Or how about we realize that biometrics are a horrible security mechanism. This supposed PurePrint will likely be hacked in days if not hours. As long as you can lift a print (which isn't hard with a known target), you can bypass pretty much anyway to detect for liveness. Retinas have the same issues. Biometrics are really no more secure than your name, and unlike your name, they can't be easily changed. Security requires secrets, biometrics simply aren't secret.
The problem is that despite being easier to use, biometrics-based authentication uses a set of unchanging parameters so the weaknesses are pretty obvious. A password can be periodically changed and different systems can use different passwords. If you use a biometric mechanism across a host of electronics and computer devices, you're effectively picking the same UID and password for authentication across the board and you've selected one that can't ever be changed if its compromised. Biometrics are therefore inherently weak as a standalone security method. Using biometrics in conjunction with some other means in a multi-factor system is far more secure, but there's a loss of ease in doing so and you're still foolishly handing off biometric data to devices and systems from which it can be stolen.
Depends how they use this (and I have every confidence nearly all products will have the security of the IoT). The big advantage is that this blocks most "bad maid" attacks. Traditionally, access to the hardware is equal to access of the system, but it now takes a bit more than handing a USB key to a person with physical access.
I'm curious to how they made the laptop fingerprintproof. If you find one of these on the subway, can you lift a print from it (or nearby goods) and make it work? That seems one of the few real advantages for such a thing (although possibly second to leaving the thing in a hotel room, here it will shine). I'm guessing they won't let anyone near one of these with fingerprint dust during an expo/dog-and-pony show.
Biometrics is largely a joke, but can shore up some critical holes. And passwords have failed almost as badly, but somehow we still haven't found anything better. And I do think that making it somewhat difficult to pwn a machine you have physical access to is an advantage.
Consider the security vs. the attack spectrum. An attacker that can spoof an eyeball isn't one you can stop once he has physical access. These really only prevent "bad maid" and "lost laptop" cases, but these are really hard to secure. Don't worry so much about secret/non-secret.
Synaptics won't post a list themselves. We're free to call out devices we've tested. Both my Mate 9 and Matebook X were compromised easily, both using Goodix sensors.
A lot of clevo laptops have a fingerprint sensor integrated into the touchpad. However, clevo has removed detailed specifications about all its systems from its website--apparently they don't want to deal with customers directly. Perhaps, you could ascertain and tell us in a news piece.
Synaptics is crazy to use this and so is any client who uses it, it's old old school am out dated. The new method and most secure thar also samples DNA aa it's 6th step I'm 8 seconds or less is the most secure I have ever seen
Fingerprints should be used as part of a two factor authentication. IOW, the username (the who are you part of TFA). Passwords should still be required (the what you know part of TFA).
Isn't this one of the advantages of ultrasound fingerprint sensors? They create 3D images and can actually scan the derma and not just the epidermis. Meaning if properly implemented gummy bears and conductive ink won't work (though the middle man vulnerabilities could still potentially work).
We’ve updated our terms. By continuing to use the site and/or by logging into your account, you agree to the Site’s updated Terms of Use and Privacy Policy.
Facebook
Twitter
RSS
12 Comments
Back to Article
ats - Friday, June 9, 2017 - link
Or how about we realize that biometrics are a horrible security mechanism. This supposed PurePrint will likely be hacked in days if not hours. As long as you can lift a print (which isn't hard with a known target), you can bypass pretty much anyway to detect for liveness. Retinas have the same issues. Biometrics are really no more secure than your name, and unlike your name, they can't be easily changed. Security requires secrets, biometrics simply aren't secret.GTRagnarok - Friday, June 9, 2017 - link
Don't you have to balance security and usability? I don't want to type a long random character password every time I unlock my phone.BrokenCrayons - Friday, June 9, 2017 - link
The problem is that despite being easier to use, biometrics-based authentication uses a set of unchanging parameters so the weaknesses are pretty obvious. A password can be periodically changed and different systems can use different passwords. If you use a biometric mechanism across a host of electronics and computer devices, you're effectively picking the same UID and password for authentication across the board and you've selected one that can't ever be changed if its compromised. Biometrics are therefore inherently weak as a standalone security method. Using biometrics in conjunction with some other means in a multi-factor system is far more secure, but there's a loss of ease in doing so and you're still foolishly handing off biometric data to devices and systems from which it can be stolen.wumpus - Friday, June 9, 2017 - link
Depends how they use this (and I have every confidence nearly all products will have the security of the IoT). The big advantage is that this blocks most "bad maid" attacks. Traditionally, access to the hardware is equal to access of the system, but it now takes a bit more than handing a USB key to a person with physical access.I'm curious to how they made the laptop fingerprintproof. If you find one of these on the subway, can you lift a print from it (or nearby goods) and make it work? That seems one of the few real advantages for such a thing (although possibly second to leaving the thing in a hotel room, here it will shine). I'm guessing they won't let anyone near one of these with fingerprint dust during an expo/dog-and-pony show.
Biometrics is largely a joke, but can shore up some critical holes. And passwords have failed almost as badly, but somehow we still haven't found anything better. And I do think that making it somewhat difficult to pwn a machine you have physical access to is an advantage.
Consider the security vs. the attack spectrum. An attacker that can spoof an eyeball isn't one you can stop once he has physical access. These really only prevent "bad maid" and "lost laptop" cases, but these are really hard to secure. Don't worry so much about secret/non-secret.
DanNeely - Friday, June 9, 2017 - link
"For an obvious reason we do not publish images of the devices installed, brands, models and other information of this sort."Wasn't the brand of the compromised hardware given in the twitter feed a few days ago?
Ian Cutress - Friday, June 9, 2017 - link
Synaptics won't post a list themselves. We're free to call out devices we've tested. Both my Mate 9 and Matebook X were compromised easily, both using Goodix sensors.I made a quick to-camera video about the demo they did later in the day when we had it: https://twitter.com/IanCutress/status/869956007878...
James5mith - Friday, June 9, 2017 - link
Downside to the new sentrypoint FPR's is no fingerprint reader support in Linux.My Dell XPS 15 remains relatively weak-password secured when in linux simply because the fingerprint reader is dead weight in that OS.
drajitshnew - Friday, June 9, 2017 - link
A lot of clevo laptops have a fingerprint sensor integrated into the touchpad. However, clevo has removed detailed specifications about all its systems from its website--apparently they don't want to deal with customers directly.Perhaps, you could ascertain and tell us in a news piece.
Gich - Friday, June 9, 2017 - link
Biometrics are flawed.I can change a password, but I can't change my fingerprints once "stole"... which is not so hard to get.
Rpmcoffee - Friday, June 9, 2017 - link
Synaptics is crazy to use this and so is any client who uses it, it's old old school am out dated. The new method and most secure thar also samples DNA aa it's 6th step I'm 8 seconds or less is the most secure I have ever seensonofgodfrey - Friday, June 9, 2017 - link
Fingerprints should be used as part of a two factor authentication. IOW, the username (the who are you part of TFA). Passwords should still be required (the what you know part of TFA).Tarwin - Sunday, June 11, 2017 - link
Isn't this one of the advantages of ultrasound fingerprint sensors? They create 3D images and can actually scan the derma and not just the epidermis. Meaning if properly implemented gummy bears and conductive ink won't work (though the middle man vulnerabilities could still potentially work).