have this problem. I would never trust a start-up or large corporation with consumer grade biometric authentication. However, on my laptop a different story...i've been using the Thinkpad fingerprint reader for years and love it.
> Yea I see the point, but there will always need to be an asterisk after the statement, "a biometric is a username, not a password", because it's only valid in the sense there are concerns about the security of the biometric template. Down the line maybe we'll figure out this spoofing/liveness test thing, but we won't find out while many instantly write off the merit of the system to begin with.
Any sensor accurate enough to perform biometrics is simultaneously accurate enough to create a spoof capable of fooling the authentication sensor. The only way to avoid this requires an active activity, at which case you've just duplicated the password [e.g. the act of typing is identical to the act of sufficient action to make it virtually impossible to duplicate] which has better known security characteristics.
> I did mention this somewhat in the original post. Saving a raw biometric template (minutiae points or whatnot) is synonymous to keeping a database of plain text passwords. It's just wrong. The data breaches (Uber, Target, etc.) are proof that in 2015, we still have this problem. I would never trust a start-up or large corporation with consumer grade biometric authentication. However, on my laptop a different story...i've been using the Thinkpad fingerprint reader for years and love it.
A single breach and you cannot rely on biometric data for life is the reason this is only safe to use as a "username" and not a password. You won't be able to significantly change your biometrics w/o breaking other identification issues.
Biometrics are only valid as a username or secondary authentication factor.
>The only way to avoid this requires an active activity, at which case you've just duplicated the password [e.g. the act of typing is identical to the act of sufficient action to make it virtually impossible to duplicate] which has better known security characteristics.
Only way is active activity? Or just the only way you can think of?
>A single breach and you cannot rely on biometric data for life is the reason this is only safe to use as a "username" and not a password. You won't be able to significantly change your biometrics w/o breaking other identification issues.
You're assuming all recognition algorithms of the same biometric produce the same raw template. That if I get one I can gain access on another.
>Biometrics are only valid as a username or secondary authentication factor
It's often frustrating to discuss things with those who clearly know little about the topic and yet declare their opinion as fact.
>You're assuming all recognition algorithms of the same biometric produce the same raw template. That if I get one I can gain access on another.
Well, is that an unreasonable assumption? With passwords knowing what one person's password used to be or even knowing one hash of their current password tells you nothing about a different hash of their current password. With biometric data points presumably if they get accurate and detailed enough (which you already admit they would have to do to be a valid authentication mechanism) you can extrapolate. Faces are known quantities. Knowing how 999 points of your face are arranged does give you data about how other points on your face are likely to be arranged. We already have modelling software capable of this, so it doesn't seem unreasonable that such methods may be improved if facial recognition gains traction. At the very least it brings down the solution space to a much smaller size the more data points are used, which is the opposite of what happens when more data points (characters) are used in alpha-numeric passwords.
>It's often frustrating to discuss things with those who clearly know little about the topic and yet declare their opinion as fact.
I would agree. Especially opinions like how others "clearly know little about the topic".
But is it as frustrating as someone explaining their reasoning for their statement and then you ignoring that reasoning to discuss their closing statement as the entire argument?
> Well, is that an unreasonable assumption? With passwords knowing what one person's password used to be or even knowing one hash of their current password tells you nothing about a different hash of their current password.
Yea it is, this is very different from a password, even though it's being used in a similar way. Lets take fingerprints as an example - algorithm A uses minutiae points, and algorithm B does a simple normalized cross correlation between the two images. While this is a toy example, you can see there is a clear difference in what is being stored or even hashed.
> At the very least it brings down the solution space to a much smaller size the more data points are used, which is the opposite of what happens when more data points (characters) are used in alpha-numeric passwords.
No, it doesn't. You'd have better luck using a facebook profile picture printed on an old inkjet than you would trying to use a specific template as the 'solution space' of what other templates may be.
> But is it as frustrating as someone explaining their reasoning for their statement and then you ignoring that reasoning to discuss their closing statement as the entire argument?
