1 00:00:04,160 --> 00:00:07,200 Speaker 1: Get in touch with technology with TechStuff from how 2 00:00:07,240 --> 00:00:13,720 Speaker 1: stuff works dot com. Hey there, and welcome to TechStuff. 3 00:00:13,800 --> 00:00:17,720 Speaker 1: I'm your host, Jonathan Strickland, senior writer with how stuff 4 00:00:17,760 --> 00:00:21,000 Speaker 1: works dot Com, and today we're going to explore the 5 00:00:21,160 --> 00:00:26,000 Speaker 1: wonderful world of authentication technology and how it's evolved and 6 00:00:26,040 --> 00:00:29,920 Speaker 1: what could be in store for us in the future. 7 00:00:30,840 --> 00:00:33,559 Speaker 1: So the reason why I picked this topic before I 8 00:00:33,640 --> 00:00:36,559 Speaker 1: jump into the whole thing, is because I feel like 9 00:00:37,159 --> 00:00:41,080 Speaker 1: security is becoming a bigger and bigger concern as it 10 00:00:41,080 --> 00:00:43,959 Speaker 1: should be for a lot of people. People are more 11 00:00:44,000 --> 00:00:46,920 Speaker 1: aware of it, I think than they were perhaps five 12 00:00:47,000 --> 00:00:50,800 Speaker 1: years ago. Not everyone is practicing good security measures. Not 13 00:00:50,880 --> 00:00:54,959 Speaker 1: everyone's practicing two factor authentication or multi factor authentication. We'll 14 00:00:55,000 --> 00:00:58,040 Speaker 1: talk about that in this episode, and if you aren't 15 00:00:58,080 --> 00:01:01,760 Speaker 1: familiar with what that's all about, that's why I wanted 16 00:01:01,800 --> 00:01:04,720 Speaker 1: to do this show, was to kind of explain what 17 00:01:04,720 --> 00:01:09,240 Speaker 1: what that actually means and why it is important. Authentication 18 00:01:10,200 --> 00:01:13,000 Speaker 1: is something that we should probably define. 
First of all, 19 00:01:13,120 --> 00:01:18,919 Speaker 1: it's the process or action of proving something to be true, genuine, 20 00:01:19,440 --> 00:01:23,760 Speaker 1: or valid, So that covers a broad spectrum right authentication. 21 00:01:23,800 --> 00:01:29,319 Speaker 1: You could be talking about authenticating a historical artifact, that's 22 00:01:29,360 --> 00:01:32,360 Speaker 1: a great example. You bring a historical artifact to an expert, 23 00:01:32,800 --> 00:01:37,120 Speaker 1: they authenticate that it is in fact a historical artifact 24 00:01:37,360 --> 00:01:40,200 Speaker 1: and not something that was whipped up in some sort 25 00:01:40,240 --> 00:01:43,440 Speaker 1: of souvenir shop and some out of the way place. 26 00:01:44,400 --> 00:01:48,720 Speaker 1: But authentication has a very special role in the world 27 00:01:48,760 --> 00:01:51,480 Speaker 1: of technology and the world of computers and electronics. It 28 00:01:51,520 --> 00:01:55,320 Speaker 1: gets a bit more specific. It's the process of verifying 29 00:01:55,440 --> 00:02:00,400 Speaker 1: the identity of a user or a program or process. 30 00:02:01,120 --> 00:02:03,880 Speaker 1: You want to make certain everything is authentic so that 31 00:02:04,040 --> 00:02:08,720 Speaker 1: a program or person doesn't get unauthorized access to a system. 32 00:02:08,760 --> 00:02:13,720 Speaker 1: So you're probably familiar with a lot of authentication processes, 33 00:02:13,760 --> 00:02:17,040 Speaker 1: even if you didn't call them that, because you yourself 34 00:02:17,280 --> 00:02:22,400 Speaker 1: have to employ them on a regular basis. Programs do too. 35 00:02:23,160 --> 00:02:25,840 Speaker 1: But I'm not gonna really spend a lot of time 36 00:02:25,840 --> 00:02:27,639 Speaker 1: talking about programs. 
In fact, I'm really not going to 37 00:02:27,760 --> 00:02:30,280 Speaker 1: dive into it at all because that gets super technical, 38 00:02:30,840 --> 00:02:33,160 Speaker 1: um and really I think it's more important to focus 39 00:02:33,160 --> 00:02:36,440 Speaker 1: on the stuff that you have a direct involvement with, unless, 40 00:02:36,480 --> 00:02:40,080 Speaker 1: of course, you're a programmer, in which case mea culpa. 41 00:02:40,160 --> 00:02:43,799 Speaker 1: So I'm going to focus on authentication technology targeted at humans. 42 00:02:44,600 --> 00:02:47,200 Speaker 1: So one day, maybe I'll do a software one if 43 00:02:47,200 --> 00:02:49,520 Speaker 1: there's a lot of requests for it, but I feel 44 00:02:49,520 --> 00:02:51,280 Speaker 1: like that might just get a little too deep in 45 00:02:51,320 --> 00:02:54,840 Speaker 1: the weeds. So I'm gonna talk about the stuff you 46 00:02:54,880 --> 00:02:58,119 Speaker 1: and I encounter when we try to access or protect 47 00:02:58,680 --> 00:03:02,040 Speaker 1: our technology and our data. Now, there are a ton 48 00:03:02,080 --> 00:03:04,800 Speaker 1: of different ways to do this. Some of them are 49 00:03:04,840 --> 00:03:10,799 Speaker 1: inherently stronger methods of authentication than others and are better 50 00:03:11,480 --> 00:03:16,120 Speaker 1: as far as you know, being more secure. And all 51 00:03:16,160 --> 00:03:20,600 Speaker 1: of these authentication strategies can be divided into three broad categories. 52 00:03:21,320 --> 00:03:27,840 Speaker 1: Those categories are inherence factors, knowledge factors, and ownership factors. 53 00:03:28,120 --> 00:03:31,920 Speaker 1: So when you hear about two factor authentication, we're talking 54 00:03:31,960 --> 00:03:40,920 Speaker 1: about a specific strategy that employs different uh different approaches 55 00:03:41,320 --> 00:03:46,040 Speaker 1: belonging to different factors. 
Now, that doesn't really mean anything 56 00:03:46,080 --> 00:03:49,240 Speaker 1: unless I expand on it. So an inherence factor relies 57 00:03:49,760 --> 00:03:53,240 Speaker 1: upon the user him or herself. In other words, it 58 00:03:53,240 --> 00:03:57,360 Speaker 1: has something to do with you as a user. It 59 00:03:57,560 --> 00:04:02,160 Speaker 1: has to do with either your physical traits or behavioral traits. 60 00:04:02,160 --> 00:04:05,320 Speaker 1: So a very easy to understand example of this would 61 00:04:05,320 --> 00:04:09,160 Speaker 1: be a fingerprint scanner. Right like you, your fingerprints are 62 00:04:09,320 --> 00:04:12,880 Speaker 1: unique to you. It is something you have inherited is 63 00:04:13,000 --> 00:04:17,400 Speaker 1: inherent in who you are, so it's an inherence factor. 64 00:04:18,000 --> 00:04:19,920 Speaker 1: But there are lots and lots of others, and I'll 65 00:04:19,920 --> 00:04:23,640 Speaker 1: talk about some of those later on this episode. Knowledge 66 00:04:23,640 --> 00:04:27,200 Speaker 1: factors are pretty self explanatory. Those are authentication strategies that 67 00:04:27,240 --> 00:04:30,960 Speaker 1: rely on something that the user knows, like a password 68 00:04:31,080 --> 00:04:34,920 Speaker 1: or a personal identification number otherwise known as a PIN. 69 00:04:36,120 --> 00:04:39,919 Speaker 1: Ownership factors are also pretty easy to understand. Those rely 70 00:04:40,040 --> 00:04:43,479 Speaker 1: on something the user possesses, like a key card for 71 00:04:43,560 --> 00:04:47,560 Speaker 1: security door. That would be an ownership factor. Now, on 72 00:04:47,600 --> 00:04:50,320 Speaker 1: top of those categories, you have the additional strategies to 73 00:04:50,440 --> 00:04:54,960 Speaker 1: enable authentication, which includes that two factor authentication that I 74 00:04:55,040 --> 00:04:58,560 Speaker 1: talked about before. 
And maybe you don't know exactly what 75 00:04:58,600 --> 00:05:03,160 Speaker 1: that means, well, that's why here. Really. Single factor authentication 76 00:05:03,160 --> 00:05:07,040 Speaker 1: relies on just one component to access a system. So, 77 00:05:07,120 --> 00:05:10,200 Speaker 1: for example, a lot of smartphones require users to unlock 78 00:05:10,320 --> 00:05:13,919 Speaker 1: the device with a pin or a swipe pattern or 79 00:05:14,160 --> 00:05:18,080 Speaker 1: a fingerprint scan. But that's it, right? You you just 80 00:05:18,120 --> 00:05:21,120 Speaker 1: have to do one of those things. You don't have 81 00:05:21,160 --> 00:05:24,760 Speaker 1: to do multiple things. And once you do, whichever method 82 00:05:24,839 --> 00:05:27,840 Speaker 1: you've enabled on your device, you have access to it. 83 00:05:28,080 --> 00:05:32,640 Speaker 1: There's no secondary requirement. Systems that use single factor authentication 84 00:05:32,720 --> 00:05:38,280 Speaker 1: are weaker than those that require more than one authentication strategy. 85 00:05:38,440 --> 00:05:43,360 Speaker 1: In general, there are some different definitions for strong authentication 86 00:05:43,360 --> 00:05:47,560 Speaker 1: I'll get into and you could argue that some inherence 87 00:05:47,880 --> 00:05:51,520 Speaker 1: factors are so strong as to be fine on their own, 88 00:05:52,279 --> 00:05:55,880 Speaker 1: But in general, going with a single factor is less 89 00:05:55,880 --> 00:05:59,120 Speaker 1: secure than going for a two factor authentication strategy, which 90 00:05:59,120 --> 00:06:04,120 Speaker 1: is exactly what is like. It requires two different authentication factors. 91 00:06:05,200 --> 00:06:08,200 Speaker 1: That means the system will require users to provide authentication 92 00:06:08,640 --> 00:06:12,640 Speaker 1: in two of those three categories. So an example of 93 00:06:12,640 --> 00:06:15,360 Speaker 1: this is an ATM card. 
