BTW: His main point is, "the best part is that clearly someone at the vast institution that is my bank—someone in a position of some authority no less—is a nerd."
His main point is not that it will be fast/secure/good.
Fingerprint, iris, and voice are identifiers not authenticators. Their perceived security comes from their perceived scarcity and difficulty in emulating their presence, barriers that are being removed as technology gets better. In the future the device will know who you are identified as by detecting these markers but you'll still need to prove you are who you are presenting yourself to be.
Fingerprints are still a better authenticator than a 4 digit passcode in practice. Nothing is infallible, it just needs to be good enough. Biometric security things can be very good at preventing 99% of the problems with 1% of the effort.
Biometric security is one of the worst things to happen to security.
Personally I hate passwords, but biometrics aren't the answer.
How do you revoke the privilege when they are compromised?
How do you give the keys to someone else?
What happens when there is a life changing event that render your biometrics obsolete?
Can you still you a gumi bear to fool a fingerprint reader?
Mac OS 9 had a voice login option. In my experience, it did not work very well because my voice when I first woke up in the morning was very different from my voice later on during the day, such that my Mac did not recognize my early morning voice when I tried to log in.
e: and yes, I believe the default phrase for the voice login option was "my voice is my passport."
I've used voice authentication with Nuance's SDK before and having a cold or gaining weight does not affect the verification process. It is based on acoustioc signatures in your voice and not necessarily a precise recreation of the original recording. This isn't a problem with this approach.
This could also be said about passwords:
I have bad memory I can't remember a long complex password.. Point being that there are issues with all forms of security. Bullet proof glass for example can be taken out by an RPG this reasoning is only detrimental to the advancement, innovation, and implementation of layers of security to protect consumers. I think it's neat and my take a way from the article is that the author felt comforted by the fact that at least someone at the bank appreciated the movie sneakers and was attempting to increase security measures through innovation.
Sneakers - one of the best computer movies when I was a kid. I used to watch it over and over again. Good times. Must go find it somewhere. That movie probably had an impact on actually getting into the business later on.
I loved this movie and I still watch it a few times a month as I am working on other things. Sometimes listening to movies provides me more focus than random music from my playlists.
I'm the same way - for me, "Bladerunner", "Barbarella" and "Flash Gordon" are on auto-repeat as my background noise for serious coding sessions. For some reason these 3 movies just work so well in that sense ..
I'm not sure biometric identification is such a great idea... with fingerprint id, it could make the bad guys have an incentive to chop fingers... Also, a fingerprint can be acquired in other ways and then replicated sintetically.
In the same fashion, voice identification doesn't seem to be so secure, since it could also be recorded... and if it were commonly used, there would probably be enough incentive to build on top of current text-to-speech and speech synthetizers, to emulate a voice, given enough sample data.
The problem is that a lot of systems perceives biometric as password, while it really is a user name. Biometric doesn't provide security when there's possibility that people can tamper with it.
Like Bruce Schneier says...
"The lesson is that biometrics work best if the system can verify that the biometric came from the person at the time of verification. The biometric identification system at the gates of the CIA headquarters works because there's a guard with a large gun making sure no one is trying to fool the system."[1]
Also, what are the chances that someone can have a similar pitch/tone/voice as the password holder? I bet someone with enough incentive could find another like it.
ie. Google Glass fiasco where you could say, 'OK Google, porn,' behind people who are wearing Google Glass.
If we assume that someone is giving the pass-phrase they've selected in their voice, then it does make the guess more expensive. Now there are two things to guess: What they sound like saying a particular thing and what that thing is.
Of course if you have a secure pass-phrase you're not gaining too much there. It's already very difficult to break. But ho-hum, it's not automatically a terrible idea.
Someone could record you saying it, but on the one hand I don't think that you're as much at risk from someone around you recording your password as you are from someone trying to guess it, and on the other this is a vulnerability that other forms of password share too - though I grant with a slightly different recording procedure.
Although the "chop a finger" tactic might be a worry in some exceptional cases... in the vast majority of cases I think "punch someone in the face until they reveal their password" is a more plausible tactic.
It also just doesn't matter for a lot of cases. A lot of the systems people often think of as super important and secure and permanent (like banking) have a fair amount of wiggle room for rollback in the event of fraud/crime/etc, and policies/processes to minimize the extent to which you can carry out irreversible transactions. Security is imperfect, so there's value in a system which is robust to security failure.
Hyperbole. Clearly, it's not a username. Touch ID has improved security for most users, precisely because it works more like a password than a username. (We all know it's not as secure as a real password.)
It's just a really long, complex, and hard to copy username. In many cases, that is much better than a username/password combination. But it's still just something you are/have and not something you know.
Readit News
His main point is not that it will be fast/secure/good.
[1] https://www.youtube.com/watch?v=G_XRqJV2zdk
Fingerprints and a password, sure, but fingerprints only is the worst idea possible.
e: and yes, I believe the default phrase for the voice login option was "my voice is my passport."
It was actually "my voice is my password" not "passport."
I have a pretty severe cold today. My voice is unrecognizable. But I can still remember a password.
All future technology has, apparently, been predicted by 1980/90s sci fi.
/off-topic
In the same fashion, voice identification doesn't seem to be so secure, since it could also be recorded... and if it were commonly used, there would probably be enough incentive to build on top of current text-to-speech and speech synthetizers, to emulate a voice, given enough sample data.
Like Bruce Schneier says... "The lesson is that biometrics work best if the system can verify that the biometric came from the person at the time of verification. The biometric identification system at the gates of the CIA headquarters works because there's a guard with a large gun making sure no one is trying to fool the system."[1]
[1] https://www.schneier.com/blog/archives/2009/01/biometrics.ht...
ie. Google Glass fiasco where you could say, 'OK Google, porn,' behind people who are wearing Google Glass.
Of course if you have a secure pass-phrase you're not gaining too much there. It's already very difficult to break. But ho-hum, it's not automatically a terrible idea.
Someone could record you saying it, but on the one hand I don't think that you're as much at risk from someone around you recording your password as you are from someone trying to guess it, and on the other this is a vulnerability that other forms of password share too - though I grant with a slightly different recording procedure.
It also just doesn't matter for a lot of cases. A lot of the systems people often think of as super important and secure and permanent (like banking) have a fair amount of wiggle room for rollback in the event of fraud/crime/etc, and policies/processes to minimize the extent to which you can carry out irreversible transactions. Security is imperfect, so there's value in a system which is robust to security failure.