I admit that it wasn't the classiest way to respond, and i apologize for it (i'm not going to delete it though, i wrote it and i won't run from it), but the same arguments keep coming up over and over again, and it's very clear that the users making these statements not reading any previous replies so i wasn't going to waste my time going over all the points again and again.
> For eliminating type 2 attacks, where a previously intercepted biometric is replayed, Ratha et al. [9] proposed a challenge/response based system. A pseudo-random challenge is presented to the sensor by a secure transaction server. At that time, the sensor acquires the current biometric signal and computes the response corresponding to the challenge (for example, pixel values at locations indicated in the challenge). The acquired signal and the corresponding response are sent to the transaction server where the response is checked against the received signal for consistency. An inconsistency reveals the possibility of the resubmission attack.
Please provide evidence you have a better defense against replay attacks. Then we can go through all the other avenues of attack on biometrics...
> You're assuming all recognition algorithms of the same biometric produce the same raw template. That if I get one I can gain access on another.
The fact replay attacks are taken seriously in regards to biometrics and you arguing you cannot engage in such makes me seriously question your claims of authority on the subject matter.
> It's often frustrating to discuss things with those who clearly know little about the topic and yet declare their opinion as fact.
How many papers basically agreeing some kind of challenge is needed in addition to the biometric will you need before you change your mind?
Slide 44 has a long list of things other than active movement on the user end. Video liveness tests are effective, but there are more methods available than just activity, contrast to your previous statement.
When did i discredit replay attacks? It seems like you're setting up a straw man. You said the "only way to avoid this requires an active activity, at which case you've just duplicated the password". I refuted saying there's more than one, and you actually found a source that confirms that.
> The fact replay attacks are taken seriously in regards to biometrics and you arguing you cannot engage in such makes me seriously question your claims of authority on the subject matter.
"we propose a system that can attack a minutia-based fingerprint matcher"
In this case, the attack algorithm is building an optimization to determine a viable template - using some prior information of what type of template is acceptable (how it's stored, the features being used to build it, etc.) In real life, this type of information is not readily available, and at best, an attacker is going to be just guessing.
> makes me seriously question your claims of authority on the subject matter.
I honestly don't care what you think, but questioning my credentials is your right.
> How many papers basically agreeing some kind of challenge is needed in addition to the biometric will you need before you change your mind?
When did i ever state that an additional challenge wasn't needed? You're setting up another straw man instead of actually backing up your claims.
Many of my posts mention biometric key-binding as a good alternative to a pure biometric system. In a large scale operation i would never suggest or imply that a pure biometric is good enough - you should really read the rest of the thread. However, what MS implemented here is probably good for the average user.
The perfect use case for biometrics is identifying people who don't want to be identified specifically because they can't change their "password". For example, prisoners, fugitives, enemy combatants, people trying to use software they are not licensed to use or listen to music they have not properly licensed.
In the future the bottom 64 bits of your ipv6 address will be a unique biometric identifier that all licensed internet devices must collect and send with each and every packet.
A government grade application does just this - look at the NIST competitions, they focus on verification scenarios (one to one matching) which span over large datasets.
Appending a biometric id to your ipv6 address seems a bit redundant and unnecessary - you don't need to authenticate to the internet...why not encode more hardware or location information?
> if the data breaches we hear about almost monthly (Uber, Target, etc) are any indication, your password is just as at risk as your fingerprint.
Two things - let's assume these companies follow best practices and both the fingerprints, biometric details and passwords are all hashed. Still:
a) Unlike a password your biometric data is publicly obtainable.
b) You cannot change your biometric data after it's been compromised.
> As someone who actively researches biometric authentication,
If you are an expert in the field - I think you are doing people an active disservice by telling them the security is just as good.
Finally I think typing passwords just isn't that hard - everyone is used to it by now. I maybe odd in this - but its hard for me to see the greater degree of convenience as a huge breakthrough (even without the security implications).
Read the post, i never discuss the security or merit of a biometric versus a standard user/pass login. I only discuss the advantages/disadvantages and goals of each system. If you inferred a recommendation for one or the other then you misunderstood.
