biometrics
Auto Added by WPeMatico
Auto Added by WPeMatico
Google today announced a new autofill experience for Chrome on mobile that will use biometric authentication for credit card transactions, as well as an updated built-in password manager that will make signing in to a site a bit more straightforward.
Chrome already uses the W3C WebAuthn standard for biometric authentication on Windows and Mac. With this update, this feature is now also coming to Android .
If you’ve ever bought something through the browser on your Android phone, you know that Chrome always asks you to enter the CVC code from your credit card to ensure that it’s really you — even if you have the credit card number stored on your phone. That was always a bit of a hassle, especially when your credit card wasn’t close to you.
Now, you can use your phone’s biometric authentication to buy those new sneakers with just your fingerprint — no CVC needed. Or you can opt out, too, as you’re not required to enroll in this new system.
As for the password manager, the update here is the new touch-to-fill feature that shows you your saved accounts for a given site through a standard Android dialog. That’s something you’re probably used to from your desktop-based password manager already, but it’s definitely a major new built-in convenience feature for Chrome — and the more people opt to use password managers, the safer the web will be. This new feature is coming to Chrome on Android in the next few weeks, but Google says that “is only the start.”
Powered by WPeMatico

There’s a lot you can make with a 3D printer: from prosthetics, corneas, and firearms — even an Olympic-standard luge.
You can even 3D print a life-size replica of a human head — and not just for Hollywood. Forbes reporter Thomas Brewster commissioned a 3D printed model of his own head to test the face unlocking systems on a range of phones — four Android models and an iPhone X.
Bad news if you’re an Android user: only the iPhone X defended against the attack.
Gone, it seems, are the days of the trusty passcode, which many still find cumbersome, fiddly, and inconvenient — especially when you unlock your phone dozens of times a day. Phone makers are taking to the more convenient unlock methods. Even if Google’s latest Pixel 3 shunned facial recognition, many Android models — including popular Samsung devices — are relying more on your facial biometrics. In its latest models, Apple effectively killed its fingerprint-reading Touch ID in favor of its newer Face ID.
But that poses a problem for your data if a mere 3D-printed model can trick your phone into giving up your secrets. That makes life much easier for hackers, who have no rulebook to go from. But what about the police or the feds, who do?
It’s no secret that biometrics — your fingerprints and your face — aren’t protected under the Fifth Amendment. That means police can’t compel you to give up your passcode, but they can forcibly depress your fingerprint to unlock your phone, or hold it to your face while you’re looking at it. And the police know it — it happens more often than you might realize.
But there’s also little in the way of stopping police from 3D printing or replicating a set of biometrics to break into a phone.
“Legally, it’s no different from using fingerprints to unlock a device,” said Orin Kerr, professor at USC Gould School of Law, in an email. “The government needs to get the biometric unlocking information somehow,” by either the finger pattern shape or the head shape, he said.
Although a warrant “wouldn’t necessarily be a requirement” to get the biometric data, one would be needed to use the data to unlock a device, he said.
Jake Laperruque, senior counsel at the Project On Government Oversight, said it was doable but isn’t the most practical or cost-effective way for cops to get access to phone data.
“A situation where you couldn’t get the actual person but could use a 3D print model may exist,” he said. “I think the big threat is that a system where anyone — cops or criminals — can get into your phone by holding your face up to it is a system with serious security limits.”
The FBI alone has thousands of devices in its custody — even after admitting the number of encrypted devices is far lower than first reported. With the ubiquitous nature of surveillance, now even more powerful with high-resolution cameras and facial recognition software, it’s easier than ever for police to obtain our biometric data as we go about our everyday lives.
Those cheering on the “death of the password” might want to think again. They’re still the only thing that’s keeping your data safe from the law.
Powered by WPeMatico
… it was nice pressing you. Well, at least some of the thousands and thousands of times. Apple has finally abandoned a feature that’s been a staple of its smartphones since the very start, over a decade ago: A physical home button.
The trio of almost-all-screen iPhones unboxed today at its Cupertino HQ go all in on looks and swipes, with nothing but a sensor-housing notch up top to detract from their smoothly shining faces.
Last year Apple only ditched the button on its premium iPhone X handset, retaining physical home buttons on cheaper iPhones. But this year it’s a clean sweep, with buttons dropped across the board.
If you want to go home on the new iPhone XS, iPhone XS Max or iPhone XR (as the trio of new iPhones are confusingly named) well, there’s a gesture for that: An up swipe from the bottom edge of the screen, specifically. Or a look and that gesture if your phone is locked.
This is because Apple has also gone all in on its facial biometric authentication system, Face ID, for its next crop of iPhones — throwing out the predecessor Touch ID biometric in the process.
