iPhone X's facial recognition: What could go wrong?

If you want your authentication to be secure:

  • Start with something you have.
  • Then, use something you know.
  • Only then should you provide something you are.

The annual Apple event is possibly one of the most anticipated technology events throughout the world. This year, the company revealed its iPhone X – one of the most advanced phones on the market, but what wasn’t so great about it? The facial recognition technology, and I’m not talking about the work Apple put into the phone to ensure a printout of your face won’t unlock it. Biometrics as a first authentication factor looks cool in movies, but in actuality opens up more vulnerabilities.

As a prior military member, I have tremendous respect for law enforcement personnel. Police also usually undergo a ton of training about conducting lawful searches and seizures. Under the Constitution, there are circumstances where we have a reasonable expectation of privacy. And, while law enforcement personnel do have full authority to conduct a lawful search incident to an arrest and have full authority to confiscate your phone, they should get a warrant before searching it. However, in some circumstances, police also get access to evidence or information through unlawful searches and seizures. This could be due to a procedural error on the part of law enforcement, or due to a myriad of other factors.

For example, law enforcement could conduct the search while you are unconscious or under the influence to such an extent that you wouldn't be able to legally consent to the search. Recently, a nurse became famous for refusing to conduct a search of a person's blood without a warrant because that person was unconscious. If that officer gained the opportunity to unlock a suspect’s phone by pointing it at a person’s face, would he pause to obtain a warrant first? Consumers should not rely on security that could involuntarily waive their rights.

iPhone X facial recognition technology opens the door to security loopholes under duress or other authentication workarounds. Imagine: someone is mugging you, but instead of taking what is in your wallet, they hold your phone up to your face to access banking apps and make money transfers. If you store any of your banking cards on your phone, this is a concern. Typically, if the user needed to provide something they know, he or she could enter a pre-specified duress code to trigger alarms and call for help.

Credit card transactions are usually easy to report as fraud and cancel, but with debit card transactions or bank transfers, it’s much more difficult to get your money back. This is one of my biggest concerns for mobile banking, and it goes beyond biometrics. Recently, Samsung and Bank of America released an iris scanning login. It’s exciting and new, but how can financial organizations and other companies with millions of customers balance flexibility and convenience with security?

Ultimately, the simplest approach, and my real overall point, is that people should avoid using a method of securing their devices in a way that can be used against them without their consent.

In general, while biometrics make a great additional verification factor, they are terrible when used incorrectly for things like the initial identification stage of the authentication process. For that step, authentication should always start with something you have, followed by something (only) you know, and then possibly by something you are (biometrics).

Want to learn more about what authentication method you need for the most security? Connect with us.

WWPass not affected by ROCA vulnerability

According to recent findings, researchers uncovered a serious vulnerability in Infineon security chips. These chips are used in computer TPMs (Trusted Platform Modules), as well as cards used for IDs, banking and other security accessibility platforms. As a result of the Infineon vulnerability, the affected devices include the Estonian citizen ID (eID), Lenovo notebooks, Yubico authenticators and others. WWPass hardware authenticators (PassKey) do not use Infineon chips and are unaffected by the ROCA vulnerability. WWPass customers can rest easy, as our hardware tokens are based on Oberthur/NXP. If you use a non-WWPass product, you can test whether your key is affected here.

Here’s what happened at the 2017 Defense Innovation Conference

A chill ran up my spine while peering down from my window seat. It was surreal looking across the flight line at MacDill Air Force Base at a familiar building across from the rows of neatly parked cargo planes. Though it looked small from up there, I remember how impressive the Central Command Headquarters looked from the ground each time I entered the marble clad lobby on my way to work.

How HBO can fix its hacker problem. Set sail for better security.

August was not a fun month for HBO. As a quick recap, the company suffered a massive breach of its servers, where hackers swiped full episodes of unreleased shows and sensitive internal documents. As if that was not bad enough, two episodes of Game of Thrones leaked out early, and then hacker group OurMine hijacked HBO’s main Twitter account, along with those of several HBO shows. Not good.

According to Verizon’s 2017 DBIR, there is statistically an 81 percent chance that the HBO data breach was the result of weak or stolen credentials, like passwords and usernames. These are indeed the weakest link, but despite this they are used almost everywhere and are probably used in the system where HBO stores high-value data like upcoming Game of Thrones episodes.

We can think of HBO’s data storage system like a boat. Security measures, such as access management technology, are like the hull of that boat, while the content inside is like its cargo. Everywhere that people need to access that system is like a hole. On a boat, the best place for a hole is on the top, above the water level, but when access to the boat is based on passwords and usernames, they’re more like a hole in the bottom of the hull, and the usernames and passwords are like corks.

When extrapolated across many different users and many different components of that system, the boat looks more like a pasta colander than a seaworthy vessel. Even if most of the corks work most of the time, an attacker only needs to compromise one cork to create huge problems. Most companies don’t have a budget like HBO. They will sink before they can spend $7.5 million to plug a hole. No company should be sailing off with their precious cargo in a pasta colander.

So, what does HBO need to consider to protect data from leaking in the future? The most obvious measure HBO or any company can take to prevent these kinds of breaches is to completely eliminate the use of passwords and usernames in the authentication process for their sensitive information systems. If 81 percent of breaches are the result of compromised passwords and usernames, then eliminating them from the authentication process mitigates this risk by 81 percent. Back to the boat analogy: the real solution isn’t to get more corks, or better corks, or to teach everyone better ways to insert the corks into all the holes. The real solution is a stop at the dry dock to upgrade the hull and eliminate all the holes. This is easy to do just by switching to a modern access management system.

Eliminating usernames and passwords isn’t just about security. Whether we’re an employee, a system administrator, or a customer, usernames and passwords frustrate all of us. Offering a very convenient alternative to logging in with passwords and usernames is a massive improvement for any information system, whether it’s protecting high-value data or allowing access to a user account. Moreover, while most people are fretting over a $7.5 million ransom note, not many consider the much larger value HBO regularly loses: a login method that non-paying freeloaders can easily share. This self-induced “tragedy of the commons” scenario is mathematically certain to generate undesirable results for everyone (both HBO and its paying customers), but it doesn’t have to be this way. A switch to a password-less login would not only improve the user experience for paying subscribers, it would prevent revenue loss to those who “borrow” passwords to avoid paying for the entertainment they enjoy.

Aside from ditching passwords and usernames, there are other things that HBO could have done to protect its data. In most cloud architectures, the data is stored all in one place, encrypted, and the encryption key is essentially stored in the same location. If a hacker can access the encrypted data, they can often access the encryption key as well. Ideally, valuable data should be stored in a secure, distributed data storage system. With this kind of system, the data isn’t all stored in one location.

First, the data is encrypted, then it is broken down into many parts, across different data centers with different service providers. The encryption key itself isn’t stored in this system at all. Rather, it’s in the physical possession of the person or people authorized to access the data. When the data is needed, only half of the parts are required to completely re-assemble the data. These parts are retrieved and then decrypted using the key held only by the person or people authorized to access it. This secure distributed data storage system protects not just against unauthorized access, but also against natural disasters, geopolitical events, and ransomware.
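The encrypt-then-split flow described above, as an added, runnable illustration that is not WWPass's own code and makes no claim about how their storage system is actually built. It assumes a Shamir-style threshold scheme (any k of n parts reconstruct the data; here k is half of n) as the way to realise "only half of the parts are required", and it uses a stdlib-only encrypt-then-MAC construction (SHA-256 counter-mode keystream plus HMAC) as a stand-in for a vetted AEAD such as AES-GCM so that it runs offline without dependencies. The key is generated and held by the caller and is never placed in a share, which is the property the paragraph stresses.

```python
import hashlib
import hmac
import secrets

PRIME = 257  # smallest prime above 255: every ciphertext byte is a field element


def _subkey(key: bytes, label: bytes) -> bytes:
    """Domain-separated subkeys so the keystream and the MAC never share a key."""
    return hashlib.sha256(label + key).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a PRF keystream (illustrative stand-in for a real AEAD)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong key or altered ciphertext")
    return bytes(c ^ k for c, k in zip(body, _keystream(_subkey(key, b"enc"), nonce, len(body))))


def _eval_poly(coeffs, x):
    """Horner's rule mod PRIME; coeffs[0] is the secret byte."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split(data: bytes, n: int, k: int):
    """Split data into n shares (x, values); any k of them reconstruct it, fewer reveal nothing."""
    if not 1 <= k <= n < PRIME:
        raise ValueError("need 1 <= k <= n < PRIME")
    shares = [(x, []) for x in range(1, n + 1)]
    for byte in data:
        coeffs = [byte] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
        for x, vals in shares:
            vals.append(_eval_poly(coeffs, x))
    return shares


def reassemble(shares, k: int) -> bytes:
    """Lagrange interpolation at x = 0 over any k shares."""
    if len(shares) < k:
        raise ValueError("not enough shares to reassemble")
    shares = shares[:k]
    xs = [x for x, _ in shares]
    out = bytearray()
    for i in range(len(shares[0][1])):
        total = 0
        for j, (xj, vals) in enumerate(shares):
            num, den = 1, 1
            for m, xm in enumerate(xs):
                if m != j:
                    num = (num * -xm) % PRIME
                    den = (den * (xj - xm)) % PRIME
            total = (total + vals[i] * num * pow(den, PRIME - 2, PRIME)) % PRIME
        out.append(total)  # the constant term is the original byte, so it fits in 0..255
    return bytes(out)


def demo(plaintext: bytes = b"unreleased episode script (constructed sample)", n: int = 6) -> dict:
    """Encrypt, split across n hypothetical providers, recover from the surviving half."""
    k = n // 2                       # "only half of the parts are required"
    key = secrets.token_bytes(32)    # held by the authorised person, never stored with the shares
    blob = encrypt(key, plaintext)
    shares = split(blob, n, k)
    recovered_blob = reassemble(shares[n - k:], k)   # pretend the first half of the providers are down
    return {"plaintext": decrypt(key, recovered_blob), "shares": n, "threshold": k}


if __name__ == "__main__":
    print(demo())
```

With fewer than k shares `reassemble` refuses, and even a full set of shares only yields ciphertext that `decrypt` rejects under any key but the holder's; that separation is what lets the storage be spread across providers without any one of them, or a thief of any one of them, being able to read the cargo.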

Don’t let your business become a victim of hackers. Companies like Netflix and Amazon Prime are used by so many – and no one is safe. You want to set sail in an iron-clad boat, not a pasta colander, right? I imagine you would probably get a little further. Get a free demo and let WWPass be your skipper.

Single Sign On Solutions and How They Make You Vulnerable

Single sign-on could be the closest thing we have to an authoritative and universal passport, both for your local device and the internet in general. But authentication that excludes intruders and also proves the user's identity is still an area that stops most SSO solutions from ever getting it completely right.

Topics: authentication PassKey SSO single sign-on

How We All Pay The Price for Identity Theft

We can thank identity theft for sixteen billion dollars going missing in 2016. Digital identity theft is a lucrative and sinister business where perpetrators rarely get caught, and recovered funds are even rarer. Merchants and card companies usually fight over liability while the victim has to pick up the pieces, and in some rare cases, get the bill too.

Topics: authentication data breach identity theft

Once More Into the Breach: Log In Safer to Stop the Data Leaks

Late-breaking news: Company X unintentionally exposed X million customers in latest breach. If you’re not used to that headline already, you probably should be. Fool me once, shame on you. Fool me roughly 250 times, and well, we’re beyond shame at this point. It’s time for an authentication overhaul. Now the headline should be: “Company X got hacked. Your passwords should be changed, but they’ll work this time. Honest.”

Topics: authentication data breach

To protect access to proprietary code, Solared Security chooses WWPass authentication


In today’s world, computer code represents one of the most valuable IP assets. When submitted for static analysis, either to an on-premises system or a cloud service, owners of the code must be confident that neither the code itself nor the results of their analyses could fall into the wrong hands. To ensure peace of mind for its customers, Solared Security protected access to its software for cloud-based and on-premises installations with the WWPass authentication mechanism. Access to the code under test and analysis results is only possible for authorized users who possess either WWPass PassKey Lite applications on their smartphones or, for the most secure environments, an original WWPass PassKey (USB/NFC dongle -- see

Topics: authentication

Is HBO Missing a Royal(ty) Opportunity with Game of Thrones?

The Lannisters always pay their debts...until the commoners discover that they can cut the cord and use borrowed credentials to short-change the crown on cable taxes.

Topics: authentication usernames and passwords authentication solutions

Do Hulu, HBO, and Netflix Hate Money?

Changing authentication methods could save streaming apps and services a ton of money from freeloaders. A recent Reuters article suggests that password sharing for major streaming services Netflix and Hulu will be a major issue soon. In an analysis performed by Parks Associates, they estimate streaming providers will lose $550 million in 2019 from password sharing.

But there are potentially billions of dollars in losses from shared credentials. From illegitimate users borrowing accounts to cheating on free trial periods, letting these potential customers continue to stream freely is starting to make everyone sweat a little.