> Finally I think typing passwords just isn't that hard - everyone is used to it by now. I maybe odd in this
I completely agree. However, when you see people go to their 'secret drawer' and open up their password book to login to X, then you realize it's a fundamentally broken system (just as using a raw biometric is).
there are 2 main reasons why you wouldn't want this as a password, 1: you leave a biometric footprint everywhere you go, 2: once compromised, you can't reset your biometric profile. In situations where you would want it to automatically authenticate you, it's likely for a system you wouldn't have had password protected in the first place ex. your xbox.
> 1: you leave a biometric footprint everywhere you go,
Latent fingerprints, high resolution video, facebook profiles...all examples of how i can pick up someone's biometric. This is not an unknown problem.
> 2: once compromised, you can't reset your biometric profile.
Clearly. Just based on the definition you can draw that conclusion - a unique, unchanging trait that is used to separate the user from a group.
Common and justified criticisms that people think are just the 'silver bullet' of why a biometric should never be implemented. I've posted replies to these a few times. Feel free to check them out.
Either way, the difference between a corporate login system, and me logging into my laptop is huge. MS implementing a biometric for a consumer laptop is fitting given the current state of the field. Use it or don't, no one is forcing you.
However, I always have the choice of not giving up my passwords, under (even painful) threat. Also, someone cannot get my passwords if I am dead. Ever.
Unfortunately, with biometrics, it is quite easy to force me to put my face/finger/iris in front of the machine and unlock it. Even if I am (freshly) dead.
Real talk: I feel like the demographic of people who read and comment on HN is primarily people for whom "painful threat" is purely theoretical. Downstream folks are talking about preventing information leak if the adversary is literally willing to kill you via torture.
In the real world, torture is a fairly effective way to make somebody divulge information, especially in the case where it can be readily checked (by trying the password they divulge). It's a fairly well proven fact that living beings will do pretty much anything to make the pain stop. For recent reference, this HN article, where he repeatedly complied with demands, even including lying about being tortured, in the hope that it would make the torture stop:
Not gonna lie, under threat of severe physical damage or death, I'd give away everything I know. Granted, I don't have access to nuclear weapons or anything, but I wouldn't care who gets effed up as long as I'm intact...
The last one really just prevents the (immediate) death scenario. The something you know could presumably be why they're torturing you in the first place, caveats about the effectiveness of torture notwithstanding.
Movies like to exploit this fear (e.g., Demolition Man when Wesley Snipes takes out the eye of a doctor to escape the prison), and it's understandable. It really comes down to when a biometric is a good fit for a system. For the average person with a laptop MS is doing a great thing. And just like any new piece of tech, there is a responsibility of the user to understand the implications and restrictions that come with it. From the video i can't see any indication that MS could prevent forced login (dead or alive), thus using this may require that you separately encrypt your data.
I honestly think biometric is just eye-candy. The real interesting thing here is MS Passport.
Passwords are only broken because for most intended purposes they act as a symmetric key that you happen to leave around everywhere and when it leaks, you have a problem.
If we had a web standard for asymmetric key authentication, you just unlock your device and your device authenticates you. A leaked public key (created for a single service) is useless.
And once you only need to unlock ONE device, you might as well remember that single password, because at that point it is way more secure than a fingerprint.
Of course devices break and get stolen, so you need to back up your keychain, and I bet that is exactly what MS Passport does for you, which is why it will never be adapted by other vendors.
One thing I like about passwords is that they give me the choice to not unlock something, should I wish that, which isn't the case with biometrics. Say I'm a journalist who gets stopped at the border of a country and am asked to open up my computer. If I want to, I can refuse - and face the consequences but still, i can make that choice. With biometrics all they'd have to do is force my finger onto the scanner, or put the computer in front of me and scan my iris or face. That's a big downside.
Also, after everything we know about Microsoft and and the security services, there's absolutely no way I'd give them my biometric data.
Just an FYI, but that was the least useful bit of the Snowden leaks and is more speculation and insinuation than anything. It's literally based on the reading of a PowerPoint slide. AFAIK, there's been no actual evidence of "direct access", whatever that's supposed to mean. An automatic subpoena-serving could easily be written down as " direct access " on a ppt to management.
