Will Biometrics replace Passwords?

The days of using a computer to access your bank account, using a password, may be coming to an end, to be replaced entirely (as some experts believe) with a fingerprint or face scan using a smartphone.

8DThe smartphone employment of such biometrics will drastically reduce hacking incidents, but will be problematic for those who do not own a mobile device. Major banks are already offering the fingerprint scan as a login option.

Other biometrics currently in use by banks are the eye scan, facial recognition and voice recognition. Banks are sold on the premise that biometrics offer significantly more protection of customers’ accounts than does the traditional means of accessing accounts, what with all the hundreds of millions of data pieces (e.g., SSNs, e-mail addresses) that have been leaked thanks to hackers.

Though biometric data can be stolen, pulling this off would be much more difficult than obtaining a password and username. For instance, only a specific mobile device may work with the owner’s biometrics; a crook would have to have possession of the phone in order to hack into the owner’s bank account.

Nevertheless, biometrics aren’t foolproof even for the rightful owner, in that, for instance, poor lighting could skewer facial recognition.

Unlike the once-venerable password, banks do not keep customers’ biometrics in storage; your fingerprint is not in some secret cache of your bank. Instead, banks store templates in the form of numerical sequences that are based on the customer’s biometrics.

Can hackers obtain these templates? It’s possible, but with additional security layers, banks say that it would be very difficult, nothing compared to the ease of getting someone’s traditional login data.

For instance, an extra security layer might be that the biometric of eye recognition requires a blink—something that a thief can’t do when using a photo of the accountholder’s eye for the scanning recognition process.

Doubling up on login requirements—biometric plus password—is an even stronger defense against hackers. And banks are doing this with the fingerprint biometric.

In a world where it seems that the hackers are getting closer to taking over, the time for biometrics as being a part of the login process has arrived—and not too soon.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Introducing the very first Biometric Password Lockdown App

This application for your mobile device will change things in a huge way:

  • Locks down smartphones with a finger-based biometric password
  • Multi-factor authentication all-in-one
  • It’s called BioTect-ID

bioAnd why should you consider the world’s first biometric password for your mobile device? Because most smartphone security devices have been cracked by cyber thieves.

Layers of protecting your online accounts have historically involved the password, a PIN, security questions or combinations of these which isn’t that secure. However getting into your devices requires even less – a single password, connecting dots with your finger or nothing at all. Some devices can be accessed with stronger security using your fingerprint or in some cases a combination of biometrics like face scan, voice or fingerprints.

Now you may be convinced that a physical biometric, such as your fingerprint, palm pattern or face scan are so unique that they’re impossible to hack, but guess what: These are all hackable. In fact, a cyber crook could steal, for instance, your face or fingerprint image—for all time—and then what? You’re out of luck.

So why have that possibility looming over you? Why not eliminate it with the BioTect-ID app? You have only one voice, one fingerprint, one palm, etc., but fingering in a hand written password means you can change the gesture biometric or the “drawing” of the password any time—because this is a behavior, not a static physical characteristic. Nobody can steal your gesture, not even your identical twin.

BioTect-ID is also very privacy-conscious because there is nothing invasive about recording a gesture.

The choice of which biometric to use becomes a very important consideration. The Internet of Things (IOS) will see our devices increase in value as they control our home access, record our health scores and process/retain many other aspects of our personal lives. The use of biometrics will increase dramatically to protect our privacy and security. But you want to choose carefully. Remember your unchanging physical body information will be hugely attractive to thieves who can steal your identity or use it for other purposes. But you can’t steal the BioTect-ID information.

Here’s how the BioTect-ID multi-factor authentication works.

  • With your mouse or finger, create a four-character password.
  • BioTect-ID “learns” your unique finger/hand movements as you do this.
  • To access your mobile phone, you “draw” your password into the BioTect-ID application.
  • If you are the registered owner, you get access — with bad guys out of luck.

BioTect-ID even solves the big problem of physical data being irreplaceable because it is a gesture biometric also known as a “dynamic” biometric, rather than something like a fingerprint or facial recognition.

This is such exciting news from Biometric Signature ID that we just have to run through it again:

  • The first biometric app that does not require invasive information about a body part like your eyes.
  • The only privacy-conscious biometric security app in existence.
  • Passwords cannot be stolen, not even borrowed, and of course, can’t be lost.
  • Just draw your password with your finger, stylus or mouse, and this gesture will be captured.
  • Only this gesture will unlock (and lock) your smartphone, and it takes only seconds.
  • Easily reset your password at will.
  • The strongest identity authentication on the planet.

Don’t wait about getting this kind of protection, because biometrics is increasingly becoming a part of modern day life.