If you want 94 00:06:15,360 --> 00:06:17,800 Speaker 1: to use an ATM card, you need to 95 00:06:17,880 --> 00:06:21,000 Speaker 1: provide the card. That's an ownership factor. You have to 96 00:06:21,040 --> 00:06:23,400 Speaker 1: be in possession of the card, and you have to 97 00:06:23,400 --> 00:06:28,479 Speaker 1: supply the PIN, that's the knowledge factor. So you have 98 00:06:28,640 --> 00:06:32,360 Speaker 1: an ownership factor and a knowledge factor. Those are two factors. 99 00:06:32,360 --> 00:06:36,000 Speaker 1: That's two factor authentication. Possession of one factor should not 100 00:06:36,080 --> 00:06:40,640 Speaker 1: be sufficient to access the respective system, nor should it 101 00:06:40,760 --> 00:06:44,359 Speaker 1: lead to the discovery of the second factor. In other words, 102 00:06:44,920 --> 00:06:46,880 Speaker 1: if you get hold of the card like you get 103 00:06:46,920 --> 00:06:50,680 Speaker 1: hold of someone else's card, ideally there should be no 104 00:06:50,760 --> 00:06:55,520 Speaker 1: indication on the card of what the PIN is because 105 00:06:55,600 --> 00:06:57,400 Speaker 1: you need both of those things in order to access 106 00:06:57,400 --> 00:07:00,800 Speaker 1: someone's account. And if you make sure that only one 107 00:07:00,839 --> 00:07:03,159 Speaker 1: of the two things is in possession of somebody else, 108 00:07:03,400 --> 00:07:06,840 Speaker 1: they still can't get your stuff. So that's why you 109 00:07:06,839 --> 00:07:10,440 Speaker 1: want the two factor authentication. You have to possess or 110 00:07:10,480 --> 00:07:13,760 Speaker 1: know both of the authentication requirements independently of each other. 111 00:07:14,240 --> 00:07:17,960 Speaker 1: This also applies to other factors as well. It doesn't 112 00:07:18,000 --> 00:07:20,080 Speaker 1: just have to be knowledge and ownership. It could be 113 00:07:20,120 --> 00:07:22,840 Speaker 1: ownership and inherence. 
It could be knowledge and inherence. You 114 00:07:22,840 --> 00:07:27,480 Speaker 1: get the idea. So, if you've enabled two factor authentication 115 00:07:27,600 --> 00:07:31,360 Speaker 1: on various online accounts, which I urge you to do 116 00:07:31,520 --> 00:07:34,960 Speaker 1: for any accounts that actually offer it, you've likely had 117 00:07:35,000 --> 00:07:37,920 Speaker 1: to supply a password as well as a code sent 118 00:07:38,120 --> 00:07:40,840 Speaker 1: to you in some way. For example, you might have 119 00:07:40,840 --> 00:07:43,600 Speaker 1: an email account that when you try and access it 120 00:07:43,760 --> 00:07:46,920 Speaker 1: using a brand new device, says all right, well, what's 121 00:07:46,960 --> 00:07:49,160 Speaker 1: your password? So you typed a little password in and 122 00:07:49,160 --> 00:07:51,160 Speaker 1: then says all right, well, now I'm going to send 123 00:07:51,280 --> 00:07:55,400 Speaker 1: you a code via text message. You need to put 124 00:07:55,480 --> 00:07:58,080 Speaker 1: that code into this little box here, and then I'll 125 00:07:58,080 --> 00:08:02,080 Speaker 1: give you access to your email. So the password part 126 00:08:02,160 --> 00:08:06,440 Speaker 1: taps into that knowledge factor because you know the password 127 00:08:06,840 --> 00:08:11,480 Speaker 1: and the text message taps into the ownership factor because 128 00:08:11,760 --> 00:08:14,520 Speaker 1: there's a specific cell phone with a specific cell phone 129 00:08:14,600 --> 00:08:17,800 Speaker 1: number associated with your email account, so you have to 130 00:08:17,840 --> 00:08:20,120 Speaker 1: be in ownership of the cell phone in order to 131 00:08:20,200 --> 00:08:25,240 Speaker 1: receive the text message and complete that authentication strategy. 
Many 132 00:08:25,280 --> 00:08:28,480 Speaker 1: two factor authentication systems will actually allow you to designate 133 00:08:28,560 --> 00:08:32,880 Speaker 1: specific devices as being safe quote unquote safe, meaning that 134 00:08:32,920 --> 00:08:34,720 Speaker 1: you don't have to do that every single time you 135 00:08:34,760 --> 00:08:37,680 Speaker 1: log in from that specific device. That way, you don't 136 00:08:37,760 --> 00:08:39,640 Speaker 1: end up waiting for a text message every time you 137 00:08:39,679 --> 00:08:42,240 Speaker 1: try and check your email from your personal laptop, computer, 138 00:08:42,400 --> 00:08:45,920 Speaker 1: or smartphone. Now, there are systems that require even more 139 00:08:46,000 --> 00:08:50,880 Speaker 1: forms of authentication, and we typically group these under the 140 00:08:50,960 --> 00:08:56,360 Speaker 1: category multi factor authentication, indicating you've got to supply at 141 00:08:56,440 --> 00:09:00,280 Speaker 1: least two methods in order to access the respective system. 142 00:09:00,320 --> 00:09:03,160 Speaker 1: So technically, two factor authentication is a type of multi 143 00:09:03,240 --> 00:09:07,280 Speaker 1: factor authentication. Most of the time, when I encounter it, 144 00:09:07,400 --> 00:09:10,680 Speaker 1: multi factor is being used to mean more than two. 145 00:09:11,640 --> 00:09:16,000 Speaker 1: I haven't personally ever encountered a system where I've had 146 00:09:16,040 --> 00:09:19,319 Speaker 1: to supply more than two factors. But then again, no 147 00:09:19,360 --> 00:09:22,720 Speaker 1: one trusts me with anything that's that important, so no 148 00:09:22,760 --> 00:09:27,720 Speaker 1: big surprise there. Now, confusing matters somewhat is this term 149 00:09:27,880 --> 00:09:32,040 Speaker 1: called strong authentication, which is used in a lot of 150 00:09:32,080 --> 00:09:36,000 Speaker 1: different places, including the European Union. 
In fact, it's very 151 00:09:36,000 --> 00:09:39,360 Speaker 1: prominently used in the EU. At first glance, you might 152 00:09:39,400 --> 00:09:43,800 Speaker 1: think strong authentication and two factor or multi factor authentication 153 00:09:43,880 --> 00:09:46,640 Speaker 1: are synonymous, that in order for it to be strong, 154 00:09:46,720 --> 00:09:49,880 Speaker 1: it must be at least two factor authentication. But that's 155 00:09:49,920 --> 00:09:54,800 Speaker 1: not actually the case. If a single authentication strategy is 156 00:09:54,840 --> 00:09:59,200 Speaker 1: deemed secure enough, it can fall under the category of 157 00:09:59,320 --> 00:10:03,760 Speaker 1: strong authentication. And so there's a lot of disagreement over 158 00:10:03,800 --> 00:10:06,520 Speaker 1: what the actual definition is. It makes it pretty confusing. 159 00:10:06,840 --> 00:10:08,640 Speaker 1: But let's give you an example. Let's say that there's 160 00:10:08,640 --> 00:10:12,480 Speaker 1: a retinal scanner that scans the pattern of blood vessels 161 00:10:12,520 --> 00:10:17,079 Speaker 1: in your eye. Now that's really difficult to replicate compared 162 00:10:17,080 --> 00:10:20,480 Speaker 1: to other biometric measures such as a fingerprint, which you could, 163 00:10:21,120 --> 00:10:25,439 Speaker 1: in fact, if you're very clever fake. So in the 164 00:10:25,480 --> 00:10:28,800 Speaker 1: European Union, a system that looks at the blood vessels 165 00:10:28,840 --> 00:10:33,080 Speaker 1: in your eye for authentication might be considered strong even 166 00:10:33,120 --> 00:10:35,640 Speaker 1: though it's just a single factor. 
Let's say you don't 167 00:10:35,640 --> 00:10:38,200 Speaker 1: have to provide any other information, it's just a quick 168 00:10:38,240 --> 00:10:40,960 Speaker 1: scan of the eye and you're in. If the system 169 00:10:41,000 --> 00:10:43,560 Speaker 1: is robust enough, and if it's looking at something that 170 00:10:43,640 --> 00:10:46,480 Speaker 1: is difficult enough to replicate, it could still count as 171 00:10:46,520 --> 00:10:50,679 Speaker 1: strong authentication. It could even refer to knowledge based factors. 172 00:10:51,040 --> 00:10:53,240 Speaker 1: So let's say a system requires you to answer a 173 00:10:53,240 --> 00:10:56,360 Speaker 1: series of unrelated questions when you set up your account. 174 00:10:57,040 --> 00:10:59,640 Speaker 1: Accessing the account at a later time requires that you 175 00:10:59,720 --> 00:11:02,200 Speaker 1: repeat those answers. You've got to remember how 176 00:11:02,240 --> 00:11:04,240 Speaker 1: you answered the questions when you first set it up. 177 00:11:04,240 --> 00:11:06,720 Speaker 1: It's kind of like the security questions a lot of 178 00:11:06,760 --> 00:11:10,640 Speaker 1: different systems use right now. Now, because these questions are 179 00:11:10,760 --> 00:11:14,560 Speaker 1: unrelated and knowledge of one answer doesn't provide any of 180 00:11:14,600 --> 00:11:19,120 Speaker 1: the other answers, that could be considered strong authentication. Now, personally, 181 00:11:19,160 --> 00:11:20,520 Speaker 1: I find that method to be a little on the 182 00:11:20,520 --> 00:11:23,320 Speaker 1: flimsy side. But I'm not the one making definitions. I'm 183 00:11:23,400 --> 00:11:27,800 Speaker 1: just reporting them to you guys. 
