Showing results for tags 'authentication'.
-
Bad news first, folks. LastPass, our favorite password manager (and yours), has been hacked. It’s time to change your master password. The good news is, the passwords you have saved for other sites should be safe.

LastPass has announced on their company blog that they detected an intrusion to their servers. While encrypted user data (read: your stored passwords for other sites) was not stolen, the intruders did take LastPass account email addresses, password reminders, server per user salts, and authentication hashes. The latter is what’s used to tell LastPass that you have permission to access your account.

According to LastPass, the authentication hashes should be sufficiently encrypted to prevent anyone from using them to access your account. However, the company is still prompting all users to update their master password that they use to log in to their LastPass account. If you use LastPass, you should do this immediately. If you share that master password with any other services, you should change it there, too. Finally, if you haven’t enabled two-factor authentication you should do that immediately here.

We’ve talked about what happens if LastPass gets hacked before. As it stands, it doesn’t seem that this hack resulted in any significant data losses for users. However, it’s still important to take steps necessary to protect your account as soon as you can.

LastPass Hacked, Change Your Master Password Now
-
Apple iOS 9 users will be required to use six-digit passwords instead of four-digit codes when logging in to a device. The tech giant also announced it would be using two-factor authentication for users signing into Apple services from a new device or browser. The updates will apply to all Apple devices enabled with TouchID. With the new authentication process, users will receive a verification code sent to their device after submitting their password. They will then have to enter the code in the new device or browser in order to gain access to apps and services. Apple unveiled the new features on Monday at its 2015 World Wide Developers Conference in San Francisco. The company also introduced new features including: Apple Music, Apple Car Play, Wallet and a public transit option in Apple Maps, available later this year. Source
-
The options currently available for user authentication fall within three categories: authentication through something that the user knows, such as a PIN or a password; something the user has, such as a token with random codes, a flash drive or a proximity card; and something the user is identified by through the use of biometrics or something physically unique to the individual.

Today’s system security professionals speak of passwords being too weak; this means that authentication, which for years has been the most widely used tool to protect data and systems, has been often proven too easy to break or too impractical to use when systems administrators enforce long, complex and unmemorable alphanumeric passwords. Tokens and other devices have also proved not always effective due to the cost of production and distribution and the possibility of being stolen and used fraudulently.

So what are the alternatives? Biometrics, for one, can be used for password replacement. This is an ideal solution for identity-based authentication of computer users as it is for securing a computer facility. The article focuses on understanding why so many people and businesses depend on biometrics to provide the highest level of security, and it will address some of the new developments in biometric science that may just help boost its acceptance and offset some of its shortcomings, as well as address where the future lies for this type of technology. The uncertainty today is whether biometrics will play an important role in the future.

Biometrics Exposed: How it Works for User Authentication

Biometrics is the science and technology that analyze human body characteristics. It is based on measuring and analyzing biological and behavioral data. Biometric recognition simply draws on patterns and measurements (characteristics that are unique to individuals) for authentication.
Many security experts agree that user authentication by means of linking a person to his/her body part(s) to establish an identity is a preferred method to enhance security. In many cases, in fact, biometric-based personal identification/verification technology even eliminates the need for usernames or passwords. As a logical control, biometric systems can provide entry into systems; as for physical security, they come in handy to control access to secure areas.

Biometric progression requires two stages: “enrollment” and “authentication.” The first phase consists of a capturing and an extraction stage. A user is enrolled by having biometric data collected through a device that records distinctive physical characteristics and/or behavioral traits. Video-optical images or thermal imaging scanning are examples of what can be used for this purpose. Data are extracted from the sample and a template is created. Data are then stored in a database where each template is linked to a person for future identity matching.

The second part of the process is the authentication when data extracted are compared with the stored template so the individual can be identified or verified. This phase also is comprised of two stages: comparison (the template is compared to the sample) and the match/non-match decision. Fundamentally, the course of action is detection, recognition, verification, and then validation.

