Passwords are about to get some much-needed assistance -- from your body
Passwords are "inconvenient and insecure," according to Microsoft executive Joe Belfiore in a March 17, 2015, post on the Windows blog. Yahoo security chief Alex Stamos says passwords "are so incredibly, ridiculously broken that it is almost impossible to keep users safe as long as we have any." Stamos is quoted by KSL.com's Brandon Bailey in a March 23, 2015, article.
Despite their acknowledged weaknesses, we'll be entering passwords for a good long time to come. Fortunately, we won't rely solely on passwords to authenticate ourselves. Our computers and devices will be able to sense something unique about us -- our fingerprint, face, iris, heartbeat, even the way we press keys -- before granting access.
But not right away. First, the sensors have to be added to our phones and computers. For example, Intel's RealSense 3D camera technology is required to make full use of facial recognition in Windows Hello, the biometric authentication feature that will ship with Windows 10. (Windows Hello will also work with fingerprint scanners built into computers and devices.)
RealSense uses infrared signals to capture a 3D image of your face even in situations with poor lighting, as Computerworld's Agam Shah describes in a March 18, 2015, article. Microsoft has joined the FIDO Alliance (Fast IDentity Online), which will extend biometric authentication to online services.
Authentication via two devices is safer than via just one
Until the biometric options are available, the most secure way to protect your data is by using two-factor authentication, which is offered by Google, Amazon, Facebook, Twitter, and most big-name online services. In a January 2013 CNET post I described how to enable two-factor authentication on Google, Facebook, PayPal, Dropbox, and other sites.
With two-factor authentication enabled, after you enter your ID and password, you're prompted to enter a code that has been sent to your phone via text. The extra step can be a hassle, but use of a second device ensures that your data is safe even if someone gets hold of your password. Unfortunately, the method doesn't protect against a breach of the service's own servers. (Nor does any other client-side security measure, for that matter.)
Yahoo recently announced a way to access your account by entering a one-time password that the service sends to your phone in a text message. Tech Crunch's Jon Russell explains in a March 16, 2015, post that security experts criticize the approach because if you lose your phone, the person who finds it (or who stole it) can access your account by entering the password in the text message. Since the message displays on the welcome screen, the person doesn't even need to enter the phone's passcode.
The wait for access via biometric identification may not be long. Dan Miller reports in a February 25, 2015, article on Find Biometrics that financial-services company USAA has begun a trial program offering its customers a mobile app that provides authentication via facial recognition or voice recognition. The financial industry and government are driving adoption of biometrics, according to a report from Research and Markets cited in a March 23, 2015, article on Find Biometrics.
For instance, the British bank Halifax is using the Nymi Band wrist-based sensor that measures your heartbeat to identify you. Danny Palmer explains in a March 16, 2015, article on Computing that the bank wants to make its services as convenient a possible for its customers.
In fact, customer dissatisfaction with password security is a major factor in the push to implement biometric authentication. Tech Radar's Jamie Carter writes in a March 10, 2015, article that 16- to 24-year-olds are most anxious to use biometrics for secure sign-ons. The so-called Generation Z is also most likely to share passwords and PINs, according to a recent report issued by Visa Europe.
The perils of purloined biometric information
Despite the promising outlook for biometric authentication, privacy advocates are concerned about the potential downside of collecting such personal information. What if your facial profile, fingerprint, iris, heartbeat, keystroke pace, or other unique biological identifier were misused, lost, or stolen?
CSO's Bob Violino writes in a March 3, 2015, article that if your password is compromised, you can simply enter a new one. But if the digital version of your unique physical characteristics falls into the wrong hands, you can't merely generate a replacement. Other concerns are the cost of collecting the biometric information for each user, and the lack of 100-percent accuracy in authenticating users biometrically. Tech Radar's Carter quotes 451 Research's Garret Bekker stating that fingerprint, face, and voice recognition can only hope for 95 percent or perhaps 99 percent accuracy, which may not be sufficient for some critical applications.
In addition, Internet crooks have figured out how to outwit biometric authentication systems. In a March 10, 2015, article, Bloomberg's Olga Kharif describes how researchers for German company Security Research Labs were able to fool a facial-recognition system by holding up a photograph of the person's face and waving a pen in front of it to mimic the blinking required by the system to authenticate the user as human.
Likewise, hackers have defeated fingerprint scanners by lifting the fingerprints off photographs, and more than a decade ago Yokohama National University cryptographer Tsutomu Matsumoto and his team demonstrated how to use gelatin to lift fingerprints off surfaces and use them to fool fingerprint scanners. In a January 13, 2015, article, the Christian Science Monitor's Joe Uchill describes these and other methods for spoofing biometric authentication.
