Repping Biohackers

So I recently gained the position of Chief Security Officer of an MSP.
I’ve been writing our monthly newsletter and I’m now talking about authentication methods, 2factor, and their vulnerabilities. It’s significantly simplified since it’s for our consumer base which is largely non-technical, but felt good to rep cyborgs around.

Just an excerpt:

  • Biometrics

These are authentication methods that require your own physical body or a device embedded into your body.

This can be your fingerprint, facial image, VivoKey: Spark, and various embeddable devices from DangerousThings.

These are vulnerable if someone gets close enough to your biometric that they can copy it. Some are harder than others to copy, such as a fingerprint.
The facial image however is vulnerable to someone who can take an accurately sized image of your face, and contort the picture to fool the depth sensor.

2 Likes

I love it. Honestly I wouldn’t be surprised if you get some high-profile bigwigs to be interested in getting one to keep their precious data safe.

Congrats on the position!

The idea of a newsletter is great and I’m all for educating everyone, especially those with little technical interest/knowledge.

I, personally, wouldn’t call an implanted RFID tag biometrics since it’s not something unique to a person’s biology like a fingerprint, iris scan, voice recognition or facial recognition.

I would class it as a physical 2FA mechanism that you can’t forget (since it’s implanted). In essence the implants are no different from a typical RFID access tag/card/fob in that the implants don’t provide any increased technical ability being implanted. They can perform the same functions whether implanted or not, thus a person’s biology is not influencing the implant and making it perform any differently.

This is all my opinion and happy to discuss further.

1 Like

I actually debated on this exact thing as I wrote it.
I do have USB tokens and smartcards listed under the Physical token category.
I felt they were close enough to biometrics because the key difference in an implant and a smart card is that it’s in the body. It’s one of those, they fit in both categories kind of deals.

As I wrote my reply I also had the USB tokens in mind too.
My thoughts were that even if you implanted a USB token (don’t) it wouldn’t be any different than one off the shelf. And that I think of the implant like something you have rather than something you are.

It’s one of those, they fit in both categories kind of deals.

Would definitely agree since it’s an odd middle ground.

Personally I believe the 3 pillars of authentication are bullshit…

  • something you know (pin, password, etc.)
  • something you have (token, crypto device, etc.)
  • something you are (biometrics)

The premise that biometrics are unequivocally “something you are” is a false obfuscation of the real facts. The real facts are that a biometric scanner is the same as a keyboard or pin pad. It converts analog data to digital data. A keyboard converts the analog action of meat stick poking keys into digital data, just as a biometric scanner converts analog information from the sensor into digital data… but the structure of that digital data is static… it is not a cryptographic challenge… it is simply a digitized representation of the analog data… and the analog data is what is being used as the authentication mechanism… so just as anyone could type your password in with their own meat sticks to impersonate you, anyone could also emulate your biometric data… either by generating a suitable analogue or by tapping the data lines from the sensor to the processor and pushing in stolen or reconstructed biometric data such that the processor believes the data came from the sensor not an interloper.

Understanding that biometric scanners are doing the same job as keyboard and other human input devices, then it stands to reason that there are not 3 pillars of authentication. In reality, there are only two;

  • static analog data (biometrics, password, pin codes, etc.)
  • digital cryptographic devices (tokens, crypto, vivokey, etc.)

I also believe that the latter should be the primary method of authentication, however the only way to make that practical is with implants. Loss and theft of tokens is all too common to make it a requirement, so it languishes in optional hell.

2 Likes

I’ve had similar thoughts though I’ve never thought much about the 3 pillars.

I’ve always envisioned security is only as good as the authorizer’s ability to identify without mistakes.
A perfect system would know exactly who you are, bones, blood, and mind.
Of course this is not practical or arguably literally impossible bar SciFi.

Even fingerprints, though not easy to defeat, can be defeated with the right tools, time, and skill.

Even if that means holding a relay pinned out directly at the locking mechanism and pushing electricity at just the right times. Security is a race to beat convincing fakes.

1 Like

I’m glad someone else had the same thought as me on this. I had originally written out a big long response but deleted it because I couldn’t find a wording that I actually liked.

At a certain point, everything is just a 2FA mechanism. What’s the functional difference between a fingerprint (something that is unique to you) and an implant containing a unique UID that you use for logging in? In both cases, they’re something that’s unique to you and contain data that you don’t know offhand that help to validate that you are who you say you are. Essentially, I feel like it just boils down to semantics.

1 Like

Exactly… so a UID you can’t change is not any different from a fingerprint… a UID you can change is not any different from a password you can change… both are still firmly in the first pillar… static data. A cryptographic implant like VivoKey you can issue a challenge to is firmly in the second pillar, though the practicality and inherent safety of an implant vs a token you carry with you is fundamentally different.

1 Like
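The distinction drawn in the posts above between static data and a device you can issue a challenge to, as an added example that is not part of any post in this thread: a verifier accepts a recorded static value again, but rejects a recorded challenge response. HMAC-SHA256 with a shared key is an assumed stand-in for the token's cryptography (it is not VivoKey's actual protocol), and all names and values are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not real credentials.
ENROLLED_STATIC = bytes.fromhex("04a1b2c3d4e5f6")  # fixed UID or digitized template
DEVICE_KEY = secrets.token_bytes(32)               # secret that never leaves the token


def verify_static(presented: bytes) -> bool:
    """Static check: any bytes equal to the enrolled value are accepted."""
    return hmac.compare_digest(presented, ENROLLED_STATIC)


def token_respond(key: bytes, nonce: bytes) -> bytes:
    """What the cryptographic device computes internally for one challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class ChallengeVerifier:
    """Issues single-use random challenges and checks the keyed response."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:   # unknown or already-used challenge
            return False
        self._pending.discard(nonce)     # each challenge is valid once
        return hmac.compare_digest(response, token_respond(self._key, nonce))


def replay_outcomes() -> dict:
    """Record one legitimate session of each kind, then present the recording again."""
    seen_static = ENROLLED_STATIC        # the bytes that crossed the sensor/reader wire
    verifier = ChallengeVerifier(DEVICE_KEY)
    n1 = verifier.new_challenge()
    seen_response = token_respond(DEVICE_KEY, n1)
    first_ok = verifier.verify(n1, seen_response)
    n2 = verifier.new_challenge()        # verifier picks a fresh value next time
    return {
        "static_replay": verify_static(seen_static),
        "challenge_first": first_ok,
        "challenge_replay_same_nonce": verifier.verify(n1, seen_response),
        "challenge_replay_new_nonce": verifier.verify(n2, seen_response),
    }
```
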

Ottomange:
What’s the functional difference between a fingerprint (something that is unique to you) and an implant containing a unique UID that you use for logging in?

amal:
both are still firmly in the first pillar… static data

I completely agree that they are similar. What I originally mentioned was that the implants aren’t biometric as they don’t have a biological influence despite being within the body, thus I wouldn’t class them as a biometric security mechanism akin to a fingerprint/iris scan.

I would class it as a physical 2FA mechanism

To elaborate, a physical statically assigned 2FA security mechanism that will always have the same result no matter how it’s challenged.

With regards to static vs cryptographic, I agree that fingerprints aren’t functionally different than a true UID. Both can’t change and can be cloned/copied since they don’t change and are static.