Retina Scanner Fingerprints and Biometric Sign In
Summary
TLDR: In this informative video, Professor Chad Schlueter from Grand Canyon University discusses the evolution of authentication methods beyond the traditional password. He highlights the importance of considering alternatives such as biometrics, token authentication, two-factor authentication, and single sign-on to enhance application security. The video provides insights into the practical challenges and potential of each method, urging developers to think creatively about user authentication to protect sensitive information more effectively.
Takeaways
- Understanding various authentication methods is crucial for application developers to enhance security.
- The speaker, Chad Schlueter, is a professor at Grand Canyon University, teaching computer security and development.
- Secure passwords are important, but biometrics such as retina scans, fingerprints, and handprints offer more robust security options.
- Two-factor authentication (2FA) improves security by requiring a second verification step, often with a timestamped token.
- Bill Gates predicted in 2004 that traditional passwords would become obsolete, highlighting the need for better security measures.
- Differentiating between identity (who you are) and authentication (proving who you are) is essential in security contexts.
- DNA can be used to identify and authenticate individuals in criminal cases, though its application varies.
- Biometric authentication can sometimes result in false positives or negatives, but technology is improving.
- Two-factor authentication commonly uses SMS or app-based codes to enhance security, though vulnerabilities exist.
- Single sign-on (SSO) simplifies login processes by allowing users to authenticate via third-party services like Google or Facebook, reducing password management issues.
Q & A
What are the four different types of authentication methods discussed in the video?
-The video discusses secure passwords, biometrics (including retina, hand, fingerprint, and voice recognition), two-factor authentication, and single sign-on as authentication methods.
Who is the speaker in the video and what is his profession?
-The speaker in the video is Chad Schlueter, a professor at Grand Canyon University who teaches computer security classes, application development, and web development with computer science.
What did Bill Gates predict about the future of passwords in 2004?
-Bill Gates predicted the death of the password in 2004, stating that traditional password-based security is headed for extinction as it does not meet the challenges of our more complex needs for information security.
What is the difference between identity and authentication as explained in the video?
-Identity refers to the process of identifying or finding a person, while authentication is the process of verifying that a person is who they claim to be. For example, a username represents identity, and a password represents authentication.
How does the video illustrate the difference between using DNA for authentication and identification?
-The video uses the analogy of DNA in a criminal case to illustrate the difference. DNA used to authenticate a person already arrested for a crime is for authentication, whereas using DNA to match against a database of millions to find potential suspects is for identification.
What are some of the issues with biometric authentication as mentioned in the video?
-The video mentions issues such as false positives and false negatives, which can lead to either incorrect rejection or acceptance of an individual. It also mentions the possibility of biometric data being spoofed, as in the case of the doctor using silicone fingers to fool a biometric attendance device.
What is token authentication and how does it work?
-Token authentication is a method where a physical object, either static or dynamic, is used for logins. A static token could be an ID card, while a dynamic token like RSA SecurID changes its code every 30 seconds or 60 seconds, which is then used as a password.
How does two-factor authentication enhance security compared to a single password?
-Two-factor authentication requires not only a password but also a second form of verification, such as a code sent to a user's phone or a token device, making it more difficult for unauthorized access as both factors need to be compromised to gain entry.
What is single sign-on and what are its advantages?
-Single sign-on (SSO) is a process that allows a user to log in once and gain access to multiple systems or applications without needing to log in again for each one. The advantages include convenience for users and reduced liability for developers, as they do not need to store passwords on their service.
What are some of the security concerns with two-factor authentication using SMS texting mentioned in the video?
-The video mentions that it's possible to fake a phone and clone another phone to receive and send texts, which can undermine the security of two-factor authentication that relies on SMS texting.
What advice does Chad Schlueter give for application developers regarding authentication methods?
-Chad Schlueter advises application developers to consider authentication methods beyond just passwords, to use two-factor sign-on when possible, to explore biometrics if security concerns are high and funds allow, to implement single sign-on, and to consider the use of authentication tokens.
Outlines
Introduction to Advanced Authentication Methods
