The [nearly] useless 3rd factor

 

BlackBerrySIRT

My life is mobile…

PART ONE

Who are you? Are you me? Maybe you wish you were me, for a few minutes anyway. Just long enough to clean out my bank accounts. I don’t want you to do that. Nor do I want you to access my phone content, cloud file stores, email or social accounts. To protect my mobile and online life, I need to know something you don’t know. A password is one security factor. You can make it even harder to be impersonated online with:

  1. Something you know (password).
  2. Something you have (auto-generated random code).

I will show some ways to use that 2nd factor in part two of this article. Right now I want to talk about a 3rd factor which Apple, Samsung and others think people want. It is the factor referred to as "something you are", or biometrics. Are we not human? Yes, and as humans we have unique biological differences such as fingerprints. The problem is that using a biometric security factor does not add much security and, according to Scientific American, it adds enormous risk to our personal privacy.

Let us assume we are trying to secure stuff on our phone. We should consider who may want to access that data other than us:

  • Intimate relations (spouse, romantic partner, family, roommate, etc.).
  • The organization you work for.
  • The government.
  • Criminals other than government.
  • Random strangers.

How does a fingerprint scanner help secure your phone from people in those categories? Other than random strangers, it does not. Here is why:

  • Intimates, by definition, could be around when you sleep. It is trivial to touch a sleeping finger to a locked phone.
  • Work. If it is their device, they should have a way to unlock it. If it is not theirs, they can use career pressure or involve police if applicable.
  • The government and criminals will simply use violence.
  • A fingerprint scanner may slow down a random stranger. However, when someone has physical access there may be a number of cracks they could utilize on iPhone or Android.

Fingerprint scanners add some convenience. Security, not so much.

What methods might BlackBerry users employ to secure the data on their phone?

  • Passphrase/password/PIN – Make it as hard to guess or as convenient as you want.
  • Picture Password (see the video below) – Trade off some security for convenience. However, the smudge-pattern and shoulder-surfing problems seen on Android are eliminated.
  • Encryption – Extremely difficult to extract data from the physical memory chips.
  • Password protection – Limited number of times the password can be guessed wrong before the phone wipes itself. And remember, the information is what we want protected.

On my phone I have a strong password and encrypted storage. I only need to worry about criminals and government because under the threat of violence I give up the password. I don’t keep anything on my phone worth dying for.

Set up Picture Password on your BlackBerry BB10 phone:

Keep an eye out for PART TWO where I plan to show how 2-factor authentication is set up and used…

jrohland

jrohland has never been able to figure out how to use Capital letters in his name. He can't write like e.e. cummings but he word rhymes sometimes.