Now we've got the 184 00:11:27,800 --> 00:11:31,360 Speaker 1: basic definitions out of the way, let's dive into a 185 00:11:31,400 --> 00:11:34,000 Speaker 1: bit of history, because you guys know, I love to 186 00:11:34,040 --> 00:11:38,239 Speaker 1: talk about the history of the various technologies and processes 187 00:11:38,280 --> 00:11:41,600 Speaker 1: we've developed over the years. So the concept of authentication 188 00:11:41,760 --> 00:11:47,040 Speaker 1: is ancient. It predates electronics by centuries. Throughout the years, 189 00:11:47,120 --> 00:11:50,000 Speaker 1: people would have to provide some sort of proof of 190 00:11:50,040 --> 00:11:53,520 Speaker 1: their identities. It might require someone else to vouchsafe for 191 00:11:53,559 --> 00:11:57,280 Speaker 1: a person, or it might require a special seal belonging 192 00:11:57,320 --> 00:12:00,559 Speaker 1: to a particular office or noble house placed upon an 193 00:12:00,559 --> 00:12:03,280 Speaker 1: official document. You may have heard that a lot of 194 00:12:03,320 --> 00:12:06,559 Speaker 1: those documents would be sealed with wax, and then someone 195 00:12:06,600 --> 00:12:10,520 Speaker 1: would use a signet ring in order to put a 196 00:12:10,559 --> 00:12:14,120 Speaker 1: specific stamp in that wax. That was considered a form 197 00:12:14,160 --> 00:12:18,439 Speaker 1: of authentication. If you saw the proper symbol, then presumably 198 00:12:18,480 --> 00:12:22,679 Speaker 1: it came from the proper place. Not that you couldn't 199 00:12:23,000 --> 00:12:24,760 Speaker 1: create a fake of that if you really wanted to, 200 00:12:25,080 --> 00:12:27,839 Speaker 1: but you know, that was the idea. Or you might 201 00:12:27,880 --> 00:12:30,280 Speaker 1: even just have a password shared between a small group 202 00:12:30,280 --> 00:12:32,720 Speaker 1: of people. 
So as long as there have been secrets, 203 00:12:32,760 --> 00:12:35,320 Speaker 1: there have been means to identify those who should and 204 00:12:35,360 --> 00:12:39,360 Speaker 1: should not have access to those secrets. And secrets 205 00:12:39,480 --> 00:12:44,319 Speaker 1: predate the written word. But let's talk about passwords and 206 00:12:44,400 --> 00:12:47,640 Speaker 1: authentication and electronics, because honestly, if I did a full 207 00:12:47,720 --> 00:12:51,440 Speaker 1: episode about the history of passwords, that would not really 208 00:12:51,480 --> 00:12:54,440 Speaker 1: be tech stuff. That would be an awesome, awesome episode 209 00:12:54,440 --> 00:12:57,000 Speaker 1: of stuff they don't want you to know. Hint, hint. 210 00:12:57,720 --> 00:13:02,240 Speaker 1: So computer passwords actually predate personal computers. Back 211 00:13:02,360 --> 00:13:05,760 Speaker 1: in nineteen sixty one, MIT created a password 212 00:13:05,800 --> 00:13:09,920 Speaker 1: system for authorized access to its Compatible Time Sharing System 213 00:13:10,120 --> 00:13:14,520 Speaker 1: or CTSS. CTSS allowed multiple users 214 00:13:14,559 --> 00:13:18,880 Speaker 1: to access the same computational core. So imagine that you 215 00:13:18,880 --> 00:13:22,040 Speaker 1: are in a room and it's filled. Uh, there's like 216 00:13:22,120 --> 00:13:24,600 Speaker 1: lots of tables everywhere, and every table has a couple 217 00:13:24,559 --> 00:13:28,559 Speaker 1: of different workstations. Every workstation has a screen and a keyboard, 218 00:13:29,080 --> 00:13:31,559 Speaker 1: but not a computer. They just have the keyboard and 219 00:13:31,600 --> 00:13:36,439 Speaker 1: the screen, which are connected via cables to a single computer. 220 00:13:36,600 --> 00:13:40,920 Speaker 1: Everyone is sharing the exact same computer. 
Well, way back 221 00:13:40,920 --> 00:13:43,320 Speaker 1: in the day, that's how a lot of computer systems 222 00:13:43,480 --> 00:13:47,920 Speaker 1: were made. They didn't have personal devices at every station. 223 00:13:48,440 --> 00:13:51,640 Speaker 1: The stations were just dummy terminals that connected to a 224 00:13:51,679 --> 00:13:55,240 Speaker 1: core system. Also, in those days, time sharing meant that 225 00:13:55,280 --> 00:13:59,120 Speaker 1: the computer actually would divvy up when it was specifically 226 00:13:59,160 --> 00:14:03,280 Speaker 1: available to do your calculations. So let's say you're typing 227 00:14:03,280 --> 00:14:06,600 Speaker 1: in something, you're programming some code, and you send it 228 00:14:06,640 --> 00:14:11,760 Speaker 1: to the computer. It would be responding to each station 229 00:14:11,920 --> 00:14:14,200 Speaker 1: in turn, and it's doing it so fast that it 230 00:14:14,240 --> 00:14:18,240 Speaker 1: feels almost instantaneous, or close enough to it, But in 231 00:14:18,320 --> 00:14:22,560 Speaker 1: fact it would be responding, uh, in sequence, as people 232 00:14:22,640 --> 00:14:28,040 Speaker 1: had logged into the various terminals. Now, obviously, using the 233 00:14:28,160 --> 00:14:32,080 Speaker 1: same computer for all these dummy terminals creates some challenges. 234 00:14:32,640 --> 00:14:36,280 Speaker 1: How can each individual user maintain control over his or 235 00:14:36,320 --> 00:14:39,880 Speaker 1: her data? How do they maintain their own private files? 236 00:14:40,280 --> 00:14:43,480 Speaker 1: Because every user had a set of private files that 237 00:14:43,960 --> 00:14:47,520 Speaker 1: other users should not be able to access without authorization. 238 00:14:47,600 --> 00:14:50,680 Speaker 1: I mean, one person might be working on a project, 239 00:14:50,760 --> 00:14:52,880 Speaker 1: someone else is working on a totally different project. 
You 240 00:14:52,920 --> 00:14:56,200 Speaker 1: don't want those files to intermingle. You had to partition 241 00:14:56,280 --> 00:15:00,480 Speaker 1: that stuff, so without a password, you really couldn't do that. 242 00:15:00,680 --> 00:15:03,240 Speaker 1: So if everyone's using a core machine as the processor 243 00:15:03,240 --> 00:15:05,760 Speaker 1: and storage unit, you had to create some means of 244 00:15:05,840 --> 00:15:10,800 Speaker 1: differentiating one user from another. The solution was the password. 245 00:15:11,600 --> 00:15:14,160 Speaker 1: So every user would get a unique password to enter 246 00:15:14,240 --> 00:15:17,240 Speaker 1: into the system, which would then allow that user to 247 00:15:17,320 --> 00:15:20,920 Speaker 1: create and access private files. And it also helped control 248 00:15:21,480 --> 00:15:25,640 Speaker 1: the amount of time any individual user had with the machine. 249 00:15:25,680 --> 00:15:29,040 Speaker 1: Because these machines they were rare. There are only a 250 00:15:29,040 --> 00:15:32,760 Speaker 1: few of them in nineteen sixty one, so the time 251 00:15:33,360 --> 00:15:38,000 Speaker 1: on those machines was very valuable. You you know, people 252 00:15:38,000 --> 00:15:40,240 Speaker 1: were hoarding time. They were trying to do their best, 253 00:15:40,280 --> 00:15:42,120 Speaker 1: you know, you might only get a few hours a week, 254 00:15:42,720 --> 00:15:46,720 Speaker 1: so they would end up partitioning that out through passwords. 255 00:15:46,760 --> 00:15:49,520 Speaker 1: It was kind of like a controlled ticket system, so 256 00:15:49,600 --> 00:15:53,160 Speaker 1: that a ride doesn't get overwhelmed with a ton of people. 257 00:15:53,440 --> 00:15:55,680 Speaker 1: You have you release a certain number of tickets per hour, 258 00:15:56,240 --> 00:15:58,960 Speaker 1: and you keep the traffic flowing steadily. 
Same sort of thing, 259 00:15:59,000 --> 00:16:01,120 Speaker 1: except in this case it was with a computer access, 260 00:16:01,920 --> 00:16:04,400 Speaker 1: so it's a way to control the point of entry 261 00:16:04,480 --> 00:16:08,200 Speaker 1: into the system. Now, at that time, the passwords were 262 00:16:08,280 --> 00:16:11,400 Speaker 1: pretty simple, and they were not really secure at all. 263 00:16:12,240 --> 00:16:16,160 Speaker 1: It was more for the matter of convenience than security really. 264 00:16:16,720 --> 00:16:19,840 Speaker 1: After all, this predated the Internet, so external access to 265 00:16:19,920 --> 00:16:22,240 Speaker 1: the system wasn't really a factor. If you wanted to 266 00:16:22,280 --> 00:16:25,800 Speaker 1: get your hands on those sweet sweet private files, you 267 00:16:25,840 --> 00:16:28,960 Speaker 1: actually needed to have physical access to the system itself. 268 00:16:28,960 --> 00:16:32,000 Speaker 1: You couldn't just hack in from across the country. So 269 00:16:32,040 --> 00:16:34,720 Speaker 1: in a way, that's a one factor of authentication all 270 00:16:34,760 --> 00:16:38,160 Speaker 1: by itself. Ownership in this case, the ownership doesn't really 271 00:16:38,200 --> 00:16:41,200 Speaker 1: refer to something that you personally own, but rather your 272 00:16:41,200 --> 00:16:46,800 Speaker 1: physical access to the system. But these passwords weren't encrypted 273 00:16:47,200 --> 00:16:49,360 Speaker 1: or stored in a particularly safe way. They were in 274 00:16:49,400 --> 00:16:53,720 Speaker 1: plain text. So just a year after they debuted this 275 00:16:53,840 --> 00:16:59,160 Speaker 1: password strategy, a graduate student named Allan Scherr accessed the 276 00:16:59,400 --> 00:17:03,240 Speaker 1: entire list of unencrypted passwords stored on the system and 277 00:17:03,280 --> 00:17:06,280 Speaker 1: printed them out. 
