Poll

Should they

Drop all passwords?
3 (7.9%)
Use it in multi factor authentication?
11 (28.9%)
Require everybody to use biometric authentication?
2 (5.3%)
Signed challenge (certificate based)
4 (10.5%)
Refuse to answer
4 (10.5%)
Regulate Biometric authentication from being used to restrict access to services and jobs
2 (5.3%)
Keep passwords for those who want it but enforce/make them more stricter
2 (5.3%)
Keep it the same and make no changes
10 (26.3%)

Total Members Voted: 36

Author Topic: People should drop passwords altogether  (Read 12072 times)


Offline MrMobodiesTopic starter

  • Super Contributor
  • ***
  • Posts: 1906
  • Country: gb
People should drop passwords altogether
« on: May 06, 2022, 07:34:17 pm »
I found this news article which I found disturbing.

https://www.gazettelive.co.uk/news/uk-world-news/people-should-drop-passwords-altogether-23867710
Quote
By Martyn Landi, PA Technology Correspondent, and Will Maule
02:20, 5 MAY 2022

The public and businesses need to “drop passwords altogether” and move to other technology to protect personal information from hackers, a cybersecurity expert has said.

Marking World Password Day on Thursday, Grahame Williams, identity and access management director at defence firm Thales, said passwords were “becoming increasingly insecure” and “easily hacked”. He called on the industry to move to other forms of log-in, such as multi-factor authentication (MFA) – where users must provide an additional layer of identification to log in – or biometrics, such as face or fingerprint scans, to improve the general safety of personal data.

Mr Williams said a key issue was the widespread use of simple and easy-to-guess passwords. Data shows that common and obvious phrases such as “password” and “qwerty” – in reference to the common computer keyboard layout – are often among the most used passwords globally.

Now I can understand if they say there is a need to increase security and some services may require a thumb or eye scan and a memorable password, but not ONE solution alone.

Experts advise people who are creating a password to use a collection of three unique, random words and not to reuse them across multiple accounts. But Mr Williams said where possible, platforms should introduce other ways for people to log in and users should strive to use them.

“Whereas passwords are really easy to guess, actually being able to use something which is unique to you – like your face or fingerprint – is obviously the logical step for us to take,” he said. “We would recommend that everyone – whether consumer or private – to start utilising these technologies.

“Our standpoint on this is there’s no reason why you should have to still use passwords and we should all be looking to really push forward.”


It sounds like an excuse: just because some may not be using reliable passwords, they all need to drop it completely. I thought there were strict requirements with many sites when creating accounts and this 123456 or qwerty nonsense was stopped years ago. Isn't that the website's fault though, for not enforcing restrictions to prevent easy-to-guess passwords?

I am not happy using parts of my body as the only form of password and verification, something that I can't change and that everybody can see, trace and get hold of in plain sight.

I think there should be passwords as well as biometrical stuff for some security stuff because a criminal is going to have to take longer to persuade a victim further for a memorial phrase than just presenting bits of their skin to a scanner.

Quote
Whereas passwords are really easy to guess, actually being able to use something which is unique to you – like your face or fingerprint – is obviously the logical step for us to take  :bullshit:,”


I can see the need for security but I don't know, it sounds to me like they're up to something and some bullsh*t might be going on in saying all passwords are insecure. Maybe offloading the responsibility onto the identity of the user, effectively using them as a password.


What do you think?
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: People should drop passwords altogether
« Reply #1 on: May 06, 2022, 07:45:52 pm »
I think websites should drop passwords indeed and just send you a link to a website over email or other messaging service. Much more convenient.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Online TimFox

  • Super Contributor
  • ***
  • Posts: 7934
  • Country: us
  • Retired, now restoring antique test equipment
Re: People should drop passwords altogether
« Reply #2 on: May 06, 2022, 07:49:24 pm »
Of course, to access my e-mail account I need a password.
Am I the only one here who doesn't keep my phone next to my computer?
 

Offline jpanhalt

  • Super Contributor
  • ***
  • Posts: 3395
  • Country: us
Re: People should drop passwords altogether
« Reply #3 on: May 06, 2022, 07:56:46 pm »
Agreed. There was a research article between 2006 and 2011 that concluded simply that passwords are designed to be hard to remember but easy for computers to break. I've complained many times about the ridiculous requirement for "special characters", as the presence of which is a flag to "this may be a password." In the real world, most data breaches that I have read about were due to human stupidity, such as inserting a thumb drive to see what was on it. A simple PIN should suffice.

In my own field, Prof. Ray Bartlett (U Conn) long ago studied sources of errors in clinical laboratory testing. Such labs are required to run controls and test sample lots of new reagents. The most common cause of a control failure by far was the test, not the lot of reagent. Overall, bad reagents were something like 1/100,000 or less as frequent as human errors. I suspect the ratio of cracking "passwords" to obtaining such information by stupidity is similar.
« Last Edit: May 06, 2022, 07:58:28 pm by jpanhalt »
 

Offline Gyro

  • Super Contributor
  • ***
  • Posts: 9410
  • Country: gb
Re: People should drop passwords altogether
« Reply #4 on: May 06, 2022, 08:00:11 pm »
I definitely feel more comfortable when an important site sends an sms verification code to my phone. One of the reasons that I don't have a banking app on my phone - I prefer it when there are two devices involved.

Quote
Am I the only one here who doesn't keep my phone next to my computer?

Possibly. My phone stays with me.
Best Regards, Chris
 

Offline Benta

  • Super Contributor
  • ***
  • Posts: 5839
  • Country: de
Re: People should drop passwords altogether
« Reply #5 on: May 06, 2022, 08:31:14 pm »
Mr. Grahame Williams has a major flaw in his argument. That he's a spokesman for Thales frightens me.

User name, fingerprint, face scan are all useful to identify you.

Fine.

But a password is in your brain, and hopefully only there. It's at a much higher and personal security level. That some people use idiotic passwords is their problem.

Mr. Williams' suggestion is equivalent to removing the lock from your apartment door. I hope he's only in marketing.
 
The following users thanked this post: hans, BillyD, Karel, MrMobodies

Offline langwadt

  • Super Contributor
  • ***
  • Posts: 4391
  • Country: dk
Re: People should drop passwords altogether
« Reply #6 on: May 06, 2022, 08:37:13 pm »
Quote
Mr. Grahame Williams has a major flaw in his argument. That he's a spokesman for Thales frightens me.

User name, fingerprint, face scan are all useful to identify you.

Fine.

But a password is in your brain, and hopefully only there. It's at a much higher and personal security level. That some people use idiotic passwords is their problem.

yeh no wrench needed https://xkcd.com/538/


and if some biometric "password" is somehow compromised you can't just get a new and revoke the old one
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14297
  • Country: fr
Re: People should drop passwords altogether
« Reply #7 on: May 06, 2022, 08:42:44 pm »
It's unfortunately coming. Google has already announced they wanted to get rid of passwords too. Most online services will likely follow.
 
The following users thanked this post: Karel, PKTKS

Offline DiTBho

  • Super Contributor
  • ***
  • Posts: 3796
  • Country: gb
Re: People should drop passwords altogether
« Reply #8 on: May 06, 2022, 08:55:00 pm »
We should never eat snails ...

... and as soon as we are born we should be implanted an RFID under the skin, which encodes the personal DNA, the type of blood, the encoded proteins, etc. Because it is also useful for media robots, useful for accessing the Internet.

Old Cyberpunk novels. Philip Dick would also suggest to encode a sequence on the cornea of the eyes, like in BladeRunner 2049.

Real world: passwords like "P@is%n1vy" are good to remember, hard to crack, good and nice.
The opposite of courage is not cowardice, it is conformity. Even a dead fish can go with the flow
 

Online Bud

  • Super Contributor
  • ***
  • Posts: 6877
  • Country: ca
Re: People should drop passwords altogether
« Reply #9 on: May 06, 2022, 09:08:20 pm »
You can't get the password out of a dead man.
As to fingerprints or other parts of the dead body .... :-X
Facebook-free life and Rigol-free shack.
 
The following users thanked this post: amyk, PKTKS

Online TimFox

  • Super Contributor
  • ***
  • Posts: 7934
  • Country: us
  • Retired, now restoring antique test equipment
Re: People should drop passwords altogether
« Reply #10 on: May 06, 2022, 09:22:57 pm »
Dead person's or severed fingers have been used in thriller novels--I don't know of any real-world use, but it is always possible.
The Nazis tortured rich victims to learn their secret Swiss bank account numbers long before computer passwords.
 

Offline tggzzz

  • Super Contributor
  • ***
  • Posts: 19279
  • Country: gb
  • Numbers, not adjectives
    • Having fun doing more, with less
Re: People should drop passwords altogether
« Reply #11 on: May 06, 2022, 09:28:48 pm »
Infosec truism: ATM card PINs protect the bank, not the individual. "We received the correct PIN which only you know, therefore you authorised it. Case closed"

Biometrics: just say no, due to the certificate revocation problem. When, not if, an ATM card is compromised, the bank revokes the card. Simple. What happens when, not if, my iris becomes compromised?
There are lies, damned lies, statistics - and ADC/DAC specs.
Glider pilot's aphorism: "there is no substitute for span". Retort: "There is a substitute: skill+imagination. But you can buy span".
Having fun doing more, with less
 
The following users thanked this post: Karel, MrMobodies

Offline MrMobodiesTopic starter

  • Super Contributor
  • ***
  • Posts: 1906
  • Country: gb
Re: People should drop passwords altogether
« Reply #12 on: May 06, 2022, 09:31:57 pm »
Quote
It's unfortunately coming. Google has already announced they wanted to get rid of passwords too. Most online services will likely follow.

I don't depend on it, I'll close the account to move somewhere else.
My concern wasn't about the multi factor authentication.

I refuse on the grounds of privacy; I should not need to submit private medical stuff relating to my biology and identity just to use services.
Sounds ridiculous to me.

When I was paying for Youtube Premium, somewhere down for a lot of videos needed authentication that I was over a certain age.
I think they wanted my driving licence or passport. I thought forget it, I don't want to hand Google any more of my personal information.


I found this 11 year article just now:
Quote
Can I refuse to have my child fingerprinted at school?
This article is more than 11 years old Emma Norton
Thinkingcrumpet wants to know if refusing to allow their son to be fingerprinted by a new school will endanger his place
Fri 16 Jul 2010 11.38 BST

My child will be starting a school in September where the preferred registration method is fingerprint recognition. Is it lawfully possible to refuse to comply and keep his place at the school?
More and more parents are asking us for advice about this issue. No one knows how many schools are now using biometric technology like this because it seems that the government is not keeping a record. Some estimates suggest that as many as 30% of all schools in the UK have fingerprinting technology. This means that millions of children are having their fingerprints taken and retained. This massive expansion of the collection of highly personal data has been allowed to take place without parliamentary scrutiny or public debate.

The short answer to thinkingcrumpet's question is: we cannot see how it would be fair or lawful for a school to use a parent's refusal to consent to fingerprinting her child as a reason for rescinding an offer of a place at a school. The reaction would be wholly disproportionate (engaging the child's right to privacy and education).

The new coalition government has already stated that it intends to ban the taking of prints from children without parental consent so it would be very poor practice if schools did not take this proposed legislation into account (although they are, of course, not legally bound by it). Furthermore, the Information Commissioner's Office (the office that oversees compliance with the Data Protection Act 1998 (DPA), has published guidance on this issue and advises that even though there is no lawful requirement on a school to obtain parental consent for fingerprinting children, the school "must" involve the parents to ensure that information is obtained fairly, unless the school can be certain that the child understands the implications of giving up his/her prints.

The ICO states that "it would be a heavy-handed approach for schools not to respect the wishes of those pupils and parents who object". It specifically states that other systems can work just as well and that those who wish to opt out should be offered another means of accessing the same services.

The main reasons given by schools for introducing biometric technologies are to assist in registration, library and canteen systems. Upon entry, the pupil is required to place his or her finger on a scanner whereupon the software will identify them as someone entitled to access the service. It is argued that access to the service is made faster and more efficient, but also that the system can keep tabs on the pupil (so that it is easier, for example, to spot if a student is skipping school). Using a cashless system like this is also credited with reducing bullying and stigmatisation, especially for those on free school meals. It has been suggested that parents can keep better track of what their kids are eating, with some sort of block being put on the canteen system if the child tries to buy unsuitable food.

Although fingerprinting technology is still the main biometric systems employed by schools, other trials to date have included retinal scanning and palm-vein scanning.

So what is wrong with this? Certainly when I asked my 14-year-old and some of his friends about it, they didn't immediately see anything wrong with fingerprints and scanners in schools – in fact, they quite liked the futuristic style of the technology as opposed to their battered old library cards, or boring registration procedures. Liberty does not share their enthusiasm. Indeed one of our principal concerns is that it plays on these ideas and gets children accustomed to giving up their highly personal biometric data as a matter of routine.

If children at primary school age are taught that it is normal to hand fingerprints or other personal data to their school or local authority, how alarmed are they going to be if and when, as adults, a future government tries to reintroduce the idea of ID cards, for example, or to argue that there should be universal DNA retention?

It also touches on the important issue of consent. The law (see below) requires that the person must give their consent to the fingerprints being taken. How schools are ensuring that children are giving informed consent is very hard to determine and practice seems to vary widely. The ability of a seven-year-old to give consent is going to be very different from that of a 17-year-old. Surprisingly, the law does not require that consent be obtained from the parents of a child, although good practice and guidance has recommended that it be obtained in advance. We are aware of many cases where this has not happened, though, and parents are only informed after the event.

The massive expansion in the use of this technology has been pushed almost entirely by the private sector companies that make a lot of money out of it. Some have made claims about the benefits of the technology that are entirely untested. We have heard about one school that spent thousands of pounds installing retinal scanning software, only to have to remove it because the process of scanning each pupil took far longer than expected and all the pupils could not be fed inside the lunch hour. Concerns about preventing bullying and stigmatisation could also be met through the wider introduction of swipe cards and PIN numbers.

The law
The Data Protection Act 1998 contains a number of principles governing what a "data controller" (in this case, a school) can do with the personal information it holds. A detailed discussion of the data-protection principles is beyond the scope of this article, but in summary: the information must be processed fairly and lawfully; can only be taken for a lawful purpose; must be adequate and not excessive in relation to the purpose for which it was taken; must be kept for no longer than is necessary; and must be safely and securely maintained.

Liberty believes the problems touched on above with regards to consent raises immediate questions about whether information taken in such circumstances can be said to have been processed "fairly and lawfully". We are also very concerned about the possibility of other agencies outside the school being able to access the information. The ICO has confirmed, for example, that the police could ask the school to hand over biometric information about children. It has stated that biometric data should be destroyed once a pupil leaves the school but there is no system for checking and ensuring this is done. Compliance with the DPA is likely to be poor because it is effectively unchecked.

Article 8 of the Human Rights Act protects the right to respect for a person's privacy. The taking of DNA and fingerprints has already been held by the court of human rights to engage this right. The need for protection is even higher for children.

The right to privacy is not an absolute right and under the second part of the article the state may justify an interference with the right that is "in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others".

You can see the sort of arguments that would be raised to try to show that the interference was justified. Assuming the DPA had been complied with, the school could argue that retention was necessary in a democratic society to ensure attendance of pupils at school or prevent bullying and stigmatisation (protection of the rights and freedoms of others). We think this is questionable. It is hard to see how installing a new system for taking books out of a library justifies the interference with privacy involved. And there are less invasive alternatives available to deal with concerns about attendance and bullying, which do not have such implications for personal privacy.

The expansion of biometric systems like this have been allowed without a proper public debate. If we get too hung up on issues about efficiency and modernisation, we will overlook these vital questions. This highly personal information belongs to the individual and it should not be for him or her to tell the state why they should not have it – it is for the state to justify why it should. So far, it has failed to do so.

 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14297
  • Country: fr
Re: People should drop passwords altogether
« Reply #13 on: May 06, 2022, 09:37:17 pm »
Quote
It's unfortunately coming. Google has already announced they wanted to get rid of passwords too. Most online services will likely follow.
I don't depend on it, I'll close the account to move somewhere else.

Sure. Until they all do the same. Do you think they won't?

https://www.firstpost.com/tech/news-analysis/explained-why-apple-microsoft-google-want-to-get-rid-of-passwords-10640151.html
 

Offline MrMobodiesTopic starter

  • Super Contributor
  • ***
  • Posts: 1906
  • Country: gb
Re: People should drop passwords altogether
« Reply #14 on: May 06, 2022, 09:51:10 pm »
I don't want my "password" to be in the form of a fingerprint left for anybody to look at or touch whether it be in a shop or the bar.
Quote
Sure. Until they all do the same. Do you think they won't?

https://www.firstpost.com/tech/news-analysis/explained-why-apple-microsoft-google-want-to-get-rid-of-passwords-10640151.html

Which is why I am actually quite worried and said I found it quite disturbing.

They all seem in unity about it, Microsoft, Apple, Google so I think they are up to something else.

Quote
The big three tech companies want to introduce a system where users will have to log in to online services using a passkey on their phones.
Well, I already do that when paying for things over a certain value, but it makes me wonder about SIM swap. Oh yes, they might fix the problems with that by requiring a biometric reading.

I don't know what I am going to do but I don't want to give anybody apart from doctor or healthcare my personal medical information thank you very much.

So they are effectively going to shut people out if they don't give them their biometrical details.
« Last Edit: May 06, 2022, 09:55:28 pm by MrMobodies »
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14297
  • Country: fr
Re: People should drop passwords altogether
« Reply #15 on: May 06, 2022, 09:54:39 pm »
Yep. I think we know what this inevitably leads to. Whether this is intentional or not doesn't matter (much).
 
The following users thanked this post: MrMobodies

Online golden_labels

  • Super Contributor
  • ***
  • Posts: 1182
  • Country: pl
Re: People should drop passwords altogether
« Reply #16 on: May 06, 2022, 10:02:17 pm »
Not participating in the survey, as it misses the option I would choose and is designed wrong.

As an entertaining intro, today’s story. My mother received documents from an insurance company, via my mailbox, in an encrypted PDF. The password — as explained in the email itself — is the last four digits of her PESEL number.(1) I hope I don’t need to explain how strong a 4-digit password is and how long it stands up to a bruteforce attack; in particular if the penultimate digit is determined by gender and the last one is a checksum value. If that wasn’t enough, the number is semi-public. The company itself somehow doesn’t understand that their own worker received something used as a password by simply asking for it. While certainly using even such a weak solution is better than plaintext(2), it shows something very important: a failure to understand security at even the most basic level by laypersons.

Passwords must go. But the main reason is not their inherent weakness. It’s because of the users. For years now it is well known that:
  • Users are horrible at inventing passwords. Not understanding fundamental things about security, people substitute their guesses for knowledge. Based on poorly founded heuristics, often on perception of threats derived from entertainment industry, using schemes not addressing the actual attack methods, falling into “it’s ok because I can’t break it” theme and so on. Common examples: using simple words they think no one will know or substituting letters for look-alikes.
  • Policies designed by ignorant people, or people not updating their knowledge, are pushing users to invent even worse passwords. Password rotation, in particular over short periods, has been beaten to death already. Yet you will encounter that type of requirement introduced even now, as I write this post. Worse, there are people who will try to defend it. Both ignoring that, no matter what their predictions are, reality has shown it leads to worsening security, and not realizing that the primary reason for the policy in the first place was blindly importing it from eras predating computers, where threat models were very different. Requiring particular characters in the password only introduces very predictable changes to whatever the user already had. Almost universally “1!” or one of a very few similar suffixes.
  • Limited access to tools leads to users engaging in insecure practices, even if otherwise they would not. Using a properly designed password manager raises the bar for the adversary so high that password-based attacks are doomed to fail in nearly all circumstances.(3) Yet most people will not use them. They do not even know they should. The tools are cumbersome to use; or are proprietary service-based solutions that effectively make you give away your passwords. Users fail to address database loss situations and opt for not having protection at all. Hardware HID keys are so rare that I can’t even recall any specific name. An average member of society has no option to securely generate a strong password. There is no infrastructure to share passwords: the reason the insurance company used the PESEL number is that there is no sane way to give them any password in the first place. All this worsens the situation even more.

Secondary to the above, passwords have problems too. Even the strongest, most perfectly chosen password has them. They are inherently vulnerable to replay attacks. While not a limitation of the technology, the practical use of passwords often involves remembering them, which limits their quality. A password may easily be 256-bit strong (attacks not feasible), but in practice people employing diceware class of generators will obtain 48 to 64 bits, while the general population somewhere between 8 and 32 bits. Passwords are quite easy to acquire, because at least partially they must be transferred over insecure channels.

But there is another issue. For at least two decades we have had technologies that are sufficient to deliver much better solutions. Better in many aspects: security, convenience, privacy and freedom. They are widely deployed, so it’s not sci-fi. The problem is both the level of adoption and that they are often partial. Where something more convenient is offered, it’s a privacy nightmare and often involves passing a bit of control to some third party. Where solutions respect your privacy and freedom, using them in practice is a horror story.


(1) An identifier in PESEL, a national database of all Polish residents. It’s a structured value, directly linked to the birth date and gender, with the last digit being an almost universally valid checksum dependent on the other ten.
(2) The adversary is required to put some minimum effort in the attack.
(3) “Nearly all” because phishing attacks are still possible.
« Last Edit: May 06, 2022, 10:06:22 pm by golden_labels »
People imagine AI as T1000. What we got so far is glorified T9.
 
The following users thanked this post: tooki
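The post above puts numbers on the "last four digits of a PESEL" password (a 4-digit value whose penultimate digit encodes gender and whose last digit is a checksum) against diceware-style passphrases of 48 to 64 bits. The following is an added example, not golden_labels' code: it enumerates the suffixes an attacker would actually have to try under different amounts of knowledge about the victim, and compares the resulting key space with diceware. The PESEL layout used (six date digits, three serial digits, a gender digit, then a check digit computed with weights 1,3,7,9,1,3,7,9,1,3) is the public specification; the sample prefix `4405140` and the guess rate are constructed values for illustration.

```python
import math
from itertools import product
from typing import List, Optional

# Public PESEL layout: YYMMDD SSS G C
#   digits 0-5 birth date, 6-8 serial, 9 gender (odd = male, even = female),
#   10 = check digit over the first ten digits with these weights.
PESEL_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)
DIGITS = "0123456789"


def pesel_check_digit(first_ten: str) -> int:
    """Check digit for a 10-digit PESEL prefix: (10 - weighted sum mod 10) mod 10."""
    if len(first_ten) != 10 or not first_ten.isdigit():
        raise ValueError("expected exactly ten digits")
    total = sum(int(d) * w for d, w in zip(first_ten, PESEL_WEIGHTS))
    return (10 - total % 10) % 10


def candidate_suffixes(known_prefix: Optional[str] = None,
                       gender: Optional[str] = None) -> List[str]:
    """Every 4-digit PDF password (PESEL digits 7-10) consistent with what an
    attacker knows.  known_prefix: the first seven digits (birth date plus the
    first serial digit), or None.  gender: 'M', 'F' or None."""
    allowed_gender = {"M": "13579", "F": "02468", None: DIGITS}[gender]
    candidates = []
    for s2, s3, g in product(DIGITS, DIGITS, allowed_gender):
        if known_prefix is None:
            # Check digit depends on the unknown prefix, so it is unconstrained.
            candidates.extend(s2 + s3 + g + c for c in DIGITS)
        else:
            # Prefix known: the check digit is fully determined.
            c = pesel_check_digit(known_prefix + s2 + s3 + g)
            candidates.append(s2 + s3 + g + str(c))
    return candidates


def entropy_bits(n_candidates: int) -> float:
    """Guessing entropy of a uniformly chosen secret from n candidates."""
    return math.log2(n_candidates)


def diceware_bits(words: int, list_size: int = 7776) -> float:
    """Entropy of a passphrase of `words` words drawn from a list of `list_size`."""
    return words * math.log2(list_size)


def worst_case_seconds(n_candidates: int, guesses_per_second: float) -> float:
    """Time to exhaust the key space at a given offline guess rate."""
    return n_candidates / guesses_per_second


if __name__ == "__main__":
    # Constructed attacker-knowledge scenarios against a constructed prefix.
    scenarios = {
        "knows nothing": candidate_suffixes(),
        "knows gender": candidate_suffixes(gender="M"),
        "knows birth date + 1st serial digit": candidate_suffixes("4405140"),
        "knows both": candidate_suffixes("4405140", "M"),
    }
    rate = 1000.0  # constructed: guesses per second against the PDF offline
    for name, cands in scenarios.items():
        print(f"{name:38s} {len(cands):6d} candidates "
              f"{entropy_bits(len(cands)):5.1f} bits "
              f"{worst_case_seconds(len(cands), rate):6.1f} s")
    for n in (4, 5):
        print(f"diceware {n} words: {diceware_bits(n):.1f} bits")
```

Even with no knowledge of the victim, the whole space is under 14 bits, and the "semi-public" structure the post describes removes one more bit for gender and three more once the birth date is known. A 4-word diceware phrase sits around 51.7 bits, so the gap is not a matter of degree but of kind: the PDF password is a PIN with a known structure, not a password.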

Offline MrMobodiesTopic starter

  • Super Contributor
  • ***
  • Posts: 1906
  • Country: gb
Re: People should drop passwords altogether
« Reply #17 on: May 06, 2022, 10:12:47 pm »
I don't mind if it is changed in other ways but my concern is just based on forcing everyone to use biometric revealing information about themselves.

Quote
Not participating in the survey, as it misses the option I would choose and is designed wrong.

What would you like me to list as an option in the survey?

I thought it was for the website to enforce password restrictions.
Joke: Session hijacking... no problem just stick your finger here most of the time to make sure it is you.

Quote
In the real world, most data breaches that I have read about were due to human stupidity, such as inserting a thumb drive to see what was on it. A simple PIN should suffice.

Quote
I suspect the ratio of cracking "passwords" to obtaining such information by stupidity is similar.

It will be interesting to see what the next level of scams are going to look like when this non password approach starts.
« Last Edit: May 06, 2022, 10:41:24 pm by MrMobodies »
 

Offline free_electron

  • Super Contributor
  • ***
  • Posts: 8515
  • Country: us
    • SiliconValleyGarage
Re: People should drop passwords altogether
« Reply #18 on: May 06, 2022, 10:37:56 pm »
Two-pathway approach. The challenge gets sent over one path, the answer through another path. For example, the challenge goes over the cellphone, the cellphone applies key number one, shows the result to the user, the user bridges that result to the computer, the computer applies key number two (stored in a secure module) and sends it back to the server.

That way, if you intercept one of the hardware machines, or compromise one, you still can't find the relation, as the human is the bridge. The original request and final response do not exist on the same machine at any given point in time. They only exist in the human in between (you read it and type it on another device).
Professional Electron Wrangler.
Any comments, or points of view expressed, are my own and not endorsed , induced or compensated by my employer(s).
 
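The two-path exchange described in the post above, written out as an added example with both sides' messages (this is not free_electron's code, and the post names no particular primitives): the server issues a random challenge, the phone applies key one and displays a short code, the user types that code into the computer, the computer applies key two from its secure module, and the server recomputes both stages to verify. HMAC-SHA256 is the assumed choice for "applying a key", the 8-digit display code is an assumed size, and the two keys are constructed values. The check at the end shows that a party holding only the phone's key, or only the computer's key, cannot produce a valid response on its own.

```python
import hashlib
import hmac
import secrets

# Constructed demo keys; in a real deployment key1 lives only on the phone and
# key2 only in the computer's secure module, with the server holding copies.
KEY1_PHONE = b"constructed-phone-key-0001"
KEY2_COMPUTER = b"constructed-secure-module-key-0002"
CODE_DIGITS = 8  # assumed size of the code the user carries across by hand


def server_issue_challenge(nbytes: int = 16) -> str:
    """Server -> phone: a fresh random challenge, never reused."""
    return secrets.token_hex(nbytes)


def phone_stage(key1: bytes, challenge: str, digits: int = CODE_DIGITS) -> str:
    """Phone: HMAC the challenge with key1 and display a short decimal code
    (truncated, as one-time-code displays usually are)."""
    mac = hmac.new(key1, challenge.encode(), hashlib.sha256).digest()
    value = int.from_bytes(mac[:8], "big") % (10 ** digits)
    return str(value).zfill(digits)


def computer_stage(key2: bytes, displayed_code: str) -> str:
    """Computer: HMAC the code typed in by the user with key2 from the secure
    module; this is what goes back to the server."""
    return hmac.new(key2, displayed_code.encode(), hashlib.sha256).hexdigest()


def server_verify(key1: bytes, key2: bytes, challenge: str, response: str) -> bool:
    """Server: recompute both stages and compare in constant time."""
    expected = computer_stage(key2, phone_stage(key1, challenge))
    return hmac.compare_digest(expected, response)


def run_exchange(key1: bytes, key2: bytes, challenge: str = None) -> dict:
    """Drive one full login round and return every message for inspection."""
    challenge = challenge or server_issue_challenge()
    code = phone_stage(key1, challenge)          # seen only on the phone screen
    response = computer_stage(key2, code)        # sent computer -> server
    return {
        "challenge": challenge,
        "displayed_code": code,
        "response": response,
        "accepted": server_verify(key1, key2, challenge, response),
    }


def compromise_check(key1: bytes, key2: bytes, challenge: str) -> dict:
    """What each single-device compromise can forge.  A party with key1 alone can
    derive the display code but not the response; a party with key2 alone has the
    computer but never saw the phone's code and must guess it."""
    code = phone_stage(key1, challenge)
    forged_with_key1_only = computer_stage(b"attacker-has-no-key2", code)
    forged_with_key2_only = computer_stage(key2, "0" * CODE_DIGITS)  # one blind guess
    return {
        "key1_only_accepted": server_verify(key1, key2, challenge, forged_with_key1_only),
        "key2_only_accepted": server_verify(key1, key2, challenge, forged_with_key2_only)
                              and code != "0" * CODE_DIGITS,
    }


if __name__ == "__main__":
    result = run_exchange(KEY1_PHONE, KEY2_COMPUTER)
    for k, v in result.items():
        print(f"{k:15s} {v}")
    print(compromise_check(KEY1_PHONE, KEY2_COMPUTER, result["challenge"]))
```

The design point worth noticing is that the only value the two machines share is the short code that passes through the user, so the server must rate-limit failed responses per challenge: an 8-digit code is fine against an attacker who gets a handful of tries and worthless against one who gets millions.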

Online themadhippy

  • Super Contributor
  • ***
  • Posts: 2545
  • Country: gb
Re: People should drop passwords altogether
« Reply #19 on: May 06, 2022, 10:38:59 pm »
Dear Apple, Google and Microsoft. And what about us renegades who have decided the best place for their mobile phone was in the bin?
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14297
  • Country: fr
Re: People should drop passwords altogether
« Reply #20 on: May 06, 2022, 10:52:31 pm »
Quote
Dear Apple, Google and Microsoft. And what about us renegades who have decided the best place for their mobile phone was in the bin?

Well,  I guess they have unfortunately decided that the best place for people not willing to use mobile phones is in the bin.
The question remains as to who is gonna win, or if everyone's gonna end up in the bin eventually.
 

Online golden_labels

  • Super Contributor
  • ***
  • Posts: 1182
  • Country: pl
Re: People should drop passwords altogether
« Reply #21 on: May 06, 2022, 11:00:39 pm »
Quote
I don't mind if it is changed in other ways but my concern is just based on forcing everyone to use biometric revealing information about themselves.

That would be a serious concern to me too. Of course in terms of both privacy and freedom, but — perhaps unexpectedly — also because it’s a security issue. Biometric authentication is alluring, because it’s extremely convenient, but under the hood it’s a key generator. Better than user-invented passwords, but in many ways worse. It’s one-factor authentication, with a factor that can never be changed and, while possibly hard to copy,(1) it is still publicly available information.

Quote
What would you like me to list as an option in the survey?

Unless there is a well proven reason to do otherwise, any survey should have “Refuse to answer” and “Other (specify)” options. In my case I would respond with either MFA or some alternative method (signed challenge, for example).


(1) I know that reports of successful copying are common. But so far there is no evidence of it being an inherent restriction of the technology itself. Rather failures in particular approaches. Of course that may change in the future, as the contrary has not been proven either.
People imagine AI as T1000. What we got so far is glorified T9.
 
The following users thanked this post: MrMobodies
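As an added worked example (not part of golden_labels' post, and not any vendor's or project's code), here is the “signed challenge” alternative mentioned above, in Go using only the standard library's Ed25519. The server hands out a one-time random nonce, the client signs a transcript that binds that nonce to the server name and user, and the server spends the nonce on the first verification so a captured response cannot be replayed. The server name “login.example.test”, the user “alice” and the context label are made up for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Server keeps the enrolled public keys and at most one outstanding nonce per user.
type Server struct {
	name       string
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer(name string) *Server {
	return &Server{name: name, keys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Enroll registers a user's public key. In a certificate-based deployment this is
// where the certificate chain would be validated; here it is a bare key.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) {
	s.keys[user] = pub
}

// Issue returns a fresh 32-byte random nonce for the user, replacing any earlier one.
func (s *Server) Issue(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// transcript is what actually gets signed: the nonce bound to the server name and
// the user under a fixed context label (a made-up label), so a signature produced
// for another server or another purpose cannot be presented here.
func transcript(server, user string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("signed-challenge-v1\x00"))
	h.Write([]byte(server))
	h.Write([]byte{0})
	h.Write([]byte(user))
	h.Write([]byte{0})
	h.Write(nonce)
	return h.Sum(nil)
}

// Respond is the client side: sign the transcript with the enrolled private key.
// The private key itself never leaves the client.
func Respond(priv ed25519.PrivateKey, server, user string, nonce []byte) []byte {
	return ed25519.Sign(priv, transcript(server, user, nonce))
}

// Verify checks the response and spends the nonce whether or not it verifies,
// so a captured response cannot be replayed.
func (s *Server) Verify(user string, nonce, sig []byte) bool {
	pub, enrolled := s.keys[user]
	expected, pending := s.challenges[user]
	delete(s.challenges, user)
	if !enrolled || !pending || !bytes.Equal(nonce, expected) {
		return false
	}
	return ed25519.Verify(pub, transcript(s.name, user, nonce), sig)
}

// Scenario runs one honest login, a replay of that same response, and a response
// signed with a key the server never enrolled, and returns the three verdicts.
func Scenario() (honest, replay, wrongKey bool, err error) {
	const server = "login.example.test" // hypothetical server name
	srv := NewServer(server)
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	srv.Enroll("alice", pub)

	nonce, err := srv.Issue("alice")
	if err != nil {
		return
	}
	sig := Respond(priv, server, "alice", nonce)
	honest = srv.Verify("alice", nonce, sig)

	// Replay: same nonce and signature again; the nonce was spent on first use.
	replay = srv.Verify("alice", nonce, sig)

	// Wrong key: the attacker can obtain a fresh challenge but not alice's private key.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	nonce2, err := srv.Issue("alice")
	if err != nil {
		return
	}
	wrongKey = srv.Verify("alice", nonce2, Respond(attackerPriv, server, "alice", nonce2))
	return
}

func main() {
	honest, replay, wrongKey, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("honest accepted: %v, replay accepted: %v, wrong key accepted: %v\n", honest, replay, wrongKey)
}
```

Two design points worth noting. Unlike a password database, what the server stores here is public keys, so a leak of the server's table gives an attacker nothing to log in with. And the nonce is spent on the first Verify call regardless of outcome; a server that only deleted it on success would let an attacker keep guessing against one challenge.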

Offline MrMobodiesTopic starter

  • Super Contributor
  • ***
  • Posts: 1906
  • Country: gb
Re: People should drop passwords altogether
« Reply #22 on: May 06, 2022, 11:38:06 pm »
"Refuse to answer" and "signed challenge" added to survey.

An "other (specify)" option would be nice, maybe an idea for Gnif if that is something he is willing to do in future.

I just found something interesting when forcing it upon employees:
https://www.abc.net.au/news/2019-05-21/fingerprints-biometric-data-worker-wins-unfair-dismissal-case/11129338
Quote
Jeremy was fired for refusing fingerprinting at work. His case led to an 'extraordinary' unfair dismissal ruling
ABC RN / By Anna Kelsey-Sugg and Damien Carrick for The Law Report
Posted Mon 20 May 2019 at 10:30pm, updated Tue 21 May 2019 at 6:25am

When Queensland sawmill worker Jeremy Lee refused to give his fingerprints to his employer as part of a new work sign-in, he wasn't just thinking about his privacy. It was a matter of ownership. "It's my biometric data. It's not appropriate for them to have it," he tells RN's The Law Report. For not agreeing to the new system, Mr Lee was sacked. What followed was a legal battle that delivered the first unfair dismissal decision of its kind in Australia. Mr Lee represented himself before the full bench of the Fair Work Commission — and won. "It's extraordinary," says Josh Bornstein, national head of employment law with Maurice Blackburn lawyers. "It's off the charts for a self-represented litigant dealing with very sophisticated legal issues to have such an outstanding result. That is a very unusual achievement. "There's not too many Jeremy Lees, in my experience." He says Mr Lee's case reflects the complicated intersection of privacy and technology — an area in which the law is struggling to keep up pace.

'My biometric data is mine' — or is it?

Mr Lee says his employers at Superior Wood "tried to coerce" him to agree to the new fingerprint scanning system for about three months. But he remained resolute. Mr Lee says he has no criminal record and has never been in trouble with police. Nor does he object to a drug or alcohol test at work. But he draws a firm line at handing over his biometric data — data relating to someone's physical or physiological make-up — for fear it could be shared and potentially misused. "If someone else has control of my biometric data they can use it for their own purposes — purposes that benefit them, not me. That is a misuse," he says. His employer argued the new scanning system meant they could better track who was or wasn't on the premises, but Mr Lee says there are other means of doing that. Swipe cards, he argues, could be just as effective as an electronic identity check. His employers disagreed.


In February 2018 Mr Lee was fired for refusing the new sign-in system. Represented by pro bono lawyers, he began an unfair dismissal case. That case, heard by a single commissioner at the Fair Work Commission, was unsuccessful. The commissioner found the fingerprint scanning system was a reasonable policy; therefore, the sawmill company had a right to require employees to comply with it — and to dismiss those who didn't. Mr Lee appealed against the decision, proceeding to argue his case before a full bench of the Fair Work Commission — this time without any legal representation or support. The legal framework he was operating within was highly complicated, but his reasoning was anything but. "I was insisting that my biometric data is mine," he says. "My objection was that I own it. You cannot take it. If someone wants to get it or take it they have to get my consent. "Surely if my employer tries to get it and sacks me for refusing to give it, that is illegal. That was my argument." But it was a different argument that convinced the commission's full bench.

'A fantastic and unusual outcome'

The commission's full bench found there was no valid reason to fire Mr Lee for refusing to provide consent to the company to use his fingerprints and biometric data. On May 1, 2019, more than a year after Mr Lee was sacked, it was found he had been unfairly dismissed.
"I think it was a fantastic and unusual outcome," Mr Bornstein says.

He says all employees have an obligation to "comply with all lawful and reasonable directions" from an employer. But the Privacy Act states that when an employer wants to collect sensitive information — and biometric data like fingerprints are classified as such — they must give sufficient notification and allow for a process of informed consent. Mr Lee's workplace failed on both accounts. The commission found the sawmill's scanning policy had violated the Privacy Act. Mr Bornstein says the law "has been shifting very much in favour of employers being able to give employees direction successfully about medical information [and] other information, making greater and greater incursions into their employees' lives".

But Mr Lee's victory presents a major roadblock. "[Mr Lee's] is a rare case, which actually says 'no, what you did was not right' ... and the employee actually had a win," Mr Bornstein says. He says the win highlights the increasingly fraught intersection of privacy, technology and regulation. "There's a huge issue more broadly in our society as to whether people's privacy protections are being maintained with the rapid pace of technological change," Mr Bornstein says. "We're seeing employees more closely regulated than ever before — on a 24/7 basis.  "There's no doubt regulation is lagging well behind the development of technology."

Who really owns our biometric data?

Mr Lee is proud of his win, but his case has left him disappointed too. While the law declared him unfairly dismissed, his case didn't set a legal precedent — as he'd hoped it would — about the ownership of biometric data. But Mr Bornstein says the law has never recognised biometric information as property and — precedent or not — Mr Lee's win is remarkable. "What he's achieved is quite spectacular and very, very unusual," he says. "He may not have achieved a finding that he couldn't be forced to hand over his property, but he did achieve a finding that he could not be forced to hand over, without his consent, sensitive information under the Privacy Act." Mr Bornstein says the issue of whether biometric information is property is "a philosophical debate". "Ultimately, is our personal information, is our fingerprint data, is the image of our face, property? In some ways it's a legal debate [but] I think it is an even broader argument that's more philosophical in nature," he says. "So it was, I think, a fantastic and unusual outcome to do this on your own, from first tier up to a full bench, and be successful. "It's an amazing achievement."


Sounds to me very intrusive and not very nice.
« Last Edit: May 07, 2022, 12:29:00 am by MrMobodies »
 

Online Marco

  • Super Contributor
  • ***
  • Posts: 6693
  • Country: nl
Re: People should drop passwords altogether
« Reply #23 on: May 07, 2022, 12:37:26 am »
Biometric authentication is alluring, because it’s extremely convenient, but under the hood it’s a key generator. Better than user-invented passwords, but in many ways worse. It’s one-factor authentication, with a factor that can never be changed and, while possibly hard to copy,(1) it is still publicly available information.
On a phone it's effectively treated as half a factor, the pass code is still required after reboot and when the phone has been unused too long. So let's call biometric + pin a full factor. Then if you use a phone to authenticate on a laptop you have three factors, ownership of the phone, laptop and biometric + pin.
 

Offline tggzzz

  • Super Contributor
  • ***
  • Posts: 19279
  • Country: gb
  • Numbers, not adjectives
    • Having fun doing more, with less
Re: People should drop passwords altogether
« Reply #24 on: May 07, 2022, 06:38:38 am »
Two points about fingerprints:
  • not everybody has fingerprints, e.g. those working collecting pineapples! Yes, this causes them some problems
  • what happens when you cut your fingertip and it is covered with a plaster, or permanently scarred?

Often the "exceptional case" recovery process can be much weaker than a decent password. Classic example is a forgotten password leading to manual intervention involving questions with "well known" answers. In one case a company even sent my (stored!) password in cleartext email. Yes, I had words with them.
There are lies, damned lies, statistics - and ADC/DAC specs.
Glider pilot's aphorism: "there is no substitute for span". Retort: "There is a substitute: skill+imagination. But you can buy span".
Having fun doing more, with less
 
The following users thanked this post: DiTBho
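An added example, not from tggzzz's post and not any particular company's code, of a recovery path built so it cannot be weaker than the credential it replaces and so the server has nothing it could email back. It assumes the account record holds only a password hash (not shown here), so the only way back in is a random, short-lived, single-use reset token of which the server stores only the SHA-256. Go standard library only; the user “bob”, the 15-minute lifetime and the fixed clock are assumptions for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// resetRecord is everything the server keeps about a pending reset: the hash of
// the token (never the token itself) and when it stops being valid.
type resetRecord struct {
	tokenHash [32]byte
	expires   time.Time
}

// Store holds at most one pending reset per user. The clock is injectable so
// expiry can be exercised without sleeping.
type Store struct {
	resets map[string]resetRecord
	now    func() time.Time
}

const resetTTL = 15 * time.Minute // assumed lifetime for the demonstration

func NewStore(now func() time.Time) *Store {
	return &Store{resets: map[string]resetRecord{}, now: now}
}

// IssueReset mints a 256-bit random token, stores only its SHA-256 plus an expiry,
// and returns the token for delivery to the user's verified contact address.
// Issuing again replaces any earlier pending token. Because only the hash is
// stored, a leaked database yields no usable reset tokens, and because the token
// is 256 bits of fresh randomness a plain SHA-256 (not a slow password hash) is enough.
func (s *Store) IssueReset(user string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	s.resets[user] = resetRecord{
		tokenHash: sha256.Sum256(raw),
		expires:   s.now().Add(resetTTL),
	}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// Redeem compares the presented token with the stored hash in constant time,
// enforces expiry, and spends the record on a match whether or not it had
// expired. A wrong guess does not spend it (so a third party cannot cancel a
// legitimate reset), which is safe only because guessing a 256-bit token is hopeless.
func (s *Store) Redeem(user, token string) error {
	rec, ok := s.resets[user]
	if !ok {
		return errors.New("no reset pending")
	}
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return errors.New("malformed token")
	}
	got := sha256.Sum256(raw)
	if subtle.ConstantTimeCompare(got[:], rec.tokenHash[:]) != 1 {
		return errors.New("invalid token")
	}
	delete(s.resets, user) // single use
	if s.now().After(rec.expires) {
		return errors.New("token expired")
	}
	return nil
}

// Scenario exercises first use, reuse, use after expiry and a wrong token,
// and returns whether each behaved as intended.
func Scenario() (firstOK, reuseRejected, expiredRejected, wrongRejected bool, err error) {
	clock := time.Date(2022, 5, 7, 0, 0, 0, 0, time.UTC) // fixed clock, assumption
	s := NewStore(func() time.Time { return clock })

	tok, err := s.IssueReset("bob") // "bob" is a made-up user
	if err != nil {
		return
	}
	firstOK = s.Redeem("bob", tok) == nil
	reuseRejected = s.Redeem("bob", tok) != nil

	if tok, err = s.IssueReset("bob"); err != nil {
		return
	}
	clock = clock.Add(resetTTL + time.Minute)
	expiredRejected = s.Redeem("bob", tok) != nil

	if _, err = s.IssueReset("bob"); err != nil {
		return
	}
	allZero := base64.RawURLEncoding.EncodeToString(make([]byte, 32))
	wrongRejected = s.Redeem("bob", allZero) != nil
	return
}

func main() {
	a, b, c, d, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("first use ok:", a, "reuse rejected:", b, "expired rejected:", c, "wrong token rejected:", d)
}
```

The point of the design is that the reset channel is as strong as the token's entropy and the security of the delivery address, never as weak as a "mother's maiden name" question, and that there is no stored secret a support desk could paste into an email.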

