
Apple's US-based chip development expanding in Florida, could be related to fingerprint tech

post #1 of 50
Thread Starter 
Apple's domestic development of custom chips continues to grow, as a new job listing references a mysterious "Melbourne Design Center" in Florida, likely connected to the company's interest in fingerprint scanning technology.

AuthenTec's U.are.U 5160 Fingerprint Reader. The company, bought by Apple last year, is based in Florida.


The newly available position for a Software Engineer in Melbourne, Fla., was spotted by AppleInsider on Monday. It seeks a candidate who will work on software called "LabTool" that is used for sensor integrated circuits developed at Apple's "Melbourne Design Center."

Apple's new Melbourne Design Center may be connected to its purchase of AuthenTec, maker of fingerprint scanning technology.

The city of Melbourne is located on Florida's Space Coast, named for being located near the Kennedy Space Center where NASA launched Space Shuttles until the program's retirement in 2011. The presence of NASA and various U.S. military installations has led to a number of high-tech jobs in the region.

The job listing gives no indication as to exactly what type of integrated circuits the software engineer might work on. But it's possible that the position is related to Apple's acquisition of AuthenTec, a Melbourne-based company that was purchased for $356 million last year.

There are no other job listings on Apple's site located in Melbourne, further suggesting the new hire would be a part of AuthenTec's existing operations on the Space Coast.

Apple's purchase of AuthenTec is believed to have been driven by its custom fingerprint sensor technology. That's fueled speculation that Apple could include an integrated fingerprint scanner in a future iPhone, potentially as soon as this year.

Analyst Ming-chi Kuo of KGI Securities, who has a strong track record in predicting Apple's future product plans, first reported in January that Apple plans to launch a so-called "iPhone 5S" this year with a fingerprint sensor featuring AuthenTec's technology. According to Kuo, the sensor will be located under the home button on the handset, and it will allow users to bypass password entry and potentially authenticate e-wallet transactions.

Apple's new Software Engineer vacancy in Melbourne seeks a candidate that will write low-level control firmware for "sensor ICs" built at the Melbourne Design Center. These "sensor functions" will include array control, gain control, calibration and security.

Qualified candidates for the newly available job must have a bachelor's degree in electrical engineering, computer engineering or computer science.
post #2 of 50

DO NOT WANT THIS FINGERPRINTING IN APPLE iDevices NOR MACS!

 

What I DO want is Push-To-Talk Nextel/iDEN Direct Connect style with a dedicated yet programmable button.  I NEVER used a finger scanner on a work laptop I had and never would.  Fingerprinting is for criminals not end users!

post #3 of 50
Quote:
Originally Posted by libertyforall View Post

Fingerprinting is for criminals not end users!

There have been countless people identified by their finger and foot prints that were done. Tragedies do happen and yet you would deny all those families closure by not being able to know if their loved one(s) were properly identified. Shame on you! 1oyvey.gif

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #4 of 50
Originally Posted by libertyforall View Post

Fingerprinting is for criminals not end users!

 

So how about a tongue print sensor instead?

Your tongue print is just as unique as your fingerprints, but the FBI doesn't have a tongue print database.

Great for paranoids such as yourself.

 

And lick-to-unlock would drastically cut back on sharing iOS devices, now wouldn't it?

Not sure I'd like to handle an iPhone whose owner just licked it.

Could boost iPhone sales.  Less sharing.

Sent from my iPhone Simulator

post #5 of 50
Originally Posted by SockRolid View Post
So how about a tongue print sensor instead?

Your tongue print is just as unique as your fingerprints, but the FBI doesn't have a tongue print database.

 

Have the front-facing camera scan your ear. No two ears are the same.

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
post #6 of 50
Seems a bit late if the tech is already slated for the iPhone 5s.
post #7 of 50
I went to Disneyworld last weekend. They fingerprint everyone in order to enter.
post #8 of 50
Originally Posted by Eccent View Post
I went to Disneyworld last weekend. They fingerprint everyone in order to enter.

 

Yet another reason I won't be going to Disney[location].

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
post #9 of 50
Quote:
Originally Posted by Eccent View Post

I went to Disneyworld last weekend. They fingerprint everyone in order to enter.

 

It isn't actually a fingerprint scan. It scans the whole finger and analyses the geometry of the finger e.g. size, shape, etc.

 

Quote: http://allears.net/pl/fingerscan.htm

The admission system has nothing to do with your fingerprints. It scans your finger and uses a geometric formula to come up with a number that will identify your fingers. The calculated number is apparently something that is not totally unique, but is statistically significant in identifying you.
 
The data on the scans is kept independent of any other system and will be purged 30 days after the ticket expires or when the computer determines that it is fully used up.
 
Does everyone that has one of those passes have to use the finger scan system?
 
Yes except for children. If you personally prefer not using the finger scanners, a photo ID can always override the use of biometrics. Just present the gate CM a photo ID and be admitted without using the scanner. Otherwise, you will have to use the finger scanners to get in.

 

Life is too short to drink bad coffee.

post #10 of 50
Quote:
Originally Posted by libertyforall View Post

DO NOT WANT THIS FINGERPRINTING IN APPLE iDevices NOR MACS!

 

It's okay to not want it, but why not?

 

The match info would almost certainly only be stored in the device itself.  It's not like it's going to send your fingerprints to the FBI along with all your porn website searches.  No need.  Apple iTunes probably already has your name, after all.

 

Is it just the idea of fingerprints that worries you?  (Obviously you were never in the military or applied as a teacher, etc if you haven't been fingerprinted.)  

 

Some sensors look at the pattern of blood vessels under your finger skin, instead.  Would that be better?

 

On the good side of things, a fingerprint login would be pretty good proof that you were not at a murder scene, or the user who surfed child pron. On the bad side of things, it might be proof that you were!

post #11 of 50
Quote:
Originally Posted by libertyforall View Post

DO NOT WANT THIS FINGERPRINTING IN APPLE iDevices NOR MACS!

What I DO want is Push-To-Talk Nextel/iDEN Direct Connect style with a dedicated yet programmable button.  I NEVER used a finger scanner on a work laptop I had and never would.  Fingerprinting is for criminals not end users!

No problem. Just don't use it.

Security measures are always optional. If you don't care about security, turn off all the security features and go merrily on your way.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
post #12 of 50
Quote:
Originally Posted by KDarling View Post

Some sensors look at the pattern of blood vessels under your finger skin, instead.  Would that be better?

 

 

Biometrics are better because presumably they can tell if it is a real living hand print whereas fingerprints can be faked with a plastic replica or gruesomely, a severed digit.

Life is too short to drink bad coffee.

post #13 of 50
Quote:
Originally Posted by mstone View Post

Biometrics are better because presumably they can tell if it is a real living hand print whereas fingerprints can be faked with a plastic replica or gruesomely, a severed digit.

The biometric I prefer for security is the one that comes from a specific series of synaptic responses in the gray matter between my ears which means I can't be unconscious or dead when applied.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #14 of 50
Quote:
Originally Posted by SolipsismX View Post

The biometric I prefer for security is the one that comes from a specific series of synaptic responses in the gray matter between my ears which means I can't be unconscious or dead when applied.

We can waterboard that password out of you. lol.gif

Life is too short to drink bad coffee.

post #15 of 50
Quote:
Originally Posted by mstone View Post

We can waterboard that password out of you. lol.gif

Can we at least start with sodium pentothal?

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #16 of 50
Quote:
Originally Posted by mstone View Post

Biometrics are better because presumably they can tell if it is a real living hand print whereas fingerprints can be faked with a plastic replica or gruesomely, a severed digit.

 

The tech that Apple bought recently apparently gets around this and apparently *can* tell if the finger is living flesh or not, but we'll have to see their implementation to see if that's actually true.  Companies in this area claim all kinds of things that later turn out not to be true, because the facts tend to argue against their claims.  

 

For instance a fingerprint is hugely *less* unique than a DNA profile and a DNA profile is still not much more than a 90% match most of the time.  The illusion that these kind of identifiers are a "lock" for security purposes, is something the security firms like to push but it isn't really true.  In any sufficiently large city, there are multiple persons with the same fingerprints or at least close enough to be impossible to tell apart.  

post #17 of 50

Know what I'd like? I'd like a security system that lies to you.

 

I'd like a security system where you put in your password correctly, it comes back "no", and then you put it in again and it comes back "yes".

 

The fake failure is PART of the security. You have to get it right twice.

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
post #18 of 50
Quote:
Originally Posted by Tallest Skil View Post

Know what I'd like? I'd like a security system that lies to you.

 

I'd like a security system where you put in your password correctly, it comes back "no", and then you put it in again and it comes back "yes".

 

The fake failure is PART of the security. You have to get it right twice.

That makes no sense at all. You can add additional data points easily which won't confuse or annoy the user. For example banks may ask a series of questions such as your first school, or recent past address, in order to further verify you if you are logging in from a machine without a cookie or a known IP address.

Life is too short to drink bad coffee.

post #19 of 50
Originally Posted by mstone View Post
That makes no sense at all.

 

Of course not¡ 1oyvey.gif

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
post #20 of 50
Quote:
Originally Posted by Tallest Skil View Post

Know what I'd like? I'd like a security system that lies to you.

I'd like a security system where you put in your password correctly, it comes back "no", and then you put it in again and it comes back "yes".

The fake failure is PART of the security. You have to get it right twice.

Bad idea.
post #21 of 50
Quote:
Originally Posted by Tallest Skil View Post

Know what I'd like? I'd like a security system that lies to you.

I'd like a security system where you put in your password correctly, it comes back "no", and then you put it in again and it comes back "yes".

The fake failure is PART of the security. You have to get it right twice.

Bad idea.
post #22 of 50
Originally Posted by MacBook Pro View Post
Bad idea.

 

Why? I, the user, have initiated it. I, the user, know what is happening.

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
post #23 of 50
Quote:
Originally Posted by Tallest Skil View Post

Why? I, the user, have initiated it. I, the user, know what is happening.

My apologies if you missed the sarcasm. Please read my posts again then read your post again.

Ah, nevermind. My second post which was exactly the same as the first post was deleted.

I believe most consumers would fail your security measure which doesn't make it a poor idea simply an idea that is impractical for most of the population. A feature that perhaps 20% of the population would use, including myself.
post #24 of 50
Originally Posted by MacBook Pro View Post
My apologies if you missed the sarcasm. Please read my posts again then read your post again.

Ah, nevermind. My second post which was exactly the same as the first post was deleted.


HA HA HA HA HA HA HA! Oh, man. I'm so used to accidental double posts here. Oh, that's great.


I believe most consumers would fail your security measure which doesn't make it a poor idea simply an idea that is impractical for most of the population. A feature that perhaps 20% of the population would use, including myself.

 

Yeah, they'd fail it. They're morons. 1tongue.gif I'm not saying it would be the option, just an option. I'm sure most people don't use anything but the 4-number password, but the keyboard is there all the same.

 

I'd actually like to be able to use my international keyboards on the password screen. What's a more secure password than one in a language you can't read and in a character set you can't write? No one is going to crack that based on your personal information.

 

This whole idea, by the way, came from my experience in Windows, where I can type my password perfectly and the OS says no. Then I type it again and the OS says yes.

 

Microsoft's first innovation: a new security feature, of all things.

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
post #25 of 50
Quote:
Originally Posted by mstone View Post

That makes no sense at all. You can add additional data points easily which won't confuse or annoy the user. For example banks may ask a series of questions such as your first school, or recent past address, in order to further verify you if you are logging in from a machine without a cookie or a known IP address.

I hate those questions. A lot of times, it's difficult to find questions that I know I can consistently answer. Too often, it's stuff like:

- What color was your first car? How the heck should I remember that? it's 40 years ago. In all likelihood, it was a rust-bucket, anyway.

- Who is your favorite musician? I don't have one favorite. It depends on my mood.

- Who is your favorite sports team? I don't like sports.

- What was your first job? Do you mean first professional job? First part time job in high school? First internship while in college? Mowing lawns for my neighbor? Mowing lawns at home which I got paid for?

- Favorite Teacher's name? Did I enter 'Mr. Jones' or 'Mr. Davy Jones' or 'Mr Jones' or 'Davy Jones' or 'David Jones' or 'D Jones'????

And so on.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
post #26 of 50
Quote:

Originally Posted by Tallest Skil View Post
 

The fake failure is PART of the security. You have to get it right twice.

Originally Posted by mstone View Post
That makes no sense at all.

 

Of course not¡ 1oyvey.gif

Advocating a system whereby fake failure is part of the process of verification is ridiculous.

Life is too short to drink bad coffee.

post #27 of 50
Quote:
Originally Posted by mstone View Post

Advocating a system whereby fake failure is part of the process of verification is ridiculous.

Fake failure can be successful. I used to have a voice mail message years ago when I had a home phone that had the "This line has been disconnected or no longer in service" message. This was back when telemarketing was much more commonplace (or maybe it still is if you still have a land line).

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #28 of 50
Quote:
Originally Posted by SolipsismX View Post

Quote:
Originally Posted by mstone View Post

Advocating a system whereby fake failure is part of the process of verification is ridiculous.

Fake failure can be successful. I used to have a voice mail message years ago when I had a home phone that had the "This line has been disconnected or no longer in service" message. This was back when telemarketing was much more commonplace (or maybe it still is if you still have a land line).

Exactly my point. In a single case where you are the only one required to know about the fake failure, it works, but when you look at it from the perspective of the general populace it is a total failure. So when you met that hot potential date and shared your phone number, you had to also tell them "just ignore the fake message". Do you see how that might cause you to miss that rendezvous unless you clarified the obscure message? A commercial entity would be deluged with irate customers calling support because they could not log in. Not fake fail. Complete fail.

 

They first try the password they KNOW is correct but it doesn't work, so they think am I going crazy and they try some other password instead and of course that fails too, so they think maybe I mistyped the first time. Let me try the first one again but that is rejected as well. Calling support...


Edited by mstone - 4/8/13 at 12:19pm

Life is too short to drink bad coffee.

post #29 of 50
Originally Posted by mstone View Post
Advocating a system whereby fake failure is part of the process of verification is ridiculous.

 

No, it's secure.

 

What better deterrent than a deterrent?

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
post #30 of 50
Quote:
Originally Posted by mstone View Post

Exactly my point. In a single case where you are the only one required to know about the fake failure, it works, but when you look at it from the perspective of the general populace it is a total failure. So when you met that hot potential date and shared your phone number, you had to also tell them "just ignore the fake message". Do you see how that might cause you to miss that rendezvous unless you clarified the obscure message? A commercial entity would be deluged with irate customers calling support because they could not log in. Not fake fail. Complete fail.

Right, but that's why it's secure. Disinformation, obscurity, and subterfuge are oft a part of security. If you want people to know it's real you tell them.

Remember the movie Spies Like Us? Remember the old abandoned drive-in theater that was a secret government facility?

OK, maybe not the best example, but how about camouflage and stealth fighter technology? Those are both used to give a false presence of one's existence and it's quite successful. It does mean that your fellow soldier can't see you as easily if you had put on a reflective orange vest but they use other methods to inform each other of their whereabouts as needed.

Security always comes with a cost of certain conveniences.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #31 of 50
Quote:
Originally Posted by Tallest Skil View Post

Originally Posted by mstone View Post
Advocating a system whereby fake failure is part of the process of verification is ridiculous.

 

No, it's secure.

 

What better deterrent than a deterrent?

I'm sorry TS but it is just a stupid concept unless you are the only person to ever log in to the site and you know about the fake failure. Can you imagine the chaos that would cause on a site where millions of users are logging in and are completely unaware of the fake failure? And if you make it well known that the fake failure is part of the process, the deterrent is lost because everyone knows about it. Just ridiculous.

Life is too short to drink bad coffee.

post #32 of 50
Quote:
Originally Posted by SolipsismX View Post

Right, but that's why it's secure. Disinformation, obscurity, and subterfuge are oft a part of security. If you want people to know it's real you tell them.

Remember the movie Spies Like Us? Remember the old abandoned drive-in theater that was a secret government facility?

OK, maybe not the best example, but how about camouflage and stealth fighter technology? Those are both used to give a false presence of one's existence and it's quite successful. It does mean that your fellow soldier can't see you as easily if you had put on a reflective orange vest but they use other methods to inform each other of their whereabouts as needed.

Security always comes with a cost of certain conveniences.

I really don't understand how this is so hard for you to grasp. There is no need for analogies. It just doesn't work for Internet logins. If people get confused and can't login, they call support. 1oyvey.gif

Life is too short to drink bad coffee.

post #33 of 50
Quote:
Originally Posted by mstone View Post

I really don't understand how this is so hard for you to grasp. There is no need for analogies. It just doesn't work for Internet logins. If people get confused and can't login, they call support. 1oyvey.gif

I see. I jumped in with a generalized response about fake failures. I can't think of any example for a fake login failure working on a large scale because the more that know about it the less successful it becomes as a security measure.

If you want to consider internet-only security then look at honey pots which are used for fake success. That's the opposite of a fake failure but in the same category. These are quite successful when done well and one can learn a great deal about the methods people use to get in and set up shop in a system.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #34 of 50
Quote:
Originally Posted by jragosta View Post


I hate those questions. A lot of times, it's difficult to find questions that I know I can consistently answer. Too often, it's stuff like:

- What color was your first car? How the heck should I remember that? it's 40 years ago. In all likelihood, it was a rust-bucket, anyway.

- Who is your favorite musician? I don't have one favorite. It depends on my mood.

- Who is your favorite sports team? I don't like sports.

- What was your first job? Do you mean first professional job? First part time job in high school? First internship while in college? Mowing lawns for my neighbor? Mowing lawns at home which I got paid for?

- Favorite Teacher's name? Did I enter 'Mr. Jones' or 'Mr. Davy Jones' or 'Mr Jones' or 'Davy Jones' or 'David Jones' or 'D Jones'????

And so on.

 

Wow, this is spot on as to why I also hate those stupid security questions.  They assume a kind of "normalcy" that I have never been in possession of.  

 

The exact nature of the answer is indeed a real problem for this type of security also.  I have several times been locked out of my accounts because of forgetting whether there was a comma or a capital letter in one of my answers.  

 

They might as well get you to remember a random text string ... 
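
Added example (not part of the thread or of any poster's message): the lockouts described in posts #25 and #34, where a stored answer stops matching because of a title, a comma or a capital letter, are usually avoided by canonicalizing the answer before it is hashed. The Python below is a sketch under assumptions: the honorific list, the PBKDF2 iteration count and every function name are chosen for this example.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumption: example iteration count; tune to your own hardware and policy.
ITERATIONS = 200_000

# Assumption: honorifics dropped from the front of an answer (constructed list).
HONORIFICS = {"mr", "mrs", "ms", "miss", "dr", "prof"}

# Constructed sample input: the spellings listed in post #25.
SAMPLE_VARIANTS = [
    "Mr. Jones", "Mr. Davy Jones", "Mr Jones",
    "Davy Jones", "David Jones", "D Jones",
]


def canonicalize(answer: str) -> str:
    """Return the answer with case, punctuation, spacing and leading
    honorifics removed, so cosmetic differences do not cause a mismatch."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    # Anything that is not a letter or digit becomes a word separator.
    text = "".join(ch if ch.isalnum() else " " for ch in text)
    words = text.split()
    while words and words[0] in HONORIFICS:
        words.pop(0)
    return " ".join(words)


def _derive(canonical: str, salt: bytes) -> bytes:
    # Slow salted hash: answers have few possible values, so a fast hash
    # would make offline guessing of a leaked table cheap.
    return hashlib.pbkdf2_hmac("sha256", canonical.encode("utf-8"), salt, ITERATIONS)


def enroll(answer: str) -> tuple[bytes, bytes]:
    """Store only (salt, digest) of the canonical answer, never the text."""
    canonical = canonicalize(answer)
    if not canonical:
        # e.g. "Dr." alone: nothing is left to compare against.
        raise ValueError("answer is empty after canonicalization")
    salt = os.urandom(16)
    return salt, _derive(canonical, salt)


def verify(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    return hmac.compare_digest(_derive(canonicalize(candidate), salt), digest)


def group_variants(variants: list[str]) -> dict[str, list[str]]:
    """Group spellings by canonical form to show which ones would match."""
    groups: dict[str, list[str]] = {}
    for variant in variants:
        groups.setdefault(canonicalize(variant), []).append(variant)
    return groups


if __name__ == "__main__":
    for canonical, spellings in group_variants(SAMPLE_VARIANTS).items():
        print(f"{canonical!r}: {spellings}")
    salt, digest = enroll("Mr. Davy Jones")
    print("davy jones  ->", verify("davy jones", salt, digest))
    print("David Jones ->", verify("David Jones", salt, digest))
```

Canonicalization only absorbs cosmetic differences: "David Jones" and "D Jones" remain distinct answers, and folding case and punctuation slightly reduces the number of distinguishable answers.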

post #35 of 50
Quote:
Originally Posted by jragosta View Post

I hate those questions. A lot of times, it's difficult to find questions that I know I can consistently answer. Too often, it's stuff like:

- What color was your first car? How the heck should I remember that? it's 40 years ago. In all likelihood, it was a rust-bucket, anyway.

- Who is your favorite musician? I don't have one favorite. It depends on my mood.

- Who is your favorite sports team? I don't like sports.

- What was your first job? Do you mean first professional job? First part time job in high school? First internship while in college? Mowing lawns for my neighbor? Mowing lawns at home which I got paid for?

- Favorite Teacher's name? Did I enter 'Mr. Jones' or 'Mr. Davy Jones' or 'Mr Jones' or 'Davy Jones' or 'David Jones' or 'D Jones'????

And so on.

Quote:
Originally Posted by Gazoobee View Post

Wow, this is spot on as to why I also hate those stupid security questions.  They assume a kind of "normalcy" that I have never been in possession of.  

The exact nature of the answer is indeed a real problem for this type of security also.  I have several times been locked out of my accounts because of forgetting whether there was a comma or a capital letter in one of my answers.  

They might as well get you to remember a random text string ... 

I sent the following letter to Tim Cook every workday for three months to no avail.



I am attempting to purchase media from my MacBook Pro which I have had for several years as well as my iPhone 4S which I have had for several months. My iTunes account is not locked. When I attempt a purchase I am stopped by iTunes and forced to select security questions and answers. The issue I have is that the new security questions in iTunes are too vague and obscure. I haven't forgotten the answers to the security questions. I simply refuse to answer the security questions because I will not be able to remember the answers without recording the information which defeats the purpose of having security questions.


Until the security questions in iTunes are changed by Apple I will not be able to purchase apps, books, movies, music, or TV shows. This is a serious issue for me as my family relies heavily on Apple since we have 2 new iPads (3rd generation), 2 iPhone 4S's, 2 iPod Touches, 2 AppleTVs and 1 MacBook Pro currently. We are planning to purchase several more Apple computers this year as well and were planning to cancel our cable subscription to use AppleTV. I strongly urge Apple reconsider the security questions. While I applaud the effort to improve security, the questions are not appropriate due to the reasons already specified.

Here are examples of questions which Apple is asking:


What was the first car you owned?
Who was your first teacher?
What was the first album you owned?
Where was your first job?
In which city were you first kissed?

Which of the cars you've owned has been your favorite?
Who was your favorite teacher?
What was the first concert you attended?
Where was your favorite job?
Who was your best childhood friend?

Which of the cars you've owned has been your least favorite?
Who was your least favorite teacher?
Where was your least favorite job?
In which city did your mother and father meet?
Where were you on January 1, 2000?

Many of these questions contradict or are contraindicated by good security question principles:

The answer to a good security question should be easy to remember but still not available to others. Ideally, the user should immediately know the answer without doing research or looking up a reference or remembering too far back in time.

Bad examples:

* What is your driver's license number? (I haven't memorized mine, have you?)
* Car registration number (this may be easy for others to find on the web anyway)

But don't use questions that go back to childhood, or for that matter last year for someone like me.
Bad examples:

* What was the name of your first pet?
* What was your first car, favorite elementary school teacher, first kiss, etc.

http://www.goodsecurityquestions.com/designing.htm


Please add questions that the average person over 40 can actually remember, more importantly see the website listed above for security question best practices:

In which city, county and state were you born?
What is your maternal grandmother's maiden name?

According to http://www.goodsecurityquestions.com/designing.html the answer to a good security question:
1. Cannot be easily guessed or researched (safe)
2. Doesn’t change over time (stable)
3. Is memorable
4. Is definitive or simple


1. Safe - Can't Guess or Research
The most important characteristic of a good security question is security - it does not compromise the very thing it is trying to protect. A good security question would have answers that are not easy to guess or decipher and thus block unauthorized access to the account.

Good security questions meet a number of specific requirements and have high entropy. In general, this means that the number of possible answers is very high and that the probability of selecting any one specific answer is very low. When you create high entropy-based questions, only the authorized user is likely to provide the correct answers.

The answer cannot be found through research (mother’s maiden name, birth date, first or last name, social security number, phone number, address, pet’s name)
The question has many possible answers where the probability of guessing the correct answer is low.

Answers are unlikely to be known by others such as a family member, close friend, relative, ex-spouse, or significant other.

Bad examples:
What is your address?
What is your phone number?
What is your mother's maiden name?

Good examples:
What was your dream job as a child?
What is the first name of the boy or girl that you first kissed?
An additional option is to combine several data elements in one question thus increasing possible responses and decreasing the probability of others guessing the correct answer.

Examples:
What is the name, breed, and color of your pet?
What is the city, county, and state of your birth?
The downside to this is that it makes it more difficult for the user to answer consistently each time.

2. Doesn’t Change
The answer to a good security question doesn't change over time.
Bad examples:
Where did you vacation last year?
Where do you want to retire?
... work or personal address, employer, nearest relative, phone number, etc.

One of my biggest complaints is "favorites." Favorite vacation, teacher, color, movie, book, animal, song, artist, etc. The list is endless and worthless for those of us that aren't definitive or change our minds or are human. Last year my favorite vacation was Italy; this year it is Hawaii. Favorites change and the next time I login and have to answer a security question, I get locked out. Result: frustrated user, perceived untrustworthy website, wasted support time, or worse, the user doesn't return.

Good examples:
What is the middle name of your oldest child?
What school did you attend for sixth grade?

The other problem with favorite or preference types of questions is that people are displaying more information on social network sites like Facebook and Myspace. You should use more caution when using these types of questions.


3. Memorable
The answer to a good security question should be easy to remember but still not available to others. Ideally, the user should immediately know the answer without doing research or looking up a reference or remembering too far back in time.

Bad examples:
What is your driver's license number? (I haven't memorized mine, have you?)
Car registration number (this may be easy for others to find on the web anyway)
But don't use questions that go back to childhood, or for that matter last year for someone like me.

Bad examples:
What was the name of your first pet?
What was your first car, favorite elementary school teacher, first kiss, etc.




4. Definitive
The question should be asked so the answer is 1) definitive or simple, 2) has an obvious format, and 3) is NOT case sensitive.

Definitive
The question should require a specific answer.

Bad example:
What was your first car?

Hmm, which is it: Ford, Maverick, Ford Maverick, 1971 Ford Maverick, 71 Ford, etc. (ok, that dates me and probably leaves a mark on my judgment too - but, honestly, I couldn't remember what my first car was - had to ask my wife).

Better example:
What was the make of your first car? (Some will not understand "make")
A very commonly used question is: What is the name of your pet? Which pet? dog, cat, fish, rat, snake.... hmm, do people name their snakes?

Simple Format
The format of the answer should be clear. Don't ask "When was your anniversary?" The answer could be 1990, Aug 1990, August 1, 1990, etc. Instead ask, “What month were you married (e.g., January)?” Providing a format example in the question indicates how the user should answer.

Bad example:
What month were you born?
Answers could vary (January, Jan, 01) and users may not remember when they have to answer.

Better example:
What month and year were you born? (e.g., January 1900)
(include the example in the question)

Not Case Sensitive
Don't validate case on the text field. The worst thing is to come up with a great question and then validate case sensitivity. I've actually sat and wondered if I capitalized the name of my elementary school.
With these three definitive guidelines, here's how to make a bad question better.

Bad example:
What is your brother’s birthday?

Better example:
What is your oldest sibling’s birthday month and year? (e.g., January 1900)

User Written Questions

Some site registration forms let the user write the question and then supply the answer, like this example.
After looking through this website, it should be clear that creating good security questions is not simple. Permitting the user to create a good question at the moment of need is setting the user up for frustration and failure and potential security breach. Self-service password resets are more complicated than they appear, and you should think carefully before implementing this option. If IT professionals have difficulty writing good questions, how can we expect users to create a safe, consistent, memorable, and definitive question within moments?

My recommendation: don't let users write their own questions. You're the expert, that's what you're paid for.

Not for Everyone
A good security question will not work for all people and most good questions still have some flaws. Therefore, it is best to offer 2-3 sets of questions (more if data is more sensitive) with a variety of questions. I recommend offering 15 questions in each of three sets as seen below. You would need to eliminate the selected question from the first question for the subsequent question groups.

Security Questions
You must select three questions and enter an answer for each question. You cannot use the same question more than once. Answers are NOT case sensitive (caps or no caps are OK).

1. Security Question:
Select one question
In what city did you meet your spouse/significant other?
What was your childhood nickname?
What is the name of your favorite childhood friend?
What street did you live on in third grade?
What is your oldest sibling’s birthday month and year? (e.g., January 1900)
What is the middle name of your oldest child?
What is your oldest sibling's middle name?
What school did you attend for sixth grade?
What was your childhood phone number including area code? (e.g., 000-000-0000)
What was the name of your first stuffed animal?
In what city or town did your mother and father meet?
What was the last name of your third grade teacher?
What is the first name of the boy or girl that you first kissed?
What is your maternal grandmother's maiden name?
In what town was your first job?


Answer to Question 1:

2. Security Question:
Select one question


Answer to Question 2:

3. Security Question:
Select one question


Answer to Question 3:

Other Tips
Well, that's just about it, but here's a few other tips when creating good security questions.

There are few good questions that work for all people. Some questions are poor for some people and good for others. Offer a variety of good questions and users will select what works for them.

Don't ask too many questions. I've been through some registrations for sign-in verification that asked 15 security questions. My eyes started to glaze over after five (probably just old age). Perhaps more than five questions are warranted, but be kind to users.

Make your questions grammatically correct. It may not affect the quality of the question, but it can affect your reputation.

Avoid questions about color — there are a limited number of colors that people will use.
Once you have good and great questions selected, provide good instructions for users.


Thank you very much for your time and consideration.
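The "Not Case Sensitive" guideline and the "cannot use the same question more than once" rule from the post above, sketched as server-side handling. This is an added example, not part of the original post or the site it quotes; the function names, the choice of PBKDF2 and its iteration count, and the sample answers are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re
import unicodedata

def normalize_answer(raw: str) -> str:
    """Canonical form: Unicode-normalized, case-folded, letters and digits only."""
    text = unicodedata.normalize("NFKC", raw).casefold()
    # Drop spaces, commas, hyphens, apostrophes: users rarely retype them the same way.
    return re.sub(r"[\W_]+", "", text)

def hash_answer(raw: str, salt: bytes) -> bytes:
    # Answers are low-entropy secrets: store a salted, slow hash, never the text.
    # The iteration count is an illustrative assumption.
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(raw).encode(), salt, 200_000)

def enroll(selections):
    """selections: list of (question, answer); a question may be chosen only once."""
    questions = [q for q, _ in selections]
    if len(set(questions)) != len(questions):
        raise ValueError("each security question may be selected only once")
    record = {}
    for question, answer in selections:
        if not normalize_answer(answer):
            raise ValueError("answer is empty after normalization")
        salt = os.urandom(16)
        record[question] = (salt, hash_answer(answer, salt))
    return record

def verify(record, question, attempt) -> bool:
    if question not in record:
        return False
    salt, stored = record[question]
    # Constant-time comparison of the derived hashes.
    return hmac.compare_digest(stored, hash_answer(attempt, salt))

# Constructed sample enrollment using three questions from the list in the post.
SAMPLE = enroll([
    ("What school did you attend for sixth grade?", "St. Mary's Elementary"),
    ("What street did you live on in third grade?", "Oak-Ridge Lane"),
    ("In what town was your first job?", "Melbourne, FL"),
])
```

Normalization removes the capital-letter and comma lockouts, but it cannot reconcile "Aug 1990" with "August 1990"; that still depends on the format hint in the question text.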
post #36 of 50
Quote:
Originally Posted by Gazoobee View Post

Wow, this is spot on as to why I also hate those stupid security questions.  They assume a kind of "normalcy" that I have never been in possession of.  

 

The exact nature of the answer is indeed a real problem for this type of security also.  I have several times been locked out of my accounts because of forgetting whether there was a comma or a capital letter in one of my answers.  

 

They might as well get you to remember a random text string ... 

I don't think the problem is one of a faulty concept but one of poor execution by presenting typical questions/answer options which may not apply to everyone.

 

In the case of my bank when I screwed up my login because I changed my password and then forgot I did so, they went into the extreme verification mode.

 

The part I found the most impressive was multiple choice questions. They submitted four apparently random addresses and asked if any of them were associated with me. They repeated the sequence a number of times and in some cases the correct answer was none of the above. The addresses they presented, that were correct, they got from public records not from any information I supplied to them. Then they somehow got information about my acquaintances, perhaps from my online presence, but nevertheless they were able to determine beyond any statistical margin of error that I was legitimate even though I may have answered some questions incorrectly.

Life is too short to drink bad coffee.

post #37 of 50
Wait wait wait. is that an article on the fact that a multibillion dollar company hired an engineer?


Next week on AppleInsider, "Beijing's Apple Store hires new employee, clearly proving the company's focus on Greater China. This level of dedication to its customers has never been reached by any other company than the "Think different" awesome Apple. Android sucks, by the way. An article by DED."

Or am I just a bit too harsh?

Social Capitalist, dreamer and wise enough to know I'm never going to grow up anyway... so not trying anymore.

 

http://m.ign.com/articles/2014/07/16/7-high-school-girls-are-kickstarting-their-awa...

post #38 of 50
Quote:
Originally Posted by SolipsismX View Post


Can we at least start with sodium pentothal?


Codeine and being nice to an injured agent is said to work too.

 

Well, I also understood "agent" means allies and "spy" means enemies... so I guess it's "an injured spy" :p

Social Capitalist, dreamer and wise enough to know I'm never going to grow up anyway... so not trying anymore.

 

http://m.ign.com/articles/2014/07/16/7-high-school-girls-are-kickstarting-their-awa...

post #39 of 50
Quote:
Originally Posted by lightknight View Post

Wait wait wait. is that an article on the fact that a multibillion dollar company hired an engineer?


Next week on AppleInsider, "Beijing's Apple Store hires new employee, clearly proving the company's focus on Greater China. This level of dedication to its customers has never been reached by any other company than the "Think different" awesome Apple. Android sucks, by the way. An article by DED."

Or am I just a bit too harsh?

Not sure if you're too harsh, but many Apple watchers are genuinely curious about when/if Apple implements this technology and whether or not they get it right. I didn't detect any rampant "fanboism" or Android trashing.

For your sake, I hope you're right.
post #40 of 50
Originally Posted by MacBook Pro View Post
[post]

I'm surprised Tim didn't take out a restraining order or get an Apple security goon after you.

For your sake, I hope you're right.