Welcome to tech Stuff, a production from iHeartRadio. Hey Thearon, Welcome to tech Stuff. I'm your host, Jonathan Strickland. I'm an executive producer with iHeartRadio. And how the tech are you? Well, it's time for another tech Stuff classic episode and this episode is titled Authentication, Tech and You. It originally published on February twenty second, twenty seventeen. Let's have a listen. I feel like security is becoming a bigger and bigger concern as it should be for a lot of people. People are more aware of it, I think than they were perhaps five years ago. Not everyone is practicing good security measures. Not everyone's practicing two factor authentication or multi factor authentication. We'll talk about that in this episode. And if you weren't familiar with what that's all about, That's why I'm wanted to do the show was to kind of explain what that actually means and why it is important. Authentication is something that we should probably define. First of all, it's the process or action of proving something to be true, genuine, or valid. So that covers a broad spectrum right authentication. You could be talking about authenticating a historical artifact. That's a great example, you bring a historical artifact to an expert, they authenticate that it is in fact a historical artifact and not something that was whipped up in some sort of souvenir shop and some out of the way place. But authentication has a very special role in the world of technology. In the world of computers and electronics, it gets a bit more specific. It's the process of verifying the identity of a user or a program or process. You want to make certain everything is authentic so that a program or person doesn't get unauthorized access to a system. So you're probably familiar with a lot of authentication processes, even if you didn't call them that, because you yourself have to employ them on a regular basis. Programs do too. But I'm not gonna really spend a lot of time talking about programs. In fact, I'm really not going to dive into it at all because that gets super technical, and really I think it's more important to focus on the stuff that you have a direct involvement with, unless, of course, you're a programmer, in which case Mia Kulpa. So I'm going to focus on authentication technology targeted at humans. So one day maybe I'll do a software one if there's a lot of requests for it. But I feel like that might just get a little too deep in the weeds. So I'm going to talk about the stuff you and I encounter when we try to access or protect our technology and our data. Now, there are a ton of different ways to do this. Some of them are inherently stronger methods of authentication than others and are better as far as being more secure, And all of these authentication strategies can be divided into three broad categories. Those categories are inherence factors, knowledge factors, and ownership factors. So when you hear about two factor authentication, we're talking about a specific strategy that employs different different approaches belonging to different factors. Now, that doesn't really mean anything unless I expand on it. So an inherence factor relies upon the user him or herself. In other words, it has something to do with you as a user. It has to do with either your physical traits or your behavioral traits. So a very easy to understand example of this would be a fingerprint scanner. Right, like your fingerprints are unique to you, It is something you have inherited, is inherent in who you are. So it's an inherence factor, But there are lots and lots of others, and I'll talk about some of those later on this episode. Knowledge factors are pretty self explanatory. Those are authentication strategies that rely on something that the user knows, like a password or a personal identification number otherwise known as a pen. Ownership factors are also pretty easy to understand. Those rely on something the user possesses, like a key card for security door. That would be an ownership factor. Now, on top of those categories, you have the additional strategies to enable authentication, which includes that two factor authentication that I talked about before. And maybe you don't know exactly what that means, well, that's why i'm here. Really, single factor authentication relies on just one component to access a system. So, for example, a lot of smartphones require users to unlock the device with a pin or a swipe pattern or a fingerprint scan. But that's it, right, You just have to do one of those things. You don't have to do multiple things, and once you do, whichever method you've enabled on your device, you have access to it. There's no secondary requirement. Systems that use single factor authentication are weaker than those that require more than one authentication strategy. In general, there are some different definitions for strong authentication I'll get into, and you could argue that some inherence factors are so strong as to be fine on their own, But in general, going with a single factor is less secure than going for a two factor authentication strategy, which is exactly what it sounds like. It requires two different authentication factors. That means the system will require users to provide authentication in two of those three categories. So an example of this is an ATM card. If you want to use an ATM card, you need to provide the card. That's an ownership factor. You have to be in possession of the card, and you have to supply the pen that's the knowledge factor. So you have an ownership factor and a knowledge factor. Those are two factors. That's two factor authentication. Possession of one factor should not be sufficient to access the respective system, nor should it lead to the discovery of the second factor. In other words, if you get hold of the card like you get hold of someone else's card, ideally there should be no indication on the card of what the pen is because you need both of those things in order to access someone's account, and if you make sure that only one of the two things is in possession of somebody else, they still can't get your stuff. So that's why you want the two factor authentication. You have to possess or know both of the authentication requirements independently of each other. This also applies to other factors as well. It doesn't just have to be knowledge and ownership. It could be ownership and inherence. It could be knowledge and inherence. You get the idea. So, if you've enabled two factor authentication on various online accounts, which I urge you to do for any accounts that actually offer it, you've likely had to supply a password as well as a code sent to you in some way. For example, you might have an email account that when you try and access it using a brand new device, says, all right, well what's your password? So you typed a little password in and then says all right, well, now I'm going to send you a code via text message. You need to put that code into this little box here, and then I'll give you access to your email. So the past this word part taps into that knowledge factor because you know the password and the text message taps into the ownership factor because there's a specific cell phone with a specific cell phone number associated with your email account, so you have to be an ownership of the cell phone in order to receive the text message and complete that authentication strategy. Many two factor authentication systems will actually allow you to designate specific devices as being safe quote unquote safe, meaning that you don't have to do that every single time you log in from that specific device. That way, you don't end up waiting for a text message every time you try and check your email from your personal laptop, computer, or smartphone. Now, there are systems that require even more forms of authentication, and we typically group these under the category multi factor authentication, indicating you've got to supply at least two methods in order to access the respective system. So technically, two factor authentication is a type of multi factor authentication. Most of the time, when I encounter it, multi factor is being used to mean more than two. I haven't personally ever encountered a system where I've had to supply more than two factors. But then again, no one trusts me with anything that's that important, so no big surprise there. Now, confusing matters somewhat. Is this term called strong authentication, which is used in a lot of different places, including the European Union. In fact, it's very prominently used in the EU. At first glance, you might think strong authentication and two factor or multi factor authentication are synonymous, that in order for it to be strong, it must be at least two factor authentication, But that's not actually the case. If a single authentication strategy is deemed secure enough, it can fall under the category of strong authentication. And so there's a lot of disagreement over what the actual definition is. It makes it pretty confusing. But let's give you an example. Let's say that there's a retinal scanner that scans the pattern of blood vessels in your eye. Now that's really difficult to replicate compared to other biometric measures such as a fingerprint, which you could, in fact, if you're very clever fake. So in the European Union, a system that looks at the blood vessels in your eye for authentication might be considered strong even though it's just a single factor. Let's say you don't have to provide any other information, it's just a quick scan of the eye and you're in If the system is robust enough, and if it's looking at something that is difficult enough to replicate, it could still count as strong authentication. It could even refer to knowledge based factors. So let's say a system requires you to answer a series of unrelated questions when you set up your account. Accessing the account at a later time requires that you replicate those answers. You've got to remember how you answered the questions when you first set it up. It's kind of like the security questions a lot of different systems use right now. Now, because these questions are unrelated and knowledge of one answer doesn't provide any of the other answers, that could be considered strong authentication. Now, personally, I find that method to be a little on the flimsy side, but I'm not the one making definitions. I'm just reporting them to you guys. Now we've got the