Will 2017 be the Final Year of the Password?

Passwords have become a necessary evil and many users complain about the burden of coming up with complex passwords, and the even bigger challenge of remembering those passwords.

Qualcomm has a fingerprint ID technology that uses ultrasound

Qualcomm has developed its own fingerprint sensor for smartphones with the aim of tapping the increasing demand for biometric security on phones. Qualcomm’s Snapdragon Sense ID, announced on Monday at Mobile World Congress, isn’t the usual capacitive touch pad we’ve become accustomed to seeing on high-end smartphones. Instead Qualcomm is using ultrasonic waves to scan all of the ridges and wrinkles of your digits.

Why ultrasound? [company]Qualcomm[/company] says it can do a far deeper analysis than the 2D image created by a fingerprint mashed up against a capacitive sensor. It can look beyond the grime and sweat on your grubby fingers and even penetrate beneath the surface of your skin to identify unique 3D characteristics of your print. It’s the same biometric technology developed for government security applications, Qualcomm claimed.

The technology could also change the way that fingerprint scanners are implemented on devices. Since ultrasonic waves go through glass, aluminum, steel and plastic housings of any phone, it doesn’t need a dedicated touch pad or button to work. While the sensor itself is a separate element, it’s designed to work closely with Qualcomm’s Snapdragon processor line where all of the fingerprint data analysis is performed.

Qualcomm says it is already sampling the technology with device makers and expect it to debut in the first commercial handsets later this year.

MWC-2015-ticker

New Samsung fingerprint scanners may be more like Apple Touch ID

Samsung has been including fingerprint scanners inside the home button on its high-end devices since the Galaxy S5 launched, but there’s been one major difference between the Samsung scanners and Apple’s Touch ID: On a Samsung phone, you’ve got to swipe your finger over the reader, as opposed to Apple’s implementation in which users simply place their finger on the home button.

Samsung is looking to upgrade its fingerprint sensor on the forthcoming Galaxy S6 — and presumably on other fingerprint-equipped handsets after that, according to new information from SamMobile. The new sensor is reportedly touch-based as opposed to swipe-based, so users will simply need to place their fingerprint on the home key.

samsung swipe anandtech

Samsung’s fingerprint technology will probably continue to center around a touch-based capacitive reader, the way Apple’s Touch ID does.

Of course, Samsung’s current home button may be a little too skinny to get a good look at your fingerprint. SamMobile cites sources who believe Samsung will make its home button slightly bigger to accommodate the new sensor.

I’ve used Samsung’s fingerprint scanner on devices like the Galaxy Note 4. Personally, I’ve found the current implementation to be more trouble than it’s worth. In addition to understandable (and common) fingerprint reading failures, there’s an ergonomics issue: When holding a big device in your right hand, Samsung’s current fingerprint scanner simply isn’t great at reading your thumbprint at a horizontal angle. It worked more reliably with my index finger, but that requires two hands to hold the device.

A more reliable fingerprint scanner won’t just make [company]Samsung[/company] smartphones more secure; it could do a lot for Samsung’s mobile payment ambitions. A key part of Apple Pay’s success is that Touch ID biometric authentication is reliable and quick, so you’re not standing at a cash register trying to get your iPhone to recognize your finger.

Samsung is developing mobile payment software with Paypal and biometric verification firm Synaptics. A mobile payment system based around an effective fingerprint reader is much more likely to be successful than the rumored LoopPay case that would emulate soon-to-be-obsolete magnetic credit card swipes.

More ideas for payments security

There’s been plenty of hand wringing, nail biting, and finger pointing since the massive Target credit card data breach. Retailers, banks, and payment processors have variously lamented the state of U.S. card-based payments security. Proposed solutions abound.
While several of the suggested solutions will likely find adoption, none will be perfect. The security/threat dance will continue. Still, there was a particularly notable announcement on the week that has broader implications than most fixes that have been suggested.
Where the U.S. has lagged in technology
The first, obvious accusations flew over the U.S. lagging much of the rest of the world by up to a decade in its implementation of the EMV (Europay-Mastercard-Visa) smart-card standard. That American providers still use magnetic stripe cards is seen as primitive in comparison to the smart cards used elsewhere that combine chip and PIN technology. Smart cards tend to be more secure, but in markets where they’ve been adopted, thieves have focused on other vulnerabilities in the payments ecosystem, such as online purchases, to perpetrate their fraud—and theft has not necessarily been reduced.
Since the Target breach, the card associations have firmed up their plans to force conversion to EMV as early as October, 2015 (for retailers), and as late as October, 2017 (for gas stations) for retailers and banks to avoid liability in the case of fraud.
The quest for better identity verification
Attention has also turned to the usual search for more personal and secure means of verifying identity. Two of several biometrics solutions being floated include a system of point-of-sale (POS) wrist-vein recognition proposed by the startup PulseWallet and a voice recognition system from Nuance Communications being tested by U.S. Bank, the fifth largest bank in the U.S. With such biometrics as fingerprint identification being adopted more generally, it is not a stretch to expect some form of biometrics to soon reach the retail card payments system.
The move to watch is Payco’s token authorization system
But the move to watch is the endorsement by Payco (The Clearing House Payments Company) of a token authorization system. In forming an alliance, or ‘partnership‘ with major retail and financial trade associations, PayCo has expanded upon its considerable industry heft. While this system is no safer than the encryption it is based on, it removes the need for actual customer account information to be stored on retail systems, while fitting with the formats of current retail technology. More critically, it addresses security beyond retail POS terminals to broader online and advanced payment options. HSBC Bank USA this week became the latest bank to announce a trial of token-authorization technology.
NIST announcement is a reminder that payments security is still a broader issue
NIST this week also announced its framework for critical infrastructure cybersecurity. Essentially an articulation of middle-of-the-road best practices in security, the NIST framework will maintain credibility as long as it keeps current with the evolving concerns and solutions for keeping the broader realm of corporate data and interactions secure. Computerworld has enumerated six failures that led to the success of the Target attack, and today American Banker is reporting that Target security staff had urged a review of its payments security two months before the attack began.
The likely best solution
The best and imperfect answer to credit card and broader payment fraud will likely include the widespread adoption of EMV POS technology, a token authorization standard, and some form of biometrics. That is, some form of all of the above.
Some say that adopting EMV technology at this late date is investing in yesterday’s technology. Token authorization for payment accounts is the new element in the mix but Payco this week provided critical leadership on the technology. And biometrics, though finding increased application, are still evolving.
However quickly new technologies are adopted, widely established old technologies—such as credit card use in retail stores—are generally slow to fade. Yet a technology that only addresses POS processes is already inadequate to cover the scope of modern payments. Retailers will not like the cost of upgrading to EMV compatibility, but they will not want to turn away traditional credit card customers within the decade.
In short, all participants in the payment system should prepare for an all-of-the-above solution.
 

The government drone is on its way: UAE plans to use biometric quadcopters for ID card delivery

The government of the United Arab Emirates hopes to deliver official documents such as ID cards and driving licenses via drone, Reuters reported on Monday. The quadcopters will apparently carry fingerprint and retina recognition systems in order to ensure the cargo ends up in the right hands. A 6-month trial will be used to assess how the small unmanned vehicles cope with Gulf heat and sand, and if all goes well the system could start rolling out within a year. This is the first case of a government revealing plans to use drones for logistics, as companies such as DHL and Amazon(s amzn) also hope to do.