“Customers love it!” enthused Apple’s marketing chief, Phil Schiller, talking up Face ID from the stage, after CEO Tim Cook had reintroduced the tech by collapsing it all to: “Your phone knows what you look like and your face becomes your password.”
“There’s no home button,” confirmed Schiller, going over the details of the last of the three new iPhones to be announced — and also confirming Face ID is indeed on board the least pricey iPhone Xr. “You look at it to unlock it… you look at it to pay with Apple Pay,” he noted.
So hey there Face ID, goodbye Touch ID.
Like any fingerprint biometric Touch ID is fallible. Having been doing a lot of DIY lately it simply hasn’t worked at all for my battered fingertips for more than a month now. Nor does it work well if you have dry skin or wet hands and so on. It can also be hacked with a bit of effort, such as via silicone spoofs.
Still, Touch ID does have its fans — given relative simplicity. And also because you can register multiple digits to share biometric access to a single iPhone with a S.O. (Or, well, your cat.)
Apple has mitigated the device sharing issue by adding support for two faces per device being registered with Face ID in iOS 12. (We haven’t tested if it’ll register a cat yet.)
However the more major complaint from privacy advocates is that turning a person’s facial features into their security and authentication key normalizes surveillance. That’s certainly harder to workaround or argue against.
Apple will be hoping its general pro-privacy stance helps mitigate concerns on that front. But exactly how the millions of third party apps running on its platform make use of the facial biometric feature is a whole other issue, though.
Elsewhere, debate has focused on whether Face ID makes an iPhone more vulnerable to being force unlocked against its owner’s will. The technology does require active interaction from the registered face in question for it to function, though — a sort of ‘eyes-on’ check and balance.
It’s probably not perfect but neither was a fingerprint biometric — which could arguably be more easily forcibly taken from someone in custody or asleep.
But it’s irrefutable that biometrics come with trade-offs. None of these technologies is perfect in security terms. Arguably the biggest problem is there’s no way to change your biometric ‘password’ if your data leaks — having your fingerprints or face surgically swapped is hardly a viable option.
Yet despite such concerns the march towards consumer authentication systems that are robust without being hopelessly inconvenient has continued to give biometrics uplift.
And fingerprint readers, especially, are now pretty much standard issue across much of the Android device ecosystem (which may also be encouraging Apple to step up and away now, as it seeks to widen the gap with the less pricey competition).
In the first year of operation its Face ID system does appear to have been impressively resilient, too — barring a few cases of highly similar looking family members/identical twins. Apple is certainly projecting confidence, now, going all in on the tech across all its iPhones.
If you’re inconsolable about the loss of the home button it’s not entirely extinct on Apple hardware yet: The iPad retains it, at least for now.
And if it’s Touch ID you’re hankering for Apple added the technology to the MacBook Pro’s Touch Bar (on 2016 models and later).
Yet the days of poking at a physical button as a key crux of mobile computing do now look numbered.
Contextual computing — and all it implies — is the name of the game from here on in. Which is going to raise increasingly nuanced questions about the erosion of user agency and control, alongside major privacy considerations and related data ethics issues, at the same time as ramping up technological complexity in the background. So no pressure then!
At the end of the day there was something wonderfully simple about having a home button always sitting there — quietly working to take people back to a place they felt comfortable.
It was inclusive. Accessible. Reassuring. For some an unnecessary blemish on their rectangle of glass, for sure, but for others an important touchstone to get them where they needed to go.
Hopefully Apple won’t forget everything that was wrapped around the home button.
It would certainly be a shame if its spirit of inclusiveness also fell by the wayside.
Photo by Kim Kulish/Corbis via Getty Images
Powered by WPeMatico
In a move aimed at upping standards across biometric user verification systems, the industry consortium, Fido Alliance, has launched a certification program for biometrics systems.
“The goal of the Biometric Certification Component Program is to provide a framework for the certification of biometric subsystems that can in turn be integrated into FIDO Certified authenticators,” it writes on its website.
While biometric verification systems such as fingerprint readers have been pretty widely adopted in the mobile space already — with Apple introducing its fingerprint biometric, Touch ID, to the iPhone a full five years ago; followed, last fall, by a facial recognition biometric (Face ID) for its high end iPhone X — the Alliance says that, up to now, there hasn’t been a standardized way to validate the accuracy and reliability of biometric recognition systems in the commercial marketplace. Which is where it’s intending the new certification program to come in.
While few would doubt the robustness of Apple’s biometrics components (and testing regime), the sprawlingly diverse Android marketplace hosts all sorts of OEM players — which inevitably raises the risk of some lesser quality components (and/or processes) slipping in.
And in recent years there have been plenty of examples of poorly implemented biometrics, especially in the mobile space — with hackers easily able to crack into various Android devices that were using facial or iris recognition technology in trivially bypassable ways.
