Thanks for the commentary. This one reminds me of a major error I made on my Thesis. I was exhausted after months of writing and rewriting and re-rewriting my thesis, so when I had to do the biographical sketch, I put it out without much thought. I had lived in the same town my whole life up to that point, so I listed that town as where I was born. In reality, my town didn't have a hospital, so I was actually born in an adjacent town (my baby sister was happy to point out the error in my thesis).
Many of the 'good' questions you listed have problems, though:
- Middle name of your oldest child.....what if you don't have kids?
- Where did your parents meet.....what if you don't know and they're not around to ask?
- Father's middle name...what if he doesn't have a middle name?
- Name of first person you kissed (or city)...I don't know for sure, but I'd wager that a large percentage of the over 40 population can't remember. It was probably playing spin the bottle at a birthday party when you were 12 or so.
- What elementary school did you attend....does that include Kindergarten? More importantly, you get into the 'must spell it exactly right' situation. For example, take the common name of Little Town Elementary #1 School. Or is it Little Town #1 Elementary School? Or Little Town Elementary School? Or Little Town Elementary?
Of course, the nonsense that they go through to insist on secure passwords is getting out of control, too. "Must have upper case, lower case, numbers, and symbols, must be at least 8 characters and less than 20, can not repeat any of the characters....... on and on and on". That doesn't really do anyone any good. Most security breaches are human engineering, so it doesn't matter how secure the password is. And the more complicated you make it, the more likely the person is to write it down somewhere.
Biometrics are better because presumably they can tell if it is a real living hand print where as finger prints can be faked with plastic replica or gruesomely, a severed digit.
The particular sensor apple is interested in from Authentec does just that and cant be spoofed by a dead finger cut from someones hand, it scans the live tissue under the surface as well which degrades when dead, there was an article a while back I read interviewing the guy who made the sensor for authentic. He was talking about how it scans the underlying live tissue so that a severed finger (dead one) would not work. The picture AI using above is from that sensor and Authentecs site.
The particular sensor apple is interested in from Authentec does just that and cant be spoofed by a dead finger cut from someones hand, it scans the live tissue under the surface as well which degrades when dead, there was an article a while back I read interviewing the guy who made the sensor for authentic. He was talking about how it scans the underlying live tissue so that a severed finger (dead one) would not work. The picture AI using above is from that sensor and Authentecs site.
Darn. There go years of Sci Fi and action movies down the drain.......
Know what I'd like? I'd like a security system that lies to you.
I'd like a security system where you put in your password correctly, it comes back "no", and then you put it in again and it comes back "yes".
The fake failure is PART of the security. You have to get it right twice.
Yeah, that doesn't sound like a pain in the ass or anything. What's better than entering a password everytime I want to access my iPhone? Entering it twice.
…unless you are the only person to ever log in to the site and you know about the fake failure.
Sounds like exactly the use case for every iOS device to me.
Can you imagine the chaos that would cause on a site where millions of users are logging in and are completely unaware of the fake failure?
No. Because once again, you, the user, turn it on.
And if you make it well known that the fake failure is part of the process, the deterrent is lost because everyone knows about it.
Not when it's an option.
Why in the WORLD is everyone against this assuming that I'm pitching it as the ONLY security option, and why do I have to tell them all otherwise SEPARATELY?
Biometrics are better because presumably they can tell if it is a real living hand print where as finger prints can be faked with plastic replica or gruesomely, a severed digit.
Some fingerprint sensors look for the heatbeat in the blood under the skin to make sure it's a live human.
Of course, even that can be faked, but the effort required is more like something a government would do to get access, not a thief. Even then, I think a government would use other, quicker methods, such as freezing the RAM and digging out access codes.
Neat side story: Researchers at first had trouble using a fake finger to fool capacitive print ridge sensors. While the differential value between ridge and valley was okay, the absolute electrical value was just all wrong and made it harder to spoof a sensor with good code behind it.
Then one day in the late 1990s a researcher discovered that if you first licked the fake finger, the saliva made everything fall into the correct range. It didn't take long for this "discovery" to get publicized and change the way such fingerprint sensors were viewed by security researchers.
I think that most of you are missing TS'S point. By adding the extra layer you create some kind of paradox for one who was trying to guess it.
Since the one breaking in does not know whether the measure is on for that particular account/iPhone, he does not know whether he should try the password again. This might even work better with two different passwords, where the second login screen is only prompted after entering the first password correctly (while the system says its wrong).
This will bomb -- remember the fingerprint payment systems that were installed and then removed at Jewel grocery stores (and others)?! Yes, people were weird out by them and did not use them -- hence the company that made them went bankrupt and their removal. Good riddance!
This will bomb -- remember the fingerprint payment systems that were installed and then removed at Jewel grocery stores (and others)?! Yes, people were weird out by them and did not use them -- hence the company that made them went bankrupt and their removal. Good riddance!
Demand - There appears to be demand in the marketplace for mobile payments (Square, etc.)
Security - A concern of many, Apple could easily placate concerns about security
User Experience - Apple is known for an excellent customer experience that removes barriers from features and functions
This will bomb -- remember the fingerprint payment systems that were installed and then removed at Jewel grocery stores (and others)?! Yes, people were weird out by them and did not use them -- hence the company that made them went bankrupt and their removal. Good riddance!
