“A reported passkey vulnerability has been walked back, and FIDO is recommended as the fix to the vulnerability of “phishable” MFA wreaking havoc on corporate networks around the world.
“The PoisonSeed attack reported by security company Expel earlier this month does not give access to protected assets, if the FIDO Cross-Device Authentication flow is properly implemented.”
Proper implementation and configuration is essential.
“Businesses are rapidly adopting biometric authentication marketing as it serves a dual purpose: enhancing security and providing a customized marketing experience.”
But does it pay? Yes.
“By integrating fingerprint recognition technology, a retail company optimized its app experience, leading to a 20% increase in online sales. In another case, a banking institution used facial recognition for secure and quick authentication, resulting in a customer service rating boost of 25%.”
There are ways other than biometrics to know who your prospects are, but knowledge based authentication (KBA) such as passwords has its weaknesses. With KBA you may not be interacting with your prospects, but with your prospect’s spouse or child.
JOE’S ALCOHOL EMPORIUM: Evelyn, what types of alcohol do you prefer?
EVELYN’S TEENAGE SON WHO KNOWS HER PASSWORD IS HIS BIRTHDATE: 200 proof, man! Let’s get wasted!
Bredemarket has created targeted, segmented content, including individualized content. Let me help you communicate with your individual prospects. Talk to me.
I’ve frequently talked about geolocation as a factor of authentication, and have also mentioned the privacy concerns that rise with the use of geolocation for identification.
But sometimes it’s not just an issue of privacy, but something more sinister.
Authentic Living Therapy is a counselor specializing in trauma, abuse, emotional abuse, anxiety, depression, self-harm, parenting, and relationship difficulties. The page recently shared an image post on Facebook with the title
“Tracking someone’s location isn’t always about care. Sometimes, it’s about control.”
If you are a tech marketer and want to share how your identity solution protects individual privacy, I can help you write the necessary content. Let’s meet. Before your competition shares ITS story and steals your prospects and revenue.
An authentication factor is a discrete method of authenticating yourself. Each factor is a distinct category.
For example, authenticating with fingerprint biometrics and authenticating with facial image biometrics are both the same factor type, because they both involve “something you are.”
But how many factors are there?
Three factors of authentication
There are some people who argue that there are only really three authentication factors:
Something you know, such as a password, or a personal identification number (PIN), or your mother’s maiden name.
Something you have, such as a driver’s license, passport, or hardware or software token.
Something you are, such as the aforementioned fingerprint and facial image, plus others such as iris, voice, vein, DNA, and behavioral biometrics such as gait.
Somewhat you why, or a measure of intent and reasonableness.
For example, take a person with a particular password, ID card, biometric, action, and geolocation (the five factors). Sometimes this person may deserve access, sometimes they may not.
The person may deserve access if they are an employee and arrive at the location during working hours.
That same person may deserve access if they were fired and are returning a company computer. (But wouldn’t their ID card and biometric access have already been revoked if they were fired? Sometimes…sometimes not.)
That same person may NOT deserve access if they were fired and they’re heading straight for their former boss’ personal HR file.
Or maybe just five factors of authentication
Now not everyone agrees that this sixth factor of authentication is truly a factor. If “not everyone” means no one, and I’m the only person blabbering about it.
So while I still work on evangelizing the sixth factor, use the partially accepted notion that there are five factors.
The FIDO Alliance is one of the chief proponents of the “death of passwords” movement, and is working on delivering secure authentication. But even the most secure authentication method is not 100% secure. Nothing is.
Authentication is a complex undertaking, and the ability to authenticate on a new device is a special challenge. But the FIDO Alliance has addressed this:
“Cross device authentication allows a user to sign in with their device using a QR code.
“FIDO Cross-Device Authentication (CDA) allows a passkey from one device to be used to sign in on another device. For example, your phone can be linked to your laptop, allowing you to use a passkey from your phone to sign into a service on your laptop.
“CDA is powered by the FIDO Client-to-Authenticator Protocol (CTAP) using “hybrid” transport. CTAP is implemented by authenticators and client platforms, not Relying Parties.”
“After entering their username and password on the phishing site, the user was presented with a QR code….
“What happened behind the scenes is the phishing site automatically sent the stolen username and password to the legitimate login portal of the organization, along with a request to utilize the cross-device sign-in feature of FIDO keys. The login portal then displayed a QR code….
“In the case of this attack, the bad actors have entered the correct username and password and requested cross-device sign-in. The login portal displays a QR code, which the phishing site immediately captures and relays back to the user on the fake site. The user scans it with their MFA authenticator, the login portal and the MFA authenticator communicate, and the attackers are in.
“This process—while seemingly complicated—effectively neutralizes any protections that a FIDO key grants, and gives the attackers access to the compromised user’s account, including access to any applications, sensitive documents, and tools such access provides.”
Presumably the FIDO Alliance will address this soon.
If you ignore what Yves-Alexandre de Montjoye et al said about the validity of 12 fingerprint minutiae points in their 2013 study (cited in phys.org), their conclusions about cell phone locations deserve consideration.
“By analyzing 15 months of cell phone mobility data from 1.5 million people, researchers have found that only four spatio-temporal points (an individual’s approximate whereabouts at the approximate time when they’re using their cell phone) are all that’s needed to uniquely identify 95% of the individuals.”
Why?
“[T]he researchers’ data shows that just four spatio-temporal points are needed to uniquely identify the mobility trace of an individual. In other words, it’s not likely that someone else will be in the same locations as you are at four different times of day.”
And once you perform multi-factor authentication by combining geolocation with another factor, such as an address or a social media post, privacy disappears.
“The documents were forged Labour Market Impact Assessments, or LMIAs. Employers typically receive the documents from Employment and Social Development Canada (ESDC) if they want to hire a foreign worker.”