Now, the reason Scherr did this was 278 00:17:06,359 --> 00:17:10,040 Speaker 1: not to access private files created by other people. It 279 00:17:10,080 --> 00:17:12,639 Speaker 1: was so that Scherr could get more time on the 280 00:17:12,680 --> 00:17:16,240 Speaker 1: system because every student was allotted just four hours of 281 00:17:16,280 --> 00:17:20,560 Speaker 1: access per week, and he needed more access, and he figured, well, 282 00:17:20,560 --> 00:17:22,880 Speaker 1: there's all these other hours of access that are going 283 00:17:22,960 --> 00:17:26,960 Speaker 1: unused from other students. That's not fair. I'll just take 284 00:17:27,080 --> 00:17:30,359 Speaker 1: their their hours and use them myself. The way he 285 00:17:30,400 --> 00:17:33,600 Speaker 1: did this was he actually created a punch card that 286 00:17:33,800 --> 00:17:37,800 Speaker 1: contained the file name and location for the password list, 287 00:17:38,400 --> 00:17:41,160 Speaker 1: and it also contained a set of instructions that said 288 00:17:41,960 --> 00:17:45,520 Speaker 1: take this file and send it to a printer. So 289 00:17:45,640 --> 00:17:48,520 Speaker 1: he didn't even have to physically look at this file 290 00:17:48,560 --> 00:17:50,359 Speaker 1: at all. He just had to figure out what was 291 00:17:50,400 --> 00:17:53,120 Speaker 1: the file name, where was it located on the system, 292 00:17:53,200 --> 00:17:57,280 Speaker 1: and then include the instructions send to printer. 
By the way, 293 00:17:57,320 --> 00:17:59,240 Speaker 1: if you want to know more about how punch cards 294 00:17:59,280 --> 00:18:02,520 Speaker 1: work and the way that they were an integral part 295 00:18:02,560 --> 00:18:05,919 Speaker 1: of early computing, you can actually listen to a classic 296 00:18:06,119 --> 00:18:10,320 Speaker 1: two thousand nine TechStuff episode titled computers from the past, 297 00:18:11,000 --> 00:18:13,200 Speaker 1: and Chris Pollette and I talked a lot about them 298 00:18:13,200 --> 00:18:17,720 Speaker 1: in that episode. So it's easy in hindsight to criticize 299 00:18:17,760 --> 00:18:19,840 Speaker 1: the MIT strategy. But keep in mind this 300 00:18:19,920 --> 00:18:22,679 Speaker 1: was at a time when unauthorized access to computers was 301 00:18:22,720 --> 00:18:27,320 Speaker 1: exceedingly rare, because well, the computers were exceedingly rare. As 302 00:18:27,320 --> 00:18:31,520 Speaker 1: computers began to proliferate throughout all areas of life, the 303 00:18:31,600 --> 00:18:36,880 Speaker 1: need for more secure access strategies grew. According to Roger Needham, 304 00:18:36,960 --> 00:18:40,520 Speaker 1: who was a professor of computing at Cambridge University, the 305 00:18:40,600 --> 00:18:44,080 Speaker 1: Cambridge Lab came up with a concept to make passwords 306 00:18:44,080 --> 00:18:47,560 Speaker 1: more secure, and that's the concept of hashing. Now, that's 307 00:18:47,560 --> 00:18:51,320 Speaker 1: when you convert passwords of variable lengths into a fixed 308 00:18:51,440 --> 00:18:55,639 Speaker 1: length string of characters using an algorithm for the transformation. 309 00:18:56,000 --> 00:18:58,560 Speaker 1: It's a fancy way of saying, no matter how long 310 00:18:58,680 --> 00:19:01,320 Speaker 1: or short of password is, you put it through a 311 00:19:01,400 --> 00:19:05,840 Speaker 1: series of mathematical processes. 
Well, you convert the password into 312 00:19:05,960 --> 00:19:11,320 Speaker 1: numerals first? Then you do this series of mathematic processes, uh, 313 00:19:11,440 --> 00:19:14,400 Speaker 1: the end result of which is you get a much 314 00:19:14,600 --> 00:19:19,440 Speaker 1: longer string of characters and that represents the password. And 315 00:19:19,480 --> 00:19:21,399 Speaker 1: it doesn't matter how long or short the past the 316 00:19:21,400 --> 00:19:25,119 Speaker 1: original password was. All of the hashed versions of the 317 00:19:25,160 --> 00:19:29,040 Speaker 1: password are the same length. So let's say the hash 318 00:19:29,119 --> 00:19:31,200 Speaker 1: is eighty characters long. That means if your base 319 00:19:31,240 --> 00:19:37,679 Speaker 1: password is pass or it's anti disestablishmentarianism or anything else, 320 00:19:38,080 --> 00:19:40,480 Speaker 1: it will end up converted into a string of 321 00:19:40,560 --> 00:19:43,960 Speaker 1: eighty characters. So if someone gets hold of the hashed passwords, 322 00:19:44,400 --> 00:19:46,000 Speaker 1: those are the only ones that are being stored on 323 00:19:46,040 --> 00:19:48,280 Speaker 1: the system, they would still have to figure out what 324 00:19:48,320 --> 00:19:51,320 Speaker 1: was the mechanism used to generate the hashes in order 325 00:19:51,359 --> 00:19:54,680 Speaker 1: to guess what the root password was, because otherwise they're 326 00:19:54,720 --> 00:19:57,240 Speaker 1: all going to look like they're eighty characters long. You 327 00:19:57,280 --> 00:20:01,959 Speaker 1: won't know which ones were short passwords or long passwords. Uh. 328 00:20:02,000 --> 00:20:04,480 Speaker 1: In order to do that, obviously, you have to decide 329 00:20:04,520 --> 00:20:08,320 Speaker 1: upon what the specific sequence of mathematical operations are going 330 00:20:08,359 --> 00:20:14,080 Speaker 1: to be and what seed you're using for those operations. Uh. 
331 00:20:14,119 --> 00:20:16,320 Speaker 1: And once you do that, then you're able to make 332 00:20:16,400 --> 00:20:21,240 Speaker 1: these kind of changes. So Needham said that the system 333 00:20:21,280 --> 00:20:24,680 Speaker 1: was created and implemented in the mid to late nineteen sixties, 334 00:20:25,119 --> 00:20:27,720 Speaker 1: so it wasn't very long after the MIT 335 00:20:28,560 --> 00:20:34,160 Speaker 1: rollout of passwords. Now later, still, computer scientists began 336 00:20:34,200 --> 00:20:38,760 Speaker 1: to develop more secure hashing strategies. This includes salting passwords, 337 00:20:38,760 --> 00:20:42,320 Speaker 1: which means adding characters to a password before you hash it. 338 00:20:42,960 --> 00:20:45,600 Speaker 1: So a simple example of this is using a computer's 339 00:20:45,640 --> 00:20:49,560 Speaker 1: clock to insert digits into the password and then hashing 340 00:20:49,680 --> 00:20:52,280 Speaker 1: the new password, which makes it even harder for a 341 00:20:52,280 --> 00:20:55,000 Speaker 1: hacker to figure out the root password from the hash 342 00:20:55,160 --> 00:20:58,400 Speaker 1: because they need to know at what time that operation 343 00:20:58,480 --> 00:21:02,119 Speaker 1: was performed on the original password, um, otherwise 344 00:21:02,240 --> 00:21:06,240 Speaker 1: they wouldn't be able to replicate the original password. Now 345 00:21:06,280 --> 00:21:09,240 Speaker 1: this is easier to understand if I give you an example. 346 00:21:09,320 --> 00:21:13,680 Speaker 1: So let's say your password has been set to let's 347 00:21:13,680 --> 00:21:16,720 Speaker 1: say tech stuff. You chose tech stuff as your password. 348 00:21:17,080 --> 00:21:19,520 Speaker 1: First of all, that was dumb. Don't do that.
Don't 349 00:21:19,560 --> 00:21:21,640 Speaker 1: pick a word that's easy to guess, even if it's 350 00:21:21,640 --> 00:21:25,240 Speaker 1: a name like tech stuff, which is granted an awesome show. 351 00:21:25,880 --> 00:21:29,280 Speaker 1: But you've chosen tech stuff for this example. You access 352 00:21:29,400 --> 00:21:32,880 Speaker 1: the system at two thirty five in the afternoon. Let's 353 00:21:32,880 --> 00:21:35,600 Speaker 1: say that the computer converts that into military time, so 354 00:21:35,800 --> 00:21:38,800 Speaker 1: that gives you fourteen thirty five, and then it salts 355 00:21:38,840 --> 00:21:42,000 Speaker 1: your password with those numbers. So instead of it just 356 00:21:42,000 --> 00:21:46,160 Speaker 1: saying tech stuff, now it says T one E four 357 00:21:46,480 --> 00:21:52,640 Speaker 1: C three H five stuff. That password then gets hashed 358 00:21:52,720 --> 00:21:56,520 Speaker 1: into that eight character long version stored on the computers. 359 00:21:56,920 --> 00:21:59,520 Speaker 1: By the way, that eighty characters is just an arbitrary example. 360 00:21:59,720 --> 00:22:02,320 Speaker 1: I'm that doesn't really mean anything. I just need a 361 00:22:02,440 --> 00:22:05,639 Speaker 1: number for the example. Now, let's say you access the 362 00:22:05,680 --> 00:22:08,320 Speaker 1: same system the following day, but this time it's one 363 00:22:08,440 --> 00:22:10,760 Speaker 1: twenty three in the afternoon. Remember it was two thirty 364 00:22:10,760 --> 00:22:12,760 Speaker 1: five the day before, but now it's one twenty three 365 00:22:12,800 --> 00:22:15,960 Speaker 1: the next day.
