Retina Scanner Fingerprints and Biometric Sign In

00:00

hello in this video we're going to talk

00:02

about four different types of

00:03

authentication methods that you should

00:05

consider if you're an application

00:07

developer and working on making your

00:08

apps more secure

00:10

my name is shad Schlueter I'm a

00:11

professor at Grand Canyon University I

00:14

teach computer security classes

00:15

application development and web

00:17

development with computer science in

00:19

this video we're going to talk about

00:21

authentication methods so you can see

00:23

from the pictures scattered around the

00:24

background that there are far more

00:26

methods than just a password first of

00:28

all a secure password is a good idea but

00:30

think of your biometrics you can scan

00:32

your retina you can scan your hand your

00:34

fingerprint or you could use some kind

00:36

of a two-factor authentication or even

00:38

better

00:39

two-factor with a special timestamp

00:41

using tokens and so that's what we'll

00:43

see here in the next few minutes check

00:45

out this news story from the year 2004

00:48

so Bill Gates predicts the death of the

00:52

password he says traditional password

00:54

based security is headed for extinction

00:55

it does not meet the challenges of our

00:58

more needs for our information so

01:00

obviously for a long time people have

01:02

seen the needs for something better than

01:04

just a password think about the purposes

01:06

of passwords and our usernames what's

01:09

the difference between an identity and

01:10

an authentication well if you were to

01:13

think of your username as your identity

01:15

and then your password as your

01:17

authentication you've got the right idea

01:19

and so if you put things that are like

01:21

biometrics in the play then you can have

01:24

both of these in one package

01:26

identification means can I find you are

01:29

you the person that's supposed to be

01:31

here and authentication is asking the

01:33

question do I know you

01:35

so for instance hi we just met can you

01:37

prove to me that you're the person you

01:39

say you are you say your name's John how

01:41

do I really know that can you show me

01:43

your driver's license can you show me

01:44

your identification can I get your

01:47

mother's maiden name or some kind of a

01:48

question like that a password is how we

01:51

authenticate people normally to contrast

01:53

the difference between authentication

01:55

and identification I'd like you to think

01:58

about how we would use DNA in a criminal

02:01

case so DNA can be used as evidence in

02:04

court but the question is should we use

02:07

it as to authenticate people or to

02:09

identify the criminal so look at the

02:12

difference between identity and a

02:13

indicate and then register your answer

02:16

which one is it well let's talk about

02:18

authentication first let's say if we

02:21

tried to take a person that was already

02:24

arrested for the case there was probable

02:26

cause the police found them or maybe a

02:29

video camera saw them or there was a

02:31

witness

02:32

and so the persons arrested and put on

02:34

trial then DNA that is compared from the

02:38

case that was gathered at the at the

02:40

crime scene is gathered and kind of

02:42

compared to the person that would be

02:44

trying to authenticate the person

02:46

however think of it as if we'd used a

02:48

DNA in a way to identify the person so

02:51

here's the scenario DNA is taken from

02:53

the crime scene

02:54

and then we compare it to see if there's

02:56

a match to a million different entries

02:59

of DNA that we have on file and so we

03:02

would take a million people and if there

03:05

is a 99% correlation or better then we

03:08

arrest all those people and bring them

03:10

to trial

03:10

well obviously the second case sounds

03:13

more like what they would do in China or

03:15

North Korea or somewhere where they're

03:16

more authoritarian and not so much

03:18

interested in human rights so identity

03:21

is not the way that you would try to

03:23

solve this case now back to computer

03:26

problems think of how you could make

03:28

your application more convenient and

03:30

perhaps better than just passwords so

03:33

biometrics is one solution that people

03:35

have been working on for many years so

03:38

whether you do a handprint or

03:39

fingerprint or retina scan or you might

03:42

even use your voice so let's take a look

03:44

here at an example from a movie from

03:46

1992 called sneakers

04:21

now the problem with biometrics is that

04:23

there are false positives and false

04:25

negatives so you for I've been

04:28

frustrated by your phone if you try to

04:29

press your fingerprint on it and doesn't

04:31

read it it doesn't read it it doesn't

04:32

read it anything uh the stupid thing I

04:34

would just if I had a password I could

04:36

get in

04:37

well the question is should Samsung be

04:40

100% accurate in registering your

04:42

fingerprint or should there be some

04:44

margin of error so if your fingerprint

04:48

registers all the time immediately does

04:51

that mean that your friends could also

04:53

