BYOI (Bring Your Own Identity): My fingerprint is my name not my password

2 Flares Twitter 0 Facebook 0 LinkedIn 0 Buffer 2 Email -- Filament.io 2 Flares ×

Do I contradict myself?…I contradict myself, I am large, I contain multitudes”

Whitman (and with the courtesy of a suggestion in the #mobilebiz chat from Steve Wilson [@Steve_Lockstep])

It was a sort of epiphany. I was blogging about “http://alfweb.com/bg/byoi-bring-your-own-identityaaaadaptive-authentication-and-authorization/” , chatting in the #mobilebiz tweet chat (please see note at the end of this post) and reading some great papers on the “onion model” by Robin Wilton (@futureidentity) and I started to think about it.

If password are anymore secure and we need a replacement is there any chance we are failing at it? I’m not going to say that current state of security is failing just wondering are we looking at things from the right point of view.

2013_1107_fingerprint-convenience

Let me clarify. We use a combination of data in the authentication process: a username and a password. We already know that one single factor of authentication is not anymore secure or, at least desirable, so everyone tend to agree that we need of introduce a (at least) double factor of authentication.

Still we’re going to use combination of usernames and password, at least in one of the two factors of authentication. My opinion? It’s just a workaround mostly done because we (the community of digital users) are not able to define (yet) a better standard. Think at automotive and the use of keys, you don’t have a double key pair to open your car don’t you? And the car keys are not cutting your trousers anymore like they used to do (yes I’m older than what you think…) so the same level of “usability” but with a better “security” is somehow reachable. Okay I’m pity since I’m having a little joke of a complex problem but my thought were directed to a specific factor of authentication: biometrics.

I have a smartphone who allow me to authenticate using my fingerprints, it’s just a way to do it, easier and quicker than typing the “password”. There are many examples of biometrics who make use of different human “parts” from voice to the eye retina, from facial recognition to, as said, fingerprints.

It’s just one of the many ways to authenticate an identity and seemed one of the most secure until these days. No I’m not going to share any leak about some company biometric auth system hacked simply I am considering  the world we are living.

First what is a biometric information. Is it a unique identifier? Let me tell you quietly:

NO!

What make you think that your eyes retina or the fingers or any other part of your human body (voice and DNA included) are unique and not clonable?Dolly the sheep anyone (http://en.wikipedia.org/wiki/Dolly_(sheep))?

So what make you think that anyone cannot clone your data with a 3D printer and use it against your secure system? yes I said 3D printer and cloning what? a yes my fingerprint.

“but my dear Alex you have to get my finger print first!”. Do you have a tables, a smartphone anything touchable? do you use some nice screen protection over there, maybe that nice obfuscating screens protection to avoid anyone to read your important data. So if I steal that do you think I may find a good sample of your finger print over that?

Yeah sure chances are that you registered a finger that you’ll not use over the tablet, after all “security is a habit” but well, soon or later, the phone need to be unlock while driving or while your hands are busy so you’ll end up registering your thumb or the index finger and bam! I got them.

Eyes? James Bond movies for that.

Voice? I know some 15 y/o kids who may do magic with a recorder and a mix

DNA? Dolly the sheep showed more than 20 years ago that anything is not anymore unique and by the way neither the snow flakes.

Okay I’ll play fair nothing of the potential attack I described are easily to be done but, in the end, is there any cyber-attack that is “easy” and so has not been tried in the past?

So what’s the point? Well the point is the same with the text password. What makes the text password so successful?

Are those unique? well not exactly but are uniquely chosen and kept (or should be kept) in the best vault ever…your brain. Yes if like me your brain is not smart you’ll probably use a software to keep your password and again, do you trust this company that offer you to store your password? Is is so secure to relay on a third party to get your own password if in the end those must be used anyways? My company and I personally am a specialist of a solution that, manage the password of the so called privileged accounts (aka password safe) but still the question is there? isn’t it just a workaround to not type the password and let something else do it on your behalf?

The text password was and still is so successful not because of its strength but because is easy to remind in other word is an information that stay with us always. In the very beginning of the information tech era the password where a very well know information’s of our own so isn’t it your fingerprint the same?

Think about it:

  • It is always with you
  • it does not guarantee or should not guarantee you to log in but just to be recognized: if the fingerprint is recognized that probably is you and you may proceed with the “password”
  • it is unique (if not when an attacker try to clone it of course)

Sound like…like..oh well do you have an ATM card? yes a pin code associated to a ATM card works almost the same way:

  • You have the card always (or almost always) with you
  • the PIN code says that since you have the card and you know the PIN code associated with it you’re mostly who you said you are
  • it is unique..since nobody else should have your ATM card physically

it’s a well-known model and it is around since many years so I simply thinking at a similar model but where I won’t use my biometrics for authentication but for authorization.

Let imagine something like this:

  • A user use it’s biometrics to start an auth-N process
  • A sub-process alert all the apps/services who may be provide federate Auth-N consequently to the correct access (pre-Auth-Z)
  • User is requested to “create” the token for the temporary access (will post lately a model on this)
  • The token exchange auth-N metadata with the Auth-N IDP and provide authentication (this could be a local process or a remote one)
  • The apps combine the token and the “username” and provide a pre-Auth-N (if needed aka the user call the app)

Biometric is the center of an “onion” and I really need to thank Robin Wilton to share to me his onion model that was revealing.

Do I contradict myself?…I contradict myself, I am large, I contain multitudes”

Whitman (and with the courtesy of a suggestion in the #mobilebiz chat from Steve Wilson [@Steve_Lockstep])

Note: #mobilebiz tweet chat is hosted by @bmkatz and @PaladorBenjamin every Thursday at 1PM EST, 10AM PST

 

 

Topics

Archives