Get in touch with technology with TechStuff from HowStuffWorks.com. Hey there, and welcome to TechStuff. I'm your host, Jonathan Strickland, senior writer with HowStuffWorks.com, and today we're going to explore the wonderful world of authentication technology, how it's evolved, and what could be in store for us in the future. So the reason I picked this topic, before I jump into the whole thing, is that I feel like security is becoming a bigger and bigger concern, as it should be, for a lot of people. People are more aware of it, I think, than they were perhaps five years ago. Not everyone is practicing good security measures. Not everyone's practicing two-factor authentication or multi-factor authentication. We'll talk about that in this episode, and if you aren't familiar with what that's all about, that's why I wanted to do this show: to explain what that actually means and why it is important. Authentication
is something we should probably define. First of all, it's the process or action of proving something to be true, genuine, or valid. So that covers a broad spectrum, right? You could be talking about authenticating a historical artifact; that's a great example. You bring a historical artifact to an expert, and they authenticate that it is in fact a historical artifact and not something that was whipped up in some sort of souvenir shop in some out-of-the-way place. But authentication has a very special role in the world of technology and the world of computers and electronics, where it gets a bit more specific. It's the process of verifying the identity of a user, a program, or a process. You want to make certain everything is authentic so that a program or person doesn't get unauthorized access to a system. So you're probably familiar with a lot of authentication processes, even if you didn't call them that, because you yourself have to employ them on a regular basis. Programs do too. But I'm not really going to spend a lot of time talking about programs. In fact, I'm not going to dive into it at all, because that gets super technical, and really I think it's more important to focus on the stuff you have a direct involvement with, unless, of course, you're a programmer, in which case mea culpa. So I'm going to focus on authentication technology targeted at humans.
So one day, maybe, I'll do a software one if there are a lot of requests for it, but I feel like that might get a little too deep in the weeds. So I'm going to talk about the stuff you and I encounter when we try to access or protect our technology and our data. Now, there are a ton of different ways to do this. Some of them are inherently stronger methods of authentication than others and are better as far as, you know, being more secure. And all of these authentication strategies can be divided into three broad categories: inherence factors, knowledge factors, and ownership factors. So when you hear about two-factor authentication, we're talking about a specific strategy that employs different approaches belonging to different factors. Now, that doesn't really mean anything unless I expand on it. An inherence factor relies upon the user him- or herself. In other words, it has something to do with you as a user, either your physical traits or your behavioral traits. A very easy-to-understand example of this would be a fingerprint scanner, right? Your fingerprints are unique to you. It is something you have inherited; it is inherent in who you are, so it's an inherence factor. But there are lots and lots of others, and I'll talk about some of those later in this episode. Knowledge factors are pretty self-explanatory. Those are authentication strategies that rely on something the user knows, like a password or a personal identification number, otherwise known as a PIN. Ownership factors are also pretty easy to understand. Those rely on something the user possesses, like a key card for a
security door. That would be an ownership factor. Now, on top of those categories, you have the additional strategies to enable authentication, which includes that two-factor authentication I talked about before. And maybe you don't know exactly what that means; well, that's why I'm here, really. Single-factor authentication relies on just one component to access a system. So, for example, a lot of smartphones require users to unlock the device with a PIN or a swipe pattern or a fingerprint scan. But that's it, right? You just have to do one of those things. You don't have to do multiple things. And once you do whichever method you've enabled on your device, you have access to it. There's no secondary requirement. Systems that use single-factor authentication are weaker than those that require more than one authentication strategy. In general, there are some different definitions for strong authentication I'll get into, and you could argue that some inherence factors are so strong as to be fine on their own. But in general, going with a single factor is less secure than going for a two-factor authentication strategy, which is exactly what it sounds like. It requires two different authentication factors. That means the system will require users to provide authentication in two of those three categories. So an example of this is an ATM card. If you want to use an ATM card, you need to provide the card. That's an ownership factor. You have to be in possession of the card, and you have to supply the PIN; that's the knowledge factor. So you have an ownership factor and a knowledge factor. Those are two factors. That's two-factor authentication. Possession of one factor should not be sufficient to access the respective system, nor should it lead to the discovery of the second factor. In other words, if you get hold of the card, like you get hold of someone else's card, ideally there should be no indication on the card of what the PIN is, because you need both of those things in order to access someone's account. And if you make sure that only one of the two things is in the possession of somebody else, they still can't get your stuff. So that's why you want two-factor authentication. You have to possess or know both of the authentication requirements independently of each other. This also applies to other factors as well. It doesn't just have to be knowledge and ownership. It could be ownership and inherence. It could be knowledge and inherence. You
get the idea. So if you've enabled two-factor authentication on various online accounts, which I urge you to do for any accounts that actually offer it, you've likely had to supply a password as well as a code sent to you in some way. For example, you might have an email account that, when you try to access it using a brand-new device, says, all right, well, what's your password? So you type a little password in, and then it says, all right, well, now I'm going to send you a code via text message. You need to put that code into this little box here, and then I'll give you access to your email. So the password part taps into that knowledge factor, because you know the password, and the text message taps into the ownership factor, because there's a specific cell phone with a specific cell phone number associated with your email account, so you have to be in ownership of the cell phone in order to receive the text message and complete that authentication strategy. Many two-factor authentication systems will actually allow you to designate specific devices as being "safe," quote unquote, meaning that you don't have to do that every single time you log in from that specific device. That way, you don't end up waiting for a text message every time you try to check your email from your personal laptop computer or smartphone. Now, there are systems that require even more forms of authentication, and we typically group these under the category of multi-factor authentication, indicating you've got to supply at least two methods in order to access the respective system. So technically, two-factor authentication is a type of multi-factor authentication. Most of the time when I encounter it, multi-factor is being used to mean more than two. I haven't personally ever encountered a system where I've had to supply more than two factors. But then again, no one trusts me with anything that's that important, so no big surprise there. Now, confusing matters somewhat is this term called strong authentication, which is used in a lot of different places, including the European Union. In fact, it's very prominently used in the EU. At first glance, you might think strong authentication and two-factor or multi-factor authentication are synonymous, that in order for it to be strong,
it must be at least two-factor authentication. But that's not actually the case. If a single authentication strategy is deemed secure enough, it can fall under the category of strong authentication. And so there's a lot of disagreement over what the actual definition is. It makes it pretty confusing. But let me give you an example. Let's say there's a retinal scanner that scans the pattern of blood vessels in your eye. Now, that's really difficult to replicate compared to other biometric measures such as a fingerprint, which you could, in fact, if you're very clever, fake. So in the European Union, a system that looks at the blood vessels in your eye for authentication might be considered strong, even though it's just a single factor. Let's say you don't have to provide any other information; it's just a quick scan of the eye and you're in. If the system is robust enough, and if it's looking at something that is difficult enough to replicate, it could still count as strong authentication. It could even refer to knowledge-based factors. So let's say a system requires you to answer a series of unrelated questions when you set up your account. Accessing the account at a later time requires that you replicate those answers. You've got to remember how you answered the questions when you first set it up. It's kind of like the security questions a lot of different systems use right now. Now, because these questions are unrelated, and knowledge of one answer doesn't provide any of the other answers, that could be considered strong authentication. Now, personally, I find that method to be a little on the flimsy side. But I'm not the one making definitions. I'm just reporting them to you guys. Now that we've got the basic definitions out of the way, let's dive into a bit of history, because you guys know I love to talk about the history of the various technologies and processes we've developed over the years. So the concept of authentication is ancient. It predates electronics by centuries. Throughout the years, people would have to provide some sort of proof of
their identities. It might require someone else to vouch for a person, or it might require a special seal belonging to a particular office or noble house placed upon an official document. You may have heard that a lot of those documents would be sealed with wax, and then someone would use a signet ring in order to put a specific stamp in that wax. That was considered a form of authentication. If you saw the proper symbol, then presumably it came from the proper place. Not that you couldn't create a fake of that if you really wanted to, but, you know, that was the idea. Or you might even just have a password shared among a small group of people. So as long as there have been secrets, there have been means to identify those who should and should not have access to those secrets. And secrets predate the written word. But let's talk about passwords and authentication and electronics, because honestly, if I did a full episode about the history of passwords, that would not really be TechStuff. That would be an awesome, awesome episode of Stuff They Don't Want You to Know. Hint, hint.
So computer passwords actually predate personal computers. Back in 1961, MIT created a password system for authorized access to its Compatible Time-Sharing System, or CTSS. CTSS allowed multiple users to access the same computational core. So imagine that you are in a room, and it's filled with lots of tables everywhere, and every table has a couple of different workstations. Every workstation has a screen and a keyboard, but not a computer. They just have the keyboard and the screen, which are connected via cables to a single computer. Everyone is sharing the exact same computer. Well, way back in the day, that's how a lot of computer systems were made. They didn't have personal devices at every station. The stations were just dumb terminals that connected to a core system. Also, in those days, time-sharing meant that the computer actually would divvy up when it was specifically available to do your calculations. So let's say you're typing in something, you're programming some code, and you send it to the computer. It would be responding to each station in turn, and it's doing it so fast that it feels almost instantaneous, or close enough to it. But in fact it would be responding in sequence, as people had logged into the various terminals. Now, obviously, using the same computer for all these dumb terminals creates some challenges. How can each individual user maintain control over his or her data? How do they maintain their own private files? Because every user had a set of private files that other users should not be able to access without authorization. I mean, one person might be working on a project, someone else is working on a totally different project. You don't want those files to intermingle. You had to partition that stuff, so without a password, you really couldn't do that. So if everyone's using a core machine as the processor and storage unit, you had to create some means of differentiating one user from another. The solution was the password. So every user would get a unique password to enter into the system, which would then allow that user to create and access private files. And it also helped control the amount of time any individual user had with the machine.
Because these machines were rare. There were only a few of them in 1961, so the time on those machines was very valuable. You know, people were hoarding time. They were trying to do their best; you might only get a few hours a week, so they would end up partitioning that out through passwords. It was kind of like a controlled ticket system, so that a ride doesn't get overwhelmed with a ton of people. You release a certain number of tickets per hour, and you keep the traffic flowing steadily. Same sort of thing, except in this case it was with computer access, so it's a way to control the point of entry into the system. Now, at that time, the passwords were pretty simple, and they were not really secure at all. It was more a matter of convenience than security, really. After all, this predated the Internet, so external access to the system wasn't really a factor. If you wanted to get your hands on those sweet, sweet private files, you actually needed to have physical access to the system itself. You couldn't just hack in from across the country. So in a way, that's one factor of authentication all by itself: ownership. In this case, the ownership doesn't really refer to something that you personally own, but rather your physical access to the system. But these passwords weren't encrypted
or stored in a particularly safe way. They were in plain text. So just a year after they debuted this password strategy, a graduate student named Allan Scherr accessed the entire list of unencrypted passwords stored on the system and printed them out. Now, the reason Scherr did this was not to access private files created by other people. It was so that Scherr could get more time on the system, because every student was allotted just four hours of access per week, and he needed more access, and he figured, well, there are all these other hours of access that are going unused by other students. That's not fair. I'll just take their hours and use them myself. The way he did this was he actually created a punch card that contained the file name and location for the password list, and it also contained a set of instructions that said, take this file and send it to a printer. So he didn't even have to physically look at this file at all. He just had to figure out what the file name was, where it was located on the system, and then include the instruction to send it to the printer. By the way, if you want to know more about how punch cards work and the way they were an integral part of early computing, you can actually listen to a classic 2009 TechStuff episode titled Computers from the Past, in which Chris Pollette and I talked a lot about them. So it's easy in hindsight to criticize the MIT strategy. But keep in mind, this was at a time when unauthorized access to computers was exceedingly rare, because, well, the computers were exceedingly rare. As computers began to proliferate throughout all areas of life, the need for more secure access strategies grew. According to Roger Needham, who was a professor of computing at Cambridge University, the Cambridge lab came up with a concept to make passwords
more secure, and that's the concept of hashing. Now, that's when you convert passwords of variable lengths into a fixed-length string of characters, using an algorithm for the transformation. It's a fancy way of saying, no matter how long or short a password is, you put it through a series of mathematical processes. Well, you convert the password into numerals first, then you do this series of mathematical processes, the end result of which is that you get a much longer string of characters, and that represents the password. And it doesn't matter how long or short the original password was. All of the hashed versions of the password are the same length. So let's say the hash is eighty characters long. That means if your base password is "pass" or it's "antidisestablishmentarianism" or anything else, it will end up converted into a string of eighty characters. So if someone gets hold of the hashed passwords, which are the only ones being stored on the system, they would still have to figure out what mechanism was used to generate the hashes in order to guess what the root password was, because otherwise they're all going to look like they're eighty characters long. You won't know which ones were short passwords or long passwords. In order to do that, obviously, you have to decide upon what the specific sequence of mathematical operations is going to be and what seed you're using for those operations. And once you do that, then you're able to make these kinds of changes. So Needham said that the system was created and implemented in the mid-to-late 1960s, so it wasn't very long after the MIT rollout of passwords. Now, later still, computer scientists began to develop more secure hashing strategies. This includes salting passwords, which means adding characters to a password before you hash it.
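As an added example, not part of the episode and not code from the show: this is the shape of a salted, slow password hash as practitioners store and verify it today, with a random salt generated per user and kept beside the hash so the verifier can reproduce the computation, plus the offline dictionary attack such storage forces an attacker into, where every guess has to be re-hashed separately for every stolen record. The record format, the user names, the iteration count and the word list are all assumptions made up for the demo.

```python
import hashlib
import hmac
import os

# Storage format is an assumption for this demo, not a standard:
#   pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>
ITERATIONS = 50_000  # kept low so the demo runs quickly; production uses far more


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Hash a password under a fresh random 16-byte salt and return the storable record.
    Hashing the same password twice yields two different records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(record: str, password: str) -> bool:
    """Recompute the hash with the salt and iteration count stored in the record,
    then compare in constant time so timing does not leak how many bytes matched."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def dictionary_attack(records: dict, wordlist: list) -> dict:
    """Offline guessing against stolen records. Because each user has a different
    salt, a guess must be re-hashed per user: len(records) * len(wordlist) slow
    hashes, and no precomputed table is reusable across users."""
    cracked = {}
    for user, record in records.items():
        for guess in wordlist:
            if verify(record, guess):
                cracked[user] = guess
                break
    return cracked


def demo() -> dict:
    # Constructed sample data: two users, one with a dictionary word as a password.
    records = {
        "alice": make_record("techstuff"),
        "bob": make_record("correct horse battery staple"),
    }
    wordlist = ["password", "123456", "techstuff", "letmein"]
    return dictionary_attack(records, wordlist)


if __name__ == "__main__":
    print(demo())  # only the dictionary-word password falls
```

Running it, only alice's record is cracked: bob's passphrase is not in the list, and the attacker gets no help from alice's result because the two salts differ.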
So a simple example of this is using a computer's clock to insert digits into the password and then hashing the new password, which makes it even harder for a hacker to figure out the root password from the hash, because they need to know at what time that operation was performed on the original password; otherwise they wouldn't be able to replicate the original password. Now, this is easier to understand if I give you an example. So let's say your password has been set to, let's say, techstuff. You chose techstuff as your password. First of all, that was dumb. Don't do that. Don't pick a word that's easy to guess, even if it's a name like TechStuff, which is, granted, an awesome show. But you've chosen techstuff for this example. You access the system at 2:35 in the afternoon. Let's say that the computer converts that into military time, so that gives you 14:35, and then it salts your password with those numbers. So instead of it just saying techstuff, now it says t1e4c3h5stuff. That password then gets hashed into that eighty-character-long version stored on the computer. By the way, that eighty characters is just an arbitrary example; that doesn't really mean anything. I just needed a number for the example. Now, let's say you access the same system the following day, but this time it's 1:23 in the afternoon. Remember, it was 2:35 the day before, but now it's 1:23 the next day. The salted password is going to be different, because it's going to convert 1:23 to military time, and then it's going to salt the password that way, so it would be t1e3c2h3stuff. The hashed value will end up being different as well, because it's inserted those new numbers. So that means that if the hacker gets two versions of your hashed password, they're still going to be different from each other. It's all going to be dependent upon the time you try to access the system. Now, the system itself knows when you were accessing it, so it's able to do all of this decoding easily, just like that. There's no problem for the system, but it makes it difficult for a hacker to figure out what your password was based upon the hashed value that appears inside the system. Now, of course, hackers can bypass all that and try to hack a password using brute force. That's when someone, and usually it's a computer program, not a person, these days, submits endless guesses into a password-protected account in order to gain access. There's no need to work backward from hashed values using this approach. You're just guessing the root
password from the get-go. But it takes a lot of time, particularly if the user has created a strong password. So the longer and more complex a password is, the less likely a traditional computer can hack it in a reasonable amount of time. Given enough time and enough computing power, any password can ultimately be cracked by brute force. But the more complex it is and the longer it is, the more time it requires, to a point where it can approach a time that lasts centuries, which means no one's going to bother to do it, because they're not going to be around to actually see it work. That's assuming you've picked a good, strong password. That's why you should never use real words or even names as a password. They're too easy for a computer to guess using what's called a dictionary attack. So make sure you create those really strong passwords, and, as always, I like to recommend using a password management program so that you don't have to remember those strong passwords, because obviously the downside to creating a strong password is that they're difficult to remember. It's really easy to remember a word like techstuff, but that's not very secure. Unfortunately, the more secure approach is also difficult to remember. And you don't want to just write stuff down someplace, because that kind of defeats the purpose of having a secret password. Having a really good password management system, and then just having to remember one good master password, simplifies things. So I recommend that. I've got a lot more to say about authentication strategy, but before I get into it, let's take a quick break to thank our sponsor. Okay, so I think we've covered passwords pretty thoroughly. Let's talk about some other authentication strategies. One of the earliest authentication systems in electronics was the personal identification number, or PIN. And technically, yeah, if you say PIN number, you're repeating yourself, just as if you were to say ATM machine. And I still do it, just like a lot of people. If someone can realistically argue that irregardless is a word, I can argue PIN number is acceptable. Dang it, so don't write me.
The PIN debuted on the world scene in 1967. That's when Barclays of London introduced the first ATM system, which a man named John Shepherd-Barron invented. Barclays needed to come up with a method that kept customers' finances safe. Otherwise, anyone might be able to access anyone else's money, and that does not make for a very positive banking experience. I mean, it does for the person who makes off with all the cash, but for everybody else it's pretty negative. The solution was the PIN, which was a numeric code unique to the customer. The standard for PIN management is actually called ISO 9564-1. Technically, the standard allows for a spectrum of PIN lengths. We're mostly used to four digits, but it doesn't have to be just four. You could go from four, that's the minimum number of digits you can use, up to twelve digits. But we humans tend to have trouble remembering lots of unrelated numbers, and if you're choosing lots of related numbers, that makes it pretty easy for people to guess your PIN. So most ATMs, especially in the banking and finance industry, would require a PIN four digits in length, which dates back to the first ATM system. So why was the number four picked in the very beginning? Why just four digits? Well, that's because John Shepherd-Barron, who originally was going to use a six-digit PIN system, found his wife, Caroline, had trouble remembering anything more than four digits, so he sensed that there could be a possible problem with longer PINs and decided to stick with four digits instead of six. That's why we have that now.
Those early ATMs didn't accept plastic cards with a magnetic stripe on them the way modern ones do, and obviously the chip-and-PIN system was decades away. So instead, what you would use was a check. You would actually insert a check into the machine, and each check had information encoded upon it that allowed the ATM to read the information on it, for example, how much money it represented and who it was supposed to go to. You would couple this with the proper PIN, and then the ATM could dispense cash at all hours of the day, which eliminated the need for people to make time to access the bank during bank hours, which we all know are the shortest hours in the world. If you'd like to learn more about ATMs and how they work, be sure to check out the classic episode of TechStuff called, appropriately enough, How ATMs Work. I republished it in February 2015, so you can listen to that, but it actually dates much further back than that. This is really a blast from the past with some of the stuff in this episode. Now, another strategy is to use tokens. That's very popular for authentication strategies. There are several versions of these, including tokens that have a static code that acts like a key to a system's lock. Now, those are not terribly secure, because if someone else gets hold of that token, they can pretty much get into
the system. They represent kind of a single-factor method of authentication on their own. For example, if you work in a building that requires you to tap a security card to a panel in order to unlock the door, that's a single-factor approach, right? There's no need to submit any other proof that you should have access. As long as you possess the security card, you can enter the building. It's just like having a physical key to a physical lock. You could pair that with another factor and then make the security stronger, right? There could be some other additional information or element that you'd have to supply apart from just owning the card, and that would make it a two-factor authentication approach, and that would make it a stronger, more secure system. Now, there are a lot of tokens that are used in two-factor authentication, and one of the most common is a device with a small LED screen that displays a string of seemingly random numbers when you activate it, and those seemingly random numbers change over time. Let's say that you need to pull out this token in order to access a system. It's asking for this code. You press the little button, the numbers light up, and you type the numbers into the system, and it gives you access. And then the next day you want to access it again. You pull up the token, you press a button, a totally different set of numbers shows up, you type those into the system, you get access to it. What the heck is going on? How does that work? How does the token magically know what numbers to create? It's actually a pretty elegant system,
as it turns out. I'll give an example of one way this can happen. It's not the only way, but it's a pretty common one. So in most of these devices, the token has a low-power clock which is synchronized to the system it is related to, and it also has a serial number associated with the specific token. The token uses those two values to generate what is called a PRNG value, and PRNG stands for pseudo-random number generator, and it means pretty much what it sounds like. It can create a string of numbers that appears to be random, though ultimately those numbers are in fact determined by an ordered series of calculations. But you have to know what those calculations are and what the two different numbers were to start off with in order to get the pseudo-random result. So when you're typing the string of numerals into a system, the system runs the same PRNG operation using the same time stamp and the serial number for the token. Now, that obviously requires the system to "know," quote unquote, what your token's serial number is, so you have to have an official registered token, and if the system's result matches the one that you typed in, you're authenticated. So typically these codes that you generate have a shelf life of a certain amount of time. Let's say it's thirty minutes. So you use the token, and it takes the closest time at the thirty-minute mark from when you push the button. So you push the button at 2:35. It says 2:30, and it runs the operation. It gives you some numbers. You type it into the system. The system looks at its clock. It says, oh, it's 2:37. Well, the closest half-hour mark was 2:30, so I'll use that to start off with. I happen to know that the serial number for this particular token is such and such. I'll use that to perform the same number of operations, and it should create the exact same result.
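As an added example, not from the episode and not any vendor's token firmware: the time-synchronized scheme just described, written out in the standard HOTP/TOTP form (RFC 4226 and RFC 6238), where the "ordered series of calculations" is an HMAC over a counter derived from the clock, and the server-side check recomputes it for the current time step plus one step on either side so a code generated just before a boundary, or on a slightly drifted token clock, still verifies. The calculation is keyed by a per-token secret shared at registration; that this secret stays private on both sides is the assumption the scheme rests on. The 30-minute step in the demo mirrors the 2:35 example above; real deployments use 30-second steps. The secret used in the demo is the published RFC test key, not a real one.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to a 31-bit integer, reduced mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Token side (RFC 6238): the counter is the clock rounded down to the step boundary,
    which is the 'closest thirty-minute mark' in the episode's description."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server side: recompute for the current step and `window` steps either side.
    Constant-time comparison avoids leaking which digits matched."""
    counter = int(unix_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


# Constructed registration: the server keeps this secret for the token with this serial.
RFC_TEST_SECRET = b"12345678901234567890"  # published RFC 4226/6238 test key, not a real seed
REGISTERED_TOKENS = {"serial-0001": RFC_TEST_SECRET}


def demo() -> bool:
    """Mirror the episode: token pressed at 14:35, code typed in at 14:37, 30-minute step.
    Times are seconds since midnight, used as the shared clock for the example."""
    step = 30 * 60
    pressed_at = 14 * 3600 + 35 * 60
    checked_at = 14 * 3600 + 37 * 60
    code = totp(REGISTERED_TOKENS["serial-0001"], pressed_at, step=step)
    return verify_totp(REGISTERED_TOKENS["serial-0001"], code, checked_at, step=step)


if __name__ == "__main__":
    print(demo())
```

The server only needs the shared secret, the clock and the same arithmetic; it never needs to store the codes themselves. Because the accept window is a few steps wide, a stolen code is worthless once the window has passed, but within it a code is replayable, which is why many servers also refuse to accept the same code twice.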
If it doesn't create the same result, it means that you've somehow spanned over that time limit and you're going to have to generate a new code and enter it again, or something has gone wrong, or you're just trying to access a system that you don't actually have a token for, which would be kind of foolish, because you'd have to be incredibly lucky to just magically type in the right string of numbers in order to get access. Another great area to explore is biometrics. I love this field because
when implemented properly, it's pretty difficult to replicate biometrics. That all has to do with our physical attributes, right? It's tough for bad guys to get into a system that happens to be based on our physical traits. We did an episode called Biometrics: Digital Fingerprinting back in two thousand fourteen. But let me give you a quick rundown of the history of biometrics. First of all, fingerprints
have long been used as a means of identification, actually centuries before the practice was officially adopted by law enforcement. In ancient business transactions, merchants and customers would sometimes use fingerprint marks in clay tablets as a kind of signature. It would identify the person who had purchased a good from someone else. It wouldn't be until the late eighteen
hundreds that law enforcement jumped on the fingerprint bandwagon, once the establishment accepted the fact that no two sets of fingerprints are alike, which was something ancient people had known forever, but it just hadn't been accepted as a scientific fact for a very long time. Two people named Azizul Haque and Edward Henry created a system for indexing and classifying fingerprints for the purposes
of criminal investigation. Now, they based that partly on a classification system developed by another man, Sir Francis Galton, but that system was more for academic purposes, to describe fingerprints, whereas Henry wanted a system that could be used in investigations: legal investigations, criminal investigations. Mark Twain actually wrote a story in the eighteen nineties in which a character put on trial asks that his fingerprints be compared to some left at the scene of
a crime in order to prove his innocence. In nineteen sixty three, the Hughes Research Laboratory published a research paper about fingerprint automation. The lab is today known as HRL Laboratories, which I guess makes it another redundant term, because I'm assuming HRL already stands for Hughes Research Laboratory, so the new name could be interpreted as Hughes Research Laboratory Laboratory. So stop bugging me about PIN numbers, is what I'm saying. Anyway, it used to be the Research
and Development division of Hughes Aircraft. Today it's owned by Boeing and General Motors. But back in the nineteen sixties, the lab published a paper about automated fingerprint identification. It acts as the foundation for fingerprint scanning today. It's basically automating a process that had been performed manually, where you take two sets of fingerprints, your reference set and your submitted set, and you compare them and look for
points of similarity. If you have enough points of similarity, the likelihood of the fingerprints belonging to someone else drops to near zero. For the match to be wrong, someone who happens to have very similar fingerprints to the person in question would have had to be in the same geographic region at around the same time, and with enough points of similarity that becomes increasingly unlikely. So while researchers
worked on creating automated systems for fingerprint identification, others were working on similar systems for facial recognition and voice identification. Essentially, any aspect of a person that would be intrinsically unique to him or her was considered an interesting value to quantify and classify, for good or for ill. In nine, the first commercial hand geometry systems launched. Dylan, did you ever have to use a hand geometry system, where it measures
your hand? Dylan's shaking his head no. I did. It was a regular part of the University of Georgia when I was there. So this is a scanner that looks at the shape of a person's hand and compares it to a database, and it authenticates the person based on hand geometry. You have to set up your profile, right? You scan your hand for the first time, and it associates your hand geometry with
you, the person. Every time you scan your hand later on, it references that database and says, hey, does this match the hand we measured that first time? And if the answer is yes, it authenticates you. So my university's food hall had one of these. If you wanted to eat, you had to stick your hand in the machine. It got a little bit Flash Gordon-esque. You know, you sit there wondering if you're going to get your hand back after you put
your hand in there. But I mean, if you wanted tater tots, you just had to do it, or in my case, chili cheese fries, which I ate way too frequently. I digress. Then, partially funded by the FBI, researchers began to develop fingerprint scanners. Now, the first of those used capacitive detection, which wasn't terribly precise in the nineteen seventies. Most smartphones these days actually use this approach. Capacitive touchscreens use it. Essentially, touching the screen alters an electric
field on the phone, because we conduct electricity. It's a very weak electric field, but we conduct electricity. Touching a device that has an electric field running across the surface disrupts that field, and that allows the device to detect the presence and orientation of a touch, so it knows the X and Y coordinates of
where you are touching on the screen. That's why if you wear ordinary, non-touchscreen gloves while trying to work an iPhone, nothing happens: the glove doesn't couple to that electric field the way your skin does. The screen isn't a resistive touchscreen; it can't detect a touch unless that capacitive coupling is there. Well, speaking of the iPhone, Touch ID on the iPhone 5S and later models actually uses capacitive sensing to authenticate a fingerprint, just like that nineteen seventies system did, except these days it's way more precise than the tech was capable of back then, so it's much less likely to give either a false positive or
to deny someone access to their phone. It may require you to scan a second time if it didn't get a good read of your fingerprint when you were trying to unlock the phone, but it's not likely to deny you because it can't identify your fingerprint. Now, in nineteen, two doctors, Aran Safir and Leonard Flom, proposed that irides could be unique to a person. And you might say, well,
what are irides? Well, irides is the plural of iris, so we're talking about the pigmented membrane surrounding the pupil in your eye. By six, these two ophthalmologists received a patent for their approach to using irides for authentication and identification purposes. Later, the first iris identification security systems became part of the Defense Nuclear Agency. So all those spy movies where you see someone leaning forward
and getting their eyes scanned, that's a real thing. Our irises, or irides, I should say, are unique to us, and so that is a pretty tricky thing to replicate. You've probably seen at least one or two movies where someone got hold of somebody's eyeball and got access that way, or knocked a person out, then forced their eye open and held their head up to the scanner. But in general it's not easy to replicate without access to somebody who is already authorized to enter that area.
Over the next several years, advances in biometrics opened up new opportunities, not just for authentication or security. Facial recognition is a great example. It's been incorporated into dozens of technologies, probably most notably into our cameras, including the cameras on our smartphones. Sometimes it's a simple implementation which just detects a face in order to focus properly
on a subject. Sometimes it's more complicated, so it might allow for automatic tagging of images, because it can recognize people based on their facial features. You've probably had some experience with this in some capacity. Organizations also began to form around this time to create standards for biometric implementations.
This would reduce the chance of competing technologies with varying degrees of efficiency and accuracy interfering with each other, and by two thousand three, the US government began to
formally coordinate biometric implementations. Meanwhile, the International Civil Aviation Organization created a global standard to incorporate biometric data into travel documents like passports, and ten years later you could find biometric solutions built directly into personal electronics like laptops and smartphones.
In fact, I had a laptop with a fingerprint scanner from before that. You would actually have to slide your finger across a little strip, kind of like a copier, and if your fingerprint matched, it would unlock your computer for you. I actually had that one here at HowStuffWorks. I miss it sometimes. Well, I've got a lot more to say, but first let's take another quick break to thank our sponsor. All right, things like fingerprint scanners are
not foolproof. It is possible, although challenging, to lift a person's fingerprint from something they've handled, scan it, and replicate it. There are a couple of different ways to do this. Some of them require access to equipment and materials most of us don't have in our homes, so it's not practical for the average person. But the point is, with the right determination, the right know-how, and specifically the right materials, you can create a fake fingerprint.
You might use something like latex or even wood glue, and you could lift a fingerprint and use it to fool certain authentication systems. If the system is just looking for a particular pattern on a fingerprint, the copy could be good enough to fool it, particularly if you can overlay the copy on top of your own finger. This provides the capacitive coupling the sensor expects. So in other words, let's say I've got a latex fingerprint and I
need to access a phone. Well, if I just lay the latex down against the capacitive sensor, it's not really going to affect anything. If I put actual living tissue behind it, that's a different story. So how do you defeat that sort of security vulnerability? Well, I had the opportunity to speak with Dr. P, who is the Chief Technology Officer of Goodix, to talk about a fingerprint scanner with an additional measure of security
to counteract those sorts of spoofing attempts. Here's what we talked about. Dr. P, let's start off by talking about how biometrics are transforming security in the technology field, specifically for things like consumer tech, because my listeners are very interested in that: the concept of using biometrics to access various devices. I think probably the example most of
them would be familiar with would be smartphones. Can you talk a little bit about how that has developed over the last few years, and why it is such a compelling component for security? Well, I think one story I actually came across, which is part of my experience too, sums it up really well: since more and more phones have a fingerprint sensor, more and more people are using it.
One guy, an old friend of mine, totally forgot his passcode; now he's using the fingerprint on the phone all the time. And at one point I also forgot the passcode as well. So it kind of tells you how much consumer behavior has changed. They used to, obviously, everyone has a passcode, and nowadays they do, but they don't use it anymore. The fingerprint has certainly taken over the
majority of the authentication. And then the other thing is, in the case of the China market, there's a lot of mobile payment. Now, if you were in China, you could literally live without... it's like a credit card, right? You can live without cash, but in China you can live without a credit card and cash. You can use your phone and mobile payment to literally do everything, from the convenience store to buying tickets to hotel payments, everything.
It's quite... but all those things obviously go through the fingerprint for authentication, right, and so the authentication part is obviously really important. You want to make certain that the person who is utilizing a device, particularly one that can be used as a means of commerce, a means of purchase... you want to make sure that the identity of the person holding the phone is in fact the person authorized to use that device for
that purpose. And that kind of comes in with the sensors you've been working on in the recent past, where it's not just looking for the pattern of a fingerprint, which, as some people have pointed out, is possible to spoof. If you have the right scanners and the right, you know, even 3D printer technology, you could potentially create a fake fingerprint and access sensors that are
only capable of detecting the fingerprint layout. You are working on technology that goes a step further than that. Can you talk about that a little bit? Yes, yeah, this is one technology we recently released to the market. At the same time as you scan and record the fingerprint pattern, you're also detecting the dynamic blood flow in your fingertips. So that enables the sensor to tell whether this fingerprint pattern is from a live person versus a mock-up spoof.
So that further enhances the security level of fingerprint authentication, because most of the spoof methods we know of obviously are not live objects. So this basically takes the security level one level up, so I think it will block out most, if not all, of them. Right, so people who would normally rely on something like a
fake fingerprint made from, say, silicone or rubber, that wouldn't work on this particular type of device, or this particular sensor, I should say, which will be incorporated into other devices, whether it's a phone or a secure entry point or whatever it may be, because it will lack that blood flow, and without the blood flow, the device quote unquote knows it is not a valid authentication. Am I getting
that correct? Correct, right, you're absolutely correct. Wonderful. So let's talk a little bit about how this sensor actually detects that blood flow. What are you using in order for the technology to quote unquote know that blood is flowing behind that fingerprint? Yeah, so what we... I think we're using this technology: we integrate an optical sensor in the same area as the fingerprint
sensor. And we also put in a small LED emitter, emitting infrared light through the sensor's glass cover, so it sends the light into your fingertip, and then the optical sensor detects the scattered light from your fingertip, and the blood flow itself changes the intensity of the scattered light. So this is a very common technique to use, like in the hospital, the pulse oximeter we use all the time. You know, you're in
the hospital bed, they put it on your fingertip. It's the same principle, except that in this case we just use it to detect the blood flow. Did I get that right? So in some ways you could even argue this is a simpler use of a technology that's been put to use specifically for those monitoring devices in hospitals, where you know you need to have
more specific information. It's not like your smartphone necessarily is going to tell you what the oxygen levels are in your blood, although I guess you could technically develop sensors that could do that. You're right. But on the other hand, obviously to quantify everything, that is one level up, right? You also need a longer time, you know, not something the average user is willing to wait for. Right,
so why wait? We do provide a simple way to also provide a heartbeat, the heart rate, on the sensor, so the user could just leave the fingertip on the sensor for a while and it will report the heart rate. So there is a kind of side benefit of this technology, right? And so one potential
application for being able to detect heart rate: obviously you have medical applications, but you also have applications within the health and fitness sector, where people might be using their smartphone while out on, say, a jog, and they want to make sure they're keeping their heart rate within a specific target zone. That could be something you would use that sort of sensor technology for, beyond its
authentication capabilities. So it's really interesting to me that we're looking at a technology that for a long time people thought of as sort of science fiction. You would see in movies that someone would put their finger down and get a scan and that would give them access to stuff. And now we're realizing that's convenient, because unless something terrible has happened, you always
have your finger with you. But as we've discussed, it's not foolproof unless you have this secondary layer of protection, in this case the detection of blood flow. So what sort of devices might we see this incorporated into? I mean, again, smartphones are an obvious example. Are there others that you either have your eye on
or you could see as a potential in the future? Yeah, the other, beyond the mobile device, you're looking at maybe a safe, for example. People use a code on a safe. But at the same time, you could even implement a fingerprint sensor on the safe, right? So not only do you use the code; on top of that you can use the fingerprint, and that will add, you know,
an additional layer of security. Yeah, and your doors. Nowadays they're wireless; wirelessly controlled doors are becoming more and more popular, and you may enable a scan there for people to use. There's a lot of those. Like the car, right? It's the same way: people who steal your key today can just drive away with your car. But if you have a fingerprint scanner in the car or on the key,
that will obviously protect your car better. You can lose your key, but people still can't drive away with your car. So there's a way of using... the one benefit of the mobile application is it's really driving the cost and the size and the power way down. Imagine a billion devices shipping every year, so the economy of scale makes the cost come down so much that you enable all those other applications. Yeah, you hit upon something really interesting there,
because we've seen that. We've seen smartphone and cell phone technologies drive a lot of development in what you might think initially are unrelated technologies, simply because, as you say, the economies of scale provide this economic imperative. It's not even an incentive, it's an imperative to develop smaller,
more efficient, more economical sensors and other technologies. So, for example, beyond this fingerprint sensing technology that could be used in multiple applications, a lot of the development we've seen in the virtual reality space, in gaming in general,
and in a lot of technologies is possible because the smartphone has acted as a platform that people have been developing for for years to increase the number of features, increase its security, increase its applicability for lots of different possible uses, and we end up seeing that spill over into seemingly unrelated uses. And I think that's a great story in general, in that it illustrates that work on one particular platform benefits us in
ways you can't necessarily anticipate from the beginning. And certainly when it comes to things like authentication and security, you want to see those benefits applied to a broader spectrum of uses, because we're getting to a world, in fact we're already there, where more and more of our devices are interconnected in ways where, if you are able to get unauthorized access to them, you could potentially cause a great deal of mischief and harm.
So where do you see the future going? If you had to put on your prognosticator hat, what do you think the next big step in authentication is going to be? Well, they're already happening. The iris scan on the phone, right? Samsung already has that implemented, and I
think it will become more popular. And the next level people are already talking about is the fingerprint scan getting into the display area; I think the rumor is the iPhone may have this function. And then I think you go beyond. You're going to see more and more maybe medical readings, right, because the mobile device is so powerful and with us all the time, you can really use it as a platform for monitoring your health, because it's with you all the time.
So we'll see a lot of those sensors happen, and so I think that is kind of the next few years; we're going to see more and more of those things. Interesting. Well, sir, thank you so much for joining our show and answering my questions. This has been a fascinating conversation, and I know that my listeners are always really interested to learn not just about how technology works, but why those applications are so important. I think you've done
a great job at doing that. So thank you very much for joining me today. My pleasure, thank you. As for the future, what if you could authenticate your identity just through thinking? Researchers over at Binghamton University developed a process in which they could identify, or at least they claim they can identify, a person based on their brain wave activity alone. So here's what they did. They took
a sample of fifty people. It's not a big sample size, but it's interesting. Fifty people, each fitted with an electroencephalogram, or EEG, headset. Then they showed each person a series of five images, and those images prompted various emotional and cognitive responses. Now, those responses are
unique to each individual. So let's say that you and I are looking at the same photo, and just for argument's sake, it's a picture of my adorable dog, Tibolt, and both of us think he's the cutest little dog in the world, because he is. I mean, come on. Well, the way your brain manifests that information and the way my brain manifests that information, even if we both feel
the same way, is going to be different. So theoretically, once you record these brain responses to these images from people and assign each of those responses to the respective identity, you can authenticate a person's identity just by showing him or her the same series of images and looking for matches. If there's no match, then the person you're looking at isn't who you think they are, and
they're likely a pod person. Maybe I should add that no one I know of is actually talking about using brain waves for authentication just yet. The study reported the researchers' success rate at identifying subjects based on brain waves. So in other words, they put these fifty people through the test of recording
all of these responses. Then I assume they used a blind method, where somebody would end up looking at the responses coming in from an unknown subject and would be able to match that person's responses to one already in the database, thus saying, oh, that's Jill, because when Jill sees a picture of Tibolt, her heart grows three sizes that day. We've got to stop showing those pictures. She's having heart trouble. It's terrible.
Tibolt is just so cute. Anyway, I should also add that if you wanted to use this as an authentication strategy, it would be pretty tricky, because it requires an EEG headset. It's not exactly the most convenient authentication technology around. Now, if we ever develop a less cumbersome method for measuring brainwave activity with precision, and that precision is important, that
could become an authentication technology of the future. It's literally the way you think, and that would be much, much more difficult, if not impossible, to replicate, unless you had some sort of recording of a person's brain waves and you could somehow, you know, push those out to cover up your own brainwave activity. I think I might have just written a science fiction novel accidentally. Anyway, that wraps
it up for this episode. If you want to know more about authentication, or biometrics, or anything else really, just check out howstuffworks.com. Our site is pretty awesome, you guys, and it can teach you pretty much how anything works. And if we don't have what you're looking for, you can actually let us know, and there's a good chance someone will create a new writing assignment. It will go out to a writer, they will research it and write it, and we'll create
a new article, and then you'll have your answer. Also, remember you can get in touch with me with any suggestions you might have for future episodes, guests I should have on the show, or really anything else. The email address for the show is techstuff@howstuffworks.com, or you can drop me a line on Facebook or Twitter. The show's handle at both is TechStuffHSW. And I'll talk to you again really soon. For more on this and thousands of other topics, visit howstuffworks.com.