It's probably a good idea to not store critical data with any third parties, but I'd be far more worried about Google than MS.
Eh, some parts are clearer than others. A ppt that says "direct access" and everyone coming up with their own interpretation of what "direct" means is silly. Especially when high level engineers have directly contradicted those statements.
I trust Google less than MS because MS seems less likely to go use my data or even get their act together. They seem more legally scared and bureaucratic due to their past legal problems. Google seems intent on making us give up privacy (didn't Schmidt say something to that effect)? My interaction with Google services includes them constantly and repeatedly asking me to turn on history or other tracking systems. Even when I constantly decline, they keep returning. Google's main goal is to datamine to sell advertising, so that's sort of fundamentally in conflict with my personal values. Android permissions is another shining example (and now, at version 5, what exactly is the excuse?).
If Bing ever took off and replaced MS's real revenue, then I suppose I might feel the same way about MS. But that whole division, the MSN/Live/Bing/whatever, seems mired with idiotic managers that can't get anything straight (hence them losing to Skype, not turning MSN messenger into a real social network, repeatedly rebranding and offering random services then discontinuing them, etc.). They did have some great engineering though. But even if they were intent on malice, I'm not sure they'd be capable of pulling it off due to the legal/management part getting in the way for good or bad.
Overall, I give MS money, so I'm their customer, for the most part. Not true for Google, at all.
Actually the reference doesn't totally work in hindsight because she was never asked for her password, but it seems as though it was encrypted and hence they just destroyed her laptop instead of asking her for the pw. If it had biometrics they might have just forced her to open it. So actually, the example might work after all.
If you are unwilling to allow border guards to inspect something you are attempting to bring into their country, then you should be prepared for them to tell you to leave it outside at best or punish you for attempted smuggling at worst. I am skeptical of the story you linked as it's entirely from the perspective of the smuggler, but I don't see any reason to believe anything wrong happened there.
Nanna isn't suggesting smuggling contraband. As a journalist, they have a responsibility to maintain the privacy of their sources. They shouldn't be letting customs officials go through their emails and identifying people they have contact with, or photos or whatever.
No matter what is on the device, border security shouldn't be able to access it without probable cause for a search, and knowing what they are looking for.
If the legitimate border guards of a country are unable to inspect something to their satisfaction, they are well within their rights to force you to leave it outside their country, or to keep you yourself out.
Sometimes they will make decisions that are bad either for the people of the country or the greater global community, but smuggling is not the right way to protest.
with technology that is much safer than traditional passwords
From what I understand this is simply not true - could someone with a security background weigh in if this statement has any basis (were they comparing to <first_name>-"1234" and "user"-"password")?
I'd love to understand more about how the face recognition works. Does it have any way to combat someone just printing out a picture of your face and holding it up? I've done some simple face recognition stuff with OpenCV and it's super easy to fool with photos.
Windows Hello uses a combination of special hardware and software to accurately verify it is you – not a picture of you or someone trying to impersonate you. The cameras use infrared technology to identify your face or iris and can recognize you in a variety of lighting conditions.
and later in the webpage:
all OEM systems incorporating the Intel® RealSense™ 3D Camera (F200) will support the facial and iris unlock features of Windows Hello
So by reading this we can assume it does more than 2D recognitions since this is a "3D Camera"
3D models have been created out of 2D images before. I'm not saying this will be hackable from day one, but it will probably take a few short years for a well sponsored and motivated attacker. Hopefully the technology will also keep up and within a year or two we'll see updated versions that make it even harder to replicate.
However, if I were to pick, I'd go for fingerprint recognition instead. Images of people's faces are everywhere online. It's much less likely to have a good photo of your fingerprints.
It was an odd way to demo the tech as it was really quick. But what happens in the video is that the user holds a picture up in front of his face and nothing happens. Then he removes the picture to show his face and is immediately logged in. It seemed to happen much quicker than the other examples of unlocking, in the same video, that I assumed it was a video example of how the tech would work and not necessarily a real life demo. Obviously I could be wrong though.