Examples of biometric data that can be used for identification and authentication are fingerprints, facial recognition, iris scans and even vein scanning. These biometric traits are seen as especially “unique” identifiers for recognizing humans. Most biometric techniques are implemented using a sensor, which is used to scan, identify and authenticate someone to a system or entry point, only after having compared the extracted physical or behavioral feature-set against stored templates residing in a database.
In general, biometric methods are exceptionally reliable for a positive identity match. A false-positive or false-negative is rare, although possible, depending on the accuracy of the biometric systems and sensor characteristics. Although the hardware needed to implement biometric verification can be quite expensive, this type of technology has proven worth the price. As with all electronic technologies, biometric devices can be fooled by impostors, but they are still becoming more commonly used at business locations and in work centers as trusted recognition systems that are sustainable in the long term to control access to high-security areas and, more importantly, to prevent identity theft.

Types of Biometrics: Physical and Behavioral Traits

There are two main types of biometric traits used for verification: physical traits, more commonly used so far, and behavioral, solely based on measurements and data derived from an action or series of actions performed by users. Physical biometrics uses “biological properties” that can uniquely determine an identity. Behavioral biometrics is based on “characteristic traits” exhibited by a person that can lead to his or her identification.

Physiological biometrics includes face recognition technology and finger- and hand-scan in addition to the measurements and data derived from patterns of the iris or retinal scan that reads the blood vessels in the back of the eyes for identification. Physiological biometrics (in particular fingerprints and DNA) is already widely used in forensics for criminal identification.

Fingerprints, for one, have been used for years to prove an individual’s identity electronically based on unique biological characteristics. The method has been used to distinguish one individual from another, as no two people have the same fingerprints. Fingerprint scanners can capture the user’s finger imprint to compare the person’s identity with a created unique biometric template.
A person’s fingertip has come to be the most widely used biometric data.

Behavioral biometrics includes voice-scans, signature-scans and keystroke-scans. The human voice was found to be a viable authentication thanks to the possibility of being recognized through unique voiceprints. Although effective, it is less secure than other behavioral traits like a keyboard-scan, for instance, that has no user interference. Signature and keystroke scans can help recognize individuals by analyzing the way they write or by patterns in keystroking.

Privacy, Concerns and Security Issues

The biometric authentication technique based on “something users are” is considered the most secure method over a PIN or passwords and smart card technology for physical and logical access control. Every so often, an uncovered password has led to a compromised system, while the use of cards has made information vulnerable when lost or stolen. Biometric traits are normally unique and permanent and hard to reproduce, especially in view of advances in technology, data communication security and biometric extraction devices.

According to Biometrics.gov, the central source of information on biometrics-related activities of the U.S. federal government, “most biometric systems have a high accuracy (over 95 percent and many approach 100 percent) when matching biometrics against a large database of biometrics and when matching a biometric against the originally enrolled biometric.” The advantage of biometric security over more conventional systems is that it is easier to use for authentication situations, and yet it offers improved reliability and strengthened information delivery capabilities.

Despite these advantages, there are, however, open issues involved with these systems, some technical and some privacy-related. Much of the skepticism that surrounds biometric technology has to do with the privacy concerns on storage, transmission and utilization of data that are perceived as extremely personal.
Users are mostly concerned, especially now that the technology has been introduced in the mobile device world, about the safety of their unique identifiers and about the efficacy or lack of laws that govern use and misuse of personal bio data. Another source of concern is the increased use of biometrics in health service facilities and government, especially when mobile biometrics technology is used to verify identities anywhere on the go. The concern regards storage of data and their transmission to mobile devices.

For the most part, the fact that information on people’s body features and behavior traits is recorded has always been a concern for many people worried about their privacy. Many see the storing of data and records as an infringement of privacy and personal rights. Biometric factors that are unique to a subject could lead to the development of tracking or monitoring of somebody’s movements from that point on. Some fear biometric data could be accessed and misused.

Users have expressed concerns over a number of biometric-related issues and possible forgeries. Authentication based on a signature-scan that analyzes handwritten text is often seen as simple to spoof, as forgeries are possible by a simple optical scanner or a camera. That may be why digitized electronic signature generation, even if considered legally binding on documents, is not widely used, and other behavioral biometric technologies are now used in its place.

A fingerprint reader that is embedded on the laptop or keyboard or added through a USB port is a good alternative. However, fingerprints could also be compromised, as fingerprints can be lifted from touched items by an imposter looking to gain fraudulent access to resources. Voice biometric systems unfortunately are sometimes prone to loud ambient sounds or low-quality inputs that tend to interfere with the ability to successfully record a usable sample.
A voice biometric system could also be tampered with by someone able to record another’s voice, and play it back later to gain entry. Other difficulties come from input sensors being too sensitive, for example, to aging or facial expressions.