The salted password is going to be 366 00:22:16,000 --> 00:22:19,520 Speaker 1: different because it's going to convert one twenty three to military time, 367 00:22:19,920 --> 00:22:22,840 Speaker 1: and then it's going to salt the password that way, 368 00:22:22,880 --> 00:22:25,840 Speaker 1: so it would be T one E three C two 369 00:22:26,040 --> 00:22:30,560 Speaker 1: H three stuff. The hashed value will end up being 370 00:22:30,600 --> 00:22:34,679 Speaker 1: different as well, because it's inserted those new numbers. So 371 00:22:34,760 --> 00:22:37,239 Speaker 1: that means that if the hacker gets two versions of 372 00:22:37,280 --> 00:22:40,320 Speaker 1: your hashed password, they're still going to be different from 373 00:22:40,359 --> 00:22:42,719 Speaker 1: each other. It's all going to be dependent upon the 374 00:22:42,760 --> 00:22:46,080 Speaker 1: time you try to access the system. Now, the system 375 00:22:46,119 --> 00:22:49,480 Speaker 1: itself, it knows when you were accessing it, so it's 376 00:22:49,520 --> 00:22:53,600 Speaker 1: able to do all of this decoding easily like that. 377 00:22:53,760 --> 00:22:56,199 Speaker 1: There's no problem for the system, but it makes it 378 00:22:56,200 --> 00:22:59,680 Speaker 1: difficult for a hacker to figure out what your password 379 00:22:59,800 --> 00:23:04,359 Speaker 1: was based upon the hashed value that appears inside the system. Now, 380 00:23:04,400 --> 00:23:07,280 Speaker 1: of course, hackers can bypass all that and try to 381 00:23:07,320 --> 00:23:10,800 Speaker 1: hack a password using brute force. That's when someone, and 382 00:23:11,200 --> 00:23:13,639 Speaker 1: usually it's a computer program not a person these days, 383 00:23:14,480 --> 00:23:18,920 Speaker 1: submits endless guesses into a password protected account in order 384 00:23:18,960 --> 00:23:22,280 Speaker 1: to gain access. There's no need to work backward from 385 00:23:22,400 --> 00:23:25,840 Speaker 1: hashed values.
Using this approach, you're just guessing the root 386 00:23:25,920 --> 00:23:29,520 Speaker 1: password from the get go. But it takes a lot 387 00:23:29,560 --> 00:23:33,119 Speaker 1: of time, particularly if the user has created a strong password. 388 00:23:33,400 --> 00:23:37,080 Speaker 1: So the longer and more complex a password, the less 389 00:23:37,080 --> 00:23:40,440 Speaker 1: likely a traditional computer can hack it in a reasonable 390 00:23:40,480 --> 00:23:44,200 Speaker 1: amount of time. Given enough time and enough computing power, 391 00:23:44,920 --> 00:23:49,520 Speaker 1: any password can ultimately be cracked by brute force. But 392 00:23:50,200 --> 00:23:52,600 Speaker 1: the more complex it is and the longer it is, 393 00:23:53,560 --> 00:23:56,080 Speaker 1: the more time it requires to a point where it 394 00:23:56,119 --> 00:23:59,800 Speaker 1: can approach time that lasts centuries, which means no one's 395 00:23:59,800 --> 00:24:01,800 Speaker 1: going to bother to do it because they're not going 396 00:24:01,880 --> 00:24:05,440 Speaker 1: to be around to actually see it work. Assuming you've 397 00:24:05,440 --> 00:24:08,520 Speaker 1: picked a good strong password. That's why you should never 398 00:24:08,600 --> 00:24:11,240 Speaker 1: use real words or even names as a password. They're 399 00:24:11,240 --> 00:24:13,440 Speaker 1: too easy for a computer to guess using what's called 400 00:24:13,440 --> 00:24:17,399 Speaker 1: a dictionary attack. So make sure you create those really 401 00:24:17,440 --> 00:24:20,639 Speaker 1: strong passwords, and as always, I like to recommend using 402 00:24:20,720 --> 00:24:24,439 Speaker 1: a password management program so that way you don't have 403 00:24:24,520 --> 00:24:28,879 Speaker 1: to remember those strong passwords, because obviously the downside to 404 00:24:28,920 --> 00:24:31,800 Speaker 1: creating a strong password is they're difficult to remember.
It's 405 00:24:31,960 --> 00:24:35,080 Speaker 1: really easy to remember a word like tech stuff, but 406 00:24:35,200 --> 00:24:39,000 Speaker 1: that's not very secure. Unfortunately, the more secure approach is 407 00:24:39,040 --> 00:24:41,560 Speaker 1: also difficult to remember. And you don't want to just 408 00:24:41,600 --> 00:24:45,040 Speaker 1: write stuff down someplace because that kind of defeats the 409 00:24:45,040 --> 00:24:48,359 Speaker 1: purpose of having a secret password. Having a really good 410 00:24:48,400 --> 00:24:51,600 Speaker 1: password management system and then just having to remember one 411 00:24:51,960 --> 00:24:57,560 Speaker 1: good master password simplifies things. So I recommend that. I've 412 00:24:57,560 --> 00:25:00,399 Speaker 1: got a lot more to say about authentication strategy, but 413 00:25:00,480 --> 00:25:03,520 Speaker 1: before I get into it, let's take a quick break 414 00:25:03,600 --> 00:25:15,439 Speaker 1: to thank our sponsor. Okay, so I think we've covered 415 00:25:15,760 --> 00:25:19,800 Speaker 1: passwords pretty thoroughly. Let's talk about some other authentication strategies. 416 00:25:20,000 --> 00:25:23,159 Speaker 1: One of the earliest authentication systems in electronics was the 417 00:25:23,240 --> 00:25:27,919 Speaker 1: personal identification number, or PIN. And technically, yeah, if you 418 00:25:28,040 --> 00:25:31,000 Speaker 1: say PIN number, you're repeating yourself, just as if you 419 00:25:31,040 --> 00:25:33,800 Speaker 1: were to say ATM machine. And I still 420 00:25:33,880 --> 00:25:36,600 Speaker 1: do it just like a lot of people. If someone 421 00:25:36,640 --> 00:25:41,280 Speaker 1: can realistically argue that irrespective is a word, I can 422 00:25:41,400 --> 00:25:44,800 Speaker 1: argue PIN number is acceptable. Dang it, so don't write me. 423 00:25:46,160 --> 00:25:50,879 Speaker 1: The PIN debuted on the world scene in nineteen sixty seven.
424 00:25:51,600 --> 00:25:55,040 Speaker 1: That's when Barclays of London introduced the first 425 00:25:55,240 --> 00:25:58,680 Speaker 1: ATM system, which a man named John Shepherd-Barron invented. 426 00:25:59,240 --> 00:26:02,760 Speaker 1: Barclays had to come up with a method that kept customers' 427 00:26:02,920 --> 00:26:07,359 Speaker 1: finances safe. Otherwise, anyone might be able to access anyone 428 00:26:07,440 --> 00:26:10,040 Speaker 1: else's money, and that does not make for a very 429 00:26:10,080 --> 00:26:13,120 Speaker 1: positive banking experience. I mean it does for the person 430 00:26:13,160 --> 00:26:15,200 Speaker 1: who makes off with all the cash, but for everybody 431 00:26:15,200 --> 00:26:18,960 Speaker 1: else it's pretty negative. The solution was the PIN, which 432 00:26:19,000 --> 00:26:22,720 Speaker 1: was a numeric code unique to the customer. The standard 433 00:26:22,840 --> 00:26:26,320 Speaker 1: for PIN management is actually called ISO nine 434 00:26:26,440 --> 00:26:32,520 Speaker 1: five six four dash one. Technically, the 435 00:26:32,600 --> 00:26:36,240 Speaker 1: standard allows for a spectrum of PIN lengths. We're mostly 436 00:26:36,320 --> 00:26:38,919 Speaker 1: used to four digits, but it doesn't have to just 437 00:26:39,040 --> 00:26:41,680 Speaker 1: be four. You could go from four, that's the minimum number 438 00:26:41,680 --> 00:26:43,880 Speaker 1: of digits you can use, but you can use up 439 00:26:43,880 --> 00:26:47,520 Speaker 1: to twelve digits. But we humans tend to have trouble 440 00:26:47,560 --> 00:26:51,080 Speaker 1: remembering lots of unrelated numbers, and if you're choosing lots 441 00:26:51,080 --> 00:26:53,679 Speaker 1: of related numbers, and that makes it pretty easy for 442 00:26:53,680 --> 00:26:57,080 Speaker 1: people to guess your PIN.
