An opinion on biometric authentication and the level of security it provides.
The importance of passwords has long been clear to most of us. A brief recap of the basic rules:
- Do not use the same password on different sites. If one site's password database is compromised, your accounts on other sites are automatically exposed to the same risk.
- Do not use a short password. Passwords shorter than 12 characters (some claim up to 16 characters) are vulnerable to brute-force attacks.
- Don't use simple passwords. A password must combine upper- and lower-case letters, numbers and symbols.
- Don't use easily guessed passwords. Family names, important dates, animal names, and similar information are not suitable for passwords.
- Do not use dictionary words. Believe it or not, there are not many words in the dictionary. Enumerating them does not take much time, especially considering the computational power of modern computers. For twenty years, we have trained ourselves to come up with passwords that are hard for a person to remember but easy for a computer to “crack”.
If all this seems complicated, then you are not mistaken.
I wonder how many people have changed their password to correcthorsebatterystaple.
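The reuse, length, character-class, guessability and dictionary rules above can be checked mechanically. The following is an added example, not part of the original article; the toy wordlist, the assumed attacker wordlist size of 100,000 entries and all function names are assumptions made for illustration.

```python
import math
import string

# Constructed toy wordlist; a real audit would load a full dictionary file.
WORDS = {"correct", "horse", "battery", "staple", "password", "summer"}
ATTACKER_WORDLIST_SIZE = 100_000  # assumption: size of the attacker's dictionary
MIN_LENGTH = 12                   # threshold from the rules above
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def split_into_words(password, words=WORDS):
    """Return dictionary words that exactly tile the password, else None."""
    text = password.lower()
    best = [None] * (len(text) + 1)  # best[i] = a segmentation of text[:i]
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in words:
                best[end] = best[start] + [text[start:end]]
                break
    return best[-1]

def charset_size(password):
    """Size of the alphabet a brute-force search would have to cover."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))

def guess_bits(password):
    """Search space in bits: the cheaper of brute force and word enumeration."""
    # The floor of 2 avoids log2(0) for characters outside the four classes.
    brute = len(password) * math.log2(max(charset_size(password), 2))
    parts = split_into_words(password)
    if parts:
        return min(brute, len(parts) * math.log2(ATTACKER_WORDLIST_SIZE))
    return brute

def audit(password, used_elsewhere=(), personal_terms=()):
    """Return the rules from the list above that the password breaks."""
    findings = []
    if password in used_elsewhere:
        findings.append("reused")
    if len(password) < MIN_LENGTH:
        findings.append("short")
    if charset_size(password) < sum(len(c) for c in CLASSES):
        findings.append("simple")
    if any(t.lower() in password.lower() for t in personal_terms):
        findings.append("guessable")
    if split_into_words(password):
        findings.append("dictionary")
    return findings
```

For `correcthorsebatterystaple` the audit reports `simple` and `dictionary`, and the estimated search space drops from about 117 bits (brute force over lowercase letters) to about 66 bits under the assumed wordlist size.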
To make it easier for ourselves (and potential fraudsters), we use password managers (LastPass, KeePassX and the tools built into your browser). Their weakness is that they are only as reliable as 1) the password that protects access to the application and 2) the password that protects the device running the application, be it a phone, tablet or computer.
In addition to traditional password managers, you can use a wallet app on your phone (Apple Pay, Android Pay, Samsung Pay, Coinbase, Google Wallet, Square, PayPal or even a banking app), which puts your finances at risk if the device itself is not reliably protected.
To make our lives easier (I think I'm starting to see a pattern), OEMs began building ways to verify our identity at the hardware level. From facial recognition to retina and fingerprint scanning, most of them scan something that can personally identify us, and do so each time under our control (assuming that nobody has taken possession of someone else's eye or finger).
But identity verification is not a password, and this is an important difference.
When I show someone my license or Tribal ID card, I am confirming my identity. I am not paying the bill. I don't buy soda. I don't open the door. I don't do anything other than present evidence that I am me. At some point in the story the analogy got mixed up, and with that a threat to our security appeared.
Yes, there are those who say that we are more protected now than before. If 'before' means a time when we did not use passwords and PIN codes to protect our devices, then they are probably right. Be that as it may, if you used a PIN, password or pattern to unlock the device and have now switched to fingerprint, face or retina recognition, then I would bet that the protection has improved.
'We must remember to wipe the display'
To illustrate my point with an example, imagine you are returning home from vacation and customs (or another law enforcement / intelligence agency) wants to 'inspect' your device. We hope you followed our advice and turned off your phone before you got into this situation. When a modern device is switched on, you have to enter a password or PIN before you can use the fingerprint scanner, retina reader or voice recognition. If you did not, and you do not want the customs officer to gain access to your device without special instructions, bear in mind that they only need to lift the device to your face or press your finger against the scanner and voila, access is obtained.
Naturally, some of you will repeat the same hackneyed phrase: “If there is nothing to hide, then there is nothing to fear.” For those who continue to hold this misconception: what if, instead of a government agent, it were a street robber, someone who had taken you hostage, or some other member of the criminal world? Still feeling safe?
Whether or not you are a paranoid person who does not want others prying into your personal affairs, your fingerprint, retina and voice are not your passwords, and it would be wise not to treat them as such.
Original material by Joe Levy
I will try to develop the author's thesis a little further. Under the pretext of making it easier to enter identifying information to unlock the device, manufacturers have at the same time done us a disservice, and now we are already reading stories, some harmless and some not so harmless, about devices being unlocked with the fingers of their sleeping owners, as well as with their photos. And let us not forget more sophisticated methods, for example making a copy of an inattentive owner's fingerprint. One cannot help wondering whether all these innovations are worth the risks that have appeared.
I approve of the author's concern for the safety of users' personal data, but as long as there are people who are not quite literate in this regard, there will be people ready to cash in on it. And no explanation of why a photo of a piece of paper with the login and password for a Google / Apple account was stored on a smartphone without any protection against unauthorized access will bring back a lost or stolen device that was subsequently reset to factory settings. If you are 100% sure that your gadgets will not fall into the wrong hands, then you have nothing to worry about; if not, you should probably think about it.