Thursday, February 27, 2014

Galaxy S5 follows suit with an integrated fingerprint reader - Is it enough?

Fingerprint sensors found on the iPhone 5S and Galaxy S5 may become instrumental for trusted identity assertion if, and only if, the sensors are accurate enough to ensure the required security level and user acceptance.

"Smartphones equipped with fingerprint scanners are definitely useful," said Jon White, Visa's Head of Marketing, Mobile Strategic Alliances (Gerald Lynch, GIZMODO UK, MONEY, Feb. 25 2014).

Useful, but insufficient!

Surprisingly enough, PayPal embraces the Samsung S5 biometrics for m-payment authentication. "The PayPal fingerprint authentication feature will go live on the Samsung Galaxy S5 in 26 markets this April," said Eden Zoller, principal analyst at Ovum (MENAFN, Feb. 25 2014). Let us hope that fingerprint authentication is not the only mechanism PayPal bets on. Better to add another authentication factor to it, such as a password or, better yet, a one-time password. It is also reasonable to assume that PayPal is still performing anti-fraud checks behind the scenes. A purchase in California minutes after one in New York is still a red alert.
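The kind of behind-the-scenes check described above can be sketched as an "impossible travel" rule. This is an added example, not PayPal's logic and not code from this blog; the speed and distance thresholds, the event fields and the sample purchases are all constructed assumptions.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0   # assumption: about airliner cruising speed
MIN_DISTANCE_KM = 50.0  # assumption: tolerance for coarse IP/GPS geolocation

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def impossible_travel(events):
    """Return (previous_id, current_id, km) for each pair of consecutive
    events on one account that no traveller could have produced."""
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        prev = last_seen.get(ev["account"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["time"] - prev["time"]).total_seconds() / 3600
            # The same timestamp in two distant places is also impossible.
            speed = km / hours if hours > 0 else math.inf
            if km > MIN_DISTANCE_KM and speed > MAX_SPEED_KMH:
                alerts.append((prev["id"], ev["id"], round(km)))
        last_seen[ev["account"]] = ev
    return alerts

# Constructed sample purchases (not real data).
NY, LA = (40.7128, -74.0060), (34.0522, -118.2437)

def _ev(event_id, account, when, place):
    return {"id": event_id, "account": account,
            "time": datetime.fromisoformat(when),
            "lat": place[0], "lon": place[1]}

SAMPLE_EVENTS = [
    _ev("t1", "alice", "2014-02-25T12:00:00", NY),
    _ev("t2", "alice", "2014-02-25T12:10:00", LA),  # 10 minutes later
    _ev("t3", "alice", "2014-02-25T12:30:00", LA),  # same city: fine
    _ev("t4", "bob", "2014-02-25T12:00:00", NY),
    _ev("t5", "bob", "2014-02-26T12:00:00", LA),    # a day later: plausible
]

if __name__ == "__main__":
    for prev_id, cur_id, km in impossible_travel(SAMPLE_EVENTS):
        print(f"ALERT {prev_id} -> {cur_id}: {km} km apart")
```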

Research shows that fingerprint readers have a plethora of issues that make them inappropriate for standalone authentication. Look at your fingers after a bath or a swim. What happens when hands are sweaty, very dry, or oily/waxy (sweat, salt and sebum are normally produced by our body)? Does your profession or hobby stress the skin of your fingers? When was the last time you cleaned the sensor (deposits magnify the deterioration of sensor accuracy)? Temperature and humidity take their toll, too.

High failure-to-enroll and failure-to-access rates will deter users from activating such technology on their mobile devices. Likewise, a high false acceptance rate deters chief information security officers from adopting it. Fingerprint sensors are susceptible to phishing and replay attacks. “Fingerprints are not private, you leave them lying around everywhere, and if someone has enough incentive – and the resources available to them – they may try to defeat any security system that you trust your fingerprint to unlock,” warns computer security blogger Graham Cluley. Even a liveness check may be fooled, as presented in my previous blog post about the Touch ID flaws.

What is the state-of-the-art means of identity authentication?

It is well known that a static target is much easier to attack than a moving one. Moving target defense (MTD) can be employed to defend identities, too. A one-time password is a kind of MTD mechanism. It was invented to combat phishing and replay attacks.

It's time for one-time identity.

One-time identity sounds like an oxymoron; in reality, however, it is a dynamic trusted identity manifested by dynamic features that may identify a person and authenticate him or her accurately enough to satisfy risk management policies. Those dynamic features involve multiple biometric traits, behavior analysis and checks of one's knowledge. Dynamic trusted identities are probabilistic and thus have to be context aware and adaptive to risk management orchestration.

Context awareness takes into account location awareness. Location may be physical, e.g. I am in a specific bank branch; I am withdrawing cash at an ATM; I am at my home, next to my desktop computer or at the office, within a hot-spot circle. Location may also be virtual, e.g. I am at an online store; a corporate remote access log-in page; the Google Apps portal.

Risk management policies define the level of assurance required of the authentication process. It is one thing to allow access to my picture album and another to allow access to corporate intellectual property documentation or to the funds transfer portal of one's bank account.

In summary, look for up-and-coming risk-based, context-aware, dynamic (MTD) trusted identity assertion.

Keep monitoring us @voisafe.

Dror Bukai,
www.voisafe.com

Tuesday, December 10, 2013

Securing your most important life elements

Dror Bukai

 of bioLock, shared on LinkedIn an article about recent theft of 2 million passwords. Take a look ... http://www.bankinfosecurity.com/2-million-passwords-reportedly-stolen-a-6266
I wrote a post and commented on the article, to be shared with you who are not connected with me on LinkedIn.

There will be times when biometrics will be interleaved with our daily life in a way that is not noticeably intrusive and is helpful in identifying and authenticating us. We will participate. Some will stay hostile until they themselves pay the price of using weak authentication technology. Alternatively, they might wait longer in lines until surrendering their biometric templates ... think of busy transportation systems such as airport passport control lines or ground mass transportation.

Admittedly, a biometric template is not, in and of itself, a replacement for a well-constructed password; however, a well-constructed biometric solution, based not just on static templates, could be a remedy for poorly constructed and managed passwords. Sadly enough, most passwords are poorly constructed and managed.

If biometrics is done properly, as an element in a large authentication schema, in the context of a specific application, uniqueness, accuracy, usability and revocation can be addressed.
I believe that technology advances and not behavioral changes will address security vulnerabilities.

In the meanwhile, here is a piece of advice:
Be cognizant of secure use of passwords: 
  • Don't don't don't reuse !!! 
    • Work and social network passwords should not be the same! 
    • Financial services e.g. banks and social networks should not intermix as well. 
  • Develop your own system of password renewal and stick to it. 
  • Create strong passwords of as many characters as practical, based on private knowledge with no dictionary correlation. Yes, Momof3gr8k!ds is not secure; it's in the basic hackers' password dictionary and will take seconds to compromise!
Please feel free to contact me for clarifications and assistance in any authentication project or topic.

VoiSafe, Making Log-in Safer, Faster & Easier

Monday, September 30, 2013

What's worse than finding a worm in your Apple?


... you know the joke :). Why did Apple let us see half a worm in the iPhone 5S?

"A day after the iPhone 5S hit the streets, a group of hackers in Germany said they have bypassed the biometric security on Apple's new Touch ID fingerprint sensor by using "easy everyday means"." CNET, Steven Musil, September 22, 2013

Doesn't this defy the whole concept of biometric authentication? Going halfway with biometric authentication is a disaster waiting to happen. No one biometric sensor stands by itself against hacking! There must be other factors in the equation in order to balance the false acceptance nature of an individual biometric sensor and replay attacks. Be it iris scan or fingerprints, finger-vein or palm-vein scan, behavioral biometrics, face recognition or speaker verification, there are false accepts and false rejects.

While false rejects need to be kept to a level bearable by users, ensuring a satisfactory user experience, false accepts can't be left as a stochastic number. Like passwords and PINs, Touch ID is a stationary target. While the claim is "no two are exactly alike," Apple's "iPhone 5s: About Touch ID security" is misleading. There can't be a 100% guarantee that two fingerprints aren't alike at the output of a biometric sensor. Even if that were feasible, recording and replaying is a relatively easy course of attack against fingerprint sensors. If a target is stationary, it is just a matter of time until it is compromised.

Run soldier, run, bend, fall to the ground, roll, jump, hide, be on the move - don't stay stationary or you'll be injured soon! We have learned this much as soldiers. Chinese philosopher, Sun Tzu, put it concisely “... let your methods be regulated by the infinite variety of circumstances.” The Art of War, written in China more than 2,000 years ago.

At VoiSafe, we are working hard to ensure an "infinite variety of circumstances". We wrap biometrics with patent-pending mechanisms against replay attacks. We make our biometrics moving targets. We make them move as fast as can be, so hackers won't be able to cope with the maneuvers.

This is interesting and will definitely change the way businesses and individuals are going to combat log-in hacking and even, hacking in general.

Keep monitoring us @voisafe; time not wasted, in search of a safer and easier log-in solution and making what matters more secure than ever before.


Dror Bukai,
CEO & Co-founder,
VoiSafe Biometrics
www.voisafe.com

Sunday, July 14, 2013

Why VoiSafe?

Ever had trouble remembering your online passwords?

Most people do. In fact, 85% of respondents to a recent social media survey write them down in notebooks, on sticky notes or in their mobile phones. Some 67% of respondents reuse passwords for multiple social and business accounts.

Passwords, apart from being a nuisance, have become one of the weakest links of cyber identity security!!!

VoiSafe presents a safe and friendly alternative to password typing. It combines biometrics and anti-fraud technologies in an innovative user friendly way.

'Voi' in Italian could mean 'You'. In Finnish it could mean 'Can', in the right context.
VoiSafe could mean 'You Safe' or 'Can Safe' ... or, 'Stay Safe', 'Be Safe' or 'You can be safe' in the context of identity security. That said, the truth is that when my young son heard about the new venture I had started, his suggestion for a name was VoiSafe, 'Voice Safe'. 'VoiS' or Voice for biometrics and safe for identity security.

Voice biometrics is the most intuitive means of personal verification. Voice verification, though, is not a good enough identification mechanism by itself. VoiSafe integrates other means to ensure accurate verification of people's identity. VoiSafe is a cyber voice ID similar to the picture ID we use every day for identification.

VoiSafe is in development. Let us know your thoughts and needs and help impact product development in making password typing a thing of the past. Please send comments by clicking here.

Want to 'Be Safe'? Stay tuned and be notified .... send us your email, click here.

Cordially,
Dror Bukai
VoiSafe, Founder & CEO

Friday, March 8, 2013

Hooray ... A business was born

Hello people,

Authentivi Inc. was born and registered as a Corporation in Delaware on Feb 26, 2013 ... hooray :)

We will keep CaptchaV as the name of the Blog and for future use.

Authentivi has come to our world to help merchants reduce losses and increase revenue attributed to inefficiencies in eCommerce processes.

Keep in touch,
Dror Bukai, Founder
Authentivi Inc.


Monday, February 11, 2013

A new venture was born

Thank you for visiting the new CaptchaV blog.

My name is Dror Bukai. I am a serial entrepreneur.

I had founded my first business out of high school at the age of 18 and ran it profitably through my whole college term.

I am now launching my 4th venture, CaptchaV Inc.

Prior to that, I spent 10 years in 8200 Intelligence corps, developing and managing development and product management in a startup culture with top engineers and scientists doing magic with cutting edge technologies. While at 8200, I gained a BSCEE Cum Laude from the Technion in half the normal graduation term. Then came Nice Inc., where I have managed development of products and business units for 8 years and built a worldwide network of connections with financial institution customers and distributors. Throughout the years I was instrumental in leading successful businesses in Israel and the United States. 
My fields of expertise are financial institutions enterprise software (Nice Inc.), telecommunications (Acceris Inc.), Internet telephony (founded ActVoIP Inc.) and eCommerce (founded TenOdGas Holdings Ltd.).

Please refer to some of the recommendations I've got from colleagues, here, at the bottom.

I am well versed in multi-disciplinary technology facets and international, inter-cultural and multi-modal business development, sales and marketing. I am ready for my next big business adventure.

CaptchaV is under construction in stealth mode, however, information will be shared through this blog as may be fit from time to time. Please visit us occasionally.

Please Note ...
I am currently in search of a CTO entrepreneur, an expert in making things work perfectly and quickly using up-to-date web and big data storage and analysis cloud technology. If you are an entrepreneur at heart, a technologist in mind and full of energy to become a worldwide leader in a significant market that will impact eCommerce dramatically, please send me an SMS.

Sincerely,
Dror Bukai
052-6954600

RECOMMENDATIONS


  1. Aviram Fidel
    CEO at Fidel Internet Marketing
    Dror is a true professional and all around player with 360 degrees understanding of biz-dev and marketing. I was delighted to work with him as an advisor and would gladly recommend him for any high profile marketing position.
    January 26, 2013, Aviram worked directly with Dror at SafePeak Technologies
  2. Jim Ducay
    Networking Business Operations at Avaya
    I have tremendous respect for Dror as a person who has the technical knowledge and the management abilities required to lead a major development project or a technology oriented start-up company to success. He is someone who fully commits himself to an initiative and does it with complete integrity. I give him my highest recommendation.
    February 17, 2009, Jim worked with Dror at Acceris Communications, Inc.
  3. Nina Macheel
    Marketing Communications
    Dror Bukai is a man of brilliant strategic vision and astute technical understanding and training. He understands the business case of the product as well as the engineering underlying the product. He knows how to use resource and manage teams to achieve success. I worked on Dror’s team at I-Link, where he provided inspiring leadership, offering the empowerment I needed to...more
    January 13, 2009, Nina reported to Dror at I-Link Inc.
  4. JD Whitaker
    Technical Marketing and Sales at Xeltek
    Dror was instrumental in developing an advanced digital audio recording system for an airborne wideband surveillance platform. Our customer had a strong preference for NICE Digital Audio recorders they were already using in standard commercial form. However, the performance requirements for the airborne project could not be met with off-the-shelf NICE products. Dror...more
    February 28, 2007, JD worked with Dror at Nice Inc.