basic definitions out of the way, let's dive into a bit of history, because you guys know, I love to talk about the history of the various technologies and processes we've developed over the years. So the concept of authentication is ancient. It predates electronics by centuries. Throughout the years, people would have to provide some sort of proof of their identities. It might require someone else to vouchsay for a person, or it might require a special seal belonging to a particular office or noble house, placed upon an official document. You may have heard that a lot of those documents would be sealed with wax, and then someone would use a signet ring in order to put a specific stamp in that wax. That was considered a form of authentication. If you saw the proper symbol, then presumably it came from the proper place. Not that you couldn't create a fake of that if you really wanted to, but you know that was the idea. Or you might even just have a password shared between a small group of people. So as long as there have been secrets, there have been means to identify those who should and should not have access to those secrets. And secrets predate the written word. But let's talk about passwords and authentication and electronics, because honestly, if I did a full episode about the history of passwords, that would not really be tech stuff. That would be an awesome, awesome episode of stuff they don't want you to know. Hint, hint. So computer passwords actually pre date personal computers. Back in nineteen sixty one, MIT created a password system for authorized access to its Compatible Time Sharing System or CTSS. CTSS allowed multiple users to access the same computational core. So imagine that you are in a room and it's filled. There's like lots of tables everywhere, and every table has a couple different workstations. Every workstation has a screen and a keyboard, but not a computer. They just have the keyboard in the screen, which are connected via cables to a single computer. Everyone is sharing the exact same computer. Well, way back in the day, that's how a lot of computer systems were made. They didn't have personal devices at every station. The stations were just dummy terminals that connected to a core system. Also, in those days, time sharing meant that the computer actually would divvy up when it was specifically available to do your calculation. So let's say you're typing in something, you're programming some code, and you send it to the computer. It would be responding to each station in turn, and it's doing it so fast that it feels almost instantaneous, or close enough to it, but in fact it would be responding in sequence. As people had logged into the various terminals now obviously using the same computer for all these dummy terminals create some challenges. How can each individual user maintain control over his or her data? How do they maintain their own private files? Because every user had a set of private files that other users should not be able to access without authorization. I mean, one person might be working on a project, someone else is working on a totally different project. You don't want those files to intermingle. You had to partition that stuff. So without a password, you really couldn't do that. So if everyone using a core machine as the processor in storage unit, you had to create some means of differentiating one user from another. The solution was the password, So every user would get a unique password to enter into the system, which would then allow that user to create and access private files. And it also helped control the amount of time any individual user had with the machine. Because these machines they were rare. There were only a few of them in nineteen sixty one, so the time on those machines was very valuable. You know, people were hoarding time. They were trying to do their best. You know, you might only get a few hours a week, so they would end up parsioning that out through passwords. It was kind of like a controlled ticket system so that a ride doesn't get overwhelmed with a ton of people. You release a certain number of tickets per hour and you keep the traffic flowing steadily. Same sort of thing, except in this case it was with a computer access so as a way to control the point of entry into the system. We're going to take a quick break from talking about authentication tech to thank our sponsors. Now, at that time, the passwords were pretty simple, and they were not really secure at all. It was more for the matter of convenience than security really. After all, this predated the Internet, so external access to the system wasn't really a factor. If you wanted to get your hands on those sweet, sweet private files, you actually needed to have physical access to the system itself. You couldn't just hack in from across the country. So in a way, that's one factor of authentication all by itself. Ownership in this case, the ownership doesn't really refer to something that you personally owned, but rather your physical access to the system. But these weren't encrypted or stored in a particularly safe way. They were in plain text. So just a year after they debuted this password strategy, a graduate student named Alan Scherer accessed the entire list of unencrypted passwords stored on the system and printed them out. Now, the reason Shared did this was not to access private files created by other people. It was so that Share could get more time on the system because every student was allotted just four hours of access per week, and he needed more access, and he figured, well, there's all these other hours of access that are going unused from other students. That's not fair. I'll just take their hours and use them myself. The way he did this was he actually created a punch card that contained the file name and location for the password list, and it also contained a set of instructions that said take this file and send it to a printer. Didn't even have to physically look at this file at all. He just had to figure out what was the file name, where was it located on the system, and then include the instructions send to printer. By the way, if you want to know more about how punch cards work and the way that they were an integral part of early computing, you can actually listen to a classic two thousand and nine Tech Stuff episode titled Computers from the past, and Chris Palette and I talked a lot about them in that episode. So it's easy in hindsight to criticize the MIT strategy. But keep in mind this was at a time when unauthorized access to computers was exceedingly rare, because well, the computers were exceedingly rare. As computers began to proliferate throughout all areas of life, the need for more secure access strategies grew. According to Roger Needham, who was a professor of computing at Cambridge University, the Cambridge Lab came up with a concept to make passwords more secure, and that's the concept of hashing. Now, that's when you convert passwords of variable lengths into a fixed length string of characters using an algorithm for the transformation. It's a fancy way of saying, no matter how long or short a password is, you put it through a series of mathematical processes. Will you convert the password into numerals first? Then you do this series of mathematic processes, the result of which is you get a much longer string of characters and that represents the password. And it doesn't matter how long or short the original password was. All of the hashed versions of the password are the same length. So let's say the hash is eighty characters long. That means if your base password is pass or its anti disestablishmentarianism or anything else, it will end up converted into a string of eighty characters. So if someone gets hold of the hashed passwords, those are the only ones that are being stored on the system, they would still have to figure out what was the mechanism used to generate the hashes in order to guess what the root password was, because otherwise they're all going to look like they're eighty characters long. You won't know which ones were short passwords or long passwords. In order to do that, obviously, you have to decide upon what the specific sequence of mathematical operations are going to be and what seed you're using for those operations. And once you do that, then you're able to make these kind of changes. So Needham said that the system was created and implemented in the mid to late nineteen sixties, so it wasn't very long after the MIT rollout of passwords. Now later, still, computer scientists began to develop more secure hashing strategies. This includes salting passwords, which means adding characters to a password before you hash it. So a simple example of this is using a computer's claw to insert digits into the password and then hashing the new password, which makes it even harder for a hacker to figure out the root password from the hash because they need to know at what time that operation was performed on the original password, otherwise they wouldn't be able to replicate the original password. Now, this is easier to understand if I give you an example. So let's say your password has been set to let's say tech stuff. You chose tech stuff as your password. First of all, that was dumb. Don't do that. Don't pick a word that's easy to guess, even if it's a name like tech stuff, which is granted an awesome show. But you've chosen tech stuff for this example. You access the system at two thirty five in the afternoon. Let's say that the computer converts that into military time, so that gives you fourteen thirty five, and then it salts your password with those numbers, so instead of it just saying text stuff, now it says T one E four C three H five stuff. That password then gets hashed into that eighty character long version stored on the computers. By the way, that eighty characters is just an arbitrary example. It doesn't really mean anything. I just need a number for the example. Now, let's say you access the same system the following day, but this time it's one twenty three in the afternoon. Remember it was two thirty five the day before, but now it's one twenty three the next day. The salted password is going to be different because it's going to convert one to twenty three to military time, and then it's going to salt the password that way, so it would be T one E three C two H three stuff. The hashed value will end up being different