These are all valid concerns related to the use of biometrics technology. It is true that biometric traits have been spoofed; however, they are definitely more secure than many other systems of authentication because they are natural, physically or behaviorally linked to a person. Reproducing them requires sophisticated techniques and advanced technology knowledge that is not required to spoof and crack other methods (as getting hold of a token or stealing passwords is a much simpler feat in comparison).

In biometrics, what is stored is not an exact image of what has been scanned (the fingerprint, the retina, etc.) but a collection of binary numbers created when scanning; this extra passage is devised to prevent malicious hackers from reproducing exactly the image from which the numbers were extrapolated. Knowing humans are often the weakest link in the security chain, password-based security mechanisms (that can be cracked, reset, and socially engineered) might be substituted by biometrics that can be a natural, effortless, and much more accurate way to authenticate.

The Future

Biometrics is often seen today as an additional layer of protection to add to other, more traditional, authentication systems like passwords and PINs. Using a second (or even a third) authentication mechanism may provide a much higher level of security to verify the identity of a user. What the future might hold is a shift from multi-type secure authentication to simply using synergistic multiple biometric systems.

Unimodal biometric systems are based on identification through only one trait. This is obviously not as accurate as we could wish and might not be adequate to all applications and uses.
Also, if collection of that single data is affected in any way (for example by cream on hands that are fingerprint identified or by noise when collecting voice), accuracy would be limited. In addition, collecting only one type of data could exclude part of the user population when particular disabilities are present. The possibility of spoofing a single biometric data is higher than that of compromising more. This is why a multimodal biometric system that uses more than one trait for identification can be more reliable and resolve ambiguities and accuracy concerns.

Advances in behavioral-based (dynamic) biometrics are also giving new life to this technology and are providing better and more accurate ways to authenticate users. Finger writing is a good example. This is a recognition verification system based on gesture movement, comprised of a system able to learn a user’s unique way of writing by collecting data through subsequent logins. The user is asked to handwrite four characters using their fingertip or pointing device, and the software is able to extrapolate the unique way these letters and numbers are written (length, speed, angle, height). Tests on this system have shown it is actually one of the most accurate systems of recognition available. Research by Tolly Group, a testing and third party verification provider, for example, has found a confidence rating of 99.97% and 27 times greater accuracy than keystroke analysis.

In terms of use, the future of biometrics could be in mobile devices and applications for eGovernment, eHealth and eBanking. Through biometric mobile scanning devices, authentication and identification can be brought to the field. It is easy to imagine the possible uses for such systems for other professions, like law enforcement, border control, medical and emergency services, or even to secure access to government or financial services.
The trend is (in order to ensure less possibility of spoofing, replication of physical traits and privacy concerns) to base biometrics systems on the collection of non-physical, dynamic traits. For example, the US military is developing a “cognitive fingerprints” system that might be able to replace the use of faces, fingers and irises as an identification trait. In West Point, in fact, an algorithm is being developed that allows identification through the way individuals interact with their computers; it considers behavioral-based information such as typing speed, writing rhythm and even common spelling mistakes. The algorithm is able to create a unique fingerprint for each user by putting together multiple behavioral and stylometric information that, collectively, are very difficult to reproduce. Once fully implemented, this solution could transfer from military use to civilian, more mundane applications in e-banking, access to services and to secure devices.

Will the privacy concern be solved? Not really, as many believe collection of this type of data could easily be embedded in applications commonly used by users and create concerns for widespread classification of users. Privacy vs. Security will be the battle to be fought for these systems’ implementation.

Nevertheless, biometric technology could soon become mainstream thanks to the growth of the mobile devices market. Biometrics Research Group, Inc. estimates that the sale of smartphones, in the U.S. only, will grow to 121 million in 2018. Due to this proliferation and to the increased functionalities they offer their users, their analysts believe there will be a strong push toward the integration of biometric technology to replace traditional authentication via pin and password. Biometrics Research Group, Inc. predicted that already in 2014 over 90 million smartphones would be shipped with biometric technology, while Goode Intelligence has forecasted that by 2019 the number of mobile and wearable biometric technology users in the world will reach 5.5 billion.