Biometrics aren’t enough. The person may be who they say they are, but the documentation they are holding may be fake.
I’m admittedly fascinated by the parallels between people and non-person entities (NPEs), to the point where I asked at one point whether NPEs can use the factors of authentication. (All six. Long story.)
When I got to the “something you are” factor, which corresponds to biometrics in humans, here is what I wrote:
Something you are. For simplicity’s sake, I’ll stick to physical objects here, ranging from pocket calculators to hand-made ceramic plates. The major reason that we like to use “something you are” as a factor is the promise of uniqueness. We believe that fingerprints are unique (well, most of us), and that irises are unique, and that DNA is unique except for identical twins. But is a pocket calculator truly unique, given that the same assembly line manufactures many pocket calculators? Perhaps ceramic plates exhibit uniqueness, perhaps not.
But I missed one thing in that discussion, so I wanted to revisit it.
Understanding IMEI Numbers
Now this doesn’t apply to ceramic plates or pocket calculators, but there are some NPEs that assert uniqueness.
Our smartphones, each of which has an International Mobile Equipment Identity (IMEI) number.
IMEI stands for International Mobile Equipment Identity. It’s a unique identifier for mobile devices, much like a fingerprint for your phone’s IMEI number.
Now some of you who are familiar with biometrics are saying, “Hold it right there.”
Can someone assert that there has NEVER been two people with the same fingerprint in all of human history?
But let’s stick to phones, Johnny.
Each IMEI number is a 15-digit code that’s assigned to every mobile phone during its production. This number helps in uniquely identifying a device regardless of the SIM card used.
This is an important point here. Even Americans understand that SIM cards are transient and can move from one phone to another, and therefore are not valid to uniquely identify phones.
What about IMEIs?
Are IMEIs unique?
I won’t go into the specifics of the 15-digit IMEI number format, which you can read about here. Suffice it to say that the format dictates that the number incorporate the make and model, a serial number, and a check digit.
Therefore smartphones with different makes and models cannot have the same IMEI number by definition.
And even within the make and model, by definition no two phones can have the same serial number.
Why not? Because everyone says so.
It’s even part of the law.
Changing an IMEI number is illegal in many countries due to the potential misuse, such as using a stolen phone. Tampering with the IMEI can lead to severe legal consequences, including fines and imprisonment. This regulation helps in maintaining the integrity of mobile device tracking and discourages the theft and illegal resale of devices.
IMEIs in India
To all of the evidence above about the uniqueness of IMEI numbers, I only have two words:
So what?
A dedicated person can create or modify multiple smartphones to have the exact same IMEI number if desired. Here’s a recent example:
The Indore Police Crime Branch has dismantled two major digital arrest fraud rackets operating in different parts of the country, seizing a massive database containing private details of 20,000 pensioners in Indore….
A dark room in the flat functioned as the nerve centre of the cyber fraud operation, which had been active since 2019. The group specialised in IMEI cloning and used thousands of SIM cards from select mobile networks.
IMEIs in Canada
“Oh, but that’s India,” you say. “That couldn’t happen in a First World country.”
A Calgary senior is warning others after he was scammed out of $1,000 after buying what he thought was a new iPhone 15 Pro Max.
“I didn’t have any doubt that it was real,” Boyd told Global News….
The seller even provided him with the “original” receipt showing the phone had been purchased down east back in October 2023. Boyd said he also checked the phone’s serial number and the International Mobile Equipment Identity (IMEI). All checked out fine.
Boyd said the first sign of a problem was when he tried to update the phone with his own information and it wouldn’t update. It was only after he took it to a representative at a local Apple retailer, that he realized he had been duped.
IMEIs in general
Even IMEICheck.net, which notes that the threat of stealing one’s phone information is overrated, admits that it is possible (albeit difficult) to clone an IMEI number.
In theory, hackers can clone a phone using its IMEI, but this requires significant effort. They need physical access to the device or SIM card to extract data, typically using specialized tools.
The cloning process involves copying the IMEI and other credentials necessary to create a functional duplicate of the phone. However, IMEI number security features in modern devices are designed to prevent unauthorized cloning. Even if cloning is successful, hackers cannot access personal data such as apps, messages, photos, or passwords. Cloning usually only affects network-related functions, such as making calls or sending messages from the cloned device.
Again, NOTHING provides 100.00000% security. Not even an IMEI number.
What this means for IMEI uniqueness claims
So if you are claiming uniqueness of your smartphone’s IMEI, be aware that there are proven examples to the contrary.
Perhaps the shortcomings of IMEI uniqueness don’t matter in your case, and using IMEIs for individualization is “good enough.”
(Imagen 3 image. Oddly enough, Google Gemini was unable, or unwilling, to generate an image of three smartphones displaying the exact same 15-digit string of numbers, or even a 2-digit string. I guess Google thought I was a fraudster.)
Do you believe in intentional ignorance, stupidity, and idiocy?
Let me put it another way:
Do you believe in the “death of passwords”?
The rationale behind the decades-long death of passwords movement is that passwords do not provide 99.99999% security, therefore NO ONE should EVER EVER EVER use a password, or ANY other form of knowledge (PIN, first pet, what a traffic light looks like, college GPA, favorite RGB value).
I have a different view.
Knowledge CAN be part of a robust multi-factor identity verification or authentication solution.
Just like biometrics CAN be part of a robust multi-factor identity verification or authentication solution. Oh, you think biometrics should be the SOLE (geddit?) factor? I hate to break this to you, but biometrics do not provide 99.99999% security either.
And for the simpler use cases (such as garage sale money boxes), knowledge-based authentication such as a combination lock is a viable security system.
Don’t rely on passwords alone…
…but don’t completely ban them either. Knowledge ain’t dead.
Bredemarket 