Get ready for tiers of data security
Passwords have been so popular for so long because they're cheap and they work well enough to protect most of your data, most of the time. But the hassle quotient of passwords is going nowhere but up: we've got more accounts than ever, and they hold more -- and more sensitive -- data than ever. Also, criminals are finding ever new ways to breach password-based security systems. Biometric devices hold the promise of reducing user aggravation while making it much more difficult for hackers to breach our data.
The most likely data-security scenario is one that locks our most-sensitive data behind a combination of biometric sensor and password, while protecting less-sensitive information with either biometrics or a password (or an authentication method we haven't even thought of yet). Even though biometric authentication introduces some new problems -- high startup costs, protection of the biometric data itself -- it has to be better than today's patently unsafe and inconvenient passwords.
Eight ways to breach cell-phone etiquette at work
If you want to get ahead in the workaday world, you have to know how not to tick off your coworkers. One of the easiest ways to get on your officemates' bad side is to misuse your cell phone in your shared space.
In a March 23, 2015, article, Forbes' Kate Ashford lists the eight most common smart phone faux pas in the workplace. Ashford cites a Kessler International survey that found "untimely and inappropriate use of cell phones" is the number one employee etiquette breach.
According to an expert on office decorum, you risk alienating your coworkers if you check your phone during client meetings, you use your phone during networking events, you have your phone in view at work or during a business meal, you talk too loudly, you take personal calls in your cubicle, or you have an obnoxious ringtone.
Not on Ashford's list of inappropriate cell-phone behavior is absenting yourself to take a personal call during work hours; quietly playing games or otherwise recreating on the device; capturing unsuspecting coworkers in photographs, videos, or audio recordings; and blasting music through the headphones so loudly they can hear it two floors up. The safest course is to hide the existence of your phone from coworkers entirely.
"She had a cell phone? Who knew? But she's going to do great as our new CEO."
How to beat a patent troll: Fight back with all you've got
So-called non-practicing entities are companies that own patents solely (or principally) for the purpose of exacting payments from other companies they accuse of infringing on the patents. The standard response to receiving a demand letter from so-called patent trolls is to pay them off to make the problem go away.
As a long-term solution to misuse of patents, this approach is the equivalent of trying to get rid of cockroaches by feeding them to death. Life360 CEO Chris Hulls took a different tack when a company called AGIS accused his firm of patent infringement. As Ars Technica's Joe Mullin explains in a March 23, 2015, post, Hulls took the offensive, calling out the law firm representing the plaintiff, open-sourcing the prior art it found on AGIS's patents, and refusing to settle at all costs.
Not only did Life360 win the case, Hulls has proposed his strategy as a blueprint for other companies facing threats from patent trolls. Step one is to "go nuclear" by using any legal means to discredit the plaintiff's claims. Step two is to share your information in defense of the charges with other potential defendants. Step three is to take a hard line and stick with it to the end.
Mullin notes that AGIS doesn't fit the textbook definition of a patent troll because it has released a legitimate product, but Hulls points out that AGIS's behavior in the case was straight out of the patent-troll playbook. In particular, AGIS never competed directly with Life360.
Was AGIS a "bully" as Hulls claims, or simply an ordinary business living up to its fiduciary duty to maximize the profitability of its assets? The fact that AGIS lost the case indicates that maybe it didn't have the strongest case to begin with. There's also no indication about the validity of the patent at issue. Still, you can't argue with the positive results of Life360's take-no-prisoners response to AGIS's patent claims.
Target's class-action data-breach settlement is a boon for the defendant
When Target agreed to create a $10 million cash fund to be paid to members of the class of consumers damaged by its massive data breach in late 2013, the company executives likely threw themselves a little celebration. Kevin McGinty explains in a March 23, 2015, post on the JD Supra Business Advisor site that the typical award in a class-action data-breach case not involving medical records is $1 or less per class member.
Why? Because it's difficult for class members to prove monetary damages directly related to the data breach. Considering that there were potentially 110 million class members in the Target suit, per-member awards may fall far short of the average in such cases.
Two other figures jump out of the proposed settlement agreement: $6.7 million (the amount the plaintiffs' lawyers will collect from the settlement), and $252 million (the overall cost to Target in responding to the breach). Not included in the settlement are claims against Target by the class of credit-card issuers, who are on the hook for the bogus charges that resulted from the retailer's massive data loss.
It can be argued that Target's customers don't have a claim against the company because few suffered any direct monetary damage due to the breach. However, no one can state unequivocally that consumers won't ultimately be the ones footing the bill for the multi-million-dollar loss, if only indirectly via higher credit-card and bank charges.
The lawyers did okay, as usual, so it's not all bad news (wink, wink).