PayPal Wants You to Inject Your Username and Eat Your Password

Discussion in 'privacy technology' started by ronjor, Apr 17, 2015.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
    http://blogs.wsj.com/digits/2015/04...o-inject-your-username-and-eat-your-password/
     
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    No thanks! It seems biblical in a prophetic sense.

    In retrospect the concept does offer convenience and protections not currently available. Still, I cannot imagine a world where I would TRUST the powers that be with the complete oversight of my "vitals". Could you imagine the control the Admins would have over any transaction at all? o_O
     
  3. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    There is only one reason for this push towards biometric authentication. It is a way around the Fifth Amendment: once arrested, they can "take" your biometric authentication from you.
     
  4. nozzle

    nozzle Registered Member

    Joined:
    Jul 3, 2012
    Posts:
    76
    Location:
    San Diego, CA
    LOL. My uncle has atrial fibrillation (AFIB) and a heartbeat password would be his undoing. Vein recognition would not work well with an amputation without changing your bio-password in time. Whatever happened to good old two-factor security? Bio can change but language will stick around a very long time. End of rant.
     
  5. x942

    x942 Guest

    Biometrics are powerful - For identification - when done correctly. It is just normally implemented badly. For example: Fingerprint readers. Fingerprints are the second worst biometric available (Voice is the worst). Not only do you leave them everywhere you go, but they are also not unique enough. Retina, Iris, and Heart Beat are all stronger forms.

    With that said the second issue comes into play: Biometrics don't carry enough entropy to be used as a single factor. You don't want to rely on biometrics to encrypt data for example, there just isn't enough entropy available from that source.

    How do you use biometrics properly?

    Two or Three factor authentication. For example: Data is encrypted with your password, but you need to authenticate biometrically before you can even supply the password.

    A way to implement this in a tri-factor state would be a token like the Yubikey. The Yubikey uses a strong One-Time-Password for two-factor; if you added a fingerprint sensor to it you could be assured that the person with the Yubikey is the owner.

    This gives you the following: Password + OTP + Fingerprint

    • Something you know (Most important)
    • Something you have (Second Most important)
    • Something you are (Least important)
    In this model, biometrics are used as a last ditch effort to avoid compromise. Someone knows your password AND has stolen your Yubikey. They still can't access your server because they need your fingerprint to authenticate with the yubikey before it will send out the OTP.

    This example uses a fingerprint reader as it is the only biometric that could fit on a device like the Yubikey. Ideally you would want something like Heart Beat or Retina scan which are far more unique.

    Ideally biometrics should only be monitored by the local device as well. There are a few interesting startups working on portable solutions; one is a Bluetooth wrist band that monitors heart beat and sends a simple "yes" or "no" to the device. There is no way to read the data from the device, it is locked inside. An app can simply ask the wrist band if the correct user is present or not. All biometrics should be done this way. In a Trust-No-One state.
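    The layered model described in this post (password, OTP from a token, and a fingerprint check that never leaves the token, with only a yes/no crossing the boundary) as an added, runnable sketch. This is constructed example code, not anything from PayPal, Yubico or the poster. The `hotp` routine follows RFC 4226; the `BiometricGatedToken` and `Server` classes, the exact-match "fingerprint matcher" and the sample credentials are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class BiometricGatedToken:
    """Hypothetical fingerprint-gated OTP token (the post's 'Yubikey with a sensor').

    The OTP secret and the enrolled template never leave the object; the only thing
    the biometric check produces is a yes/no, like the wristband described in the post.
    """

    def __init__(self, otp_secret: bytes, enrolled_template: bytes) -> None:
        self._secret = otp_secret
        self._template_hash = hashlib.sha256(enrolled_template).digest()
        self._counter = 0

    def _local_match(self, sample: bytes) -> bool:
        # Constructed stand-in for a fingerprint matcher. Real matchers are fuzzy
        # (false accept / false reject rates); an exact template match stands in for
        # that here, because the point is WHERE the check happens, not how.
        return hmac.compare_digest(hashlib.sha256(sample).digest(), self._template_hash)

    def press(self, sample: bytes):
        """Emit the next OTP only after a local biometric match; otherwise emit nothing."""
        if not self._local_match(sample):
            return None
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code


class Server:
    """Relying party: verifies 'something you know' and 'something you have'.

    It never receives biometric data; the 'something you are' factor is enforced
    entirely inside the token.
    """

    def __init__(self, password: str, otp_secret: bytes, look_ahead: int = 10) -> None:
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash_password(password)
        self._secret = otp_secret
        self._counter = 0              # next counter value expected from the token
        self._look_ahead = look_ahead  # tolerate a few presses that never reached us

    def _hash_password(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 200_000)

    def login(self, password: str, otp) -> bool:
        pw_ok = hmac.compare_digest(self._hash_password(password), self._pw_hash)
        matched = None
        if otp is not None:
            for c in range(self._counter, self._counter + self._look_ahead):
                if hmac.compare_digest(hotp(self._secret, c), otp):
                    matched = c
                    break
        if not (pw_ok and matched is not None):
            return False
        # Advance past the used counter so the same OTP cannot be replayed.
        self._counter = matched + 1
        return True


def demo() -> dict:
    """Walk through the scenarios from the post and return each outcome."""
    secret = b"12345678901234567890"   # RFC 4226 test-vector secret; constructed enrolment
    finger = b"constructed-owner-fingerprint-template"
    token = BiometricGatedToken(secret, finger)
    server = Server("correct horse battery staple", secret)
    results = {}
    # Attacker knows the password AND holds the token, but cannot pass the local gate.
    results["password_and_stolen_token"] = server.login(
        "correct horse battery staple", token.press(b"attacker-finger"))
    # Legitimate owner: all three factors present.
    first_otp = token.press(finger)
    results["owner"] = server.login("correct horse battery staple", first_otp)
    # The same OTP captured and replayed: the counter has moved on, so it is rejected.
    results["replayed_otp"] = server.login("correct horse battery staple", first_otp)
    # Fresh OTP but wrong password: the knowledge factor still blocks access.
    results["wrong_password"] = server.login("wrong", token.press(finger))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26s} -> {'granted' if ok else 'denied'}")
```

    The design choice worth noticing is that the server's `login` has no biometric argument at all: the only artefact of the fingerprint check that exists outside the token is whether an OTP was emitted, which is the "yes or no" boundary the post argues for. The counter look-ahead window is what lets the server tolerate presses that never reached it while still rejecting replay of a code it has already accepted.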
     
  6. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    Yes, I can see its usefulness as a supplement to password authentication, but if you read the article it is about ending the use of passwords altogether and replacing them with biometrics.
     
  7. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    This executive at PayPal is surely out of his mind, or he's really that stupid. Amazing.
     
  8. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
    I fully believe at some point in the future this will be true. Call me crazy, but I believe each person will at some point have an identifier or a "bar code" or something similar where everything they do is tracked from. Sort of like a futuristic SS #. And no, I don't wear a tin foil hat or believe in ETs, but I fully do believe the world is headed that way, sadly.
     
  9. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    708
    Glucose levels aren't unique. They vary depending on your diet, exercise and a lot more factors. As does almost every factor in your stomach and intestine. I don't know any way to interpret an identity from someone's glucose level. But what are the other unique internal features?

    And from another related article

     
  10. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    Biometrics suffers from non-repudiation failure. So it should not be used in this context.

    To be fair, what they seemed to be majoring on was implants and things attached to you somehow, which at least have the merit of lower false-positive/false-negatives, and could in principle be repudiated by removing them.

    Paypal are part of the U2F consortium, and I believe they are looking to use the "biometrics" under that standard. But what I'd much prefer is them to offer at least an option on a normal U2F dongle, which has much better privacy characteristics than biometrics.

    What I suspect is that they want to cover themselves against financial losses, which would be easier to do if biometric. I also don't trust Paypal an inch after their behavior with Wikileaks and Protonmail.
     
  11. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    From what I've been able to gather (not that much, they are being extremely guarded about details of what they are planning), Paypal seem to be wanting to use locally scanned biometrics, and mediated to the service via the Fido U2F standards (Paypal is a member of that consortium). If that were true, then at least the 2nd/3rd factor would be more under your control. I've been unhappy about not having any adequate TFA on Paypal for a while now.

    Whatever these guys do, they need to get on with it, and need to be concerted with other major organisations. They've left this way too long as it is, and we already suffer from standards Babel with TFA. At least U2F generates certificates locally.
     
  12. x942

    x942 Guest

    I understand what PayPal wants to do, and it is bad IMO, but I am trying to dispel the wrongful idea that biometrics are bad. It's not that black and white. Biometrics are great for what they are. They have use cases, just not as a sole factor authenticator.

    Agreed. I currently use PayPal's CreditCard authenticator and it works, but it is clunky. They need to support either U2F or Yubikey or Google Auth. Not their out of date VeriSign crap.
     
  13. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I'm sorry, but this is not about biometrics, this is 100% stupidity.
     
  14. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    Or, you could say that the implants themselves might even reduce the base level of stupidity! Can't get lower than 100%...
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,948
    Location:
    USA
    No thanks! It's just another way for the government to spy on and track you. There's the probability of it causing health problems. Also, hackers would start hacking hardware inside people's bodies then.
     