Random links #12

Written on 12 March 2019, 09:27am

I believe that the AirPods' success can be explained by the bandwagon effect: “the rate of uptake of […] trends increases the more that they have already been adopted by others”. They slowly made their way from mockery to status symbol.

~~~

At first sight, a bank card with a built-in fingerprint reader seems to be an excellent idea, right? You trade the PIN code (something that you know) for your fingerprint (something that you are). From a usability point of view, it’s a major step forward (PIN codes can be forgotten, misplaced, shoulder-surfed, reused, social engineered, etc.). But from a privacy point of view things don’t look so good anymore. The initial plans indicate that the users still have to walk into a branch to enroll their fingerprints – which (probably) means that the bank will get to know your biometric data. Which cannot be reset, as we all know.
A possible alternative is to ditch the bank card altogether and use something that you have with you all the time: your smartphone (see Apple Pay, Google Pay) – in addition to your biometric data which never leaves your device. But this solution is not inclusive: not everybody owns a smartphone.

~~~

The results of this study are really sad and show that, in reality, we are far, far away from secure-by-design principles. “Researchers asked 43 freelance developers to code the user registration for a web app and assessed how they implemented password storage. 26 devs initially chose to leave passwords as plaintext” (via)

~~~

Read this thread in full. Brilliant

~~~

AQI data on the Apple Watch complications

Written on 18 October 2018, 10:20pm

If your AQI (Air Quality Index) complication is only showing ‘–’ instead of the real value, then it’s probably because Apple does not have the AQI data for your selected city. See below the difference between a city that does have AQI data (Gold City) and another one that doesn’t (Brussels) – you can check it for yourself in the default iOS Weather app:

A few tips:
1. to change the default city on the Apple Watch, open the Watch app on your iPhone and go to My Watch / Weather / Default City.
2. if the default iOS Weather app does not provide AQI data for your city, there is still a chance that other apps – like Air Matters – will do. If that’s the case, you will need to install that app on your watch and use its complication to show the AQI on your watch face.
3. if you are interested in the quality of your indoor air, get an air purifier and air quality monitor, like the AirVisual Pro.

FaceID: convenience and security

Written on 18 November 2017, 11:53pm

Convenience

In one of the most watched reviews of the iPhone X, Marques Brownlee showed in a side-by-side comparison that the new FaceID is still slower than TouchID, but it will eventually get better with software improvements. I think that in most cases, FaceID is faster: by tapping the screen or pressing the power button to unlock your iPhone, you’re actually creating an extra step when you don’t need one. If you simply pick up the phone, then swiping up will already unlock it. Definitely faster than TouchID.
But what’s even more important, FaceID represents an important milestone in the history of biometric authentication: it’s the first time that this process is done seamlessly, without even thinking about it. Even Brownlee admits that “facial recognition on a phone is closer to secure, seamless authentication than a separate fingerprint reader will ever be”.
After using FaceID to unlock my phone for more than two weeks I can feel that it works so well that it becomes easy to forget that the authentication actually happens. The closest to this feeling is the Apple Watch authentication model: once you put it on your hand and unlock it, it’s easy to forget that you’re authenticated (by keeping it tied to your hand) and you can receive notifications on it. The fact that the FaceID authentication is now tied to something that you’re doing with the phone anyway – that is, looking at it – makes the experience feel close to magic.

This experience can be technically described as ‘continuous authentication’: you no longer have to make a conscious gesture in order to authenticate (ex. type a PIN or put your finger on the TouchID); by simply looking at the phone you are already authenticated. Some examples:
– expand notifications and show the control center on the lock screen
– apps using FaceID for authentication, like LastPass: after opening them, you’re already authenticated (without the need to type a password or put your finger).
– Safari browser auto-filling the passwords

Face ID is the most compelling advancement in security I have seen in a very long time. It’s game-changing not merely due to the raw technology, but also because of Apple’s design and implementation. […] The real Face ID revolution: since you’re almost always looking at your iPhone while you’re using it, Face ID enables what I call “continuous authentication.”
Rich Mogull: Face ID’s Innovation: Continuous Authentication

Security

I described above the convenience of using FaceID and how it slowly moves us to a new era where we no longer realize we’re using biometric authentication. But how secure is it?
Before we dive into the main security concerns, it’s worth noting that before TouchID (that is a mere 4 years ago), most of us did not use a passcode on our smartphones. “Before Touch ID, about half of our users had a passcode set. Now, 9 out of 10 do.” (WWDC June 2016). With the introduction of TouchID and now FaceID, the number of people enjoying the security benefits of using a passcode is much higher.

Here are the main concerns related to FaceID:

– accidental in-app buy or download; accidental use of Apple Pay: not possible, you have to double tap the power button to enable the FaceID in order to download an app or to make a purchase
– false positive rate (security concern) / false negative rate (convenience concern): according to Apple, both fare better than TouchID
– somebody clones your face: still possible, and a valid concern if you have a high profile. But FaceID is more secure than TouchID: fabricating a 3D mask is arguably more complicated than a 3D finger.
– law enforcement forces you to unlock your iPhone using your face: the security level here is the same as for Touch ID. If you are concerned about this aspect, then simply don’t use FaceID/TouchID and rely on a strong passcode instead. If you are just a little bit concerned, then know that holding the power and one of the volume buttons together (‘squeeze’ your iPhone) will immediately require the passcode to unlock.
– somebody unlocks your phone while you are asleep: you can enable ‘require attention’. But if you are concerned about this, you have bigger issues than the security on your smartphone 🙂
More about these concerns here: Face ID, Touch ID, No ID, PINs and Pragmatic Security

The only valid concern for me is the following: a thief steals your iPhone, makes you look at it to unlock, then runs away with the unlocked phone.
In this scenario, FaceID is actually worse than TouchID – because it requires no physical contact between you and the thief. The only solution for this is to ‘Find your iPhone’ and remotely wipe it, but this can take time during which valuable data can be extracted from your stolen phone. A better solution would be to immediately lock the iPhone from your Apple Watch.

Conclusions

There is always a trade-off between security and convenience. Sometimes compromises need to be made: security requires pragmatism. But FaceID just proved how it can address most security concerns while providing a seamless user experience. With time, software and hardware updates, it will get even better, and we will see FaceID on other computing devices like tablets or laptops.
And from there it’s easy to imagine a keyless future. How long until you unlock your car by looking at it? Or you unlock your house by simply approaching the door and disarm your house alarm system by stepping into the hallway?
FaceID is not only an important milestone for biometric authentication, but it has the potential to change the way we interact with technology forever.