The final frontier of privacy is your body, and by continuing to rely upon body-part biometrics, you keep that door open enough for a hacker to copy and, essentially, retain a part of your body. There goes your privacy, to say the least.

The gesture-based, multi-factor authentication is poised to change the future of cyber protection. But not before this technology gets adequate awareness and support. We need to get this groundbreaking technology out there into the minds of Internet users.

Here is how you’ll benefit with the BioTect-ID:

  • Peace of mind, knowing that even the most brilliant hacker will never be able to duplicate or steal your gesture.
  • Elimination of having to keep body-part details in files
  • Keeping your privacy and security safe from being exposed against your control
  • Being the first to benefit from this cutting-edge security technology

You can actually receive early edition copies of the app for reduced prices and get insider information if you become a backer on Kickstarter for a couple of bucks. Go to www.biosig-id.com to do this.

The World’s First Biometric Password Lockdown App is here

It’s about time: a biometric for your smartphone that will change the way you think about biometric security.

bioThis revolutionary biometric comes from Biometric Signature ID and it’s called BioTect-ID, and though it’s a biometric, it does not involve any so-called invasiveness of collecting body part information. The world’s first biometric password involves multi-factor authentication and just your finger—but not prints!

All you need to make this technology work to lock down your mobile device is a four-character password. But you can also draw a symbol like a star, leaf, a shining sun or smiley face as your password.

So suppose your password is PTy5 or a star. And suppose the wrong person learns this. In order for that person to get into your locked phone, they will have to literally move their finger exactly as you did to draw the “PTy5” or the star. This will be impossible.

BioTect-ID’s technology captures your finger’s movements, its gestures, and this biometric can’t be stolen or replicated.

BioTect-ID doesn’t stop there, however. The finger gesture biometric is only one component of the overall security. You’ve probably heard of “two-factor” authentication. This is when, in addition to typing in your password or answering a security question, you receive a text, phone call or e-mail showing a one-time numerical security code. You use that code to gain access. But this system can be circumvented by hackers.

And the traditional biometrics such as fingerprints and voice recognition can actually be stolen and copied. So if, say, your fingerprint is obtained and replicated by a cyber thief…how do you replace that? A different finger? What if eventually, the prints of all fingers are stolen? Then what? Or how do you replace your voice or face biometrics?

Biometrics are strong security because they work. But they have that downside. It’s pretty scary.

BioTect-ID solves this problem because you can replace your password with a new password, providing a new finger gesture to capture, courtesy of the patented software BioSig-ID™. Your finger movement, when drawing the password, involves:

  • Speed
  • Direction
  • Height
  • Length
  • Width
  • And more, including if you write your password backwards or outside the gridlines.

Encryption software stores these unique-to-you features.

Now, you might be wondering how the user can replicate their own drawing on subsequent password entries. The user does not need to struggle to replicate the exact appearance of the password, such as the loop on the capital L. Dynamic biometrics captures the user’s movement pattern.

So even though the loop in the L on the next password entry is a bit smaller or longer than the preceding one, the movement or gesture will match up with the one used during the enrollment. Thus, if a crook seemingly duplicates your L loop and other characters as far as appearance, his gestures will not match yours—and he won’t be able to unlock the phone.

In fact, the Tolly Group ran a test. Subjects were given the passwords. None of the 10,000 login attempts replicated the original user’s finger movements. Just because two passwords look drawn the same doesn’t mean they were created with identical finger gestures. Your unique gesture comes automatically without thinking—kind of like the way you walk or talk. The Tolly test’s accuracy was 99.97 percent.

Now doesn’t this all sound much more appealing than the possibility that some POS out there will steal your palm print—something you cannot replace?

Let’s get BioTect-ID’s technology out there so everyone knows about this groundbreaking advance in security. Here is what you’ll achieve:

  • You’ll be the first to benefit from this hack-proof technology
  • You’ll have peace of mind like you’ve never had before
  • Eliminated possible exposure of your body parts data kept in files

You can actually receive early edition copies of the app for reduced prices and get insider information if you become a backer on Kickstarter for a couple of bucks. Go to www.biosig-id.com to do this.

Fingerprint hacked by a Photo

You can’t change your fingerprint like you can change your password. But why would you want to change your fingerprint? The thought might cross your mind if your fingerprint gets stolen.

8DHow the heck can this happen? Ask Starbug. He’s a hacker who demonstrated just how this could happen at an annual meeting of hackers called the Chaos Communication Congress, says an article at thegardian.com. His “victim” was defense minister Ursula von der Leyen.

