I'm not a fan of biometrics because I'd rather tell someone my password at gunpoint than have my hand cut off or my eye gouged out.
Even without any hostage scenarios biometrics make terrible passwords because you can never change them. Sooner or later that information will get compromised and then you're fucked.
Counterpoint, I never have to carry a wallet again.
DMV, Post Office, Grocery Store, PC, all just by waving my hand in front of it.
Sold.
an RFID sticker on your arm would be more secure. At least you can switch that out when it gets included in a huge data dump due to Target or whatever getting hacked again.
yeah it's like
you think "It's ok even if my biometric info is out there spoofing it is a pain in the ass so I'd only be subject to being specifically targeted"
but if biometric passwords become commonplace then easy spoofing techniques will get developed.
Hell, just off the top of my head: ATM where you put in your card + thumbprint to authenticate. Crooks steal/skim a bunch of card #s and print IDs. They then hack an ATM with their own fingerprint reader where they can just feed in the IDs directly and skip the part where it scans a finger.
life's a game that you're bound to lose / like using a hammer to pound in screws
fuck up once and you break your thumb / if you're happy at all then you're god damn dumb
that's right we're on a fucked up cruise / God is dead but at least we have booze
bad things happen, no one knows why / the sun burns out and everyone dies
But this isn't how biometrics in the modern sense works.
someone getting your fingerprint doesn't give them access to anything except your physical device. A "data dump" of biometric data is completely meaningless when each fingerprint/face/retinal scan is converted into math and then hashed / salted based on device-specific UUIDs and secrets in a secure enclave.
The exact same could be said of a password. Still a bad idea to use the same raw password everywhere and never change it even if in practice every time it is authenticated it gets hashed / salted.
Attacked by tweeeeeeees!
syndalis (Getting Classy; On the Wall; Registered User, Loves Apple Products; regular)
As much as I am a fan of biometrics I am 100% super duper opposed to a system like the one you are proposing (ATM with thumb reader built in). That is a fresh hell waiting to happen.
The scanner needs to be on something you own, needs to be encrypted and disassociated from the thing it is validating off of enough that even getting the data somehow doesn't change anything, and should do nothing more than pass the appropriate "ack" from the trusted device to the terminal that lines up with the shared secret between the backend service and your device.
BofA supports apple pay right now. You go to the ATM, pull out your phone, use the thumb reader, and hold it up to the ATM - works the same as the card + pin, only more secure since there are no over-shoulder glances happening.
SW-4158-3990-6116
Let's play Mario Kart or something...
Really, what I need is cybernetic bionic hands with fingerprints that can be changed like a wallpaper theme.
how does the ack go from the phone to the terminal, and why can't one man-in-the-middle that?
life's a game that you're bound to lose / like using a hammer to pound in screws
fuck up once and you break your thumb / if you're happy at all then you're god damn dumb
that's right we're on a fucked up cruise / God is dead but at least we have booze
bad things happen, no one knows why / the sun burns out and everyone dies
syndalis (Getting Classy; On the Wall; Registered User, Loves Apple Products; regular)
but it's not a static resource on the back end or the front end - if your "password" had to travel along inside an encrypted package that is only unlocked by an aggregation of stuff only your device knows and timestamps and other metrics to get approval from the backend service, you might have a point.
Simply put, even though you are using your fingerprint to unlock everything from your device, you are a million miles away from storing the same password across multiple backend services.
SW-4158-3990-6116
Let's play Mario Kart or something...
Yeah, the issue isn't how biometrics is supposed to work, it's that some places still have bad security.
It doesn't matter if best practice is to salt and to use a modern hash method if you happen to be registered at a site with a poor hashing method. If that site ever gets hacked and you use the same password everywhere else, you're boned even in places that use top of the line security.
as far as I know it's a one time use key, so, if they MITM attack it, they can only charge something once through a custom store if they can finagle the times and block the original sale?
not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
I think it's encrypted in-flight, but I don't know the protocol in-and-out.
Tav (Irish Minister for Defence; Registered User; regular)
Work rejected my application for time off
I have the days to take, but they said I can only take up to ten at a time and I'd applied for 13 as I was going to the states
Well golly that sure has killed any chances of me ever staying late again
Biometric spoofing techniques already exist; people make fake fingertips and irises (contacts) and even faces (...depending on what system you use, you can just fool the image matching with a paper mask...). In these ways, biometrics almost feel less secure than passwords.
You can also, as with any system, try to just hack into the actual system and put in data for a fake employee or whatever, but of course at that point you have also bypassed password protection.
Steam, LoL: credeiki
syndalis (Getting Classy; On the Wall; Registered User, Loves Apple Products; regular)
what leaves your phone is a "yes this is the dude" along with an encrypted token that carries a bunch of stuff that the bank and your device agreed to at the point you set your card up with the bank (some of which is in the secure enclave and is basically completely inaccessible from the outside) and some time related shit just to jumble it further.
Your device saying this is the dude is the first step, then that shit all has to be validated on the back end.
It is immune to man in the middle. They would need to compromise both sides of the transaction to break this.
SW-4158-3990-6116
Let's play Mario Kart or something...
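An added toy model of the flow syndalis describes above (and the "one time use key" point made earlier in the thread); this is my own illustration, not code from this thread and not Apple's or any bank's actual protocol. The phone releases a token only after a local biometric match, the token is MACed with a secret agreed with the bank at card setup and bound to terminal, amount, a counter and a timestamp, and the bank rejects replays, relays to another terminal, tampering and stale tokens. The class names, the 60-second window and the counter rule are assumptions.

```python
import hashlib
import hmac
import json
import secrets


def bind_template(raw_template: bytes, device_id: str, enclave_key: bytes) -> bytes:
    """Device-keyed hash of a biometric template (assumed scheme, not a vendor's).

    The same finger enrolled on two devices yields unrelated values, so a dump of
    one device's stored value cannot be matched against another device or service.
    """
    return hmac.new(enclave_key, device_id.encode() + raw_template, hashlib.sha256).digest()


def _canonical(payload: dict) -> bytes:
    """Stable byte encoding so device and bank MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class Device:
    """Phone side: card secret and template never leave the device, and a token
    is only emitted after a local biometric match."""

    def __init__(self, device_id: str, card_secret: bytes, enclave_key: bytes, raw_template: bytes):
        self.device_id = device_id
        self.card_secret = card_secret      # agreed with the bank when the card was set up
        self.enclave_key = enclave_key      # device-specific secret, never exported
        self.enrolled = bind_template(raw_template, device_id, enclave_key)
        self.counter = 0                    # monotonic, makes every token one-time

    def authorize(self, presented_template: bytes, terminal_id: str, amount_cents: int, now: int):
        """Return a one-time token for this exact transaction, or None if the finger
        does not match. The raw biometric is never part of what leaves the device."""
        candidate = bind_template(presented_template, self.device_id, self.enclave_key)
        if not hmac.compare_digest(candidate, self.enrolled):
            return None
        self.counter += 1
        payload = {"device_id": self.device_id, "ctr": self.counter, "ts": now,
                   "terminal": terminal_id, "amount": amount_cents}
        tag = hmac.new(self.card_secret, _canonical(payload), hashlib.sha256).hexdigest()
        return {"payload": payload, "tag": tag}


class Bank:
    """Back-end side: holds the per-device card secret and a replay watermark."""

    def __init__(self, window_seconds: int = 60):
        self.window = window_seconds
        self.card_secrets = {}    # device_id -> shared secret
        self.high_water = {}      # device_id -> highest counter accepted so far

    def enroll(self, device_id: str) -> bytes:
        secret = secrets.token_bytes(32)
        self.card_secrets[device_id] = secret
        self.high_water[device_id] = 0
        return secret

    def verify(self, token: dict, terminal_id: str, amount_cents: int, now: int) -> str:
        p = token["payload"]
        secret = self.card_secrets.get(p["device_id"])
        if secret is None:
            return "unknown device"
        expected = hmac.new(secret, _canonical(p), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["tag"]):
            return "bad tag"            # any change in flight breaks the MAC
        if p["terminal"] != terminal_id or p["amount"] != amount_cents:
            return "wrong transaction"  # token relayed to a different terminal/amount
        if abs(now - p["ts"]) > self.window:
            return "stale"              # captured and presented too late
        if p["ctr"] <= self.high_water[p["device_id"]]:
            return "replay"             # already spent
        self.high_water[p["device_id"]] = p["ctr"]
        return "ok"


def run_scenario() -> dict:
    """Constructed walkthrough: one honest payment, then what a copy of the token buys."""
    bank = Bank()
    phone = Device("phone-1", bank.enroll("phone-1"), secrets.token_bytes(32), b"constructed-finger-A")
    results = {}
    results["wrong_finger"] = phone.authorize(b"constructed-finger-B", "atm-17", 4000, 1_000_000)
    token = phone.authorize(b"constructed-finger-A", "atm-17", 4000, 1_000_000)
    results["honest"] = bank.verify(token, "atm-17", 4000, 1_000_010)
    results["replay"] = bank.verify(token, "atm-17", 4000, 1_000_020)
    relayed = phone.authorize(b"constructed-finger-A", "atm-17", 4000, 1_000_100)
    results["relay_to_other_terminal"] = bank.verify(relayed, "pos-99", 4000, 1_000_105)
    tampered = {"payload": dict(relayed["payload"], amount=400_000), "tag": relayed["tag"]}
    results["tampered_amount"] = bank.verify(tampered, "atm-17", 400_000, 1_000_105)
    late = phone.authorize(b"constructed-finger-A", "atm-17", 4000, 1_000_200)
    results["stale"] = bank.verify(late, "atm-17", 4000, 1_000_500)
    return results
```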
to the outside world the iphone just acts like an RSA keyfob, but it will only spit out numbers should it internally decide that the correct finger is on its sensor
so it's down to how good, exactly, their 'secure enclave' tech is
which, I can 100% tell you it's possible to hack that shit, it's just a matter of how hard you wanna try
life's a game that you're bound to lose / like using a hammer to pound in screws
fuck up once and you break your thumb / if you're happy at all then you're god damn dumb
that's right we're on a fucked up cruise / God is dead but at least we have booze
bad things happen, no one knows why / the sun burns out and everyone dies
syndalis (Getting Classy; On the Wall; Registered User, Loves Apple Products; regular)
just so long as you realize biometric spoofing does involve a rather large degree of sophistication to get right, and only works if you have already stolen or gotten access to the physical device with the auth, it hasn't been powered off, and you can't mess up more than four times before that door closes.
Like, this shit is hard. You can do it in a vacuum or for a tech conference to look cool, but the practicality of it being an attack vector in the real world is staggeringly small, and much smaller than traditional passwords stored on a backend server.
SW-4158-3990-6116
Let's play Mario Kart or something...
Sure it's possible, but then the question is if those hacks are possible remotely, etc.
People's worry about passwords reminds me of a dude I just talked to worried about fraud in his transaction. He had no proof, no actual wrong doing, he just wanted to know to protect himself and there is literally nothing that could be done if the other party was intent on committing a felony for some reason?
I would like some money because these are artisanal nuggets of wisdom philistine.
well, part of the "ack" it sends depends on info from the fingerprint which is converted into math and then is used as part of the token.
yes, anything can be hacked. But the FBI basically tried using the courts to force apple to open this particular door, so the likelihood of it being something that will be done to you is vanishingly small.
SW-4158-3990-6116
Let's play Mario Kart or something...
Hm, I showed the barber a picture of a handsome man with beautiful hair and told them to make me look like that but now I just look like me but with shorter hair. Ask for refund?
Six (Caches Tweets in the mainframe; cyberhex; Registered User; regular)
Authentication (are you who you say you are) is just one aspect of security, and passwords/biometrics/etc fall under that.
Authorization is just as important. Just because you're authenticated doesn't mean you should get access to everything, right? And just because you needed access before doesn't mean you need it now. And something valuable shouldn't be accessible by everyone/everything which has authenticated.
So is accountability. Just because you're supposed to have access and you're authenticated properly doesn't mean you're behaving securely. You could be doing things on purpose or by accident that may lead to the loss or theft of information. Replacing passwords with X doesn't solve the authorization or accountability issues, which I'd argue lead to more security issues than authentication problems.
can you feel the struggle within?
syndalis (Getting Classy; On the Wall; Registered User, Loves Apple Products; regular)
Also it's more like 3-4 RSA keyfobs running at different intervals and using different secrets.
SW-4158-3990-6116
Let's play Mario Kart or something...
Oh yeah, I know. My company wanted to get involved in an effort on this subject and I did some research and went to a proposer's day and was like HAHA fuck no, this all requires a degree of expertise that we are not gonna plausibly develop in the given time frame, do not propose please
...so I am thinking of it essentially in the context of a tech conference/a government-sponsored biometric attack test with people trying to infiltrate, yeah
hmm now that I think about it
the hard part isn't the fingerprint, it's the private key stored on the device
you could extract that, but you need the physical device so you're probably SOL
security sure will go sideways when quantum computers break public/private key encryption
life's a game that you're bound to lose / like using a hammer to pound in screws
fuck up once and you break your thumb / if you're happy at all then you're god damn dumb
that's right we're on a fucked up cruise / God is dead but at least we have booze
bad things happen, no one knows why / the sun burns out and everyone dies
Six (Caches Tweets in the mainframe; cyberhex; Registered User; regular)
The bad knee-jerk analysis of the CIA breach last week led some to believe this had happened. Thankfully it's only microwaves that turn into cameras that we really have to worry about.
can you feel the struggle within?
amateurhour (One day I'll be professionalhour; The woods somewhere in Tennessee; Registered User; regular)
The best security is tripwire and solar powered floodlights with motion sensors and an alarm.
this so hard.
Basically the most secure system in the world still has dumb people take screencaps of secure data and send them off via email to someone who should not have access.
Human behavior and the analog hole are the largest threats to security. The reason the massive password dumps happen is generally because someone fucked up somewhere.
That said, moving to a system where what you use to authenticate with the platform is guaranteed to be easy for the end user (reduce adherence refusal) and guaranteed to be unique and non-usable on any other platform (tokens, generated shared secrets, etc) closes one of the bad effects of human fuckups.
SW-4158-3990-6116
Let's play Mario Kart or something...
synd do you know if the iphone encrypts some or all of its RAM?
life's a game that you're bound to lose / like using a hammer to pound in screws
fuck up once and you break your thumb / if you're happy at all then you're god damn dumb
that's right we're on a fucked up cruise / God is dead but at least we have booze
bad things happen, no one knows why / the sun burns out and everyone dies
syndalis (Getting Classy; On the Wall; Registered User, Loves Apple Products; regular)
the main ram never touches the auth process, there is encrypted RAM in the secure enclave.
I hope that covers the memory location for $incorrectPasswordAttempts
life's a game that you're bound to lose / like using a hammer to pound in screws
fuck up once and you break your thumb / if you're happy at all then you're god damn dumb
that's right we're on a fucked up cruise / God is dead but at least we have booze
bad things happen, no one knows why / the sun burns out and everyone dies
Hmm so if I get a new desktop and attempt to build it myself, and I'm shooting for under $1,000.00 what's the odds that I can craft a machine that is rul gud
You go in the cage, cage goes in the water, you go in the water. Shark's in the water, our shark.
pretty sure everything from number of attempts to what was tried is stored there (if they store it at all).
It was part of what tripped up the FBI - they couldn't trick the device into thinking only 1 attempt was made because the memory was inaccessible on the auth process.
SW-4158-3990-6116
Let's play Mario Kart or something...
Isn't there a whole thread on that in the tech forum?
I would like some money because these are artisanal nuggets of wisdom philistine.
Posts
yeah it's like
you think "It's ok even if my biometric info is out there spoofing it is a pain in the ass so I'd only be subject to being specifically targeted"
but if biometric passwords become commonplace then easy spoofing techniques will get developed.
Hell, just off the top of my head: ATM where you put in your card + thumbprint to authenticate. Crooks steal/skim a bunch of card #s and print IDs. They then hack an ATM with their own fingerprint reader where they can just feed in the IDs directly and skip the part where it scans a finger.
fuck up once and you break your thumb / if you're happy at all then you're god damn dumb
that's right we're on a fucked up cruise / God is dead but at least we have booze
bad things happen, no one knows why / the sun burns out and everyone dies
The exact same could be said of a password. Still a bad idea to use the same raw password everywhere and never change it even if in practice every time it is authenticated it gets hashed / salted.
As much as I am a fan of biometrics I am 100% super duper opposed to a system like the one you are proposing (ATM with thumb reader built in). That is a fresh hell waiting to happen.
The scanner needs to be on something you own, needs to be encrypted and disassociated from the thing it is validating off of enough that even getting the data somehow doesn't change anything, and should do nothing more than pass the appropriate "ack" from the trusted device to the terminal that lines up with the shared secret between the backend service and your device.
BofA supports Apple Pay right now. You go to the ATM, pull out your phone, use the thumb reader, and hold it up to the ATM - works the same as the card + PIN, only more secure since there are no over-the-shoulder glances happening.
Where is my cyberpunk AF future?
how does the ack go from the phone to the terminal, and why can't one man-in-the-middle that?
fuck up once and you break your thumb / if you're happy at all then you're god damn dumb
that's right we're on a fucked up cruise / God is dead but at least we have booze
bad things happen, no one knows why / the sun burns out and everyone dies
but it's not a static resource on the back end or the front end - if your "password" had to travel along inside an encrypted package that is only unlocked by an aggregation of stuff only your device knows and timestamps and other metrics to get approval from the backend service, you might have a point.
Simply put, even though you are using your fingerprint to unlock everything from your device, you are a million miles away from storing the same password across multiple backend services.
It doesn't matter if best practice is to salt and to use a modern hash method if you happen to be registered at a site with a poor hashing method. If that site ever gets hacked and you use the same password everywhere else, you're boned even in places that use top of the line security.
as far as I know it's a one time use key, so, if they MITM attack it, they can only charge something once through a custom store if they can finagle the times and block the original sale?
I think it's encrypted in-flight, but I don't know the protocol in-and-out.
I have the days to take, but they said I can only take up to ten at a time and I'd applied for 13 as I was going to the states
Well golly that sure has killed any chances of me ever staying late again
You can also, as with any system, try to just hack into the actual system and put in data for a fake employee or whatever, but of course at that point you have also bypassed password protection.
what leaves your phone is a "yes this is the dude" along with an encrypted token that carries a bunch of stuff that the bank and your device agreed to at the point you set your card up with the bank (some of which is in the secure enclave and is basically completely inaccessible from the outside) and some time related shit just to jumble it further.
Your device saying this is the dude is the first step, then that shit all has to be validated on the back end.
It is immune to man in the middle. They would need to compromise both sides of the transaction to break this.
to the outside world the iphone just acts like an RSA keyfob, but it will only spit out numbers should it internally decide that the correct finger is on its sensor
so it's down to how good, exactly, their 'secure enclave' tech is
which, I can 100% tell you it's possible to hack that shit, it's just a matter of how hard you wanna try
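The phone-to-terminal exchange the two posts above describe (a secret held only on the device, a time-stamped one-time token, validation on the back end, nothing about the finger on the wire) as an added example; this is not code from the thread and not Apple's or any bank's actual protocol. The device id, shared secret and nonces are constructed, and the biometric match is a plain boolean standing in for the enclave's local decision.

```python
import hmac
import hashlib
import json
import time

# Constructed illustration of a device-bound, one-time authorization token.
# Not Apple Pay's real wire format; the secret and ids below are made up.


class Device:
    """Holds the secret enrolled with the bank; the secret never leaves it."""

    def __init__(self, device_id, shared_secret):
        self.device_id = device_id
        self._secret = shared_secret          # stands in for enclave-held material

    def authorize(self, terminal_nonce, amount_cents, biometric_ok, now=None):
        # The biometric only gates the local decision; on a failed match no
        # token is emitted at all, and no fingerprint data is ever transmitted.
        if not biometric_ok:
            return None
        body = {"dev": self.device_id, "nonce": terminal_nonce,
                "amount": amount_cents, "ts": int(now or time.time())}
        msg = json.dumps(body, sort_keys=True).encode()
        body["mac"] = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()
        return body


class Backend:
    """Validates tokens against the secrets agreed at enrollment time."""

    def __init__(self, enrolled, window_s=60):
        self.enrolled = enrolled              # device_id -> shared secret
        self.seen_nonces = set()              # makes each token one-time use
        self.window_s = window_s

    def verify(self, token, now=None):
        now = int(now or time.time())
        secret = self.enrolled.get(token.get("dev"))
        if secret is None:
            return "unknown device"
        body = {k: v for k, v in token.items() if k != "mac"}
        msg = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["mac"]):
            return "bad mac"                  # any field altered in transit
        if abs(now - body["ts"]) > self.window_s:
            return "stale"                    # outside the agreed time window
        if body["nonce"] in self.seen_nonces:
            return "replay"                   # token already spent
        self.seen_nonces.add(body["nonce"])
        return "ok"
```

A man in the middle who captures a token can neither change the amount (the MAC fails) nor present it a second time (the nonce is already spent), which is the one-time-use property the thread is arguing about.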
just so long as you realize biometric spoofing does involve a rather large degree of sophistication to get right, and only works if you have already stolen or gotten access to the physical device with the auth, it hasn't been powered off, and you can't mess up more than four times before that door closes.
Like, this shit is hard. You can do it in a vacuum or for a tech conference to look cool, but the practicality of it being an attack vector in the real world is staggeringly small, and much smaller than traditional passwords stored on a backend server.
Sure it's possible, but then the question is if those hacks are possible remotely, etc.
pleasepaypreacher.net
well, part of the "ack" it sends depends on info from the fingerprint which is converted into math and then is used as part of the token.
yes, anything can be hacked. But the FBI basically tried using the courts to force apple to open this particular door, so the likelihood of it being something that will be done to you is vanishingly small.
Authentication (are you who you say you are) is just one aspect of security, and passwords/biometrics/etc fall under that.
Authorization is just as important. Just because you're authenticated doesn't mean you should get access to everything, right? And just because you needed access before doesn't mean you need it now. And something valuable shouldn't be accessible by everyone/everything which has authenticated.
So is accountability. Just because you're supposed to have access and you're authenticated properly doesn't mean you're behaving securely. You could be doing things on purpose or by accident that may lead to the loss or theft of information. Replacing passwords with X doesn't solve the authorization or accountability issues, which I'd argue lead to more security issues than authentication problems.
Oh yeah, I know. My company wanted to get involved in an effort on this subject and I did some research and went to a proposer's day and was like HAHA fuck no, this all requires a degree of expertise that we are not gonna plausibly develop in the given time frame, do not propose please
...so I am thinking of it essentially in the context of a tech conference/a government-sponsored biometric attack test with people trying to infiltrate, yeah
the hard part isn't the fingerprint, it's the private key stored on the device
you could extract that, but you need the physical device so you're probably SOL
security sure will go sideways when quantum computers break public/private key encryption
The bad knee-jerk analysis of the CIA breach last week led some to believe this had happened. Thankfully it's only microwaves that turn into cameras that we really have to worry about.
NO ONE is getting in once that shit wakes me up.
https://www.youtube.com/watch?v=Bxozf6EJTU0
this so hard.
Basically the most secure system in the world still has dumb people take screencaps of secure data and send them off via email to someone who should not have access.
Human behavior and the analog hole are the largest threats to security. The reason the massive password dumps happen is generally because someone fucked up somewhere.
That said, moving to a system where what you use to authenticate with the platform is guaranteed to be easy for the end user (reduce adherence refusal) and guaranteed to be unique and non-usable on any other platform (tokens, generated shared secrets, etc) closes one of the bad effects of human fuckups.
edit: mind you, not a lot - it is basically on-die RAM on the AX chip. Just enough to do what it does.
That's good
You are but a simple creature.
Do you have a specific piece in mind?
https://www.youtube.com/watch?v=c33q87s03h4
????
What the shit.
That is HORSEshit.