Thursday, 25 September 2014

With Apple’s iOS 8, Your Fingerprint Can Become the Master Password



Craig Federighi, Apple’s senior vice president of software engineering, discussing the fingerprint sensor at the company’s developer conference in June. Credit: John G. Mabanglo/European Pressphoto Agency
Passwords stink. That was the lesson learned from the recent episode in which hackers broke into the Apple accounts of a number of celebrities.
And not only are passwords weak protection against break-ins, they are also tough to memorize when complex, and a pain to reset when you forget them.
But when I set up my new iPhone 6 earlier this week, I took a glimpse into a future without passwords. It was replaced with something no one could easily replicate, and something that was with me at all times: my fingerprint.
By following a few steps, I was able to set up my iPhone to log into websites I regularly use with a touch of my finger. No more passwords. I was relieved when I effortlessly logged in to my bank, my Facebook profile and my Amazon account.
Apple’s fingerprint sensor, called Touch ID, is hardly new. It was introduced in the iPhone 5S as a feature for logging into the phone instead of punching in a code.
But along with the new iPhone 6, Apple recently released iOS 8, its new software system for mobile devices. It includes an important feature that allows third-party apps to hook directly into Apple’s native apps.
With iOS 8, Apple also opened the fingerprint sensor to work with third-party apps (whereas before it could primarily be used only to log in to the phone or buy apps through the App Store). With these tweaks, Apple only just recently unlocked the true potential of its fingerprint sensor.
One caveat: Setting up the device to accept fingerprints for entering passwords was not very simple. It required installing the free third-party app 1Password on my iPhone. Then I had to follow some steps to create a shortcut to 1Password that could be accessed inside Apple’s Safari web browser.
After that was set up, I went into the security settings of the 1Password app and enabled Touch ID to work. And on top of that, I had to use 1Password to log in to every site by typing each of my passwords — just once — to store the password inside the app.
But from there, when logging in to the websites from Safari, I could use my fingerprint to enter my user name and password. You can also set this up to use your fingerprint to enter credit card numbers for shopping online. It saves valuable time, plus it feels safe because your fingerprint becomes the master password.
No more tedious memorization or typing. Imagine if and when the fingerprint sensor makes its way into not just Apple’s iPads, but also its laptops. While it doesn’t look like the password will go away anytime soon, memorizing and typing it in could soon become a thing of the past.
Good riddance.

Next Generation Identification



FBI Announces Biometrics Suite’s Full Operational Capability
09/23/14
Agencies searching the FBI’s criminal history record database for matches to their subjects are getting faster and more accurate responses—the result of the Bureau’s 10-year effort to improve its ability to provide law enforcement partners with timely, high-quality identification.
Earlier this month, the FBI announced the Next Generation Identification system, or NGI, is now at full operational capability. The system replaced the Integrated Automated Fingerprint Identification System (IAFIS), the Bureau’s longstanding repository for fingerprints. NGI’s incremental roll-out, which began in 2010, has already seen significant improvements in accuracy rates on queries, the result of new high-tech tools and algorithms that more effectively search more than 100 million records. Fingerprint matches are now better than 99 percent accurate, and hits on latent prints (prints lifted from crime scenes, for example) have tripled from 27 percent accuracy in the old IAFIS system to more than 81 percent today.
“NGI gives us this opportunity to not only upgrade and enhance technology that we’ve been using for years, but it also lets us leverage new technology that can help us do our jobs better,” said Steve Morris, assistant director of the FBI’s Criminal Justice Information Services (CJIS) Division, which runs NGI.
Closing the Gap
The expanded capabilities of Next Generation Identification (NGI) have reduced the margin of error in identifying criminals. NGI’s biometric modalities include not only fingerprints, but also palm prints, mug shots, and scars that, when combined, can present a compelling case. Steve Morris, assistant director of CJIS, said NGI is not a new FBI authority; rather it is a tool that takes advantage of new technologies.
“We’re leveraging technology that is not only increasing the accuracy of these things, but when you combine them—a fingerprint that is 99-plus percent reliable and a facial image—you are almost providing virtual certainty.
“Right now people may say that 99 percent is pretty good. Why do we need better than that? Well, I guess that’s okay unless you’re that one guy in a 100 that the system made a wrong identification on. To be able to close that 1 percent gap—to 99.99 percent, because we’ve now added a photograph—the chances of the two systems misidentifying that person are exponentially less.”
Enhancements under NGI include the following:
  • Repository for Individuals of Special Concern (RISC): Deployed in 2011, it’s a searchable subset of what Morris described as the database’s “worst of the worst offenders,” including terrorists and dangerous fugitives. Using a mobile device, police can take two fingerprints from a subject and remotely query the database and get immediate results. “NGI provides a quicker mobile identification for the officer,” Morris said.
  • National Palm Print System: In May 2013, NGI expanded beyond traditional finger and thumbprint capabilities to include palms. Morris said the majority of prints left at crime scenes contain hand ridges and palm prints. Just this month, one latent palm print returned a match.
  • Rap Back: Entities that conduct background checks on individuals holding positions of trust (teachers, camp counselors) can receive notifications if the individual is subsequently involved in criminal activity. Launched earlier this year, Rap Back is named for the process of reporting back when a person is involved in criminal activity.
  • Interstate Photo System (IPS): Launched this year, NGI’s facial recognition capability provides a way to search millions of mug shots or images associated with criminal identities for potential matches. Note that civil files (such as those in Rap Back) and criminal mug shots reside in a repository separated by identity group, so an innocent schoolteacher’s image isn’t going to appear when the system returns an array of possible candidates in a criminal query. “If law enforcement submits that photo, they’re going to get back possible candidates from the criminal file,” said Morris. “They’re not getting the ones from the civil file.”
In safeguarding privacy and protecting the public’s rights and civil liberties, NGI is subject to the same extensive security protections, access limitations, and quality control standards already in existence for IAFIS. A thorough privacy impact assessment is completed and submitted to DOJ for each enhancement under NGI.
The facial recognition system is not connected to the Internet or social networks or your local Department of Motor Vehicles. “Facial recognition doesn’t mean that we somehow now have this ability to go out and start collecting video feeds,” Morris said. “That’s not what this is about. It’s a technology that allows us to digitally compare criminal mug shot photos that we have in our database against one another.”
For more than 18,000 law enforcement agencies and partners—and their constituents—upgrading to NGI means increased accuracy and improved, faster intelligence. “Not only are we providing a better, more accurate technology, but we’re able to provide all these better services more efficiently,” Morris said.

