The password is dead. Long live the password.

Passwords are becoming ‘the’ security problem that needs to be solved.

Will we ever see the password put to bed?

As security breaches become more commonplace, passwords are getting longer and more complicated. Take a mixture of your pet’s name, mother’s maiden name & your favourite holiday destination, shake them around a bit with some upper and lower case, numbers and symbols – and you’ve got a more secure password.

It’s a shame you can’t possibly remember it.

Multiply those passwords across multiple sites and log-ins and unless you use the same one on them all, or keep a list of them all on your computer (which is more of a security risk than anything else), you’ll be continually hitting the ‘forgotten your password?’ button.

Everyone’s trying to find an alternative, but like cockroaches – the password is hard to kill off.

So what else is there?

1. Biometrics

Fingerprint or ear scanners on your smartphone, iris scanners at work, vein scanners at the supermarket – there are a raft of biometric solutions out there promising unique authentication by using something that’s unique to you.

Like most things in authentication, it’s a case of horses for courses. Biometrics have more of a place in the workplace for proving your identity than in the consumer world. Unless you’re purchasing that DVD on your smartphone, for example, they’re useless for logging into your online store.

Also, they aren’t immune to hackers. The iPhone 5S’s fingerprint scanner was successfully fooled two days after its launch, as was the subsequent Samsung Galaxy S5. All the more worrying is the fact that the Galaxy S5’s scanner is being used to authenticate PayPal transactions. Read our previous blog.

2. Implants.

We chip our pets, so why not humans?

PC Advisor has just run a fascinating online poll:

If you could have a chip implanted or carry around an ID card that meant you never had to remember passwords or log-ins again, would you do it?

Out of 4098 votes, 39% said yes, 50% said no and the rest weren’t sure. Now the ‘yes’ vote was way higher than we would have expected.

It sparked off a great debate from the voters. Those against in the main were concerned about:

– privacy (Big Brother knowing your every move and location)

– the opportunities for crime (hacking out the implant and stealing your identity, then leaving you to bleed to death)

– the medical procedure of getting it under your skin in the first place (will it hurt?).

Others just didn’t fancy being bleeped every time they passed through the supermarket checkout.

But some were fully for the idea, seeing the benefits of having one means of identification that you can’t accidentally leave at home. The convenience ruled out any concerns – especially if it’s an implant you can remove.

As one tongue-in-cheek comment rightly pointed out, “kids are already chipped, they never leave home without their smart phone.”

3. A colour wheel?

Would you prefer colour, sound or a story?

One design student at the Royal College of Arts in London thinks she may have an alternative. Renee Verhoeven’s graduation project ‘ID Protocol’ creates a series of password tools that do away with letters and numbers in favour of personal, mnemonic memory codes.

ID Protocol uses the 3 main pillars of mnemonic memory: movement (muscle memory), synesthesia (interpreting code as a texture or sound) and making a story from existing words.

It works something like this: the user selects an ID Protocol pass that plugs into their computer. Passes can use different sensory cues such as colour, pattern making, memory or storytelling: allowing you to use a colour wheel or a story mechanism rather than a set of numbers and letters to log in.

It’s just a concept for now, but as secondary authentication measures become more popular, maybe we’ll be identifying ourselves with a gesture or a story soon.

4. Your heartbeat?

Just one of the latest pieces of kit around that promises a new way to log-in or prove your identity is the Bionym Nymi. It looks like a simple watch, but it’s actually a piece of technology that authenticates your identity by measuring the rhythm of your pulse. Your heartbeat is unique and can’t be faked, so they say. It’s only available for pre-order at the moment; watch this space.

A more realistic answer

The reality is it’s likely to be a combination of these things. Multi-layer authentication is set to be the future, where we use two or more factors to prove our identity, depending on the perceived risk. So we may use a biometric method (a fingerprint for example) with a simple password or PIN, or scan the information on our smart cards and follow up with a mnemonic prompt.

We’re already using biometric methods on our smartphones, and their GPS or NFC capabilities add yet another layer.

One-time use passwords and PINs are also likely to feature strongly, as is pre-authenticating mobile devices. However, this only works if the device has been registered in the first place.
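An added example, not from the original post: a Python sketch of the layered approach described above, where a PIN alone covers low-risk actions, a one-time code (HOTP, RFC 4226) is demanded when the perceived risk rises, and a device that was never registered cannot use the pre-authenticated path at all. The device name, shared secret and risk threshold are constructed assumptions.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data: one registered device and its shared OTP secret.
REGISTERED_DEVICES = {"phone-alice-01": b"12345678901234567890"}
STEP_UP_AMOUNT = 50.0  # assumed threshold above which a second factor is required


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password as defined in RFC 4226."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server-side state for one device: each code is accepted once only."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.counter = 0      # next counter value not yet used
        self.window = window  # tolerated drift between device and server

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            expected = hotp(self.secret, c).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.counter = c + 1  # burn this code and all earlier ones
                return True
        return False


@dataclass
class Attempt:
    device_id: str
    amount: float       # value of the action being authorised
    new_location: bool  # e.g. derived from the phone's GPS


def required_factors(attempt: Attempt) -> Optional[List[str]]:
    """Return the factors to ask for, or None if the device is unknown."""
    if attempt.device_id not in REGISTERED_DEVICES:
        return None  # pre-authentication only works for registered devices
    if attempt.amount >= STEP_UP_AMOUNT or attempt.new_location:
        return ["pin", "otp"]
    return ["pin"]


def authenticate(attempt: Attempt, pin_ok: bool, otp_code: Optional[str],
                 verifiers: Dict[str, OtpVerifier]) -> bool:
    factors = required_factors(attempt)
    if factors is None or not pin_ok:
        return False
    if "otp" in factors:
        if otp_code is None:
            return False
        return verifiers[attempt.device_id].verify(otp_code)
    return True
```
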

Passwords and PINs will probably never fully go away. But one thing’s for sure – they won’t be replaced by one definitive solution.

Is security in schools about technology or common sense?

Should we turn our schools into fortresses?

Security within schools has always been an emotive issue, and given the recent events in Leeds, it’s been thrust centre-stage again.

There has been a tide of articles in the press recently questioning what security processes can be put into place to keep our schools safe. Installing metal detectors and security technology such as locked gates, personal alarm buttons and access control systems are all being discussed, but do we really want our schools to turn into fortresses?

One of the hot topics is naturally concerned with visitors, and how to make sure you don’t receive any unwanted ones.

Do you rely on technology to control visitors, or common sense?

The answer will probably be related to the number of pupils, layout of the school and the funding available. Small primary schools are unlikely to have the budget – or need – for extensive CCTV systems or biometrics access control technology. Others will benefit from having areas within the school that can only be accessed by staff with the right cards, or doors that automatically lock for certain parts of the day.

But what about those who simply don’t have the funds?

A lot of security comes down to common sense

A lot of ways to prevent unauthorised visitors come down to common sense, which won’t impact on an already stretched school budget. For example:

– Ensure only one main entrance is in use during school hours

– Keep it locked from the outside, so visitors have to call or ring for entry

– Have the entrance ‘manned’ by a receptionist or secretary at all times

– Make sure all playgrounds can only be accessed from within the school

– All visitors – even parents who are known to the school – should use this main entrance and report to the receptionist/secretary

Have a clear procedure for dealing with visitors

The easiest way to deal with visitors is to issue school visitor passes or contractor passes to all individuals, regardless of the purpose of their visit or how well known they are to the staff.

It’s important to adopt a one rule for all stance – if you break the rules for one visitor, your staff will lose faith in the procedure.

School visitor passes usually come as part of a ‘system’ that allows you to record visit date, name, host, company and vehicle information. All these details are held on a discreet bottom sheet, whilst pre-numbered passes are handed to the individuals. This creates a future reference sheet and a current fire register, which meets your health and safety obligations.

Some processes to follow:

– Ensure ALL visitors wear a badge clearly identifying them as such

– Make sure the badge is visible at all times

– Give all visitors information about fire evacuation procedures, child protection procedures and any other relevant health & safety information

– Allocate a person who will be responsible for them during their visit

– Ensure that visitors can’t wander around the school on their own – either bring the allocated person to reception to pick them up or escort them to their contact

– If in any doubt, ask for a form of ID before handing out the visitor’s badge.

Make sure all staff are briefed on your policy

One of the reasons security processes fall down is because not everyone is aware of the policy. Make sure all staff know that every visitor should be clearly identified as such, and give them permission to challenge anyone they don’t know within the school if they aren’t accompanied or wearing a school visitor pass.

School visitor passes can be bought off the shelf, or customised to your own branding. You could choose to include specific school health and safety information for example.

Deter opportunists

Whilst these measures won’t be able to prevent tragedies like Ann Maguire’s death from happening again, they will put off those opportunists who look for open doors or unmanned reception desks. They are an important way of safeguarding our children during a normal day at school.

 

Biometrics in schools: big win or big brother?

“If you don’t know the password you can’t come in.”

It’s a phrase often heard in school playgrounds up and down the country, as children play games with their friends.

But frankly, passwords could soon be irrelevant if biometrics continue to take off in the way that they have.

A piece of research carried out by Big Brother Watch based on data from the 2012-13 academic year, and published earlier this year, revealed that an estimated 40% of schools in England are using biometric systems. It therefore surmised that fingerprints have already been taken from more than one million school pupils; many without their parents’ consent.

These fingerprints are the necessary ‘password’ to access many of the school’s services, from paying for their lunch to checking out a library book.

The argument ‘for’

One upside can be the increase in library books being checked out

Supporters of using biometrics in schools are quick to point out a number of benefits. The most obvious one being security – a fingerprint can’t be copied or lost in the way that an ID card can. Then there’s the speed and convenience: no more queues at a card scanner when arriving at school or rummaging around for coins, holding everyone up, at lunchtime.

Let’s not forget the ‘cool’ factor in all of this as well. Opponents to fingerprinting in schools tend to be the parents, not the kids themselves, who generally welcome the idea, and look forward to the whole ‘sci-fi’ deal that goes with it.

One of the unexpected benefits was found in the library. Some schools reported a big jump in books being borrowed – the kids liked using the fingerprint scanner so they took out more books. Always having the means to check out a book ‘on them’ meant they were more likely to do so.

The solution also helps to ensure equality at meal times. With everyone using their fingerprint to ‘buy’ their lunch, it’s impossible to tell who qualifies for free school meals, which means no-one is singled out.

The argument against

For all its supporters, there are certainly those who are passionately against the use of biometrics. The concerns range from worries over privacy and the ability to ‘steal’ and misappropriate personal data, to the fact that these systems normalise the act of tracking and monitoring pupils’ behaviour.

Some of those responding to the report released by Big Brother Watch talk about the danger of biometric information lying on a database somewhere, at the mercy of hackers or lost by those clumsy enough to leave a laptop on a train. Biometrics providers are quick to point out that records of the actual fingerprint aren’t stored; rather it is encrypted into a series of digits. This is what’s used to confirm ID against the fingerprint presented.

One comment, left by Anonymous, sums up the concerns around privacy in the future:

“Future generations will not have any privacy or know what it is like to have privacy if we do not stop the erosion of privacy now… Yes it might be easier for kids to provide a fingerprint to get a library book out now but can they really be sure that it won’t come back to bite them in the future removing any possibilities of choice and privacy that they might want?”

The Freedom of Information Act

One of Big Brother Watch’s major issues is the fact that as many as 31% of the fingerprints were taken without gaining consent from the parents. With the introduction of the Protection of Freedoms Act 2012, which was passed in 2013, this should be a thing of the past.

The legal framework states that colleges and schools must follow these rules for biometric recognition systems:

– For all pupils in schools and colleges under 18, they must obtain the written consent of a parent before they take and process their child’s biometric data.

– They must treat the data with appropriate care and must comply with data protection principles as set out in the Data Protection Act 1998.

– They must provide alternative means for accessing services where a parent or pupil has refused consent.

A moot point for many schools

Let’s not forget that installing a biometric system doesn’t come cheap, so it simply won’t be realistic within some schools’ budgets. But for those who can afford it, what will be the real price?

You can read the full Big Brother Watch report here

Does your school use a biometric solution? What kind of feedback have you had from parents and the children themselves? We’d love to know what you think.

Smartphones and biometrics: we’re all ears

The iPhone 5S was the first. Its Touch ID fingerprint scanner on the lock screen heralded the beginning of biometrics security as part of smartphone furniture.

But it was easily hacked just two days after the phone went on sale in September last year.

Germany’s famous hacker team, the Chaos Computer Club, were able to create a fake fingerprint from a rubber mould that could then be used with a real finger to unlock the phone.

Another German team, Security Research Labs, have just done the same with the Samsung Galaxy S5, released earlier this month. You can see the video here.

More serious consequences 

Unlike the iPhone, the new Galaxy’s fingerprint scanner does more than just unlock the phone – it can also authenticate payments via PayPal. Which is all the more worrying from a security point of view, as the hacker could be successfully making payments directly into their own bank account.

And there is no limit to how many times you can try to fake it, like there is with the iPhone.

The point being that it gives a would-be-hacker a much greater incentive to create a fake fingerprint in the first place.
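An added example, not from the original post: a Python sketch of why a cap on failed fingerprint attempts matters for payment approval. The sensor model, the sample labels, the passcode and the limit of five failures are all constructed assumptions; no real device API is used.

```python
import hmac
from typing import Callable, Optional

MAX_FAILURES = 5  # assumed limit for this sketch; the post gives no figure


class BiometricGate:
    """Fingerprint check for payments with an optional cap on failed tries."""

    def __init__(self, matcher: Callable[[str], bool], passcode: str,
                 max_failures: Optional[int] = MAX_FAILURES):
        self._matcher = matcher
        self._passcode = passcode
        self._max = max_failures  # None models a scanner with no retry limit
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self._max is not None and self.failures >= self._max

    def authorise(self, sample: str) -> str:
        if self.locked:
            return "passcode_required"  # the sensor is not consulted at all
        if self._matcher(sample):
            self.failures = 0
            return "approved"
        self.failures += 1
        return "passcode_required" if self.locked else "retry"

    def unlock_with_passcode(self, passcode: str) -> bool:
        # A real system would also rate-limit passcode guesses.
        ok = hmac.compare_digest(passcode.encode(), self._passcode.encode())
        if ok:
            self.failures = 0
        return ok


def flaky_matcher(false_accept_on: int) -> Callable[[str], bool]:
    """Constructed sensor model: the genuine finger always matches, and any
    other sample is wrongly accepted on its Nth presentation."""
    seen = {"n": 0}

    def match(sample: str) -> bool:
        if sample == "genuine":
            return True
        seen["n"] += 1
        return seen["n"] == false_accept_on

    return match


def presentations_until_approved(gate: BiometricGate, sample: str,
                                 budget: int) -> Optional[int]:
    """How many presentations it takes to get approved, or None if never."""
    for i in range(1, budget + 1):
        if gate.authorise(sample) == "approved":
            return i
    return None
```

With no limit, the imperfect sensor eventually approves the wrong sample; with the cap, the gate stops listening after five failures and only the passcode restores fingerprint approval.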

But is it really likely?

Is your average Joe really going to lift a high quality fingerprint from clean glass, scan it at high resolution, clean it up and then print it on to latex rubber?

Probably not. As evidenced by the fact that there haven’t been any recorded cases of the method being used beyond the hacker’s tests. Yet, anyway.

So do the ears have it?

Not content with fingerprint or iris biometrics, DesCartes Biometrics has just developed an ear biometric lockscreen app designed exclusively for Android smartphones. The president and CEO of the company, Michael Boczek talks about the convenience of the ‘most natural of phone gestures – lifting your phone to your ear’:

“An individual user simply lifts the device to their ear and presses their ear to the touch screen to authenticate and unlock the device. By combining the most natural of all phone gestures – lifting your phone to your ear – with the unique geometry of your ear, Descartes Biometrics has created a robust and reliable mobile device security solution that is easy to use, non-invasive and non-distracting.”

Currently you can get it on Amazon apps and Google Play.

We can definitely see the logic and the benefit of a different biometric approach to fingerprints. Especially as, in the words of Frank Rieger, spokesman of the Chaos Computer Club, “it is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token”.

But do we really care that much about biometric smartphone methods in general? Is it still just a bit too early for adoption – especially at $3.99 a pop? It’s one thing if it comes as part of the phone, another if you have to fork out hard cash for it.

We’ll be watching the downloads with interest.

 

One password your kids can’t memorise

Samsung are the latest to add a biometrics feature onto their new smartphone.

New biometrics feature authenticates mobile payments

The Galaxy S5, which is currently available to pre-order, will feature a fingerprint scanner in the same way as the Apple iPhone 5 does, with the main button on the front doubling as a scanner to unlock the device.

The security feature won’t just help to protect the phone from unwanted access if it’s lost or stolen, it can also be used to authenticate payments, as Samsung has partnered with PayPal to offer ‘payment-by-finger’.

That’s one way to stop the kids from buying something they shouldn’t on your eBay account.

Is biometrics the future in mobile payments?

This new feature is a talking point, but can we expect this type of technology to become commonplace?

Mobile payments as a concept is proving to be slower to catch on here than was predicted. Market analysts have been saying ‘this is the year’ for nearly a decade, but in the US, only 3-7% of consumers currently use their phones to buy goods in a shop.

Mobile banking is popular, but actually making a mobile payment, for example paying your bill in a restaurant via PayPal, is taking a while to get off the ground. But making person-to-person transactions via your mobile phone is growing, and nearly twice as many consumers are using mobile payments now as did last year.

Is biometrics the stumbling block?

The kids don’t mind

There is still a real reticence amongst consumers about the use of biometrics technology, particularly when it comes to payments. Iris scanners, fingerprint scanners and even the newer palm & vein scanners all generate concerns that primarily revolve around privacy and the potential for misappropriation of data.

Those with a darker side worry about the lengths thieves might go to in order to steal your biometrics password: severed fingers, gouged-out eyeballs etc.

But is it merely a generation thing?

For those who have grown up with the technology, a fingerprint scanner is commonplace. The fact that it’s now part of the latest smartphones makes it part of the furniture. Much in the way that they’re used to being able to stop and rewind live TV (“you mean there was a time when you couldn’t?”), it will become normal to authenticate payments with their own body.

School rules ok?

Many schools, particularly in the US, are looking into biometrics methods to ensure the safety and security of their students. A biometric solution brings a whole host of advantages in terms of access control. Unlike smart cards that can be passed around, stolen or misused, a fingerprint can’t.

There is naturally caution over the introduction of such a system, but most opposition comes from the school administration and parents – not the kids themselves.

After all, using the fingerprint scanner on your smartphone to pay for lunch, take out library books and get in the building isn’t just convenient, it’s kinda cool.

Get used to it, it’s the future

As the oft-quoted Douglas Adams said, in describing our reactions to technologies:

1. Anything that is in the world when you’re born is normal and ordinary and is just a natural part of the way the world works.

2. Anything that’s invented between when you’re fifteen and thirty-five is new and exciting and revolutionary and you can probably get a career in it.

3. Anything invented after you’re thirty-five is against the natural order of things.

So it’s only a matter of time.

Pay for your milk using your veins?

Forget fingerprint and iris scanners. You could soon be able to pay for the week’s groceries using the veins on your hand.

The Biyo: no wallets, no receipts – all you need is yourself

The next thing in biometrics payment authentication?

US biometric company Biyo (formerly Pulse Wallet) have created a revolutionary way to make payments for everyday purchases.

Rather than opting for the mere fingerprint to authenticate payments, like so many other biometric specialists, Biyo have gone for the whole hand.

How does it work?

To set it up, you swipe your credit card as you normally would on the Biyo reader in store, then scan your palm and enter your phone number to link it to your account.

The unique vein patterns in your palm create your own secure biometric password for all future transactions. One of the key benefits being, as Biyo points out, that this is a password ‘you never have to remember.’

Then the next time you pop into a shop (one that supports the Biyo technology of course), all you have to do to authenticate your purchase is wave your hand over the reader. Job done. No more shielding your PIN from the person behind you.

You can then track your transactions online or via the Biyo app.

Will it take off?

The problem, as far as we can see, is ensuring enough merchants sign up to the technology to make it accessible. The fact that you can forget your wallet and still pick up tonight’s dinner by scanning your palm is great, but what if the Take Away doesn’t have a Biyo terminal? You’ll have to drive back home to pick up your cards. Which goes against the benefit of ‘convenience’ somewhat.

It’s only available in the US at the moment, but if it’s successful, you can probably expect it to roll out to other countries.

What’s wrong with a finger – why do we need the whole hand?

Biyo points out that their palm vein pattern recognition uses near infrared light to capture your own individual vein pattern which is more than 99% accurate. The sensor is contactless, so you won’t be leaving traces of your pattern like you can do with fingerprints. Also, the technology isn’t affected by any blemishes or cuts on your hand as it’s looking underneath the skin.

We know what you’re thinking. What if someone chops off your hand and whips it out at the till?

Ignoring the inherent problems of getting a severed hand past the shop assistant, Biyo are quick to put you at ease on this one – it wouldn’t work due to the lack of blood flow.

So that’s a relief.

Find out more at http://biyowallet.com/

No entry – sorry, your face doesn’t fit

If you read in the news about someone not being allowed entry to a club because they were wearing trainers or the ‘wrong type of jeans’, you wouldn’t be surprised.

But to be denied entry because your face isn’t right? Surely not.

Well actually, yes.

3D facial recognition technology for an exclusive membership club

“You may enter, 007”

MorphoTrak, an established provider of biometric readers for access control, has just introduced its 3D facial recognition technology to The Marque, an exclusive membership club in Houston, Texas.

The technology means that you won’t be allowed in unless your face fits – quite literally. A quick glance at the reader and members are instantly recognised, and the access control door unlocks to allow entry.

The Morpho 3D Face Reader™ is described as being ‘lightning-speed’, highly secure and convenient. The General Manager of The Marque comments that it’s “all very James Bond – which is why we love it.”

We can definitely see one advantage to this latest trend in access control: you won’t have to put your glass of champagne down to open the door.

ID cards replaced in a heartbeat?

Ever thought you’d be able to unlock a door or your PC with your heartbeat?

No? We didn’t either. But Bionym’s latest brainchild – the Nymi – promises to do all that, and more.

It’s enough to set our pulses racing

On first glance, the Nymi is a simple looking wristband, a bit like a minimalist watch. But according to Bionym, it’s actually “the first wearable authentication technology that allows you to take control of your identity through cardiac rhythm recognition”. Or put another way, this nifty wristband is able to authenticate your identity by measuring the rhythm of your pulse.

So in any situation where you have to prove your identity to do something – like use your ID cards, pay for your lunch or boot up your laptop – the Nymi will automatically do it for you.

The latest advance in access control?

There have been a lot of innovations unveiled recently in the world of access control and ID card security. HID Global have recently introduced their gesture-based methods – which would allow us to open doors with the right wave of the hand. New biometric methods and smartphone technologies continue to make headlines. Will this new wristband be the way you unlock your car doors in the future?

Be still my beating heart…

What we want to know is what happens if your heartbeat speeds up or down? What if someone in the office reception sets your heart racing? Will you be locked out until you calm down?

We’ll have to wait and see – it’s early days. The company haven’t released the hardware yet, or the developer program.

However if you want to be first in line when they do come out, you can pre-order for the launch price of $79. There’s even a choice of colours.

See more at http://www.getnymi.com/

Stepping up access control in schools: is biometrics the answer?

Biometrics will increase security, but how many will opt out?

Security is always at the forefront of the school agenda, and never more so than recently. More educational establishments are embracing the many benefits presented by access control reader systems in terms of identifying and controlling who enters their buildings. In most cases this means presenting staff and pupils with access control key cards, fobs or tokens – which often double up as ID cards.

Biometrics offers more security and peace of mind   

Some institutions are now looking at increasing the level of protection offered by access control solutions, and that search inevitably leads them towards biometrics.

Installing a biometrics system is an obvious choice for schools in many ways: it negates the threat of stolen or lost tokens, it prevents the misuse of entry cards and ‘tailgating’ and on a simple level, does away with the ‘But I forgot my card/fob today’ scenario. In simple terms, a system employing biometrics prevents entry to anyone who doesn’t have a right to be there.

So why aren’t more schools going down the biometrics route?

The Protection of Freedoms Act

The Protection of Freedoms Act 2012 (which comes into force in September 2013) makes that decision a great deal trickier. Under the terms of the Act, schools and colleges will need to notify and gain consent from parents if they intend to use and store their children’s biometric information. But pupils themselves will also be able to refuse to participate, even if their parents have consented.

This new legislation applies to the storing of biometric information such as fingerprints, eye retinas and irises, voice patterns, facial patterns and hand measurements.

Where a pupil or parent refuses consent, the school/college will have to provide an alternative. Which means they could end up with a mix of security systems in place: not ideal for administration or equality, not to mention the bottom line.

Access control manufacturers such as TDSi see this as an opportunity for education providers rather than a threat. They regard it as an opportunity to future-proof security systems and offer real choice. They advocate a multi-format access control reader that (as the name suggests) offers multi-format security options (biometric, token or PIN). Doing so means there will be choice now and in the future as the security market continues to rapidly develop.

Schools and colleges will need to weigh up the pros and cons for themselves, and see if biometrics is the right route.

Read more about what TDSi think here.