In 2017, for example, Chaos Computer Club members used a print out of an eye combined with a contact lens to fox iris scanners on the Samsung Galaxy S8. And that was one of the most sophisticated biometric hacks. Others have just required a selfie of the person to be held up in front of a ‘face unlock’ system to get an easy open sesame.
Where the not-for-profit Alliance comes in — an industry group whose board includes security exec reps from the likes of Amazon, Google and Microsoft, among others — is it’s on a mission to reduce reliance on passwords for digital security because they inject friction into the online experience.
And biometrics do tend to be convenient, given they are attached to each person. Which is why they have been increasingly finding their way into smartphones and all sorts of other consumer electronics — from wearables to car tech, helped by component costs shrinking as biometrics adoption grows.
But it’s no good trying to speed up ID verification if the alternatives being reached for are badly implemented — and end up actively damaging security.
It certainly doesn’t have to be that way.
Apple’s biometrics are not so easily mocked. And while Touch ID is vulnerable to spoofing, like pretty much any fingerprint reader, its depth-mapping Face ID tech is by far the most sophisticated biometric implementation in the consumer electronics space to date. And hasn’t been meaningfully hacked (well, barring attacks by identical twins/strikingly similar looking family members).
So there’s clearly a world of difference (and, well, cost) between a well architected biometric recognition system which puts security considerations front and center, vs the awful sloppy stuff we’ve seen in recent years — where OEMs were just rushing to compete.
Biometrics has certainly often been treated more as a convenience gimmick for device marketing purposes, rather than viewed as a route to evolve (and even potentially enhance) device security.
The Alliance’s certification program is using accredited independent labs to test that biometric subcomponents meet what it dubs “globally recognized performance standards for biometric recognition performance and Presentation Attack Detection (PAD)” — and thus that they are “fit for commercial use”.
PAD refers to various methods that can be used to try to attack and circumvent biometric systems, such as using silicon or gelatine fingerprints, or deploying harvested facial or video imagery of the device owner.
So it looks like the Alliance’s hope for the program is to ‘upskill’ biometric implementations — or at least weed out the really stupid stuff.
“For customers, such as regulated online service providers, OEMs and enterprises, it provides a standardized way to trust that the biometric systems they are relying upon for fingerprint, iris, face and/or voice recognition can reliably identify users and detect presentation attacks,” it writes.
Speed is another goal too, as it says prior to this certification program due diligence was carried out by enterprise customers (or at least by those “who had the capacity to conduct such reviews”) — which required biometric vendors to repeatedly prove performance for each customer.
Whereas going forward vendors can use the program to test and certify just once to validate their system’s performance and re-use that third-party validation across the market — gaining what the Alliance bills as” substantial time and cost savings”.
Commenting in a statement, Brett McDowell, executive director of the Alliance, said: “While border control and law enforcement markets have mature assessment programs for their biometric systems, we were surprised that no such program existed for this rapidly growing consumer market.”
“With biometrics being a popular option for mobile and web applications implementing Fido Authentication, there is a growing need for those service providers to appropriately assess the risk of fraud from lost or stolen devices,” he added.
Asked whether the program had been introduced in response to particular concerns about weak consumer biometrics — given some of the aforementioned examples of poor implementations — McDowell also told us: “With the rise of any new technology, there’s a risk that some suppliers may over emphasize visible features at the expense of security considerations as they rush to market.
“This program, motivated by our online services community, mitigates that risk for mobile and desktop biometrics by providing a commercial-grade benchmark and independent lab assessment for performance features and spoof attack detection security considerations. Another benefit of the program is a clear way for service providers to prove compliance with strong authentication regulation, which is becoming the norm for financial services. This trend is expected to expand to other sectors as passwords continue to be exploited at increasingly alarming rates.”
Currently only one lab has been accredited to perform components testing for the program.
The lab, iBeta, is located in the U.S. but a spokeswoman for the Fido Alliance told us: “The Alliance is actively working to bring in additional labs.”
She added that the Alliance will update this list as more are added.
This post was updated with additional comment from McDowell
Powered by WPeMatico
Facebook has confirmed to TechCrunch that it’s acquired… Confirm.io. The startup offered an API that let other companies quickly verify someone’s government-issued identification card, like a driver’s license, was authentic. The Boston-based startup will shut down as both its team and technology are rolled into Facebook. Read More
Powered by WPeMatico
Passwords continue to be a glaring weakness in digital security. And while biometric alternatives, such as fingerprint readers, are finding their way onto more consumer electronics devices, they are not without their limitations either. So what about tightening the security screw further by applying a continuous biometric? Read More
Powered by WPeMatico