You Can Create The Perfect Password. Here's How





Are you one of those people who's still using "baseball" or your home address for all your passwords? We shouldn't have to tell you this, but having super simple login information is one of the easiest ways for hackers to get access to everything from your Netflix account to your bank account.




We rounded up some of the most useful tips for creating and keeping track of your passwords, to better protect your personal information online:
1. Avoid the obvious (just like this tip)
Believe it or not, passwords like "123456" and "password" are still the most used. Don't. Do. This. Hackers can use a simple dictionary attack, where programs create and enter dictionary word and number combinations, to easily get into your accounts.
2. Turn phrases into codes
As HuffPost blogger and online security expert Robert Siciliano recently explained, a good way to pick a password you won't forget is to convert a phrase about yourself into an acronym. For example, you should turn a sentence like “My college roommate was from a dairy farm in Wisconsin” into “McrwfadfiWI.”

You don't have to try pronouncing them.
3. Mix up letters and numbers
Sites will often tell you to use a combination of numbers, letters, and symbols, but that doesn’t matter if you’re still using obvious words and numbers like "Password1234!" Instead, try making letters into numbers, or adding numbers in the middle of an acronym password. So to make the example password from tip 2 even better, we'd change "McrwfadfiWI" to “Mcr1444wfadfiWI.”
4. Use 12 characters or more
Any password is crackable, but longer ones are harder to figure out. Sure, there are 645 trillion possible combinations for an eight-character password. But that number jumps exponentially each time you add a letter. According to researchers at Georgia Tech, it could take 17,134 years to crack a 12-character password.
5. Don’t reuse or recycle
If you've got the same password for all your logins, one breach can endanger every account you have. Make sure to change your passwords periodically, and avoid just going back and forth between a handful.

Leaks happen, so don't make it easy.
6. Personalize by site
If you insist on repeating, at least add a few extra symbols that correspond to various sites, making your logins safer if one of your accounts is compromised. So for the example password above, adding a "FBK" to the password for a Facebook login could be one way to use it more than once: “FBK.Mcr1440wfadfiWI.”
7. Stay logged off
While it’s convenient to store your passwords in your browser on your computer and smartphone, that’s the easiest way for someone to get quick access to accounts and data if your device is stolen or compromised. Just uncheck the "remember me" option and take the few seconds to type in your password.
The time you spend retyping will be less stressful than being hacked.
8. Add two-step verification
Two-step verification helps protect even the strongest passwords from being hacked. The feature forces you to enter a code that's sent to your phone or email address in order to get into your account. Here’s a list of sites that support it.
9. Keep a backup
Your passwords should be easy to remember, but we all have those forgetful days. Security expert Robert Siciliano suggests keeping an Excel file in a program like Google Drive or Dropbox that is cloud-accessible and also behind two-factor authentication. He also advises storing a physical copy in a safe in case of emergency. Of course, that paper will need to be updated every time you make a change.
10. Use a password manager
LastPass will store and generate passwords for an unlimited number of sites.
The easiest way to remember and feel safe about entering your passwords across all sites is to use a password management tool. Don’t fear the cloud -- these services have strong encryption and allow you to unlock and auto-fill your passwords and other information with one master password.
We’ve tested three of the top tools, and LastPass, free on computers or $12 yearly for mobile sync, seems to be the best option.