Conclusion

Today, biometrics matter more than ever before. In this digital-driven era, more users will come to rely on biometrics as an answer to problems concerning systems security and authorization matters. Although privacy, security and accuracy concerns are still valid, biometrics is still a system that promises the security and ease of use necessary for modern users needing access (even on-the-go) to sensitive data.

Biometrics is already hard to forge or spoof, and new advances in technology and new trends like multimodal can really ensure the highest security that sophisticated authentication can give to facilities and computer networks. As scanning devices are made less prone to mistakes and less subjected to sensor error, it will even become easier and faster to implement a biometric security system on a larger scale. This, coupled with its use on mobile devices, will ensure the technology is used for a wide variety of new scopes, including border and law enforcement controls.

Although biometrics may be susceptible to false matches, possibly due to scanning and sensor errors, there are ways to minimize this, currently, by utilizing multi-factor options like a password or smartcard combined with biometrics to add an extra layer of security towards authentication. If used together, and not alternatively, the systems are significantly stronger than when used individually.

Two-factor authentication is not a new concept. Newest trends, however, see multi-biometrics (the use of different sets of biometric data simultaneously) as a good alternative to increase matching accuracy for identification and verification.
Multimodal biometrics systems, which use multiple sensors for data acquisition, offer multiple recognition algorithms and take advantage of each biometric technology while overcoming the limitations of a single technology. Advances in algorithms considering dynamic biometrics that are less linked to physical characteristics but more to behavioral traits is where civilian and military researchers are concentrating their efforts in trying to devise a security system that is, at the same time, foolproof, reliable and quick to use.

The call for quicker and more secure authentication systems for mobile devices will also boost the adoption of biometric technology. As biometric devices become more secure and error-free as well as more affordable, the extra security that they can provide, ultimately, will outweigh any shortcoming of this technology as well as problems and concerns on privacy and safety. We might be closer to the end of passwords.

Source
-
Nearly half of people aged 16 to 24 foresee the end of passwords and pin numbers by 2020 as biometric security takes over, according to research by Visa.

The research of 2,000 people revealed that 69 percent of respondents aged between 16 and 24 - dubbed 'Generation Z' - believe it will be easier and faster to use biometric identification than remembering passwords and pin numbers. This age group is also keen to adopt biometric security. Some 76 percent feel comfortable with the concept of making payments using biometric data.

Jonathan Vaux, executive director at Visa Europe, told V3 that the use of biometric authentication in smartphones as seen in Apple's latest iPhones will help drive demand for the technology. "Fingerprint biometrics in particular are entering the mainstream as a security measure, with the likes of Apple and Samsung relying on biometric security to enter their phones, and more recently the launch of Touch ID and Apple Pay," he said.

Generation Z also favours fingerprint scanning over other forms of biometric identification, the research revealed. Nearly 70 percent expressed a desire to use fingerprints rather than passwords, while 39 percent favour retina scans and 27 percent favour face recognition.

Vaux explained that biometrics technology will continue to evolve, offering more secure identification by scanning vein patterns in fingers rather than fingerprint systems which can be hacked. This evolution of biometrics and increased demand from consumers will break down the scepticism and criticism that some consumers show for the technology. "We mustn't discount biometrics as a viable form of security. When passwords were first introduced consumers needed to be educated on how to be safe and secure when using them," said Vaux.

However, Vaux does not believe that passwords will disappear completely, but will become a secondary layer of security to further reduce the risk of fraud. "There are some concerns surrounding biometric security measures, such as whether fingerprints can be reproduced. Biometric security could be coupled with password or Pin authentication to maintain higher levels of security," he said. "In the future there may not be one security measure, but a combination of several - the biometric equivalent of two-step authentication."

Biometric security is undoubtedly becoming more widespread. Apple added its TouchID fingerprint scanner to the latest range of iPads and iPhones, and Barclays has introduced a tool that scans the vein patterns in a finger.

Source
- 9 replies
-
SAN FRANCISCO — A team of European and American mathematicians and cryptographers have discovered an unexpected weakness in the encryption system widely used worldwide for online shopping, banking, e-mail and other Internet services intended to remain private and secure.