as well, because it's inserted those new numbers. So that means that if the hacker gets two versions of your hashed password, they're still going to be different from each other. It's all going to be dependent upon the time you tried to access the system. Now itself, it knows when you were accessing it, so it's able to do all of this decoding easily. There's no problem for the system, but it makes it difficult for a hacker to figure out what your password was based upon the hashed value that appears inside the system. Now, of course, hackers can bypass all that and try to hack a password using brute force. That's when someone and usually it's a computer program not a person these days, submits endless guesses into a password protected account in order to gain access. There's no need to work backward from hashed values. Using this approach, you're just guessing the root password from the get go. But it takes a lot of time, particularly if the user has created a strong password. So the longer and more complex a password, the less likely a traditional computer can hack it in a reasonable amount of time. Given enough time and enough computing power, any password and ultimately be cracked by brute force. But the more complex it is and the longer it is, the more time it requires to a point where it can approach time that last centuries, which means no one's going to bother to do it because they're not going to be around to actually see it work. Assuming you've picked a good strong password, So why you should never use real words or even names as a password. They're too easy for a computer to guess using what's called a dictionary attack, So make sure you create those really strong passwords and as always, I like to recommend using a password management program so that way you don't have to remember those strong passwords, because obviously the downside to creating a strong password is they're difficult to remember. It's really easy to remember a word like tech stuff, but that's not very secure. Unfortunately, the more secure approach is also difficult to remember, and you don't want to just write stuff down someplace because that kind of defeats the purpose of having a secret password. Having a really good password management system and then just having to remember one good master password simplifies things. So I recommend that. Well, I've got a lot more to say about authentication strategies, but before I get into it, let's take a quick break to thank our sponsor. Okay, so I think we've covered passwords pretty thoroughly. Let's talk about some other authentication strategies. One of the earliest authentication systems and electronics was the personal identification number, or PEN. And technically, yeah, if you say PEN number, you're repeating yourself, just as if you were to say ATM machine. And I still do it just like a lot of people. If someone can realistically argue that irrespective is a word, I can argue pen number is acceptable, dang it, so don't write me. The PEN debuted on the world scene in nineteen sixty seven. That's when Barclays of London introduced the first ATM system, which a man named John Shepherd barn invented Barclays to come up with a method that kept customer's finances safe. Otherwise, anyone might be able to access anyone else's money, and that does not make for a very positive banking experience. I mean it does for the person who makes off with all the cash, but for everybody else it's pretty negative. The solution was the PEN, which was a numeric code unique to the customer. The standard for pen management is actually called ISSO nine five six y four dash one ISO ninety five sixty four dash one. Technically, this standard allows for a spectrum of pen lengths. We're mostly used to four digits, but it doesn't have to just before you could go from four that's the minimum number of digits you can use, but you can use up to twelve digits. But we humans tend to have trouble remembering lots of unrelated numbers, and if you're choosing lots of related numbers, then that makes it pretty easy for people to guess your pin. So most ATMs, especially in the banking and finance industry, would require a pin of four digits in length, which dates back to the first ATM system. So why was the number four picked in the very beginning? Why just four digits? Well, that's because John Shepherd Barren, who originally was going to use a six digit pen system, found his wife Caroline, had trouble remembering anything more than four digits, so he sensed that there could be a possible problem with longer pins and decided to stick with four digits instead of six. That's why we have that now. Those early ATMs didn't accept plastic cards with a magnetic stripe on them the way modern ones do, and obviously the chip and pin system was decades away. So instead, what you would use as a check you would actually insert a check into the machine, and each check had information encoded upon it that allowed the ATM to read the information on it, for example, how much money it represented and who it was supposed to go to. You would couple this with the proper pen, and then the ATM could dispense cash at all hours of the day, which eliminated the need for people to make time to access the bank during bank hours, which we all know are the shortest hours in the world. If you'd like to learn more about ATMs and how they work, be sure to check out the classic episode of tech stuff called appropriately Enough How ATMs Work. I republished it in February twenty fifteen, so you can listen to that, but it actually dates much further than that. This is really a blast from the past with some of the stuff in this episode. Now, another strategy is to use tokens. That's very popular for authentication strategies. There's several versions of these, including tokens that have a static code that acts like a key to a system's line. Now, those are not terribly secure because if someone else gets hold of that token, they can pretty much get into the system. They represent kind of a single factor method of authentication on their own. For example, if you work in a building that requires you to tap a security card to a panel in order to unlock the door, that's a single factor approach, right. There's no other need to submit any other proof that you should have access. As long as you possess the security card, you can enter the building. It's just like having a physical key to a physical lock, you could pair that with another factor and then make the security stronger. Right, there could be some other additional information or element that you'd have to supply apart from just owning the card, and that would make it a two factor authentication approach, and that would make it a stronger secure system. Now, there are a lot of tokens that are used in two factor authentication, and one of the most common is a device with a small led screen that displays a string of seemingly random numbers when you activate it, and those seemingly random numbers change when you activate it over time. Let's say that you pull out this token in order to access a system it's asking for this code. You press a little button, the numbers light up, and you type the numbers into the system and it gives you access. And then the next day you want to access it again, you pull up the token, you press a button, a totally different set of numbers shows up, you type those into the system, you get access to it. What the heck is going on? How does that work? How does how does the token magically know what numbers to create? It's actually a pretty elegant system as it turns out. I'll give an example of one way this can happen. It's not the only way, but it's a pretty common one. So in most of these devices, the token has a low power clock which is synchronized to the system that it is related to, and it also has a serial number associated with the specific token. The token uses those two values to generate what is called a pr NG value, and pr NG stands for pseudo random number generator and it means pretty much what sounds like. It can create a string of numbers that appears to be random, though ultimately those numbers are in fact determined by an ordered series of calculations. But you have to know what those calculations are and what the two different numbers were to start off with in order to get the pseudorandom result. So when you're typing in the string of numerals into a system, the system runs the same pr NG operation using the same time stamp and the serial number for the token. Now, that obviously requires the system to quote unquote, know what your token's serial number is, so you have to have an official registered token, and if the system's results match the one that you typed in, you're authenticated. So typically these codes that you generate have a shelf life of a certain amount of time. Let's say it's thirty minutes. So you use the token, and it takes the closest time at the thirty minute mark from when you push the button. So you push the button at two thirty five. It says two thirty, and it runs the operation. It gives you some numbers. You type it into the system. The system looks at its clock. It says, oh, it's two thirty seven. Well, the closest half hour mark was two thirty, so I'll use that to start off with. I happen to know that the serial number for this particular token is such and such. I'll use that to perform the same number of operations, and it should create the exact same result. If it doesn't create the same result, it means that you've somehow spanned over that time limit and you're going to have to generate a new code and insert it again, or something has gone wrong, or you're just trying to access the system that you don't actually have a token for, which would be kind of foolish because you'd have to be incredibly lucky to just magically type in the right string of numbers in order to get access. Another great area to explore is biometrics. I love this field because, when implemented properly, it's pretty difficult to replicate biometrics. That all has to do with our physical attributes, right, It's tough for bad guys to get into a system that happens to be based on our physical traits. We did an episode called Biometrics Digital Fingerprinting back in twenty fourteen. But let me give you a quick rundown of the history of biometrics. First of all, fingerprints have long been used as a means of identification. Actually centuries before the practice was