use your phone you ever tested it can

04:55

you fake your phone out and so should

04:58

some pulse false positives be allowed

05:00

and I think the answer has to be yes

05:02

because they would annoy their customers

05:04

too much if they were very very picky so

05:07

they're getting better at it obviously

05:08

they don't want to just let everybody

05:10

into the phone but they're more accurate

05:12

than they used to be speaking of

05:15

biometric authentication here's a nice

05:17

story a doctor used silicone fingers

05:20

here to sign-in for colleagues and so

05:22

the story goes like this

05:23

a Brazilian doctor is facing charges of

05:25

fraud and so he was signing in his

05:28

absent e's his friends at work using

05:32

silicone fingers that they faked

05:34

so they used prosthetic fingers to fool

05:37

the biometric attendance device well

05:39

whenever there's a foolproof solution

05:41

there's always are some pretty smart

05:43

fools biometric security sounds like

05:46

it's going to be great if we could get

05:48

it to work right all the time

05:49

then we could kill passwords but

05:51

obviously we're not quite there yet

05:53

another nice way to increase your

05:55

security is using token authentication

05:57

so you can see here we have two

05:59

different ways to take a token a

06:01

physical object and use that for logins

06:04

so a static token could be like your

06:06

company ID card or a dynamic token might

06:10

be with this RSA SecurID tag that

06:12

changes every 30 seconds and that number

06:15

that's on the tag is used to as your

06:18

password and so both of these are

06:20

physical devices that you'd have to

06:22

fake or steal if you wanted to break in

06:25

so two-factor authentication with a

06:27

secure ID looks like this you use your

06:30

login name and then your passcode has to

06:33

be entered plus a password and then this

06:35

little key chain that has a unique

06:38

random number on it every 60 seconds

06:41

also has to be used so far more secure

06:44

than just asking for a person's password

06:46

so probably more commonly you would use

06:49

two-factor identification with your cell

06:51

phone a lot of times when you sign into

06:53

a bank or some financial institution

06:56

they will send you a four digit code and

06:59

it has to come to your phone before you

07:01

can actually enter your password so

07:03

those are more secure however recently

07:06

it has been has been brought to the

07:08

attention that it's possible to fake a

07:10

phone as well you can get applications

07:12

that will clone another phone and then

07:14

you can receive and send text on their

07:16

device without ever actually stealing

07:18

their device and so two-factor

07:20

authentication it's got some

07:22

improvements to go and using

07:24

applications rather than just SMS

07:26

texting it really works even though it

07:29

slows down our logins a little bit

07:31

another great way for an application

07:34

developer to increase security is to use

07:36

a process called single sign-on we've

07:39

all seen websites that say you can

07:40

create a user account or you can just

07:43

click here to sign in with Facebook or

07:44

sign in with Google and so this allows a

07:47

third-party service to log in now the

07:50

advantage here is that it's simple for

07:52

both the programmers and the users so

07:55

for the user they don't have to remember

07:57

another password for the programmer you

07:59

don't actually have to store any

08:01

passwords on your service so in many

08:04

cases when a business is hacked the

08:07

accounts of the let's say Yahoo for

08:09

example 3 billion user accounts are

08:12

downloaded and put away into text files

08:14

and sent off to China however if there's

08:17

no passwords to be associated with those

08:20

usernames then you don't really have the

08:23

liability you kind of have to trust

08:25

Google that they're not going to get

08:27

hacked which so far they haven't but

08:30

they're probably more secure than any

08:32

small business that you've ever worked

08:34

and so security is actually improved

08:37

when we have fewer passwords to remember

08:39

so in conclusion we could say that

08:42

authentication is a weak point in many

08:44

secure systems and so think about other

08:47

things than just the password if you're

08:49

going to create an application remember

08:51

authentication is not the same as

08:53

identification use two-factor sign-on

08:55

whenever possible if you've got the

08:57

money and you have security concerns go

08:59

with biometrics single sign-on should be

09:01

a factor in when you're thinking of

09:03

building any application and also if you

09:06

have the ability to create

09:07

authentication tokens let's consider

09:09

those as well so thanks for watching

09:11

those are some ideas that you could use

09:13

for authenticating your users my name is

09:16

chad Schlueter as I told you I work at

09:18

Grand Canyon University

09:19

check out the hundreds of other videos

09:21

on my site to learn how to be a web

09:23

developer an application developer and

09:25

to become more secure in your computer

09:27

programming