The flaw — which involves a small but measurable number of cases — has to do with the way the system generates random numbers, which are used to make it practically impossible for an attacker to unscramble digital messages. While it can affect the transactions of individual Internet users, there is nothing an individual can do about it. The operators of large Web sites will need to make changes to ensure the security of their systems, the researchers said.

The potential danger of the flaw is that even though the number of users affected by the flaw may be small, confidence in the security of Web transactions is reduced, the authors said.

The system requires that a user first create and publish the product of two large prime numbers, in addition to another number, to generate a public “key.” The original numbers are kept secret. To encrypt a message, a second person employs a formula that contains the public number. In practice, only someone with knowledge of the original prime numbers can decode that message.

For the system to provide security, however, it is essential that the secret prime numbers be generated randomly. The researchers discovered that in a small but significant number of cases, the random number generation system failed to work correctly.

The importance in ensuring that encryption systems do not have undetected flaws cannot be overstated. The modern world’s online commerce system rests entirely on the secrecy afforded by the public key cryptographic infrastructure.

The researchers described their work in a paper that the authors have submitted for publication at a cryptography conference to be held in Santa Barbara, Calif., in August.
They made their findings public Tuesday because they believe the issue is of immediate concern to the operators of Web servers that rely on the public key cryptography system.

“This comes as an unwelcome warning that underscores the difficulty of key generation in the real world,” said James P. Hughes, an independent Silicon Valley cryptanalyst who worked with a group of researchers led by Arjen K. Lenstra, a widely respected Dutch mathematician who is a professor at the École Polytechnique Fédérale de Lausanne in Switzerland. “Some people may say that 99.8 percent security is fine,” he added. That still means that approximately as many as two out of every thousand keys would not be secure.

The researchers examined public databases of 7.1 million public keys used to secure e-mail messages, online banking transactions and other secure data exchanges. The researchers employed the Euclidean algorithm, an efficient way to find the greatest common divisor of two integers, to examine those public key numbers. They were able to produce evidence that a small percentage of those numbers were not truly random, making it possible to determine the underlying numbers, or secret keys, used to generate the public key.

They said they “stumbled upon” almost 27,000 different keys that offer no security. “Their secret keys are accessible to anyone who takes the trouble to redo our work,” they wrote.

To prevent this, one of the organizations that had collected the public keys has removed the information from the Internet and taken steps to protect it from theft.

To perform their study, the researchers used several databases of public keys, including one at the Massachusetts Institute of Technology and another created by the Electronic Frontier Foundation, an Internet privacy rights group.
The foundation’s database results from a project, known as the SSL Observatory, originally intended to investigate the security of the digital certificates that are used to protect encrypted data transmitted between Internet users and Web sites. “We were very careful: we did not intercept any traffic, we did not sniff any networks,” Mr. Hughes said. “We went to databases that contained public information and downloaded public keys.” Source: http://www.nytimes.com/2012/02/15/technology/researchers-find-flaw-in-an-online-encryption-method.html?_r=0
-
hwk is an easy-to-use wireless authentication and de-authentication tool. Furthermore, it also supports probe response fuzzing, beacon injection flooding, antenna alignment and various injection testing modes. Information gathering is selected by default and shows the incoming traffic indicating the packet types.

README

DATE
8/03/2013

AUTHOR
atzeton - http://www.nullsecurity.net/

LICENSE
GNU GPLv2, see COPYING

What is hwk?
===============
hwk is a collection of packet crafting/network flooding tools:

- hawk for flooding the air with preconfigured or non-interactively gained information
- eagle for RADIOTAP WLAN MGT and LLC header packet crafting. It also supports appending random 'payload'

WARNING: This is a BETA release since it hasn't been tested sufficiently.

Dependencies:
=============
- libpcap

How to install?
===============
    make
    (as root) make install
    make clean

INFO: CAP_NET_RAW, CAP_NET_ADMIN, CAP_SYS_ADMIN (ioctls) capabilities are automatically set during installation.

Usage
=====
See --help or the man files of hawk/eagle or man files!

Bugs
=====
If you find any bugs, feel free to drop me a line!

Stay tuned
==========
* http://nullsecurity.net/

Download HWK Wireless Auditing Tool 0.4 (Packet Storm)