Synaptics IronVeil and the future of authentication

Anyone with a recent iPhone, Galaxy, or Nexus device already knows the benefits of a fast, readily-available fingerprint sensor. I love my iPhone 6S Plus if only for the fact that I no longer have to waste precious time typing in a PIN to unlock the device. Touch ID also makes buying apps on the App Store and buying groceries with Apple Pay a one-touch process.

Move back to PCs, though, and authentication turns into a nightmarish problem. In an ideal world, we’d all use password managers with unique, complex credentials for every one of our online accounts. The reality is far less than ideal. Many sites still place unsafe restrictions on the length and contents of passwords. Instead of password managers, people use Post-Its or text files on a USB drive. Every year, the most popular passwords revealed in data breaches include laughably weak phrases like “1234567” or “password.” Phishing attacks can still catch the uninformed off-guard.

The FIDO Alliance (from Fast IDentity Online) is proposing a couple of ways forward from the quagmire of plain old usernames and passwords. FIDO is a growing standards organization that already counts heavyweights like Microsoft, Lenovo, PayPal, Samsung, Visa, MasterCard, and Bank of America among its members.

Synaptics is also a member of FIDO, and it’s providing one solution for collecting that biometric information in the first place. If you’re using a Windows laptop with a touchpad, chances are you’re already familiar with Synaptics products. A couple weeks ago, we met with the company at CES and got an early look at IronVeil, the company’s fingerprint-sensing solution for the desktop.

The hardware

IronVeil is a 4-mm by 10-mm sensor that could conceivably be incorporated into a range of devices. Our first look at the sensor comes by way of a pre-production Thermaltake Black V2 gaming mouse. Synaptics says the sensor completes the data acquisition and matching process in under 200 milliseconds, but all that really matters is that it feels as fast as Touch ID in use. Put your thumb on the sensor and Windows Hello logs you in with only the slightest delay. I found it far easier to use the Black V2 than to type my complex password from memory.

That little black strip is the IronVeil sensor

While putting the fingerprint sensor on a mouse is certainly a natural place to start, I hope Synaptics will work with peripheral manufacturers to encourage broader adoption of the technology on other devices, like keyboards. The company had a Corsair K70 on display at its CES booth with a similar fingerprint sensor built in, and that feels like a more natural place for this technology.

Gamers are already particular about the weight and balance of their mice, and despite its many benefits, a fingerprint sensor is extra weight that has to be pushed around. The mouse may be the most natural place for the thumb to rest, but if a user wants to register extra fingers, it’s a bit awkward to press the bottom of an index finger to the side of the mouse.

Synaptics thinks gamers will benefit from having a fingerprint sensor on board the mouse, though. The company envisions a future where common e-sports titles and online multiplayer games will use the sensor as a tool to verify that the player behind the screen is, in fact, the owner of the account. That prevents “smurfing,” where a player signs in on an account that’s not their own. It also makes e-sports betting more trustworthy by ensuring that a match isn’t somehow rigged.

For folks who want to get on board the IronVeil train, a version of the Black V2 we tested will be available in the first half of the year for about $60.

Windows 10, FIDO, and Passport

The foundation of FIDO on Windows is a Windows 10 feature called Passport. Passport can be used to implement multi-factor, password-free authentication with Active Directory, Azure Active Directory, Microsoft Accounts, or FIDO. If you’ve used Windows Hello to set up a PIN or other biometric factors like fingerprint recognition, that information is being stored with Passport.

The two main FIDO protocols are the Universal Authentication Framework (UAF) and Universal Second Factor (U2F). Put briefly, UAF provides a password-free experience like Touch ID with biometric devices, while U2F can use a number of inputs as a second factor alongside traditional usernames and passwords. A biometric signature like a user’s face or fingerprint can serve as one of those second factors.

There’s reason to hope that FIDO and Passport will become widely adopted. These technologies make large-scale thefts of user credentials from corporate information systems less appealing by doing away with passwords entirely (in the case of FIDO UAF and Passport) or making them less useful (in the case of FIDO U2F).

While client systems are, in theory, more vulnerable to attack, no images or raw biometric information are stored on the client side with either framework, and derived biometric signatures are kept encrypted on a Trusted Platform Module or in software.

FIDO and Passport also don’t exchange credentials over the network. When a user needs to authenticate with services like Active Directory, for example, these protocols rely on asymmetric cryptographic methods and tokens rather than user credentials. FIDO uses a similar principle for its information exchange. All verification is performed on the client side, making man-in-the-middle attacks more difficult.
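
The challenge-response idea described above, as an added example that is not from the original article or from the FIDO specifications. It is a simplified model rather than the real UAF/U2F message formats: the function names, the origins, and the boolean standing in for the local fingerprint match are all assumptions.

```javascript
// Simplified FIDO-style login: the server stores only a public key and
// nothing secret ever crosses the network. All names are hypothetical.
const nodeCrypto = require('node:crypto');

const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest();

// Registration: the device creates a key pair for one site and hands
// the server the public half only.
function register(origin) {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, server: { origin, publicKey, pending: new Set() } };
}

// Server: a fresh random challenge per login attempt, valid once.
function issueChallenge(server) {
  const challenge = nodeCrypto.randomBytes(32).toString('hex');
  server.pending.add(challenge);
  return challenge;
}

// Client: the fingerprint match happens locally (simulated by a boolean);
// only then is the key used. The signature covers the origin the browser
// actually sees, so a login relayed through another site does not verify.
function signChallenge(device, seenOrigin, challenge, fingerprintMatched) {
  if (!fingerprintMatched) return null;
  const msg = Buffer.concat([sha256(seenOrigin), Buffer.from(challenge, 'hex')]);
  return nodeCrypto.sign('sha256', msg, device.privateKey);
}

// Server: reject unknown or reused challenges, then check the signature
// against its own origin and the stored public key.
function verifyLogin(server, challenge, signature) {
  if (!signature || !server.pending.delete(challenge)) return false;
  const msg = Buffer.concat([sha256(server.origin), Buffer.from(challenge, 'hex')]);
  return nodeCrypto.verify('sha256', msg, server.publicKey, signature);
}

// Constructed scenarios: genuine login, replay, relay via another origin,
// and a failed local fingerprint match.
function demo() {
  const site = 'https://bank.example';
  const { device, server } = register(site);
  const c1 = issueChallenge(server);
  const sig1 = signChallenge(device, site, c1, true);
  const genuine = verifyLogin(server, c1, sig1);
  const replay = verifyLogin(server, c1, sig1);
  const c2 = issueChallenge(server);
  const relayed = verifyLogin(server, c2, signChallenge(device, 'https://phish.example', c2, true));
  const c3 = issueChallenge(server);
  const noFinger = verifyLogin(server, c3, signChallenge(device, site, c3, false));
  return { genuine, replay, relayed, noFinger };
}
```

A breach of the server in this model yields only public keys, which is the property the article credits with making large-scale credential theft less appealing.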

Passport can be implemented within a business more or less at a system administrator’s discretion, but FIDO still seems like it has a ways to go before it’s widely adopted. Windows Hello and Passport are important pieces of the puzzle, though, and browsers like Google Chrome already have support for FIDO U2F built-in.

If manufacturers begin incorporating IronVeil (and other biometrics tech) into their peripherals, however, more consumer-facing organizations will likely begin building the back-end infrastructure needed to make the FIDO protocol work. Let’s hope these are the first steps to a less password-reliant future.

Comments closed
    • spugm1r3
    • 4 years ago

    I think this in a keyboard, with a two camera system to minimize spoofing facial recognition with a photo (this doesn’t exist yet), could make for a pretty decent authentication scheme. For most people, security is only as effective as it is easy to use. Being able to sit down at your desk and have your system automatically recognize you would be pretty damn convenient.

      • satchmobob
      • 4 years ago

      Facial recognition has been around in the consumer space for quite a while now. Not sure if it still does but Dell used to ship it with its Alienware laptops at least. I believe it was called Aliensense.
      Still, if all this software and devices just fill in your normal Windows credentials, it’s pretty pointless if the attacker has physical access to the machine.

    • Krogoth
    • 4 years ago

    This is a bit silly.

    If you cannot secure physical access to your computer then all bets are off.

      • Prospero424
      • 4 years ago

      Physical security is about buying time. Anything is crackable with enough time, but an attacker’s time (and/or skill) is often limited.

        • Waco
        • 4 years ago

        Really? How is a mouse going to stop someone who can physically access your server/desktop?

        In *nix it’s trivial even without external tools. I don’t believe Windows is all that impervious to any number of USB recovery tools either.

        This wouldn’t even be a consideration if I was breaking into a system…

    • BIF
    • 4 years ago

    By the way, except for the color and absence of the namesake snake, that mouse looks like this one (http://www.razerzone.com/gaming-mice/razer-ouroboros).

    • ludi
    • 4 years ago

    Anyone else remember the Mythbusters episode where they defeated a fingerprint scanner in a door lock using pretty much anything and everything that could hold a print transfer?

      • ikjadoon
      • 4 years ago

      That’s scary.

      Touch ID (from Apple) seems much stronger, requiring a silicone mold:

      https://www.youtube.com/watch?v=2u4ZLGsw1zo

    • Forge
    • 4 years ago

    I too will pass, but because I doubt Synaptics is bothering to support anything but Windows.

    Beyond that, as noted by others, a biometric can be compelled by law, a password cannot.

    Correct horse battery staple!

      • BIF
      • 4 years ago

      Some systems, such as iOS, will require a password/pin code after so much time of not being used; something like 48 hours away from the device. Maybe if this interval were customizable to within a couple of hours, it would help with this concern because courts typically don’t move very fast.

      It would not help for a case where a cop demands you unlock your device at a traffic stop, but then it would not matter anyway because whether it is secured by password or fingerprint; the cop is the guy pointing the gun at you.

        • BIF
        • 4 years ago

        So I wish whoever downthumbed my comment would have accompanied it with a comment of their own. My comment was not meant as a joke or insult; it was genuine. So I would like to know where I went wrong (I’m assuming you think I went wrong), but I can’t know that if you don’t communicate with me. 🙂

    • Godel
    • 4 years ago

    Maybe someone should make a mouse with a Yubico built in.

    • lmc5b
    • 4 years ago

    I think instead of a single fingerprint you should use a sequence of prints. Like a PIN with fingers, that way if someone gets your fingerprint they need not only the other fingers but to guess the order you use them in.

    • orik
    • 4 years ago

    This offers nice security through obscurity where other people won’t be able to find your finger print scanner.

    • DoomGuy64
    • 4 years ago

    A fingerprint is a user id, not a password. Using it as both is a security hazard.

      • Waco
      • 4 years ago

      Authentication, not authorization.

      Sadly, they’re the same thing to many.

    • ozzuneoj
    • 4 years ago

    As someone who frequently gets cuts and scrapes on the hands and fingers at work, I just pictured not being able to log into my favorite game because I have a bandaid covering a gaping wound on my thumb.

    … Mostly joking… but sadly, it’s a situation I’d likely run into.

    • Freon
    • 4 years ago

    Fingerprints should not be considered as passwords, but usernames.

    You cannot change your fingerprint if something goes wrong with the tech or your fingerprint gets scanned and posted online. You can always change a password.

    They’ve already been demonstrated to be hackable in the physical space.

    No thanks. I’m not going to be using any fingerprint biometrics for anything I care about.

    • anotherengineer
    • 4 years ago

    “I love my iPhone 6S Plus”

    Thought you were my wife for a sec. Loving inanimate material objects 😉

      • morphine
      • 4 years ago

      You’re saying you’re an inanimate material object? 🙂

        • anotherengineer
        • 4 years ago

        No, they get more attention than I do.

    • Srsly_Bro
    • 4 years ago

    I’ll stick with passwords. Let’s all keep in mind fingerprints and other biometrics used for authentication are not covered under the 5th Amendment.

      • Froz
      • 4 years ago

      Umm, so your fingerprints cannot decline answers about themselves in a criminal case? Or what exactly do you mean? I’m not American, your law always seemed a little weird and funny to me.

        • Freon
        • 4 years ago

        You can be compelled to unlock a biometric system, but not divulge a password. 5th amendment has been ruled upon in the courts to apply to the latter but not the former.

          • Froz
          • 4 years ago

          Ah, thanks. So, if I’m in US and I lock a weapon you used to kill someone, better lock it with password and not my fingerprint, got it :D.

        • Srsly_Bro
        • 4 years ago

        It has to do with testimony. The password comes from your mind, your fingerprint does not. A major case dealt with a person being forced to give up a key to a safe, but if the safe had a password, he would not have to divulge the password. The key and code both unlock the safe. Only one of those comes from his “mind.”

        I hope that helps to explain the issue.

      • DragonDaddyBear
      • 4 years ago

      That’s why I’m interested in Yubico. They, too, are a member of FIDO. One of their U2FA options is a USB device that houses a key and has NFC capabilities for the phone. http://www.amazon.com/Yubico-Y-072-YubiKey-NEO/dp/B00LX8KZZ8/ref=sr_1_3?ie=UTF8&qid=1453307915&sr=8-3&keywords=yubikey+4 If U2FA was more popular I'd buy one.

      • trackerben
      • 4 years ago

      Your word is your bond, except when your finger is?

      • anotherengineer
      • 4 years ago

      I wonder how good it works if your a tradesperson, beat up finger prints, cuts, burns, grease.

      ??

        • dodozoid
        • 4 years ago

        Grammar natzis are coming for ya bro… Enjoy the train trip.