So most ATMs, 443 00:26:57,280 --> 00:27:00,040 Speaker 1: especially in the banking and finance industry, would require a 444 00:27:00,040 --> 00:27:02,639 Speaker 1: PIN of four digits in length, which dates back to 445 00:27:02,680 --> 00:27:05,400 Speaker 1: the first ATM system. So why why were 446 00:27:05,520 --> 00:27:08,800 Speaker 1: why was the number four picked in the very beginning? 447 00:27:08,800 --> 00:27:12,240 Speaker 1: Why just four digits? Well, that's because John Shepherd-Barron, 448 00:27:12,320 --> 00:27:16,280 Speaker 1: who originally was going to use a six digit PIN system, 449 00:27:16,480 --> 00:27:19,840 Speaker 1: found his wife Caroline, had trouble remembering anything more than 450 00:27:19,880 --> 00:27:22,879 Speaker 1: four digits, so he sensed that there could be a 451 00:27:22,920 --> 00:27:26,280 Speaker 1: possible problem with longer PINs and decided to stick with 452 00:27:26,320 --> 00:27:31,160 Speaker 1: four digits instead of six. That's why we have that. Now, 453 00:27:31,200 --> 00:27:34,399 Speaker 1: those early ATMs didn't accept plastic cards 454 00:27:34,400 --> 00:27:36,960 Speaker 1: with a magnetic stripe on them the way modern ones do, 455 00:27:37,600 --> 00:27:41,119 Speaker 1: and obviously the chip and PIN system was decades away. 456 00:27:41,600 --> 00:27:43,920 Speaker 1: So instead, what you would use is a check, you 457 00:27:43,960 --> 00:27:46,600 Speaker 1: would actually insert a check into the machine, and each 458 00:27:46,680 --> 00:27:50,359 Speaker 1: check had information encoded upon it that allowed the 459 00:27:50,440 --> 00:27:52,920 Speaker 1: ATM to read the information on it, for example, 460 00:27:53,160 --> 00:27:55,880 Speaker 1: how much money it represented and who it was supposed 461 00:27:55,880 --> 00:27:59,159 Speaker 1: to go to.
You would couple this with the proper 462 00:27:59,200 --> 00:28:01,919 Speaker 1: PIN and then the ATM could dispense cash 463 00:28:02,160 --> 00:28:04,400 Speaker 1: at all hours of the day, which eliminated the need 464 00:28:04,440 --> 00:28:07,000 Speaker 1: for people to make time to access the bank during 465 00:28:07,080 --> 00:28:10,600 Speaker 1: bank hours, which we all know are the shortest hours 466 00:28:10,760 --> 00:28:13,359 Speaker 1: in the world. If you'd like to learn more about 467 00:28:13,400 --> 00:28:15,640 Speaker 1: ATMs and how they work, be sure 468 00:28:15,680 --> 00:28:18,160 Speaker 1: to check out the classic episode of tech Stuff called, 469 00:28:18,280 --> 00:28:22,320 Speaker 1: appropriately enough, How ATMs Work. I republished 470 00:28:22,320 --> 00:28:25,160 Speaker 1: it in February two fifteen, so you can listen to that, 471 00:28:25,200 --> 00:28:28,879 Speaker 1: but it actually dates much further than that. Uh, this 472 00:28:29,000 --> 00:28:30,560 Speaker 1: is really a blast from the past with some of 473 00:28:30,600 --> 00:28:34,760 Speaker 1: the stuff in this episode. Now, another strategy is to 474 00:28:34,880 --> 00:28:39,760 Speaker 1: use tokens. That's very popular for authentication strategies. There's several 475 00:28:39,880 --> 00:28:42,760 Speaker 1: versions of these, including tokens that have a static code 476 00:28:42,960 --> 00:28:45,760 Speaker 1: that acts like a key to a system's lock. Now, 477 00:28:45,760 --> 00:28:48,480 Speaker 1: those are not terribly secure because if someone else gets 478 00:28:48,520 --> 00:28:52,120 Speaker 1: hold of that token, they can pretty much get into 479 00:28:52,160 --> 00:28:54,840 Speaker 1: the system. They represent kind of a single factor method 480 00:28:54,840 --> 00:28:58,520 Speaker 1: of authentication on their own.
For example, if you work 481 00:28:58,560 --> 00:29:00,640 Speaker 1: in a building that requires you to tap a security 482 00:29:00,680 --> 00:29:03,120 Speaker 1: card to a panel in order to unlock the door, 483 00:29:03,800 --> 00:29:06,680 Speaker 1: that's a single factor approach, right? There's no other need 484 00:29:06,760 --> 00:29:09,640 Speaker 1: to submit any other proof that you should have access. 485 00:29:09,960 --> 00:29:12,680 Speaker 1: As long as you possess the security card, you can 486 00:29:12,800 --> 00:29:14,920 Speaker 1: enter the building. It's just like having a physical key 487 00:29:14,920 --> 00:29:19,120 Speaker 1: to a physical lock. Uh. You could pair that with 488 00:29:19,160 --> 00:29:22,800 Speaker 1: another factor and then make the security stronger. Right, there 489 00:29:22,800 --> 00:29:27,080 Speaker 1: could be some other additional information or element that you'd 490 00:29:27,120 --> 00:29:30,280 Speaker 1: have to supply apart from just owning the card, and 491 00:29:30,320 --> 00:29:32,960 Speaker 1: that would make it a two factor authentication approach, and 492 00:29:33,000 --> 00:29:39,320 Speaker 1: that would make it a stronger secure system. Now, there 493 00:29:39,320 --> 00:29:41,120 Speaker 1: are a lot of tokens that are used in two 494 00:29:41,200 --> 00:29:45,440 Speaker 1: factor authentication, and one of the most common is a 495 00:29:45,520 --> 00:29:48,400 Speaker 1: device with a small LED screen that displays a string 496 00:29:48,440 --> 00:29:51,480 Speaker 1: of seemingly random numbers when you activate it, and those 497 00:29:51,520 --> 00:29:55,040 Speaker 1: seemingly random numbers change when you activate it over time. 498 00:29:55,080 --> 00:29:57,120 Speaker 1: Let's say that you you to pull out this token 499 00:29:57,200 --> 00:29:59,880 Speaker 1: in order to access a system. It's asking for this code.
500 00:30:00,280 --> 00:30:02,640 Speaker 1: You press the little button, the numbers light up, and 501 00:30:02,680 --> 00:30:04,680 Speaker 1: you type the numbers into the system and it gives 502 00:30:04,720 --> 00:30:07,360 Speaker 1: you access. And then the next day you want to 503 00:30:07,400 --> 00:30:09,320 Speaker 1: access it again, you pull up the token, you press 504 00:30:09,360 --> 00:30:12,240 Speaker 1: a button, a totally different set of numbers shows up, 505 00:30:12,320 --> 00:30:14,760 Speaker 1: you type those into the system, you get access to it. 506 00:30:14,960 --> 00:30:17,320 Speaker 1: What the heck is going on? How does that work? 507 00:30:17,720 --> 00:30:20,120 Speaker 1: How does how does how does the token magically know 508 00:30:20,280 --> 00:30:25,040 Speaker 1: what numbers to create? It's actually a pretty elegant system, 509 00:30:25,080 --> 00:30:27,560 Speaker 1: as it turns out. I'll give an example of one 510 00:30:27,600 --> 00:30:29,600 Speaker 1: way this can happen. It's not the only way, but 511 00:30:29,680 --> 00:30:33,200 Speaker 1: it's a pretty common one. So in most of these devices, 512 00:30:33,240 --> 00:30:36,480 Speaker 1: the token has a low power clock which is synchronized 513 00:30:36,640 --> 00:30:39,880 Speaker 1: to the system that it is related to, and it 514 00:30:39,960 --> 00:30:42,920 Speaker 1: also has a serial number associated with the specific token. 515 00:30:43,440 --> 00:30:46,520 Speaker 1: The token uses those two values to generate what is 516 00:30:46,560 --> 00:30:49,360 Speaker 1: called a PRNG value, and 517 00:30:49,480 --> 00:30:53,680 Speaker 1: PRNG stands for pseudo random number generator and it 518 00:30:53,720 --> 00:30:55,840 Speaker 1: means pretty much what it sounds like.
It can create a 519 00:30:55,880 --> 00:30:59,040 Speaker 1: string of numbers that appears to be random, though ultimately 520 00:30:59,040 --> 00:31:02,360 Speaker 1: those numbers are in fact determined by an ordered series 521 00:31:02,400 --> 00:31:05,440 Speaker 1: of calculations. But you have to know what those calculations 522 00:31:05,440 --> 00:31:09,120 Speaker 1: are and what the two different numbers were to start 523 00:31:09,160 --> 00:31:13,640 Speaker 1: off with in order to get the pseudo random result. 524 00:31:14,560 --> 00:31:17,440 Speaker 1: So when you're typing in the string of numerals into 525 00:31:17,440 --> 00:31:20,640 Speaker 1: a system, the system runs the same PRNG 526 00:31:20,880 --> 00:31:24,880 Speaker 1: operation using the same time stamp and the serial number 527 00:31:24,880 --> 00:31:27,520 Speaker 1: for the token. Now, that obviously requires the system to 528 00:31:27,640 --> 00:31:31,960 Speaker 1: quote unquote know what your token's serial number is, so 529 00:31:32,080 --> 00:31:35,640 Speaker 1: you have to have an official registered token, and if 530 00:31:35,640 --> 00:31:38,400 Speaker 1: the system's results match the one that you typed in, 531 00:31:38,480 --> 00:31:42,680 Speaker 1: you're authenticated. So typically these codes that you generate have 532 00:31:42,920 --> 00:31:45,080 Speaker 1: a shelf life of a certain amount of time. Let's 533 00:31:45,080 --> 00:31:49,440 Speaker 1: say it's thirty minutes. So you use the token and 534 00:31:49,560 --> 00:31:53,400 Speaker 1: it takes the closest time at the thirty minute mark 535 00:31:53,960 --> 00:31:56,240 Speaker 1: from when you push the button. So you push the 536 00:31:56,240 --> 00:31:59,480 Speaker 1: button at two thirty five. It says two thirty and 537 00:31:59,800 --> 00:32:02,800 Speaker 1: it runs the operation. It gives you some some numbers. 538 00:32:02,800 --> 00:32:05,280 Speaker 1: You type it into the system.