officially adopted by law enforcement. On ancient business transactions, merchants and customers would sometimes use fingerprint marks in clay tablets as a kind of signature. It would identify the person who had purchased a good from someone else. It wouldn't be until the late eighteen hundreds the law enforcement jumped on the fingerprint bandwagon once the establishment accepted the fact that no two sets of fingerprints were alike, which was It's something that ancient people had known for ever, but it just hadn't been accepted as a scientific fact for a very long time. A couple of people named Azizul Hawk and Edward Henry created a system for indexing and classifying fingerprints for the purposes of criminal investigation. Now. They based that partly on a classification system that was developed by another man named Sir Francis Galton, but that system was more for academic purposes right to describe fingerprints, whereas Henry wanted a system that could be used in investigations, legal investigations, criminal investigations. Mark Twain actually wrote a story in the eighteen nineties in which a character put on trial asks that his fingerprints be compared to some left at the scene of a crime in order to prove his innocence. In nineteen sixty three, the Hughes Research Laboratory published a research paper about fingerprint automation. The lab which is today known as HRL Laboratories, which I guess makes it another repetitive term, because I'm assuming HRL already stands for Hughes Research Laboratory, so the new name could be interpreted as Hughes Research Laboratory Laboratory. So stop bugging me about pen numbers, is what I'm saying. Anyway, It used to be the research and development division of Hughes Aircraft. Today it's owned by Boeing in General Motors. But back in the nineteen sixties, the Lab published a paper about automated fingerprint identification. It kind of acts as the foundation for fingerprints scanning today. It's basically automating a system that has been performed manually, which is where you take two sets of fingerprints. You have your reference set and you have your submitted set, and you want to compare those together and look for points of similarity. And if you have enough points of similarity, the likelihood of the fingerprints belonging to someone else drops to near zero. So it means someone who happens to have very similar fingerprints to the person in question, the reference happened to be in the same geographic region around the same time, and if there are enough sufficient points of similarity, this becomes increasingly unlikely. So while researchers worked on creating automated systems for fingerprint identification, others were working on similar systems for facial recognition and voice identification strategies. Essentially, any aspect of a person that would be intrinsically unique to him or her was considered an interesting value to quantify and classify for good or for ill. In nineteen seventy four, the first commercial hand geometry systems launched. Dylan, you ever have to use a hand geometry system where it measures your hand? Dylan shaking his head. No, I did. It was a regular part of the University of Georgia when I was there. So this is a scanner that looks at the hand, the shape of a person's hand, and compares it to a database and it authenticates the person based on hand geometry. So you have to set up your profile right you scan your hand for the first time, and it associates your hand geometry with you the person. Every time you scan your hand later on, it goes in references that database and says, hey, does this match with the hand that we measured that first time, And if the answer was yes, it authenticated you. So my university's food hall had one of these. If you wanted to eat, you had to stick your hand in the machine. Kind of got a little bit sort of Flash Gordon esque. You know, you sit there wondering if you're going to get your hand back after you put your hand in there. But I mean if you want tater tots, you just had to do it, or in my case, chili cheese fries, which I ate way too frequently. I digress. In nineteen seventy five, partially funded by the FBI, researchers began to develop fingerprint scanners. Now. The first of those used capacitive detection, which wasn't terribly precise in the nineteen seventies. Most smartphones these days actually use this approach. Capacitive touch screens use that. Essentially, touching the screen alters an electric field on the phone because we conduct electricity. It's a very weak electric field, but we conduct electricity. Touching a device that has an electric field running across the surface disrupts that electric field, and it actually allows a device to detect the presence and orientation of a touch, so it knows the X and y axis of where you are touching on a screen. That's why if you wear non capacitive gloves while trying to work an iPhone, nothing happens because it cannot hold that capacitance. So the screen isn't a resistive touch screen. It can't detect a touch unless that capacitance is there. Our capacitive aspect is there. Rather not capacitants. Sorry about that misspoke. Well, speaking of the iPhone, the touch ID on the iPhone five S and later models actually uses capacitive touch to authenticate a fingerprint, just like this system did in nineteen seventy five, except the days it's way more precise than the tech was capable of back in the seventies, so it's much less likely to give a either a false positive or to deny someone access to their phone. It may require you to scan a second time if you didn't get a good representation of your fingerprint when you were trying to unlock the phone, but it's not likely to deny you because it cannot identify your fingerprint now. In nineteen eighty five, two doctors Aaron Sefir and Leonard Flom proposed that irides could be unique to a person. And you might say, well, what a I rides? Well, iride is the plural for iris, so we're talking about the pigmented membrane surrounding the pupil in your eye. By nineteen eighty six, these two ophthalmologists received a patent for their approach to use irides for authentication and identification purposes. By nineteen ninety five, the first IRIS identification security systems became part of the Defense Nuclear Agency. So all those spy movies where you see someone leaning forward and getting their eye scanned, that's a real thing. Our irises or eye rides, i should say, are unique to us, and so that is a pretty tricky thing to replicate. You probably have seen at least one or two movies where someone got hold of somebody's eyeball and got access that way, or knocked a person out then forced their eye open and held their head up to the scanner, But in general not easy to replicate without access to somebody who already is authorized to enter that area. Over the next several years, advances in biometrics opened up new opportunities, not just for authentication or security. So facial recognition is a great example. It's been incorporated into dozens of technologies, probably most notably into our cameras, including the cameras and our smartphones. And sometimes it's a simple implementation which just detects a face in order to focus properly on a subject. Sometimes it's more complicated, so it might allow for automatic tagging of images because it can recognize people based on their facial features. You probably had some experience with this in some capacity. Organizations also began to form around this time to create standards for biometric implementations. This would reduce the chance of competing technologies with varying degrees of efficiency and accuracy from interfering with each other, and by two thousand and three, the US government began to formally coordinate biometric implementations. Meanwhile, the International Civil Aviation Organization created a global standard to incorporate biometric data into travel documentation like passports, and ten years later, in twenty thirteen, you could find biometric solutions built directly into personal electronics like laptops and smartphones. In fact, I had a fingerprint scanner from before twenty thirteen where you just you would actually have to slide your finger kind of like a copier against the little panel and if your fingerprint matched, it would unlock your computer for you. I actually had that one. Hear at how stuff works, I miss it sometimes. Well, I've got a lot more to say, but first let's take another quick break to think our sponsor. All right, things like fingerprint scanners are not foolproof. It is possible, although challenging, to lift a person's fingerprint from something they've handled, scan it and replicate it. A couple of different ways to do this. Some of them require access to some equipment and materials most of us don't have in our homes, so it's not like it's practical for the average person. But the point is, with the right determination and the right know how, and specifically the right materials, you can create a fake fingerprint. And you might use something like latex or even wood glue, and you could lift a fingerprint and use it to fool certain authentication systems. If the system is just looking for a particular pattern on a fingerprint, the copy could be good enough to fool the system, particularly if you can overlay the copy on top of your own finger This would provide the capacitive connections. So, in other words, let's say I've got a latex fingerprint and I need to access a phone. Well, if I just lay the latex down against the capacitive screen, it's not really gonna affect anything. If I put an actual living tissue behind it, that's a different story. So how do you defeat that sort of security vulnerability. Well, I had the opportunity to speak with doctor P who's the chief technology officer of goodex to talk about a fingerprint scanner with an additional measure of security to counteract those sort of spoofing attempts. Here's what we talked about, doctor p. Let's start off by talking about how biometrics are transforming security in the technology field, specifically for things like consumer tech, because my listeners are very interested in that, the concept of using biometrics to access various devices. I think probably the example most of them would be familiar with it would be smartphones. Uh, can you talk a little bit about how that has developed over the last few years and and why it is such a compelling component for security.

