The Microsoft vulnerabilities are tied to Office 2016, its Edge browser and its Local Security Authority Subsystem Service (LSASS). First up is a critical security bulletin issued by Microsoft that is tied to a swath of bugs found in Adobe Flash Player used in its Windows 8.1 OS (64-bit, 32-bit), Windows RT 8.1, multiple versions of Windows 10 and Windows Server 2016.
Those Adobe Flash Player vulnerabilities were outlined earlier Tuesday by Adobe when it announced a bevy of patches that addressed code execution flaws in Flash, Reader and Acrobat.
Besides applying the requisite patches, Microsoft suggested disabling instances of Adobe Flash Player in Internet Explorer and other applications that honor the kill bit feature, such as Office 2007 and Office 2010. As for the three bulletins marked as important, Microsoft identified an Office bug (MS17-002) that could allow remote code execution if a user opened a specially crafted Office file.
This vulnerability was originally identified by Microsoft as critical, but Microsoft later downgraded the bulletin to important.
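The kill-bit workaround Microsoft refers to above is a registry setting, and it is worth seeing what it actually does. The following PowerShell is an added example written for this page; it is not code from the Microsoft bulletin or from the article. It assumes the well-known Flash Player ActiveX CLSID `{D27CDB6E-AE6D-11cf-96B8-444553540000}` and the documented kill-bit value `COMPATIBILITY_FLAG_KILLBIT` (0x400), and must be run from an elevated prompt.

```powershell
# Added example, not from the Microsoft bulletin or the article above.
# Sets the ActiveX "kill bit" for the Adobe Flash Player control so that
# Internet Explorer and other hosts that honor the kill bit (e.g. Office
# 2007/2010) refuse to instantiate it. Run from an elevated PowerShell
# prompt. Assumptions: the Flash Player ActiveX CLSID below and the
# COMPATIBILITY_FLAG_KILLBIT value 0x400, both documented by Microsoft.

$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$KillBit    = 0x400   # COMPATIBILITY_FLAG_KILLBIT

$Paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid")
if ([Environment]::Is64BitOperatingSystem) {
    # 32-bit hosts on a 64-bit OS read the Wow6432Node view of the hive.
    $Paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
}

foreach ($Path in $Paths) {
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # Preserve any compatibility flags already present; only OR in the kill bit.
    $Current = 0
    $Prop = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -ne $Prop) { $Current = [int]$Prop.'Compatibility Flags' }
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value ($Current -bor $KillBit) -Type DWord
}

# Verify: each path must now report the kill bit as set.
foreach ($Path in $Paths) {
    $Flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags').'Compatibility Flags'
    [pscustomobject]@{
        Path       = $Path
        KillBitSet = (($Flags -band $KillBit) -eq $KillBit)
    }
}
```

Two caveats a practitioner should keep in mind. The kill bit only stops hosts that consult the ActiveX Compatibility key; a host that does not (Microsoft Edge, for one, loads no ActiveX controls at all) needs its own control, so this is a stopgap alongside the patch, not a substitute for it. The script ORs the flag into any existing value rather than overwriting it, so other compatibility flags already set on the control survive; to undo it, clear the bit or delete the `Compatibility Flags` value.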
The flaw (CVE-2017-0003) impacts specific Office applications such as Microsoft Word 2016 (64-bit, 32-bit) as well as Microsoft SharePoint Enterprise Server 2016. “Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights,” according to the bulletin. Elevation of privilege vulnerabilities (MS17-001), rated important, were found in seven versions of Microsoft’s Edge browser and were also patched. “An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies with about:blank, which could allow an attacker to access information from one domain and inject it into another domain.
An attacker who successfully exploited this vulnerability could elevate privileges in affected versions of Microsoft Edge,” according to Microsoft. An additional denial of service vulnerability rated important was also patched, impacting Microsoft Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 (and Server Core).
The DoS vulnerability (MS17-004) exists in the way the Local Security Authority Subsystem Service (LSASS) handles authentication requests, said Microsoft. “An attacker who successfully exploited the vulnerability could cause a denial of service on the target system’s LSASS service, which triggers an automatic reboot of the system,” Microsoft said. Today’s Patch Tuesday, the first of 2017, marks the first monthly cycle in which Microsoft does away with individual bulletins for its newer products.
Instead, patches for those products are delivered as a single installable package; under the new patch management regime, Windows Vista still gets bulletins. Microsoft’s Patch Tuesday coincides with the release of cumulative updates for nearly all versions of Windows 10, including the Anniversary Update for PCs (Build 14393.693).
The update did not introduce new features; rather, it fixed several security-related issues, including ones affecting fingerprint authentication and App-V Connection Groups, and an issue that had allowed two similar input devices to work on the same machine.
So, you've installed a password manager and replaced all of your lame and duplicate passwords with strong, unguessable ones.
That's a good start. Now you need to think about what protects that treasure trove of stored passwords.
A lone master password just isn't enough. You need additional authentication factors to keep those passwords secure.
True Key by Intel Security (2017) places more emphasis on multi-factor authentication than just about any competitor, and it works across Windows, macOS, Android, and iOS.
You can install True Key and use it completely without cost, if you don't need to store more than 15 passwords. Once you hit that limit, you must pay $19.99 per year, which isn't bad.
Sticky Password costs $29.99 per year; Dashlane and LogMeOnce go for $39.99 per year.
At $12 per year, LastPass 4.0 Premium costs less than True Key, but not by a huge amount.
Anybody can go to the True Key website, download the app, and start using it immediately.
During the process, you do have to create a master password of at least eight characters. You're encouraged, but not forced, to either use all character sets or create a lengthy passphrase, with spaces permitted.
Once the app is installed, it prompts you to install browser extensions for Chrome, Internet Explorer, and (new since my last review) Firefox.
An extension for Microsoft Edge is available, but it must be installed directly from the Store.
For Chrome, Firefox, and Internet Explorer, the extension communicates with the True Key app.
Edge doesn't permit that, so the Edge extension is basically a recreation of the app itself.
True Key works hard to ease you into password management.
It starts by displaying a list of over two dozen popular websites and encouraging you to add one as a login. When you click an item, it opens that page in the browser and displays a popup explaining that all you need do is log in as usual.
Intel's app also walks you through the process of clicking a saved item to automatically revisit the site and log in.
Once you've used the product a little, it suggests that you add another authentication factor.
The PC I used for testing has a webcam, so it suggested adding facial recognition.
Basic Password Management
True Key does all of the basic password management tasks you'd expect.
It captures your credentials when you log in to secure sites, plays them back if you revisit such sites, and lets you visit and log in to a site with one click.
If you're creating a new account, it notices, and offers to generate (and save) a secure password.
By default, it creates 16-character passwords using all character types—the resulting passwords are plenty tough.
This utility doesn't just assume that every login was a success.
If its algorithm indicates a high probability that the login worked, it saves the credentials but gives you an option to never save this site, or to skip saving it once.
But if it's not sure, it instead asks you whether or not to save credentials.
It's a subtle touch, and a nice one.
Most secure websites follow the same standards for the login page, which makes the job of a password manager easier.
Some, though, go wildly off-standard. LastPass and Sticky Password Premium handle weird logins by letting you enter all the data and then capture every field on the page. LogMeOnce works from a catalog of almost 4,500 known websites.
True Key handles oddball logins in its own way.
If it can't properly capture login credentials, it sends a report to its masters at Intel for analysis.
They aim to update True Key to handle that site (both for you and for all other users) within 24 hours.
You can also import passwords stored insecurely in your browsers.
If you choose to do so, True Key clears them from the browser and turns off the browser's password capture facility.
There's also an option to import from LastPass or Dashlane 4. New since my last review, you can export True Key's data in the JSON data exchange format.
There aren't a lot of settings to worry about, but you'll definitely want to change one of them. Like Zoho Vault, RoboForm Everywhere 7, and most other password managers, True Key logs you out after a period of inactivity.
But unlike most others, the default for this period is a full week! I strongly recommend setting it to no more than 30 minutes.
Furthermore, you should note that this is a per-device setting, not global to your account.
You can save any number of free-form color-coded secure notes.
There's also a Wallet feature that lets you save address, credit card, driver's license, membership, passport, and social security number data, with appropriate data fields for each type. You can create as many of these as you want, and color-code them. However, you can't use them to fill in Web forms the way you can with LastPass, Password Boss Premium, and most for-pay password managers.
True Key sticks to the basics.
It doesn't have the actionable password strength report or automated password changing ability you find in LastPass, Dashlane, and LogMeOnce Password Management Suite Ultimate.
The company tells me that this feature is planned for the next edition. You can't categorize, group, or tag your saved logins.
There's no secure sharing of passwords, or password inheritance, either.
But what it does do, True Key does well.
True Key's real strength lies in its ability to use multiple factors for authentication. Right from the start, you can require both the master password and a trusted device.
Any attempt to log in from another device requires additional authentication.
For example, when I installed it on an Android device, it asked to verify using facial recognition.
You can add other factors on the My Factors page. Your trusted email account is automatically available for verification.
If you wish, you can enhance facial recognition so it requires you to turn your head from side to side.
That's so that nobody can log in using a photo of your face.
And you can require authentication using a second device, typically a mobile device.
The second device receives a request for authentication, and you simply respond by swiping, much like the Keeper DNA feature in Keeper Password Manager & Digital Vault 8.
At the default Basic security level, you choose from a subset of these possibilities. You can't deselect Trusted Device; that's a given.
To that, you add either master password or face-based authentication.
If you raise the security level to Advanced, it adds the option to use a second device.
At this level, you must choose exactly two factors besides the trusted device.
I tried choosing all three and was baffled when it wouldn't let me save my settings.
The security level and authentication choices are specific to the device you're using.
If you want to always use Advanced authentication, remember to change that setting on each new device.
If you've gone out without your second device, or if it's too dark for face recognition, never fear. You can choose to use a different factor, such as email verification. On iOS devices you can use Touch ID as a factor. New in this edition, fingerprint verification is available for certain Android devices, but only those whose fingerprint readers meet Intel's criteria for accuracy.
When you use the Edge extension, you get another option for authentication, Windows Hello.
This is the same feature that lets you log into your Windows account using face recognition, fingerprint authentication, or a PIN on a trusted device. Which of these are available depends on the capabilities of your PC. My very new but low-end Windows 10 all-in-one has a lovely camera, but not lovely enough for Windows Hello to use it.
New since my last review, True Key can use a PC-installed fingerprint reader for authentication.
It also supports Intel's RealSense camera technology, and can protect its data using Intel's SGX (Software Guard Extensions) on CPUs that support it. (Being part of Intel pays off.)
True Key doesn't attempt to pull in every possible authentication factor.
Dashlane, LastPass, and Keeper support Google Authenticator. Keeper, LogMeOnce, and Zoho Vault can send a one-time password via SMS. LastPass, LogMeOnce, and Sticky Password can modify a USB drive so it serves as an authentication factor.
But really, True Key's choices for multi-factor authentication are well thought out, and work well together.
Kill the Password!
LogMeOnce lets you create your account without ever defining a master password, using a variety of other factors instead. With oneID, you can't create a master password even if you want to; it relies strictly on authentication using a trusted device.
True Key requires a master password to get started, but you can go passwordless quite easily.
At the Basic security level, you can authenticate using your face, not a master password.
If you wisely choose Advanced, you can authenticate with face recognition and a second device.
Password managers that do rely on a master password usually offer a warning that if you forget that password, they can't help you. (That also means they can't be compelled to unlock your account for the NSA, which is a plus.) Intel can't unlock your account, or tell you the master password you forgot, but as long as you've defined enough other factors, True Key lets you authenticate with those and thereby reset the master.
If someone else tries to reset the master password, you get an email alert, with an option to lock password recovery for a day.
Three failed tries trigger that lock automatically.
I did my desktop testing on Windows, but True Key is equally at home on a Mac. You won't get the option to log in with Windows Hello, of course, but other than that the experience should be almost the same.
All of the same features and abilities are available in the Android and iOS apps, but laid out appropriately for the mobile form factor. New with this edition, you can configure mobile devices to use three authentication factors. On iOS, True Key installs as a Safari share-box extension, just as LastPass and Dashlane do. On Android, it offers instant login for Opera and the native browser.
You're not likely to lose a desktop computer, but it's awfully easy to misplace a mobile device.
If someone else gets hold of your device, the multi-factor authentication system should be able to prevent them from accessing it.
To make it even tougher for a thief, you can remotely remove the device from the trusted list.
Every successful modern password manager syncs passwords across all your devices.
True Key by Intel Security goes a step further, involving those devices and your biometric data in the authentication process.
It's easy to set up, easy to use, and attractive.
If only it also had the advanced features that grace its competitors, it would be even better.
LogMeOnce Password Management Suite Ultimate also offers many different authentication factors, but just two at a time.
It's even more feature-packed than long-time favorite LastPass 4.0 Premium. With Dashlane 4 you get all your password management needs in a slick package that's as attractive as True Key's.
These three are our Editors' Choice commercial password managers.
But if your main concern is multi-factor authentication, True Key has them all beat.
For the rest of us freeloading, the gratis edition has added a “Security Challenge” that looks for weak and duplicated passwords, then suggests you change them.
Security firms view the development as another sign of the mainstream availability of biometric authentication, comparing it to the introduction of TouchID fingerprint authentication technology in the iPhone. Javvad Malik, security advocate at enterprise security tools firm AlienVault, said that “selfie pay” is seemingly an attempt to bridge the gap between a fully authenticated method, such as chip and PIN – and unauthenticated payments methods such as contactless. “The use of a selfie as an authentication mechanism may seem like something that a millennial cooked up whilst browsing Instagram one night,” Malik said, “however, payments have always been about risk management.
Banks have typically been good about walking the line between convenience and security.” He added: “From a security viewpoint, financial fraud will never be completely eradicated, and increasing security too much will inconvenience users - so for banks it’s a fool’s errand. Rather, the controls needed should be sufficient to keep fraud within tolerances whilst providing customers with a convenient experience.” Robert Page, lead penetration tester at Redscan, struck a more cautious note. “User passwords are typically the easiest point of attack in computer systems and this is driving increased adoption of biometric authentication systems,” Page said. “These systems, whilst typically more secure, can pose their own set of issues however.
For instance, if biometric information is captured and used by an attacker, it's not possible for a user to change his or her imprint as they would a password. Mastercard’s implementation of facial recognition requiring a user to blink appears to be a novel solution to prevent others from taking a picture of a user.
The effectiveness of its implementation is yet to stand the test of time, however,” he added.
David Meyer, VP of product at OneLogin, said that facial recognition offers the potential to finally displace passwords as an authentication technology in enterprises. “Biometrics have been an interest for enterprise IT for some time,” Meyer said. “They haven't become mainstream yet, lacking both reliability and ubiquity.
For example, options like fingerprints are not available on all devices, and even fewer computers, without additional hardware.
Voice recognition has the benefit of near-ubiquity in some companies, where the majority of people have a phone, but has proven unreliable, unable to authenticate when there is background noise. “Passwords remain very common because they always work, but of course can be stolen or discovered.
For this reason most enterprises employ multiple factors of authentication, perhaps a password together with a single-use code,” he added. Meyer argued that facial recognition technologies could finally spearhead the widespread use of biometric technologies in the enterprise.
“Over the coming years we will see biometrics become more common in the enterprise and facial recognition is the likely core, seeing as cameras are becoming ubiquitous and the recognition software is becoming very reliable. Our customers are already discussing these biometric factors with us and how they can be best applied.”
“Multiple passive factors can be combined for added security. Phone apps can detect your heart rate by the pulsing flush of your skin; keyboard clacking patterns can distinguish you just like your fingerprint. Combined with whether your location is 'typical' or changes too quickly, identity systems can flag suspicious behaviour and prevent unwarranted access while it is happening,” he concluded.
The move is the latest in an industry that for years has said the traditional password system for verifying a user's identity has been riddled with problems, from being a weak security measure to forcing users to remember huge numbers of different passwords for signing into their systems and onto websites. Biometric methods, such as fingerprints or facial or voice recognition, offer ways of securing systems, websites and online payments more easily while freeing users from having to type in an array of disparate passwords as they move across the internet. Technologies enabling this transformation are becoming more mainstream, and each company in the partnership brings with it particular capabilities.
For its part, the FIDO Alliance was launched in 2012 by Lenovo, PayPal and others to encourage the development of authentication methods that are easier and more secure than passwords.
It now has more than 250 members, including many top-tier tech vendors like Google, Microsoft, Intel, ARM, Qualcomm, Samsung, Dell, Lenovo and eBay, and other organizations in such areas as financial services and telecommunications. "The average user has to remember passwords for many different accounts, from PC log-in, email to online shopping," Johnson Jia, senior vice president of Lenovo's PC and Smart Device Business Group, said in a statement. "We wanted to help change that by freeing users from the burden of remembering complex passwords by providing a simple authentication solution." Brett McDowell, executive director of the FIDO Alliance, said in a statement that "passwords are a universal problem that is not limited to mobile devices.
Every internet-connected device needs the ability to upgrade to simpler, stronger FIDO authentication." Lenovo officials did not say when systems with the new fingerprint authentication technology will hit the market, but Jia said Lenovo—the world's top PC vendor—will bring the new technology to its laptops beginning with the Yoga 910 convertible PC. Key to strong authentication systems that don't require passwords is having the technology based on the hardware, according to Lenovo officials.
In this case, it includes Intel's 7th Generation Core chips that include the processor maker's Software Guard Extensions (SGX) technology and Synaptics' Natural ID fingerprint sensor, which comes with enterprise-level security via TLS 1.2 encryption.
The combination of the technologies not only can securely capture encrypted user credentials, but also store them in the hardware, making them less open to malware attacks. The Natural ID Fingerprint Solution is secured by such SentryPoint features as TLS 1.2 encryption and anti-spoofing algorithms, and is technology PayPal uses to help make payments in the system more secure. "Today's notebook and PC users want solutions that are safer and more convenient for online transactions," Godfrey Cheng, vice president of marketing at Synaptics' Human Interface Systems Division, said in a statement. The desire to find authentication methods that don't require passwords comes amid continuing reports of breaches that expose personal information about users. Most recently, officials with online giant Yahoo announced yesterday that the company had just discovered a breach that occurred in 2014, with hackers stealing account information—such as names, telephone numbers, email addresses and encrypted passwords—from at least 500 million users. Yahoo officials said the attack was carried out by "state-sponsored" hackers, though they didn't say from what country.
The growth in fingerprint authentication for mobile payments via Apple’s Touch ID technology and the like is driving increased acceptance of the technology. Consumers favour fingerprint authentication (88 per cent) as the most secure form of payment ahead of other biometric authentication options such as iris-scanning (83 per cent) and facial recognition (65 per cent). When asked whom they would trust to offer biometrics authentication as a service to confirm identity, the largest percentage selected banks (85 per cent) and payment networks (81 per cent) ahead of global online brands (70 per cent), and smartphone companies (64 per cent).
This level of trust in banks has grown significantly in the past two years, up by 20 percentage points from 65 per cent in 2014, when the Visa Biometric Payments study was first conducted. Only one in three thought government agencies could look after the data and do the job properly. “Visa is already supporting a number of institutions in the development of emerging forms of authentication,” said Kevin Jenkins, UK & Ireland managing director at Visa. “We will continue our role as an enabler of payments and will remain tech agnostic when working with banking partners to ensure that new and emerging forms of payment authentication take place securely, conveniently and discreetly.” Robert Capps, VP of business development at NuData Security, warned that physical biometrics such as fingerprints, selfies and voice authentication are far from foolproof. “Unlike passwords, physical biometrics can’t be changed.
It’s the lasting and permanent nature of physical biometric data that may have more negative impacts than passwords since, as in the OPM Breach, once these have been released into the wild, they pose a risk for the lifetime of the victim who can do nothing to change this core data,” Capps cautioned. “Loss of fingerprint data is not just a theoretical concern, as several large breaches over the last couple of years have exposed fingerprint data en masse.
Stolen data is often traded and consolidated into larger, more accurate profiles that can be re-used for a number of nefarious purposes, from espionage to identity theft and financial fraud.
Selfies and voice biometrics have contextual issues: it may not always be appropriate to take a selfie or provide a voice sample to authorise an online transaction,” he added.