The system looks at 539 00:32:05,360 --> 00:32:08,040 Speaker 1: its clock. It says, oh, it's two thirty seven. Well, 540 00:32:08,080 --> 00:32:10,720 Speaker 1: the closest half hour mark was two thirty, so I'll 541 00:32:10,800 --> 00:32:12,880 Speaker 1: use that to start off with. I happen to know 542 00:32:12,960 --> 00:32:15,640 Speaker 1: that the serial number for this particular token is such 543 00:32:15,680 --> 00:32:18,480 Speaker 1: and such. I'll use that to perform the same number 544 00:32:18,520 --> 00:32:21,920 Speaker 1: of operations and it should create the exact same result. 545 00:32:22,320 --> 00:32:24,959 Speaker 1: If it doesn't create the same result, it means that 546 00:32:25,000 --> 00:32:28,080 Speaker 1: you've somehow spanned over that time limit and you're gonna 547 00:32:28,120 --> 00:32:30,840 Speaker 1: have to generate a new code and insert it again, 548 00:32:31,800 --> 00:32:34,280 Speaker 1: or something has gone wrong, or you're just trying to 549 00:32:34,320 --> 00:32:36,560 Speaker 1: access the system that you don't actually have a token for, 550 00:32:36,760 --> 00:32:38,600 Speaker 1: which would be kind of foolish because you have to 551 00:32:38,640 --> 00:32:42,320 Speaker 1: be incredibly lucky to just magically type in the right 552 00:32:42,360 --> 00:32:46,400 Speaker 1: string of numbers in order to get access. Another great 553 00:32:46,440 --> 00:32:49,520 Speaker 1: area to explore is biometrics. I love this field because 554 00:32:49,560 --> 00:32:53,880 Speaker 1: when implemented properly, it's pretty difficult to replicate biometrics. That 555 00:32:54,000 --> 00:32:57,080 Speaker 1: all has to do with our physical attributes, right? It's 556 00:32:57,120 --> 00:32:59,480 Speaker 1: tough for bad guys to get into a system that 557 00:32:59,520 --> 00:33:02,000 Speaker 1: happens to be based on our physical traits.
558 00:33:02,560 --> 00:33:06,520 Speaker 1: We did an episode called Biometrics Digital Fingerprinting back in 559 00:33:06,560 --> 00:33:08,760 Speaker 1: two thousand fourteen. But let me give you a quick 560 00:33:08,840 --> 00:33:12,600 Speaker 1: rundown of the history of biometrics. First of all, fingerprints 561 00:33:12,600 --> 00:33:16,120 Speaker 1: have long been used as a means of identification. Actually, 562 00:33:16,160 --> 00:33:19,400 Speaker 1: centuries before the practice was officially adopted by law enforcement. 563 00:33:20,360 --> 00:33:25,120 Speaker 1: On ancient business transactions, merchants and customers would sometimes use 564 00:33:25,120 --> 00:33:28,560 Speaker 1: fingerprint marks in clay tablets as a kind of signature. 565 00:33:28,600 --> 00:33:32,160 Speaker 1: It would identify the person who had purchased a good 566 00:33:32,200 --> 00:33:35,959 Speaker 1: from someone else. It wouldn't be until the late eighteen 567 00:33:36,040 --> 00:33:40,560 Speaker 1: hundreds that law enforcement jumped on the fingerprint bandwagon. Once 568 00:33:40,600 --> 00:33:43,160 Speaker 1: the establishment accepted the fact that no two sets of 569 00:33:43,200 --> 00:33:46,160 Speaker 1: fingerprints were alike, which was something that ancient people had 570 00:33:46,240 --> 00:33:49,320 Speaker 1: known forever, but it just hadn't been accepted as a 571 00:33:49,320 --> 00:33:52,720 Speaker 1: scientific fact for a very long time. A couple of 572 00:33:52,720 --> 00:33:57,960 Speaker 1: people named Azizul Haque and Edward Henry created 573 00:33:58,000 --> 00:34:01,400 Speaker 1: a system for indexing and classifying fingerprints for the purposes 574 00:34:01,440 --> 00:34:05,120 Speaker 1: of criminal investigation. Now.
They based that partly on a 575 00:34:05,160 --> 00:34:08,319 Speaker 1: classification system that was developed by another man named Sir 576 00:34:08,400 --> 00:34:12,120 Speaker 1: Francis Galton, but that system was more for academic purposes, 577 00:34:12,239 --> 00:34:17,080 Speaker 1: right, to to describe fingerprints, whereas Henry wanted a system 578 00:34:17,120 --> 00:34:21,680 Speaker 1: that could be used in investigations, legal investigations, criminal investigations. 579 00:34:22,200 --> 00:34:24,720 Speaker 1: Mark Twain actually wrote a story in the eighteen nineties 580 00:34:24,719 --> 00:34:27,080 Speaker 1: in which a character put on trial asks that his 581 00:34:27,200 --> 00:34:29,920 Speaker 1: fingerprints be compared to some left at the scene of 582 00:34:29,960 --> 00:34:33,600 Speaker 1: a crime in order to prove his innocence. In nineteen 583 00:34:33,719 --> 00:34:38,000 Speaker 1: sixty three, the Hughes Research Laboratory published a research paper 584 00:34:38,080 --> 00:34:42,279 Speaker 1: about fingerprint automation. The lab which is today known as 585 00:34:42,440 --> 00:34:46,399 Speaker 1: HRL Laboratories, which I guess makes it another repetitive term, 586 00:34:46,480 --> 00:34:50,239 Speaker 1: because I'm assuming HRL already stands for Hughes Research Laboratory, 587 00:34:50,320 --> 00:34:53,120 Speaker 1: so the new name could be interpreted as Hughes Research 588 00:34:53,200 --> 00:34:57,040 Speaker 1: Laboratory Laboratory. So stop bugging me about PIN numbers, is 589 00:34:57,040 --> 00:35:00,320 Speaker 1: what I'm saying. Anyway. It used to be the research 590 00:35:00,320 --> 00:35:04,480 Speaker 1: and development division of Hughes Aircraft. Today it's owned by 591 00:35:04,640 --> 00:35:07,440 Speaker 1: Boeing and General Motors. But back in the nineteen sixties, 592 00:35:07,440 --> 00:35:12,840 Speaker 1: the lab published a paper about automated fingerprint identification.
It 593 00:35:13,080 --> 00:35:16,800 Speaker 1: kind of acts as the foundation for fingerprint scanning today. 594 00:35:17,040 --> 00:35:20,360 Speaker 1: It's basically automating a system that has been performed manually, 595 00:35:20,400 --> 00:35:23,080 Speaker 1: which is where you take two sets of fingerprints. You 596 00:35:23,160 --> 00:35:27,960 Speaker 1: have your reference set and you have your submitted set, 597 00:35:28,040 --> 00:35:30,480 Speaker 1: and you want to compare those together and look for 598 00:35:30,520 --> 00:35:33,480 Speaker 1: points of similarity. And if you have enough points 599 00:35:33,480 --> 00:35:36,440 Speaker 1: of similarity, the likelihood of the fingerprints belonging to someone 600 00:35:36,440 --> 00:35:39,799 Speaker 1: else drops to near zero. So it means someone who 601 00:35:39,880 --> 00:35:43,680 Speaker 1: happens to have very similar fingerprints to the person in question, 602 00:35:43,760 --> 00:35:46,920 Speaker 1: the reference happened to be in the same geographic region 603 00:35:46,960 --> 00:35:49,920 Speaker 1: around the same time, and if there are enough sufficient 604 00:35:50,000 --> 00:35:56,040 Speaker 1: points of similarity, this becomes increasingly unlikely. So while researchers 605 00:35:56,080 --> 00:36:00,000 Speaker 1: worked on creating automated systems for fingerprint identification, others were 606 00:36:00,040 --> 00:36:05,360 Speaker 1: working on similar systems for facial recognition and voice identification strategies. Essentially, 607 00:36:05,760 --> 00:36:08,880 Speaker 1: any aspect of a person that would be intrinsically unique 608 00:36:08,960 --> 00:36:12,160 Speaker 1: to him or her was considered an interesting value to 609 00:36:12,239 --> 00:36:17,799 Speaker 1: quantify and classify for good or for ill. In nine, 610 00:36:18,719 --> 00:36:23,120 Speaker 1: the first commercial hand geometry systems launched.
Dylan, you ever 611 00:36:23,160 --> 00:36:25,680 Speaker 1: have to use a hand geometry system where it measures 612 00:36:25,680 --> 00:36:28,560 Speaker 1: your hand? Dylan shaking his head. No, I did. I 613 00:36:28,800 --> 00:36:31,360 Speaker 1: It was a regular part of the University of Georgia 614 00:36:31,400 --> 00:36:34,880 Speaker 1: when I was there. So this is a scanner that 615 00:36:34,960 --> 00:36:38,000 Speaker 1: looks at the hand, the shape of a person's hand, 616 00:36:38,360 --> 00:36:41,319 Speaker 1: and compares it to a database and it authenticates the 617 00:36:41,360 --> 00:36:44,279 Speaker 1: person based on hand geometry. So you have to set 618 00:36:44,360 --> 00:36:47,120 Speaker 1: up your profile, right, you you scan your hand for 619 00:36:47,120 --> 00:36:50,799 Speaker 1: the first time, and it associates your hand geometry with 620 00:36:50,960 --> 00:36:54,000 Speaker 1: you the person. Every time you scan your hand later on, 621 00:36:54,440 --> 00:36:57,640 Speaker 1: it goes and references that database and says, hey, does 622 00:36:57,640 --> 00:37:00,520 Speaker 1: this match with the hand that we measured that first time, 623 00:37:00,520 --> 00:37:03,000 Speaker 1: And if the answer was yes, it authenticated you. So 624 00:37:03,080 --> 00:37:05,840 Speaker 1: my university's food hall had one of these. If you 625 00:37:05,880 --> 00:37:08,000 Speaker 1: wanted to eat, you had to stick your hand in 626 00:37:08,040 --> 00:37:12,239 Speaker 1: the machine. Uh. Kind of got a little bit sort 627 00:37:12,280 --> 00:37:16,640 Speaker 1: of Flash Gordon-esque. You know, you sit there wondering 628 00:37:16,640 --> 00:37:18,799 Speaker 1: if you're gonna get your hand back after you put 629 00:37:18,840 --> 00:37:20,399 Speaker 1: your hand in there.