Welcome to tech Stuff, a production from iHeartRadio. Hey Thearon, Welcome to tech Stuff. I'm your host, Jonathan Strickland. I'm an executive producer with iHeartRadio. And how the tech are you? Well, it's time for another tech Stuff classic episode and this episode is titled Authentication, Tech and You. It originally published on February twenty second, twenty seventeen. Let's have a listen. I feel like security is becoming a bigger and bigger concern as it should be for a lot of people. People are more aware of it, I think than they were perhaps five years ago. Not everyone is practicing good security measures. Not everyone's practicing two factor authentication or multi factor authentication. We'll talk about that in this episode. And if you weren't familiar with what that's all about, That's why I'm wanted to do the show was to kind of explain what that actually means and why it is important. Authentication is something that we should probably define. First of all, it's the process or action of proving something to be true, genuine, or valid. So that covers a broad spectrum right authentication. You could be talking about authenticating a historical artifact. That's a great example, you bring a historical artifact to an expert, they authenticate that it is in fact a historical artifact and not something that was whipped up in some sort of souvenir shop and some out of the way place. But authentication has a very special role in the world of technology. In the world of computers and electronics, it gets a bit more specific. It's the process of verifying the identity of a user or a program or process. You want to make certain everything is authentic so that a program or person doesn't get unauthorized access to a system. So you're probably familiar with a lot of authentication processes, even if you didn't call them that, because you yourself have to employ them on a regular basis. Programs do too. But I'm not gonna really spend a lot of time talking about programs. In fact, I'm really not going to dive into it at all because that gets super technical, and really I think it's more important to focus on the stuff that you have a direct involvement with, unless, of course, you're a programmer, in which case Mia Kulpa. So I'm going to focus on authentication technology targeted at humans. So one day maybe I'll do a software one if there's a lot of requests for it. But I feel like that might just get a little too deep in the weeds. So I'm going to talk about the stuff you and I encounter when we try to access or protect our technology and our data. Now, there are a ton of different ways to do this. Some of them are inherently stronger methods of authentication than others and are better as far as being more secure, And all of these authentication strategies can be divided into three broad categories. Those categories are inherence factors, knowledge factors, and ownership factors. So when you hear about two factor authentication, we're talking about a specific strategy that employs different different approaches belonging to different factors. Now, that doesn't really mean anything unless I expand on it. So an inherence factor relies upon the user him or herself. In other words, it has something to do with you as a user. It has to do with either your physical traits or your behavioral traits. So a very easy to understand example of this would be a fingerprint scanner. Right, like your fingerprints are unique to you, It is something you have inherited, is inherent in who you are. So it's an inherence factor, But there are lots and lots of others, and I'll talk about some of those later on this episode. Knowledge factors are pretty self explanatory. Those are authentication strategies that rely on something that the user knows, like a password or a personal identification number otherwise known as a pen. Ownership factors are also pretty easy to understand. Those rely on something the user possesses, like a key card for security door. That would be an ownership factor. Now, on top of those categories, you have the additional strategies to enable authentication, which includes that two factor authentication that I talked about before. And maybe you don't know exactly what that means, well, that's why i'm here. Really, single factor authentication relies on just one component to access a system. So, for example, a lot of smartphones require users to unlock the device with a pin or a swipe pattern or a fingerprint scan. But that's it, right, You just have to do one of those things. You don't have to do multiple things, and once you do, whichever method you've enabled on your device, you have access to it. There's no secondary requirement. Systems that use single factor authentication are weaker than those that require more than one authentication strategy. In general, there are some different definitions for strong authentication I'll get into, and you could argue that some inherence factors are so strong as to be fine on their own, But in general, going with a single factor is less secure than going for a two factor authentication strategy, which is exactly what it sounds like. It requires two different authentication factors. That means the system will require users to provide authentication in two of those three categories. So an example of this is an ATM card. If you want to use an ATM card, you need to provide the card. That's an ownership factor. You have to be in possession of the card, and you have to supply the pen that's the knowledge factor. So you have an ownership factor and a knowledge factor. Those are two factors. That's two factor authentication. Possession of one factor should not be sufficient to access the respective system, nor should it lead to the discovery of the second factor. In other words, if you get hold of the card like you get hold of someone else's card, ideally there should be no indication on the card of what the pen is because you need both of those things in order to access someone's account, and if you make sure that only one of the two things is in possession of somebody else, they still can't get your stuff. So that's why you want the two factor authentication. You have to possess or know both of the authentication requirements independently of each other. This also applies to other factors as well. It doesn't just have to be knowledge and ownership. It could be ownership and inherence. It could be knowledge and inherence. You get the idea. So, if you've enabled two factor authentication on various online accounts, which I urge you to do for any accounts that actually offer it, you've likely had to supply a password as well as a code sent to you in some way. For example, you might have an email account that when you try and access it using a brand new device, says, all right, well what's your password? So you typed a little password in and then says all right, well, now I'm going to send you a code via text message. You need to put that code into this little box here, and then I'll give you access to your email. So the past this word part taps into that knowledge factor because you know the password and the text message taps into the ownership factor because there's a specific cell phone with a specific cell phone number associated with your email account, so you have to be an ownership of the cell phone in order to receive the text message and complete that authentication strategy. Many two factor authentication systems will actually allow you to designate specific devices as being safe quote unquote safe, meaning that you don't have to do that every single time you log in from that specific device. That way, you don't end up waiting for a text message every time you try and check your email from your personal laptop, computer, or smartphone. Now, there are systems that require even more forms of authentication, and we typically group these under the category multi factor authentication, indicating you've got to supply at least two methods in order to access the respective system. So technically, two factor authentication is a type of multi factor authentication. Most of the time, when I encounter it, multi factor is being used to mean more than two. I haven't personally ever encountered a system where I've had to supply more than two factors. But then again, no one trusts me with anything that's that important, so no big surprise there. Now, confusing matters somewhat. Is this term called strong authentication, which is used in a lot of different places, including the European Union. In fact, it's very prominently used in the EU. At first glance, you might think strong authentication and two factor or multi factor authentication are synonymous, that in order for it to be strong, it must be at least two factor authentication, But that's not actually the case. If a single authentication strategy is deemed secure enough, it can fall under the category of strong authentication. And so there's a lot of disagreement over what the actual definition is. It makes it pretty confusing. But let's give you an example. Let's say that there's a retinal scanner that scans the pattern of blood vessels in your eye. Now that's really difficult to replicate compared to other biometric measures such as a fingerprint, which you could, in fact, if you're very clever fake. So in the European Union, a system that looks at the blood vessels in your eye for authentication might be considered strong even though it's just a single factor. Let's say you don't have to provide any other information, it's just a quick scan of the eye and you're in If the system is robust enough, and if it's looking at something that is difficult enough to replicate, it could still count as strong authentication. It could even refer to knowledge based factors. So let's say a system requires you to answer a series of unrelated questions when you set up your account. Accessing the account at a later time requires that you replicate those answers. You've got to remember how you answered the questions when you first set it up. It's kind of like the security questions a lot of different systems use right now. Now, because these questions are unrelated and knowledge of one answer doesn't provide any of the other answers, that could be considered strong authentication. Now, personally, I find that method to be a little on the flimsy side, but I'm not the one making definitions. I'm just reporting them to you guys. Now we've got the basic definitions out of the way, let's dive into a bit of history, because you guys know, I love to talk about the history of the various technologies and processes we've developed over the years. So the concept of authentication is ancient. It predates electronics by centuries. Throughout the years, people would have to provide some sort of proof of their identities. It might require someone else to vouchsay for a person, or it might require a special seal belonging to a particular office or noble house, placed upon an official document. You may have heard that a lot of those documents would be sealed with wax, and then someone would use a signet ring in order to put a specific stamp in that wax. That was considered a form of authentication. If you saw the proper symbol, then presumably it came from the proper place. Not that you couldn't create a fake of that if you really wanted to, but you know that was the idea. Or you might even just have a password shared between a small group of people. So as long as there have been secrets, there have been means to identify those who should and should not have access to those secrets. And secrets predate the written word. But let's talk about passwords and authentication and electronics, because honestly, if I did a full episode about the history of passwords, that would not really be tech stuff. That would be an awesome, awesome episode of stuff they don't want you to know. Hint, hint. So computer passwords actually pre