In this introductory paragraph, Chad Schlueter, a professor at Grand Canyon University, sets the stage for a discussion on various authentication methods beyond traditional passwords. He introduces the topic by highlighting the inadequacy of passwords alone in securing applications and emphasizes the importance of exploring alternative methods. The paragraph touches on biometrics, two-factor authentication, and the distinction between identity and authentication. It also references a 2004 news story where Bill Gates predicts the end of password-based security, indicating a long-standing recognition of the need for more robust methods.
Biometric Authentication: Challenges and Potential
This paragraph delves into the realm of biometric authentication, discussing its potential and the challenges it faces. Chad Schlueter explains the concept of biometrics, such as retina scans, fingerprints, and voice recognition, and acknowledges the issues of false positives and negatives. He uses the example of a Brazilian doctor who fraudulently used silicone fingers to fool a biometric system, illustrating that while biometrics offer a high level of security, they are not without their flaws. The paragraph also raises questions about the balance between security and user convenience, suggesting that some margin of error may be necessary to avoid frustrating users.
Token Authentication and Two-Factor Authentication
The focus shifts to token-based authentication, describing both static and dynamic tokens as physical devices that add an extra layer of security. Chad Schlueter explains how a dynamic token, such as an RSA SecurID, generates a new number every 30 seconds to be used as a password, making it difficult for unauthorized access. The paragraph also covers the common practice of two-factor authentication using cell phones, where a code is sent to the user's device before they can enter their password. However, Schlueter points out that even this method is not foolproof, as demonstrated by the possibility of cloning phones to intercept authentication codes.
Single Sign-On and Its Benefits for Security and Convenience
In the final paragraph, Chad Schlueter discusses the concept of single sign-on (SSO), where users can log in to applications using their existing accounts from third-party services like Facebook or Google. He outlines the benefits of SSO for both users, who don't need to remember additional passwords, and developers, who avoid storing passwords on their services. Schlueter also touches on the security implications of SSO, noting that it reduces the liability in case of a data breach, as no passwords are stored. The paragraph concludes with a summary of the various authentication methods discussed and a call to action for developers to consider these methods when building secure applications.
Keywords
Authentication
Biometrics
Two-factor authentication (2FA)
Single sign-on (SSO)
Password
Token authentication
False positives and false negatives
Identity
Secure password
Dynamic token
Highlights
Introduction of four different types of authentication methods for application developers to enhance app security.
Biometrics as an alternative to traditional passwords, including retina, hand, and fingerprint scanning.
The distinction between identity and authentication, with examples of how they function.
The concept of two-factor authentication and its implementation with special timestamps using tokens.
Bill Gates' 2004 prediction of the death of the password and the evolution towards more secure methods.
Discussion on the accuracy and margin of error in biometric authentication systems.
A real-world case of biometric fraud involving silicone fingers to fool attendance systems.
Token authentication as a secure method, with examples of static and dynamic tokens.
The security benefits of two-factor authentication, especially when combined with physical tokens.
The vulnerability of SMS-based two-factor authentication and the rise of application-based alternatives.
Single sign-on as a convenient and secure method for user authentication.
The advantages of using third-party services for login, reducing the need for multiple passwords.
The security implications of storing passwords on services and the trust placed in large providers.
The importance of considering authentication methods beyond passwords in application development.
The potential of biometrics for high-security applications, despite current limitations.
The role of single sign-on in improving security by reducing the number of passwords users need to remember.
The consideration of authentication tokens as a secure option for application developers.
Conclusion emphasizing the importance of strong authentication in secure systems and various methods to achieve it.
Transcripts
Hello. In this video we're going to talk about four different types of authentication methods that you should consider if you're an application developer and working on making your apps more secure. My name is Chad Schlueter. I'm a professor at Grand Canyon University; I teach computer security classes, application development, and web development with computer science. In this video we're going to talk about authentication methods, so you can see from the pictures scattered around the background that there are far more methods than just a password. First of all, a secure password is a good idea, but think of your biometrics: you can scan your retina, you can scan your hand, your fingerprint, or you could use some kind of a two-factor authentication, or even better, two-factor with a special timestamp using tokens. And so that's what we'll see here in the next few minutes.

