From Open Sesame to Biometrics - Authentications have been Vulnerable
We all have come across the famous old fable of "Ali Baba and forty thieves", Ali Baba happens to come across a bunch of thieves and secretly watches the leader of the gang open the cave by uttering the words "Open Sesame", the cave opens to reveal vast treasure amassed by the thieves. With the magical phrase disclosed, Ali Baba was able to make it into the cave to strike a fortune. This probably is the oldest known instance of a situation where the password had been compromised J.
Times and characters have changed but theme remains unchanged. Today caves holding treasures have shrunken to Systems, hard drives, phones and chips and the keys to unlock them have been transformed. Oral "Magical" spells have been evolved to characters that need to be keyed in.
Passwords have been the most traditional form of Authentication for a long time which I consider nothing but "Open Sesame 2.0", where phrases or characters are to be actually keyed in to get you the access. This approach though mitigates the risk of you having to speak it loud but has its own problem of being weak in terms of being guessable or hard to remember and prone to be key logged. Being a de facto option it's been a target of most of the current innovations.
Of recently Biometrics have become a popular alternative for traditional passwords, most of recent consumer electronics products have embraced this feature. So are they really secure or to be safe, are they at least better than the traditional passwords? I doubt.
Biometrics as a password are an irony in itself due to the obvious reason that the password is quite evident. So why the hype? The only factor that makes it safe (or rather gives you that feeling) is the fact that it's unique to the user and can't be replicated by others, so do you think that's enough or worth having it? Example below will help you realize my point.
When it comes to fingerprint sensor (those found in smartphones and laptop), there might be complicated ways to imitate the fingerprints, which you can find googling, but for my little son who does not know anything about security it's much easier to break this barrier, all he does is when I am a sleep or busy with something else, he would just take my phone to contact with my finger and presto, he has access to his games, so isn't that easy as a child's game? So from security perspective your unique key is just too obvious and quite vulnerable.
Next I happen to come across Surface Pro 4, which is the latest offering from Microsoft and is equipped with state of art and innovative facial recognition, once setup, all you have to do is come in front of the Surface Pro 4 and it recognizes you and logs you in without even needing to press a single key. So that's great, right? Keep reading to find more.
With my earlier experience of my son's innovative method, I just thought for a moment and started thinking like a kid, first what I did was to take a selfie using my smartphone and showed that to the Surface cam, but that did not work. I thought the reason could be either the size or it was looking for a three dimensional image, the later one would have been difficult to mimic based on my time and resource, but the former was not an issue, next I used a Tab to take a selfie and used the picture in the tab in front of the Surface cam and presto!! It worked. Surface Pro without any issue quickly allowed me in. Now this looked like a bigger risk, unlike fingerprint sensor where a physical contact is required, in today's world of Social Media anyone can have access to photos and hence can fool facial recognition.
Say Mr. X has access to Mr. Y's device, all that Mr. X has to do is get hold of Mr. X picture load it to tab and show it to the device Cam and it's done'
The moral of the story is nothing is hundred percent secured, especially when it comes to Biometrics definitely not! So the story of Open Sesame and Ali Baba are here to stay.