date personal computers. Back in nineteen sixty one, MIT created a password system for authorized access to its Compatible Time Sharing System or CTSS. CTSS allowed multiple users to access the same computational core. So imagine that you are in a room and it's filled. There's like lots of tables everywhere, and every table has a couple different workstations. Every workstation has a screen and a keyboard, but not a computer. They just have the keyboard in the screen, which are connected via cables to a single computer. Everyone is sharing the exact same computer. Well, way back in the day, that's how a lot of computer systems were made. They didn't have personal devices at every station. The stations were just dummy terminals that connected to a core system. Also, in those days, time sharing meant that the computer actually would divvy up when it was specifically available to do your calculation. So let's say you're typing in something, you're programming some code, and you send it to the computer. It would be responding to each station in turn, and it's doing it so fast that it feels almost instantaneous, or close enough to it, but in fact it would be responding in sequence. As people had logged into the various terminals now obviously using the same computer for all these dummy terminals create some challenges. How can each individual user maintain control over his or her data? How do they maintain their own private files? Because every user had a set of private files that other users should not be able to access without authorization. I mean, one person might be working on a project, someone else is working on a totally different project. You don't want those files to intermingle. You had to partition that stuff. So without a password, you really couldn't do that. So if everyone using a core machine as the processor in storage unit, you had to create some means of differentiating one user from another. The solution was the password, So every user would get a unique password to enter into the system, which would then allow that user to create and access private files. And it also helped control the amount of time any individual user had with the machine. Because these machines they were rare. There were only a few of them in nineteen sixty one, so the time on those machines was very valuable. You know, people were hoarding time. They were trying to do their best. You know, you might only get a few hours a week, so they would end up parsioning that out through passwords. It was kind of like a controlled ticket system so that a ride doesn't get overwhelmed with a ton of people. You release a certain number of tickets per hour and you keep the traffic flowing steadily. Same sort of thing, except in this case it was with a computer access so as a way to control the point of entry into the system. We're going to take a quick break from talking about authentication tech to thank our sponsors. Now, at that time, the passwords were pretty simple, and they were not really secure at all. It was more for the matter of convenience than security really. After all, this predated the Internet, so external access to the system wasn't really a factor. If you wanted to get your hands on those sweet, sweet private files, you actually needed to have physical access to the system itself. You couldn't just hack in from across the country. So in a way, that's one factor of authentication all by itself. Ownership in this case, the ownership doesn't really refer to something that you personally owned, but rather your physical access to the system. But these weren't encrypted or stored in a particularly safe way. They were in plain text. So just a year after they debuted this password strategy, a graduate student named Alan Scherer accessed the entire list of unencrypted passwords stored on the system and printed them out. Now, the reason Shared did this was not to access private files created by other people. It was so that Share could get more time on the system because every student was allotted just four hours of access per week, and he needed more access, and he figured, well, there's all these other hours of access that are going unused from other students. That's not fair. I'll just take their hours and use them myself. The way he did this was he actually created a punch card that contained the file name and location for the password list, and it also contained a set of instructions that said take this file and send it to a printer. Didn't even have to physically look at this file at all. He just had to figure out what was the file name, where was it located on the system, and then include the instructions send to printer. By the way, if you want to know more about how punch cards work and the way that they were an integral part of early computing, you can actually listen to a classic two thousand and nine Tech Stuff episode titled Computers from the past, and Chris Palette and I talked a lot about them in that episode. So it's easy in hindsight to criticize the MIT strategy. But keep in mind this was at a time when unauthorized access to computers was exceedingly rare, because well, the computers were exceedingly rare. As computers began to proliferate throughout all areas of life, the need for more secure access strategies grew. According to Roger Needham, who was a professor of computing at Cambridge University, the Cambridge Lab came up with a concept to make passwords more secure, and that's the concept of hashing. Now, that's when you convert passwords of variable lengths into a fixed length string of characters using an algorithm for the transformation. It's a fancy way of saying, no matter how long or short a password is, you put it through a series of mathematical processes. Will you convert the password into numerals first? Then you do this series of mathematic processes, the result of which is you get a much longer string of characters and that represents the password. And it doesn't matter how long or short the original password was. All of the hashed versions of the password are the same length. So let's say the hash is eighty characters long. That means if your base password is pass or its anti disestablishmentarianism or anything else, it will end up converted into a string of eighty characters. So if someone gets hold of the hashed passwords, those are the only ones that are being stored on the system, they would still have to figure out what was the mechanism used to generate the hashes in order to guess what the root password was, because otherwise they're all going to look like they're eighty characters long. You won't know which ones were short passwords or long passwords. In order to do that, obviously, you have to decide upon what the specific sequence of mathematical operations are going to be and what seed you're using for those operations. And once you do that, then you're able to make these kind of changes. So Needham said that the system was created and implemented in the mid to late nineteen sixties, so it wasn't very long after the MIT rollout of passwords. Now later, still, computer scientists began to develop more secure hashing strategies. This includes salting passwords, which means adding characters to a password before you hash it. So a simple example of this is using a computer's claw to insert digits into the password and then hashing the new password, which makes it even harder for a hacker to figure out the root password from the hash because they need to know at what time that operation was performed on the original password, otherwise they wouldn't be able to replicate the original password. Now, this is easier to understand if I give you an example. So let's say your password has been set to let's say tech stuff. You chose tech stuff as your password. First of all, that was dumb. Don't do that. Don't pick a word that's easy to guess, even if it's a name like tech stuff, which is granted an awesome show. But you've chosen tech stuff for this example. You access the system at two thirty five in the afternoon. Let's say that the computer converts that into military time, so that gives you fourteen thirty five, and then it salts your password with those numbers, so instead of it just saying text stuff, now it says T one E four C three H five stuff. That password then gets hashed into that eighty character long version stored on the computers. By the way, that eighty characters is just an arbitrary example. It doesn't really mean anything. I just need a number for the example. Now, let's say you access the same system the following day, but this time it's one twenty three in the afternoon. Remember it was two thirty five the day before, but now it's one twenty three the next day. The salted password is going to be different because it's going to convert one to twenty three to military time, and then it's going to salt the password that way, so it would be T one E three C two H three stuff. The hashed value will end up being different as well, because it's inserted those new numbers. So that means that if the hacker gets two versions of your hashed password, they're still going to be different from each other. It's all going to be dependent upon the time you tried to access the system. Now itself, it knows when you were accessing it, so it's able to do all of this decoding easily. There's no problem for the system, but it makes it difficult for a hacker to figure out what your password was based upon the hashed value that appears inside the system. Now, of course, hackers can bypass all that and try to hack a password using brute force. That's when someone and usually it's a computer program not a person these days, submits endless guesses into a password protected account in order to gain access. There's no need to work backward from hashed values. Using this approach, you're just guessing the root password from the get go. But it takes a lot of time, particularly if the user has created a strong password. So the longer and more complex a password, the less likely a traditional computer can hack it in a reasonable amount of time. Given enough time and enough computing power, any password and ultimately be cracked by brute force. But the more complex it is and the longer it is, the more time it requires to a point where it can approach time that last centuries, which means no one's going to bother to do it because they're not going to be around to actually see it work. Assuming you've picked a good strong password, So why you should never use real words or even names as a password. They're too easy for a computer to guess using what's called a dictionary attack, So make sure you create those really strong passwords and as always, I like to recommend using a password management program so that way you don't have to remember those strong passwords, because obviously the downside to creating a strong password is they're difficult to remember. It's really easy to remember a word like tech stuff, but that's not very secure. Unfortunately, the more secure approach is also difficult to remember, and you don't want to just write stuff down someplace because that kind of defeats the purpose of having a secret password. Having a really good password management system and then just having to remember one good master password simplifies things. So I recommend that. Well, I've got a lot more to say about authentication strategies, but before I get into it, let's take a quick break to thank our sponsor. Okay, so I think we've covered passwords pretty thoroughly. Let's talk about some other authentication strategies. One of the earliest authentication systems and electronics was the personal identification number, or PEN. And technically, yeah, if you say PEN number, you're repeating yourself, just as if you were to say ATM machine. And I still do it just like a lot of people. If someone can realistically argue that irrespective is a word, I can argue pen number is