Starbug (real name Jan Krissler) used VeriFinger, a commercial software, with several photos of von der Leyen’s hands taken at close range. One of the photos he took, and the other was from a publication.

And this gets more fun, total and complete James Bond stuff: The conference showed that “corneal keylogging” can happen. Reflections in the user’s eyes occur as they type. Photos of these reflections can be analyzed to figure out what they typed. This is another lovely gateway to getting passwords.

But back to the fingerprint thing. In 2013, says The Guardian article, Starbug took a fingertip smudge from a smartphone, and using a few clever techniques, printed an imposter finger. He used the fake thumb to get into the phone. This shows it’s possible to crack into a mobile device with a stolen fingerprint—obtained without even having to be near the victim.

Biometrics is a groundbreaking advance in security, and it was just a matter of time before hackers would figure a way to weaken it. All is not lost. Hacks like this aren’t easy to accomplish and there’s always multi factor authentication available as another layer of protection.

Biometrics can certainly be a replacement for passwords, but again should include, a second-factor authentication. Passwords are secrets, stored inside people’s heads (ideally, rather than written on hardcopy that someone could get ahold of), but biometric features, such as fingerprints, photos and voice IDs, are out there for all to perceive. Though it’s hard to imagine how a hacker could figure out a way to fool voice recognition software, don’t count this out.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention.

Multifactor Authentication trumps knowledge based Authentication (KBA)

What is knowledge-based authentication? The KBA design asks the user to correctly answer at least one question, a “secret” only the user would know.

8DThere are two types of KBA: 1) Answering a question that the user has pre-selected (static scheme), and 2) Answering a question that’s determined by garnering data in public records (dynamic scheme).

The idea is that if a question is correctly answered, the person’s ID has been verified.

KBA Flaws

Fraudsters can answer “secret” questions—even those that the user must think hard to answer. But how?

Spear-phishing: gaining access to the public data aggregators by tricking their employees and getting into their accounts, getting the “keys” to the data. Knowledge-based authentication is definitely flawed. Additionally, with all our personal information floating out there in social sites, it is becoming much easier to research anyone enough to pass these questions.

KBA is especially unreliable when it applies to people new to the U.S. or who are young, as they don’t have much public data built up.

Though KBA is flawed, it’s also the heavily preferred method for ID because it’s so technically easy. This is why Obamacare will be using it for the new healthcare insurance exchanges.

Attempts at Regulation

A regulation attempt was made by the U.S. banking regulators that involved costliness. That didn’t go over well. Another instance was that in 2006, ChoicePoint was fined by the FTC for a 2004 breach; they were ordered to conduct intense security audits for possibly 20 years.

Solutions

Authentication should be multifactorial. A multidimensional security system might include:

  • Customer history and behavior is considered.
  • Dual customer authorization via varying access devices
  • Transactions verified via out-of-band
  • Debit blocks, positive pay and other methods that appropriately curtail an account’s transactional use
  • More refined controls over account activities, such as number of daily transactions, payment recipients, transaction value thresholds and allowable payment windows
  • Blockage of connection attempts to banking servers from suspicious IP addresses
  • Policies for addressing potentially compromised customer devices
  • Improved control over any changes done by customers to their account
  • Better customer education to increase awareness of security risks, including how customers can mitigate risks

A layered security program should include, at a minimum, the following:

  • Detection of suspicious activity followed by a response. Suspicious activity may be related to logins and verification of customers wanting access to the bank’s electronic system, and also to initiation of electronic transactions that pertain to fund transfer to other parties.
  • Institutions should do away with using simple device ID as the primary control.
  • They should also do away with using basic “secret” questions as a primary control.

An Alternative to KBA

There is now a software-only biometric that can authenticate the user’s identity in a way that’s so unique that no imposter can beat it.

This patented software is referred to as the “Missing Link,” created by Biometric Signature ID (BSI). It’s the strongest form of ID confirmation on the market today, and it doesn’t even require any additional hardware.

How does this biometric work?

It measures how a person moves their mouse,  finger or stylus when they log in using a password created with BioSig-ID™.

Biometrics measured include elements like height, length, speed and direction, angle of each stroke. These all define the user’s unique pattern—that a fraudster cannot replicate. Positive IDs can be done when someone logs in on any device.

In order to access the device, or whatever else (bank account, medical information, online college exam, etc.), the user must be previously authenticated against their original profile. . In seconds and with only 3-4 characters BioSig-ID™ software will establish whether the person who registered for the account is the same person who is attempting access. This SaaS based software is now used in over 60 countries and was recently awarded a grant by the White House to use their solution to validate user identity before online they can access a digital asset.

Robert Siciliano, personal security and identity theft expert and BioSig-ID advisory board member. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.