Check out this news story from the year 2004. So Bill Gates predicts the death of the password. He says traditional password-based security is headed for extinction; it does not meet the challenges of our more needs for our information. So obviously, for a long time people have seen the needs for something better than just a password. Think about the purposes of passwords and our usernames. What's the difference between an identity and an authentication? Well, if you were to think of your username as your identity and then your password as your authentication, you've got the right idea. And so if you put things that are like biometrics in the play, then you can have both of these in one package. Identification means: can I find you? Are you the person that's supposed to be here? And authentication is asking the question: do I know you?

So for instance: hi, we just met. Can you prove to me that you're the person you say you are? You say your name's John; how do I really know that? Can you show me your driver's license? Can you show me your identification? Can I get your mother's maiden name or some kind of a question like that? A password is how we authenticate people normally. To contrast the difference between authentication and identification, I'd like you to think about how we would use DNA in a criminal case. So DNA can be used as evidence in court, but the question is, should we use it to authenticate people or to identify the criminal? So look at the difference between identity and authenticate, and then register your answer: which one is it? Well, let's talk about authentication first. Let's say if we tried to take a person that was already arrested for the case: there was probable cause, the police found them, or maybe a video camera saw them, or there was a witness, and so the person's arrested and put on trial. Then DNA that is compared from the case, that was gathered at the crime scene, is gathered and kind of compared to the person; that would be trying to authenticate the person. However, think of it as if we'd used DNA in a way to identify the person. So here's the scenario: DNA is taken from the crime scene, and then we compare it to see if there's a match to a million different entries of DNA that we have on file. And so we would take a million people, and if there is a 99% correlation or better, then we arrest all those people and bring them to trial. Well, obviously the second case sounds more like what they would do in China or North Korea or somewhere where they're more authoritarian and not so much interested in human rights. So identity is not the way that you would try to solve this case.

Now, back to computer problems. Think of how you could make your application more convenient and perhaps better than just passwords. So biometrics is one solution that people have been working on for many years, so whether you do a handprint or fingerprint or retina scan, or you might even use your voice. So let's take a look here at an example from a movie from 1992 called Sneakers. Now, the problem with biometrics is that there are false positives and false negatives. So you, for, I've been frustrated by your phone if you try to press your fingerprint on it and it doesn't read it, it doesn't read it, it doesn't read it, anything, uh, the stupid thing; I would just, if I had a password, I could get in. Well, the question is, should Samsung be 100% accurate in registering your fingerprint, or should there be some margin of error? So if your fingerprint registers all the time immediately, does that mean that your friends could also use your phone? You ever tested it? Can you fake your phone out? And so should some false positives be allowed? And I think the answer has to be yes, because they would annoy their customers too much if they were very, very picky. So they're getting better at it. Obviously they don't want to just let everybody into the phone, but they're more accurate than they used to be. Speaking of biometric authentication, here's a nice story: a doctor used silicone fingers here to sign in for colleagues. And so the story goes like this: a Brazilian doctor is facing charges of fraud, and so he was signing in his absentees, his friends at work, using silicone fingers that they faked. So they used prosthetic fingers to fool the biometric attendance device. Well, whenever there's a foolproof solution, there's always some pretty smart fools. Biometric security sounds like it's going to be great if we could get it to work right all the time; then we could kill passwords, but obviously we're not quite there yet.

Another nice way to increase your security is using token authentication. So you can see here we have two different ways to take a token, a physical object, and use that for logins. So a static token could be like your company ID card, or a dynamic token might be with this RSA SecurID tag that changes every 30 seconds, and that number that's on the tag is used as your password. And so both of these are physical devices that you'd have to fake or steal if you wanted to break in. So two-factor authentication with a SecurID looks like this: you use your login name, and then your passcode has to be entered, plus a password, and then this little key chain that has a unique random number on it every 60 seconds also has to be used. So, far more secure than just asking for a person's password. So probably more commonly you would use two-factor identification with your cell phone. A lot of times when you sign into a bank or some financial institution, they will send you a four-digit code, and it has to come to your phone before you can actually enter your password. So those are more secure; however, recently it has been brought to the attention that it's possible to fake a phone as well. You can get applications that will clone another phone, and then you can receive and send text on their device without ever actually stealing their device. And so two-factor authentication, it's got some improvements to go, and using applications rather than just SMS texting, it really works, even though it slows down our logins a little bit.

Another great way for an application developer to increase security is to use a process called single sign-on. We've all seen websites that say you can create a user account, or you can just click here to sign in with Facebook or sign in with Google, and so this allows a third-party service to log in. Now, the advantage here is that it's simple for both the programmers and the users. So for the user, they don't have to remember another password; for the programmer, you don't actually have to store any passwords on your service. So in many cases when a business is hacked, the accounts of the, let's say Yahoo for example, 3 billion user accounts are downloaded and put away into text files and sent off to China. However, if there's no passwords to be associated with those usernames, then you don't really have the liability. You kind of have to trust Google that they're not going to get hacked, which so far they haven't, but they're probably more secure than any small business that you've ever worked. And so security is actually improved when we have fewer passwords to remember.

So in conclusion, we could say that authentication is a weak point in many secure systems, and so think about other things than just the password if you're going to create an application. Remember, authentication is not the same as identification. Use two-factor sign-on whenever possible. If you've got the money and you have security concerns, go with biometrics. Single sign-on should be a factor in when you're thinking of building any application, and also, if you have the ability to create authentication tokens, let's consider those as well. So thanks for watching. Those are some ideas that you could use for authenticating your users. My name is Chad Schlueter; as I told you, I work at Grand Canyon University. Check out the hundreds of other videos on my site to learn how to be a web developer, an application developer, and to become more secure in your computer programming.