acceptable, dang it, so don't write me. The PEN debuted on the world scene in nineteen sixty seven. That's when Barclays of London introduced the first ATM system, which a man named John Shepherd barn invented Barclays to come up with a method that kept customer's finances safe. Otherwise, anyone might be able to access anyone else's money, and that does not make for a very positive banking experience. I mean it does for the person who makes off with all the cash, but for everybody else it's pretty negative. The solution was the PEN, which was a numeric code unique to the customer. The standard for pen management is actually called ISSO nine five six y four dash one ISO ninety five sixty four dash one. Technically, this standard allows for a spectrum of pen lengths. We're mostly used to four digits, but it doesn't have to just before you could go from four that's the minimum number of digits you can use, but you can use up to twelve digits. But we humans tend to have trouble remembering lots of unrelated numbers, and if you're choosing lots of related numbers, then that makes it pretty easy for people to guess your pin. So most ATMs, especially in the banking and finance industry, would require a pin of four digits in length, which dates back to the first ATM system. So why was the number four picked in the very beginning? Why just four digits? Well, that's because John Shepherd Barren, who originally was going to use a six digit pen system, found his wife Caroline, had trouble remembering anything more than four digits, so he sensed that there could be a possible problem with longer pins and decided to stick with four digits instead of six. That's why we have that now. Those early ATMs didn't accept plastic cards with a magnetic stripe on them the way modern ones do, and obviously the chip and pin system was decades away. So instead, what you would use as a check you would actually insert a check into the machine, and each check had information encoded upon it that allowed the ATM to read the information on it, for example, how much money it represented and who it was supposed to go to. You would couple this with the proper pen, and then the ATM could dispense cash at all hours of the day, which eliminated the need for people to make time to access the bank during bank hours, which we all know are the shortest hours in the world. If you'd like to learn more about ATMs and how they work, be sure to check out the classic episode of tech stuff called appropriately Enough How ATMs Work. I republished it in February twenty fifteen, so you can listen to that, but it actually dates much further than that. This is really a blast from the past with some of the stuff in this episode. Now, another strategy is to use tokens. That's very popular for authentication strategies. There's several versions of these, including tokens that have a static code that acts like a key to a system's line. Now, those are not terribly secure because if someone else gets hold of that token, they can pretty much get into the system. They represent kind of a single factor method of authentication on their own. For example, if you work in a building that requires you to tap a security card to a panel in order to unlock the door, that's a single factor approach, right. There's no other need to submit any other proof that you should have access. As long as you possess the security card, you can enter the building. It's just like having a physical key to a physical lock, you could pair that with another factor and then make the security stronger. Right, there could be some other additional information or element that you'd have to supply apart from just owning the card, and that would make it a two factor authentication approach, and that would make it a stronger secure system. Now, there are a lot of tokens that are used in two factor authentication, and one of the most common is a device with a small led screen that displays a string of seemingly random numbers when you activate it, and those seemingly random numbers change when you activate it over time. Let's say that you pull out this token in order to access a system it's asking for this code. You press a little button, the numbers light up, and you type the numbers into the system and it gives you access. And then the next day you want to access it again, you pull up the token, you press a button, a totally different set of numbers shows up, you type those into the system, you get access to it. What the heck is going on? How does that work? How does how does the token magically know what numbers to create? It's actually a pretty elegant system as it turns out. I'll give an example of one way this can happen. It's not the only way, but it's a pretty common one. So in most of these devices, the token has a low power clock which is synchronized to the system that it is related to, and it also has a serial number associated with the specific token. The token uses those two values to generate what is called a pr NG value, and pr NG stands for pseudo random number generator and it means pretty much what sounds like. It can create a string of numbers that appears to be random, though ultimately those numbers are in fact determined by an ordered series of calculations. But you have to know what those calculations are and what the two different numbers were to start off with in order to get the pseudorandom result. So when you're typing in the string of numerals into a system, the system runs the same pr NG operation using the same time stamp and the serial number for the token. Now, that obviously requires the system to quote unquote, know what your token's serial number is, so you have to have an official registered token, and if the system's results match the one that you typed in, you're authenticated. So typically these codes that you generate have a shelf life of a certain amount of time. Let's say it's thirty minutes. So you use the token, and it takes the closest time at the thirty minute mark from when you push the button. So you push the button at two thirty five. It says two thirty, and it runs the operation. It gives you some numbers. You type it into the system. The system looks at its clock. It says, oh, it's two thirty seven. Well, the closest half hour mark was two thirty, so I'll use that to start off with. I happen to know that the serial number for this particular token is such and such. I'll use that to perform the same number of operations, and it should create the exact same result. If it doesn't create the same result, it means that you've somehow spanned over that time limit and you're going to have to generate a new code and insert it again, or something has gone wrong, or you're just trying to access the system that you don't actually have a token for, which would be kind of foolish because you'd have to be incredibly lucky to just magically type in the right string of numbers in order to get access. Another great area to explore is biometrics. I love this field because, when implemented properly, it's pretty difficult to replicate biometrics. That all has to do with our physical attributes, right, It's tough for bad guys to get into a system that happens to be based on our physical traits. We did an episode called Biometrics Digital Fingerprinting back in twenty fourteen. But let me give you a quick rundown of the history of biometrics. First of all, fingerprints have long been used as a means of identification. Actually centuries before the practice was officially adopted by law enforcement. On ancient business transactions, merchants and customers would sometimes use fingerprint marks in clay tablets as a kind of signature. It would identify the person who had purchased a good from someone else. It wouldn't be until the late eighteen hundreds the law enforcement jumped on the fingerprint bandwagon once the establishment accepted the fact that no two sets of fingerprints were alike, which was It's something that ancient people had known for ever, but it just hadn't been accepted as a scientific fact for a very long time. A couple of people named Azizul Hawk and Edward Henry created a system for indexing and classifying fingerprints for the purposes of criminal investigation. Now. They based that partly on a classification system that was developed by another man named Sir Francis Galton, but that system was more for academic purposes right to describe fingerprints, whereas Henry wanted a system that could be used in investigations, legal investigations, criminal investigations. Mark Twain actually wrote a story in the eighteen nineties in which a character put on trial asks that his fingerprints be compared to some left at the scene of a crime in order to prove his innocence. In nineteen sixty three, the Hughes Research Laboratory published a research paper about fingerprint automation. The lab which is today known as HRL Laboratories, which I guess makes it another repetitive term, because I'm assuming HRL already stands for Hughes Research Laboratory, so the new name could be interpreted as Hughes Research Laboratory Laboratory. So stop bugging me about pen numbers, is what I'm saying. Anyway, It used to be the research and development division of Hughes Aircraft. Today it's owned by Boeing in General Motors. But back in the nineteen sixties, the Lab published a paper about automated fingerprint identification. It kind of acts as the foundation for fingerprints scanning today. It's basically automating a system that has been performed manually, which is where you take two sets of fingerprints. You have your reference set and you have your submitted set, and you want to compare those together and look for points of similarity. And if you have enough points of similarity, the likelihood of the fingerprints belonging to someone else drops to near zero. So it means someone who happens to have very similar fingerprints to the person in question, the reference happened to be in the same geographic region around the same time, and if there are enough sufficient points of similarity, this becomes increasingly unlikely. So while researchers worked on creating automated systems for fingerprint identification, others were working on similar systems for facial recognition and voice identification strategies. Essentially, any aspect of a person that would be intrinsically unique to him or her was considered an interesting value to quantify and classify for good or for ill. In nineteen seventy four, the first commercial hand geometry systems launched. Dylan, you ever have to use a hand geometry system where it measures your hand? Dylan shaking his head. No, I did. It was a regular part of the University of Georgia when I was there. So this is a scanner that looks at the hand, the shape of a person's hand, and compares it to a database and it authenticates the person based on hand geometry. So you have to set up your profile right you scan your hand for the first time, and it associates your hand geometry with you the person. Every time you scan your hand later on, it goes in references that database and says, hey, does this match with the hand that we measured that first time, And if the answer was yes, it authenticated you. So my university's food hall had one of these. If you wanted to eat, you had to stick your hand in the machine. Kind of got a little bit sort of Flash Gordon esque. You know, you sit there wondering if you're going to get your hand back after you put your hand in there. But I mean if you want tater tots, you just had to do it, or in my case, chili cheese fries, which I ate way too frequently. I digress. In nineteen seventy five, partially funded by the FBI, researchers began to develop fingerprint scanners. Now. The first of those used capacitive detection, which wasn't terribly precise in the nineteen seventies. Most smartphones these days actually use this approach. Capacitive touch screens use that. Essentially, touching