Not at all the same thing. Why did people avoid using those? Either concerns about hygiene or concerns about giving their fingerprint to the store. Neither one of those would be a problem if Apple uses a fingerprint sensor on a phone combined with NFC.
Comments
Originally Posted by MacBook Pro
[post]
I'm surprised Tim didn't take out a restraining order or get an Apple security goon after you.
Thanks for the commentary. This one reminds me of a major error I made on my Thesis. I was exhausted after months of writing and rewriting and re-rewriting my thesis, so when I had to do the biographical sketch, I put it out without much thought. I had lived in the same town my whole life up to that point, so I listed that town as where I was born. In reality, my town didn't have a hospital, so I was actually born in an adjacent town (my baby sister was happy to point out the error in my thesis).
Many of the 'good' questions you listed have problems, though:
- Middle name of your oldest child.....what if you don't have kids?
- Where did your parents meet.....what if you don't know and they're not around to ask?
- Father's middle name...what if he doesn't have a middle name?
- Name of first person you kissed (or city)...I don't know for sure, but I'd wager that a large percentage of the over 40 population can't remember. It was probably playing spin the bottle at a birthday party when you were 12 or so.
- What elementary school did you attend....does that include Kindergarten? More importantly, you get into the 'must spell it exactly right' situation. For example, take the common name of Little Town Elementary #1 School. Or is it Little Town #1 Elementary School? Or Little Town Elementary School? Or Little Town Elementary?
Of course, the nonsense that they go through to insist on secure passwords is getting out of control, too. "Must have upper case, lower case, numbers, and symbols, must be at least 8 characters and less than 20, can not repeat any of the characters....... on and on and on". That doesn't really do anyone any good. Most security breaches are human engineering, so it doesn't matter how secure the password is. And the more complicated you make it, the more likely the person is to write it down somewhere.
Did you really need to quote his 100+ line message to add that comment?
Quote:
Originally Posted by mstone
Biometrics are better because presumably they can tell if it is a real living hand print where as finger prints can be faked with plastic replica or gruesomely, a severed digit.
The particular sensor apple is interested in from Authentec does just that and cant be spoofed by a dead finger cut from someones hand, it scans the live tissue under the surface as well which degrades when dead, there was an article a while back I read interviewing the guy who made the sensor for authentic. He was talking about how it scans the underlying live tissue so that a severed finger (dead one) would not work. The picture AI using above is from that sensor and Authentecs site.
Darn. There go years of Sci Fi and action movies down the drain.......
Quote:
Originally Posted by Tallest Skil
Know what I'd like? I'd like a security system that lies to you.
I'd like a security system where you put in your password correctly, it comes back "no", and then you put it in again and it comes back "yes".
The fake failure is PART of the security. You have to get it right twice.
Yeah, that doesn't sound like a pain in the ass or anything. What's better than entering a password everytime I want to access my iPhone? Entering it twice.
Originally Posted by mstone
…unless you are the only person to ever log in to the site and you know about the fake failure.
Sounds like exactly the use case for every iOS device to me.
Can you imagine the chaos that would cause on a site where millions of users are logging in and are completely unaware of the fake failure?
No. Because once again, you, the user, turn it on.
And if you make it well known that the fake failure is part of the process, the deterrent is lost because everyone knows about it.
Not when it's an option.
Why in the WORLD is everyone against this assuming that I'm pitching it as the ONLY security option, and why do I have to tell them all otherwise SEPARATELY?
Quote:
Originally Posted by mstone
Biometrics are better because presumably they can tell if it is a real living hand print where as finger prints can be faked with plastic replica or gruesomely, a severed digit.
Some fingerprint sensors look for the heatbeat in the blood under the skin to make sure it's a live human.
Of course, even that can be faked, but the effort required is more like something a government would do to get access, not a thief. Even then, I think a government would use other, quicker methods, such as freezing the RAM and digging out access codes.
Neat side story: Researchers at first had trouble using a fake finger to fool capacitive print ridge sensors. While the differential value between ridge and valley was okay, the absolute electrical value was just all wrong and made it harder to spoof a sensor with good code behind it.
Then one day in the late 1990s a researcher discovered that if you first licked the fake finger, the saliva made everything fall into the correct range. It didn't take long for this "discovery" to get publicized and change the way such fingerprint sensors were viewed by security researchers.
Since the one breaking in does not know whether the measure is on for that particular account/iPhone, he does not know whether he should try the password again. This might even work better with two different passwords, where the second login screen is only prompted after entering the first password correctly (while the system says its wrong).
But, heck, just give us biometrics
http://consumerist.com/2008/04/14/creepy-fingerprint-pay-processing-company-shuts-down/
There is a vast difference:
Demand - There appears to be demand in the marketplace for mobile payments (Square, etc.)
Security - A concern of many, Apple could easily placate concerns about security
User Experience - Apple is known for an excellent customer experience that removes barriers from features and functions
Not at all the same thing. Why did people avoid using those? Either concerns about hygiene or concerns about giving their fingerprint to the store. Neither one of those would be a problem if Apple uses a fingerprint sensor on a phone combined with NFC.