For facial or iris detection, Windows Hello uses a combination of special hardware and software to accurately verify it is you – not a picture of you or someone trying to impersonate you. The cameras use infrared technology to identify your face or iris and can recognize you in a variety of lighting conditions.
Ah, so reading between the lines I'm going to guess they're building Win 10 devices with a built in kinect-like device that does depth sensing in addition to photo recognition.
You could, but it is an IR camera, so you better have the IR characteristics of your 3D face match also. If you combine IR and visible light photography you actually get a layered face-scan which is VERY hard to fake (not impossible, hard).
And then point a projector at it to warm up the paper at the right places.
I really wish biometrics would quit claiming to be significant improvements over anything but writing your password on a post-it on the computer. They all fall very quickly.
This is an important point. I wonder if they're going to have hardware standards for the fingerprint readers. Low-quality finger print readers can be spoofed with prints lifted from everyday sources.
They claim physical access for "hacking" is required, but that is not true. As long as you have a root access on a device you can do anything from anywhere. I don't see how this replaces or improves passwords from this perspective. Yes it is easier for the user, since they don't have to remember the password, but everything else stays the same.
> As long as you have a root access on a device you can do anything from anywhere.
As Raymond Chen likes to say, "it rather involved being on the other side of this airtight hatchway." Once you have root, yes, you have compromised the machine.
Biometrics sound like the next frontier for milking licensing revenue. Pretty soon they will offer a discounted license for office, but only for one biometricly identified user. Multiple users, such as library users, will require the special license, even though they are all using the same computer.
I hope this will make laptop vendors and others include IR capabilities in their devices, and that those are usable outside Windows Hello. Would be cool to see what other uses people could come up with, for this "baby-kinect".
It would be interesting if Cortana would get speaker recognition on top of speech recognition. Plus, she could ask you a question based on something (maybe whom you met for lunch a few days ago)to counter recorded voice attacks.
This was demoed to my employer when Microsoft came through a month ago. I was not impressed -- biometrics are a username, not a password.
edit: the article does not cover using your voice. I'm 99% sure they demoed to us the ability to use a custom phrase to authenticate with your voice as well.
Can you clarify what you mean by that. People like to parrot it, but few if any will explain why they feel that way.
If you simply mean that you don't find it secure enough, wouldn't that really depend on the use-case? For example, what may not be secure enough to log into a DC, may be secure enough to let the secretary log into their computer which just has access to address books and calendars. It is all relative.
Some biometric systems are fairly secure, like fingerprints. The cost and skill required to extract and reproduce a fingerprint so it is scannable make it a non-trivial affair. While the security services and a dedicated adversary could, for 80%+ of normal computer users it is a non-threat.
Android's face unlock may have been trivially beaten but it reads like Microsoft are using multi-level photography (i.e. both IR for under-the-skin and visible light for on-the-skin) to extract a layered model of a person's face and head which could (maybe) prove harder to bypass with just a photograph.
Simply put, for good authentication you want a token which is secret and easily changed.
Biometric data are not secret (face, fingerprints, voice) nor can be changed.
That means they are easy to forge and hard to revoke when compromised, and at most they can be useful as identification, like your email, and not as password.
I wonder why none thought of biometric identification with an hardware token which plays a one time tone outside audible spectrum. That would be incredibly convenient for users and still quite resilient. Just throw in side channel auth like phone message for unknown position or devices and of you go.
An iris scan does not identify who you are talking to. A fingerprint scan does not either. These are unique to an individual, if they were the person who set them up, then it is, in 99% of cases, a unique element to a person that can be used to authenticate them.
That's a whole of a lot better than a password, which can be shared by multiple people.
Great!
While we're at it: Can i please use my Microsoft Account to Remote Desktop into any currently available Device that is registered to my account, without having to jump through the hoops of doing all the port and network configuration beforehand?
That said, the whole device-based authentication piece seems useful. A Windows 10 computer is now one factor in a 2FA scheme and the OS (and at least one of its browsers) gets to be directly integrated into Microsoft's SSO scheme.