the screen alters an electric field on the phone because we conduct electricity. It's a very weak electric field, but we conduct electricity. Touching a device that has an electric field running across the surface disrupts that electric field, and it actually allows a device to detect the presence and orientation of a touch, so it knows the X and y axis of where you are touching on a screen. That's why if you wear non capacitive gloves while trying to work an iPhone, nothing happens because it cannot hold that capacitance. So the screen isn't a resistive touch screen. It can't detect a touch unless that capacitance is there. Our capacitive aspect is there. Rather not capacitants. Sorry about that misspoke. Well, speaking of the iPhone, the touch ID on the iPhone five S and later models actually uses capacitive touch to authenticate a fingerprint, just like this system did in nineteen seventy five, except the days it's way more precise than the tech was capable of back in the seventies, so it's much less likely to give a either a false positive or to deny someone access to their phone. It may require you to scan a second time if you didn't get a good representation of your fingerprint when you were trying to unlock the phone, but it's not likely to deny you because it cannot identify your fingerprint now. In nineteen eighty five, two doctors Aaron Sefir and Leonard Flom proposed that irides could be unique to a person. And you might say, well, what a I rides? Well, iride is the plural for iris, so we're talking about the pigmented membrane surrounding the pupil in your eye. By nineteen eighty six, these two ophthalmologists received a patent for their approach to use irides for authentication and identification purposes. By nineteen ninety five, the first IRIS identification security systems became part of the Defense Nuclear Agency. So all those spy movies where you see someone leaning forward and getting their eye scanned, that's a real thing. Our irises or eye rides, i should say, are unique to us, and so that is a pretty tricky thing to replicate. You probably have seen at least one or two movies where someone got hold of somebody's eyeball and got access that way, or knocked a person out then forced their eye open and held their head up to the scanner, But in general not easy to replicate without access to somebody who already is authorized to enter that area. Over the next several years, advances in biometrics opened up new opportunities, not just for authentication or security. So facial recognition is a great example. It's been incorporated into dozens of technologies, probably most notably into our cameras, including the cameras and our smartphones. And sometimes it's a simple implementation which just detects a face in order to focus properly on a subject. Sometimes it's more complicated, so it might allow for automatic tagging of images because it can recognize people based on their facial features. You probably had some experience with this in some capacity. Organizations also began to form around this time to create standards for biometric implementations. This would reduce the chance of competing technologies with varying degrees of efficiency and accuracy from interfering with each other, and by two thousand and three, the US government began to formally coordinate biometric implementations. Meanwhile, the International Civil Aviation Organization created a global standard to incorporate biometric data into travel documentation like passports, and ten years later, in twenty thirteen, you could find biometric solutions built directly into personal electronics like laptops and smartphones. In fact, I had a fingerprint scanner from before twenty thirteen where you just you would actually have to slide your finger kind of like a copier against the little panel and if your fingerprint matched, it would unlock your computer for you. I actually had that one. Hear at how stuff works, I miss it sometimes. Well, I've got a lot more to say, but first let's take another quick break to think our sponsor. All right, things like fingerprint scanners are not foolproof. It is possible, although challenging, to lift a person's fingerprint from something they've handled, scan it and replicate it. A couple of different ways to do this. Some of them require access to some equipment and materials most of us don't have in our homes, so it's not like it's practical for the average person. But the point is, with the right determination and the right know how, and specifically the right materials, you can create a fake fingerprint. And you might use something like latex or even wood glue, and you could lift a fingerprint and use it to fool certain authentication systems. If the system is just looking for a particular pattern on a fingerprint, the copy could be good enough to fool the system, particularly if you can overlay the copy on top of your own finger This would provide the capacitive connections. So, in other words, let's say I've got a latex fingerprint and I need to access a phone. Well, if I just lay the latex down against the capacitive screen, it's not really gonna affect anything. If I put an actual living tissue behind it, that's a different story. So how do you defeat that sort of security vulnerability. Well, I had the opportunity to speak with doctor P who's the chief technology officer of goodex to talk about a fingerprint scanner with an additional measure of security to counteract those sort of spoofing attempts. Here's what we talked about, doctor p. Let's start off by talking about how biometrics are transforming security in the technology field, specifically for things like consumer tech, because my listeners are very interested in that, the concept of using biometrics to access various devices. I think probably the example most of them would be familiar with it would be smartphones. Uh, can you talk a little bit about how that has developed over the last few years and and why it is such a compelling component for security.

Well, I think one of the story I actually met, which is a part of my experience too, is some is out really well is the since the more and more phone has a fingerprint, Uh thanks, more and more people using it? Is one guy and Agen say, totally forgot the past code. Now he's using fingerprints on the phone all the time, and one on my phone. I don't use offering also I forgot the past code as well, So it is a kind of Chelsea. The consumer behavior has changed so much. Yeah, they used to obviously everyone have a pass code and Uh, nowadays they do, but they didn't use it anymore. They think of present. That is certainly take over majority of the authentication meant And then the other thing was the in the case of like in China market where a lot of mobile payment. Now, if you were in China you could literally live without it's like a critical you can live without a catch. But in China you can live without critic and the catch you can use your phone and mobile payment literally do everything from convenience store to buying ticket to hotel payment everything. It's quite a but all that is obviously going through thinkation.

Well, I think one of the story I actually met, which is a part of my experience too, is some is out really well is the since the more and more phone has a fingerprint, Uh thanks, more and more people using it? Is one guy and Agen say, totally forgot the past code. Now he's using fingerprints on the phone all the time, and one on my phone. I don't use offering also I forgot the past code as well, So it is a kind of Chelsea. The consumer behavior has changed so much. Yeah, they used to obviously everyone have a pass code and Uh, nowadays they do, but they didn't use it anymore. They think of present. That is certainly take over majority of the authentication meant And then the other thing was the in the case of like in China market where a lot of mobile payment. Now, if you were in China you could literally live without it's like a critical you can live without a catch. But in China you can live without critic and the catch you can use your phone and mobile payment literally do everything from convenience store to buying ticket to hotel payment everything. It's quite a but all that is obviously going through thinkation.

Right, and so the authentication part is obviously really important. You want to make certain that the person who is utilizing a device, particularly one that can be used as a means of commerce, a means of purchase. You want to make sure that the identity of the person holding the phone is in fact the person authorized to use that device for that purpose. And that kind of comes in with the sensors that you've been working on in the recent past, where it's not just looking for the pattern of a fingerprint, which, as some people have pointed out, is something that is possible to spoof if you go and you have the right scanners and you have the right you know, even three D printer technology, you could potentially create a fake fingerprint and access US sensors that are only capable of detecting the fingerprint layout. You are working on technology that goes a step further than that. Can you talk about that a little bit?

Right, and so the authentication part is obviously really important. You want to make certain that the person who is utilizing a device, particularly one that can be used as a means of commerce, a means of purchase. You want to make sure that the identity of the person holding the phone is in fact the person authorized to use that device for that purpose. And that kind of comes in with the sensors that you've been working on in the recent past, where it's not just looking for the pattern of a fingerprint, which, as some people have pointed out, is something that is possible to spoof if you go and you have the right scanners and you have the right you know, even three D printer technology, you could potentially create a fake fingerprint and access US sensors that are only capable of detecting the fingerprint layout. You are working on technology that goes a step further than that. Can you talk about that a little bit?

Yes, this is the one new technology we recently released to the market. Is you at the same time when you scan, recording or setting it in the fingerprint pattern, you're also detecting the dynamic bluff flow in your fingerchap. So that enable the sensor tells this fingerprint pattern it's from a life person versus a mackup spoof. So that further you enhanced the security level of the fingerprint authentication, right because the most of the spoof method we know obviously is UH, it's not by life object. So this basically enables the security level one level up from UH. So I think it will block the most, if not all, the potential spoof master.

Yes, this is the one new technology we recently released to the market. Is you at the same time when you scan, recording or setting it in the fingerprint pattern, you're also detecting the dynamic bluff flow in your fingerchap. So that enable the sensor tells this fingerprint pattern it's from a life person versus a mackup spoof. So that further you enhanced the security level of the fingerprint authentication, right because the most of the spoof method we know obviously is UH, it's not by life object. So this basically enables the security level one level up from UH. So I think it will block the most, if not all, the potential spoof master.

Right, So, people who would be you know, people who would normally rely on something like a fake fingerprint made from say silicone or rubber, that wouldn't work on this particular type of device or this particular sensor, I should say that will be incorporated into other devices, whether it's a phone or a secure entry point or whatever it may be, because it will lack that blood flow, and without the blood flow, the device quote unquote knows it is not a valid authentication. Am I getting that correct?