At the Google I/O 2015 conference, Google's Advanced Technologies and Projects (ATAP) Group demonstrated Project Abacus and Project Vault, which gave a glimpse into a potential future of mobile authentication as well as information security in a world of untrusted devices.
Project Abacus starts out with the premise that we all carry smartphones that contain a variety of sensors.
These sensors can measure a variety of modalities such as how we walk, our location patterns, how we talk, how we type, and our faces.
To date, none of the research done with individual modalities has been able to create a system that matches the security of a 4-digit PIN.
The question that the project team sought to answer was "If the modalities were sufficiently independent, can they be combined to offer an authentication option better than fingerprints or passwords?"
They call this multi-modal authentication and took into account the following modalities:
- How you swipe
- How you move
- How you type
- How you talk
- Your face
The mobile device, using built-in sensors that measure the above modalities on an ongoing basis, generates a trust score that can be used by an application for authentication. This is not a point-in-time binary 'yes/no' decision; it enables a decision to be made on a continuum.
The three comments made during the presentation that I found to be of particular interest were that (1) all processing was local, (2) the approach may prove to be 10-fold more secure than the best fingerprint authentication, and (3) it could be enabled by a simple software update.
I am looking forward to the validation of these claims by independent researchers.
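To make the trust-score idea concrete, here is an added sketch (not Google's implementation, which the presentation did not detail) that fuses per-modality matcher scores into one continuous score and lets each application set its own threshold. The Gaussian score models, the 0.5 prior, the application names and the thresholds are all constructed assumptions, as is the conditional independence of the modalities.

```python
import math

# Constructed matcher-score models per modality (illustrative values only):
# ((mean, std) for the genuine owner, (mean, std) for an impostor).
MODELS = {
    "swipe": ((0.70, 0.15), (0.45, 0.15)),
    "move":  ((0.65, 0.20), (0.40, 0.20)),
    "type":  ((0.72, 0.15), (0.50, 0.15)),
    "talk":  ((0.80, 0.10), (0.50, 0.15)),
    "face":  ((0.85, 0.10), (0.45, 0.15)),
}

def _log_gauss(x, mean, std):
    """Log density of a normal distribution at x."""
    return -0.5 * ((x - mean) / std) ** 2 - math.log(std * math.sqrt(2 * math.pi))

def llr(modality, score):
    """Log-likelihood ratio: evidence that this score came from the owner."""
    genuine, impostor = MODELS[modality]
    return _log_gauss(score, *genuine) - _log_gauss(score, *impostor)

def trust_score(observations, prior=0.5):
    """Fuse whichever modalities were observed into P(owner | scores).

    Assumes the modalities are conditionally independent, so their
    log-likelihood ratios simply add. Missing modalities contribute nothing.
    """
    log_odds = math.log(prior / (1 - prior))
    log_odds += sum(llr(m, s) for m, s in observations.items())
    return 1 / (1 + math.exp(-log_odds))

# Hypothetical per-application thresholds on the same continuous score.
THRESHOLDS = {"game": 0.60, "email": 0.95, "banking": 0.9999}

def allowed_apps(observations):
    """Applications whose threshold the current trust score satisfies."""
    t = trust_score(observations)
    return sorted(app for app, need in THRESHOLDS.items() if t >= need)

if __name__ == "__main__":
    owner = {"swipe": 0.70, "move": 0.65, "type": 0.72, "talk": 0.80, "face": 0.85}
    print(trust_score({"swipe": 0.70}), allowed_apps({"swipe": 0.70}))
    print(trust_score(owner), allowed_apps(owner))
```

With these constructed numbers no single modality clears the strictest threshold, while all five together do, which is the case the project's question about independent modalities is asking about.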
Project Vault is a micro-SD form-factor card that, when plugged into a device, makes available to the device a suite of cryptographic tools to enable hashing, signing, bulk encryption, streaming encryption as well as a strong hardware random number generator.
It is operating system agnostic, so will work with a variety of both mobile and desktop operating systems. To the OS it behaves like a proc file system without any kernel drivers, which means that developers don't have to do anything special in order to utilize it.
It enables functions ranging from encrypting data at rest to encrypting streaming end-to-end video communication. The on-stage demo encrypted the chat session between two phones.
The algorithms in the vault are not exposed to the host system, so you can plug it into an untrusted device while being confident that the host system will not be able to corrupt the vault's crypto services.
It also comes with 4GB of isolated, sealed storage which can be used for enabling capabilities such as an immutable logging system where evidence of malicious activity cannot be covered up by tampering with the logs.
I found this highly interesting since it opens the door for some innovative design approaches and architectures, where the mechanisms used for protecting our personal information use portable, trusted hardware that we carry with us, have control over, and have confidence in.
Once more into the breach
100,000 taxpayer records were compromised.
Excuses will be made. Others will be blamed.
Capitol Hill will "demand answers" and ignore any answers that require change in behavior or long term investment.
Those affected will be offered "free credit monitoring".
"Too often, breached orgs like to stress they were targeted by 'sophisticated attackers' as if that excuses inadequate threat assessment" - Steve Wilson
"The IRS's process for verifying people requesting transcripts is vulnerable to exploitation by fraudsters because it relies on static identifiers and so-called "knowledge-based authentication" (KBA) i.e., challenge questions that can be easily defeated with information widely available for sale in the cybercrime underground and/or with a small amount of searching online" - Brian Krebs
"Recent headlines that criminals exploited identity proofing systems used at the IRS website should come as absolutely no surprise to anyone. What’s surprising to me is that anyone still relies on public PII (personally identifiable information) data when they know how widely it’s been exploited over the past few years." - Avivah Litan
This is damned frustrating! I raised the warning about this issue almost 2 years ago. We will continue to suffer as long as we refuse to learn from our own past and the experiences of others.
cyberforge: random and relevant
NIST is seeking comments on its draft NIST Internal Report 8062, Privacy Risk Management for Federal Information Systems
UK GDS updated its Digital Service Standard
The reliance on KBA/KBV in the U.S. does not bode well for the expected increase in Card Not Present (CNP), i.e. online, fraud that has resulted when moving to EMV