But I mean, if you want 630 00:37:20,440 --> 00:37:22,839 Speaker 1: tater tots, you just had to do it, or in 631 00:37:22,840 --> 00:37:25,880 Speaker 1: my case, chili cheese fries, which I ate way too frequently. 632 00:37:26,160 --> 00:37:32,200 Speaker 1: I digress. In Partially funded by the FBI, researchers began 633 00:37:32,239 --> 00:37:35,720 Speaker 1: to develop fingerprint scanners. Now, the first of those used 634 00:37:35,719 --> 00:37:40,240 Speaker 1: capacitive detection, which wasn't terribly precise in the nineteen seventies. 635 00:37:40,280 --> 00:37:43,680 Speaker 1: Most smartphones these days actually use this approach. Capacitive touch 636 00:37:43,719 --> 00:37:47,560 Speaker 1: screens use that. Essentially, touching the screen alters an electric 637 00:37:47,640 --> 00:37:51,680 Speaker 1: field on the phone because we conduct electricity. It's a 638 00:37:51,760 --> 00:37:55,520 Speaker 1: very weak electric field, but we conduct electricity. Touching a 639 00:37:56,000 --> 00:37:58,400 Speaker 1: device that has an electric field running across the surface 640 00:37:58,880 --> 00:38:02,680 Speaker 1: disrupts that electric field, and it actually allows a device 641 00:38:02,719 --> 00:38:05,440 Speaker 1: to detect the presence and orientation of a touch, so 642 00:38:05,480 --> 00:38:08,000 Speaker 1: it knows, you know, the X and Y axis of 643 00:38:08,120 --> 00:38:10,440 Speaker 1: where you are touching on a screen. That's why if 644 00:38:10,480 --> 00:38:13,560 Speaker 1: you wear non capacitive gloves while trying to work an iPhone, 645 00:38:13,600 --> 00:38:18,040 Speaker 1: nothing happens because it cannot hold that capacitance, so the 646 00:38:18,080 --> 00:38:22,000 Speaker 1: screen isn't a resistive touch screen. It can't detect a 647 00:38:22,000 --> 00:38:27,920 Speaker 1: touch unless that capacitance is there.
Or capacitive aspect is there, 648 00:38:28,000 --> 00:38:33,080 Speaker 1: rather, not capacitance. Sorry about that, misspoke. Well, speaking 649 00:38:33,080 --> 00:38:36,080 Speaker 1: of the iPhone, the Touch ID on the iPhone 650 00:38:36,120 --> 00:38:39,279 Speaker 1: five S and later models actually uses capacitive touch to 651 00:38:39,360 --> 00:38:43,080 Speaker 1: authenticate a fingerprint, just like this system did in nine 652 00:38:43,920 --> 00:38:47,319 Speaker 1: except these days it's way more precise than the tech 653 00:38:47,400 --> 00:38:51,040 Speaker 1: was capable of back in the seventies, so it's much 654 00:38:51,120 --> 00:38:54,160 Speaker 1: less likely to give a either a false positive or 655 00:38:54,200 --> 00:38:57,800 Speaker 1: to deny someone access to their phone. It may require 656 00:38:57,840 --> 00:39:00,359 Speaker 1: you to scan a second time if you didn't get 657 00:39:00,360 --> 00:39:02,919 Speaker 1: a good representation of your fingerprint when you were trying 658 00:39:02,920 --> 00:39:04,960 Speaker 1: to unlock the phone, but it's not likely to deny 659 00:39:05,040 --> 00:39:10,240 Speaker 1: you because it cannot identify your fingerprint. Now, in nineteen 660 00:39:11,480 --> 00:39:16,040 Speaker 1: two doctors Aran Safir and Leonard Flom proposed that 661 00:39:16,239 --> 00:39:19,719 Speaker 1: irides could be unique to a person. And you might say, well, 662 00:39:19,719 --> 00:39:22,080 Speaker 1: what are irides? Well, irides is the plural 663 00:39:22,160 --> 00:39:25,800 Speaker 1: for iris, so we're talking about the pigmented membranes surrounding 664 00:39:25,840 --> 00:39:30,120 Speaker 1: the pupil in your eye. By six, these two ophthalmologists 665 00:39:30,200 --> 00:39:33,120 Speaker 1: received a patent for their approach to use irides 666 00:39:33,120 --> 00:39:39,000 Speaker 1: for authentication and identification purposes. 
By the first iris identification 667 00:39:39,040 --> 00:39:43,520 Speaker 1: security systems became part of the Defense Nuclear Agency. So 668 00:39:43,680 --> 00:39:46,680 Speaker 1: all those spy movies where you see someone leaning forward 669 00:39:46,719 --> 00:39:49,640 Speaker 1: and getting their eyes scanned, that's a real thing. Our 670 00:39:49,719 --> 00:39:53,319 Speaker 1: irises or irides, I should say, are unique to us, 671 00:39:53,400 --> 00:39:57,239 Speaker 1: and so that is a pretty tricky thing to replicate. 672 00:39:58,480 --> 00:40:00,719 Speaker 1: You probably have seen at least one or two movies 673 00:40:00,760 --> 00:40:04,480 Speaker 1: where someone got hold of somebody's eyeball and got access 674 00:40:04,560 --> 00:40:07,680 Speaker 1: that way, or knocked a person out then force their 675 00:40:07,680 --> 00:40:10,080 Speaker 1: eye open and held their head up to the scanner. 676 00:40:10,640 --> 00:40:14,000 Speaker 1: But in general not easy to replicate without access to 677 00:40:14,200 --> 00:40:19,439 Speaker 1: somebody who already you know, is authorized to enter that area. 678 00:40:19,800 --> 00:40:22,799 Speaker 1: Over the next several years, advances in biometrics opened up 679 00:40:23,000 --> 00:40:26,960 Speaker 1: new opportunities, not just for authentication or security. So facial 680 00:40:27,000 --> 00:40:30,120 Speaker 1: recognition is a great example. It's been incorporated into dozens 681 00:40:30,120 --> 00:40:33,799 Speaker 1: of technologies, probably most notably into our cameras, including the 682 00:40:33,840 --> 00:40:37,440 Speaker 1: cameras on our smartphones. And sometimes it's a simple implementation 683 00:40:37,680 --> 00:40:40,200 Speaker 1: which just detects a face in order to focus properly 684 00:40:40,200 --> 00:40:43,160 Speaker 1: on a subject. 
Uh, sometimes it's more complicated, so it 685 00:40:43,239 --> 00:40:47,600 Speaker 1: might allow for automatic tagging of images because it can 686 00:40:47,640 --> 00:40:50,759 Speaker 1: recognize people based on their facial features. You probably had 687 00:40:50,760 --> 00:40:55,400 Speaker 1: some experience with this in some capacity. Organizations also began 688 00:40:55,480 --> 00:40:59,400 Speaker 1: to form around this time to create standards for biometric implementations. 689 00:41:00,280 --> 00:41:03,000 Speaker 1: This would reduce the chance of competing technologies with varying 690 00:41:03,080 --> 00:41:06,439 Speaker 1: degrees of efficiency and accuracy from interfering with each other, 691 00:41:07,120 --> 00:41:09,799 Speaker 1: and by two thousand three, the US government began to 692 00:41:09,880 --> 00:41:16,399 Speaker 1: formally coordinate biometric implementations. Meanwhile, the International Civil Aviation Organization 693 00:41:16,680 --> 00:41:20,000 Speaker 1: created a global standard to incorporate biometric data into travel 694 00:41:20,080 --> 00:41:24,600 Speaker 1: documentation like passports, and ten years later you could find 695 00:41:24,640 --> 00:41:29,879 Speaker 1: biometric solutions built directly into personal electronics like laptops and smartphones. 696 00:41:30,160 --> 00:41:33,799 Speaker 1: In fact, I had a fingerprint scanner from before, or 697 00:41:33,920 --> 00:41:36,640 Speaker 1: you just you would actually have to slide your finger 698 00:41:36,920 --> 00:41:39,799 Speaker 1: kind of like a copier against the little panel and 699 00:41:39,920 --> 00:41:42,879 Speaker 1: if your fingerprint matched, it would unlock your computer for you. 700 00:41:43,800 --> 00:41:45,760 Speaker 1: I actually had that one. Here at how stuff works. 701 00:41:46,960 --> 00:41:49,799 Speaker 1: I miss it sometimes. Well. 
I got a lot more 702 00:41:49,840 --> 00:41:52,680 Speaker 1: to say, but first let's take another quick break to 703 00:41:52,800 --> 00:42:05,879 Speaker 1: thank our sponsor. All right, things like fingerprint scanners are 704 00:42:05,960 --> 00:42:10,759 Speaker 1: not foolproof. It is possible, although challenging, to lift a 705 00:42:10,760 --> 00:42:14,200 Speaker 1: person's fingerprint from something they've handled, scan it, and replicate it. 706 00:42:14,719 --> 00:42:17,040 Speaker 1: A couple of different ways to do this, Some of 707 00:42:17,080 --> 00:42:19,920 Speaker 1: them require access to some equipment and materials most of 708 00:42:20,000 --> 00:42:21,799 Speaker 1: us don't have in our homes, so it's not like 709 00:42:21,880 --> 00:42:24,600 Speaker 1: it's practical for the average person. But the point is, 710 00:42:25,400 --> 00:42:28,319 Speaker 1: with the right determination and the right know how, and 711 00:42:28,520 --> 00:42:32,879 Speaker 1: specifically the right materials, you can create a fake fingerprint. 712 00:42:33,360 --> 00:42:36,560 Speaker 1: And you might use something like latex or even wood glue, 713 00:42:37,200 --> 00:42:39,960 Speaker 1: and you could lift a fingerprint and use it to 714 00:42:40,080 --> 00:42:44,840 Speaker 1: fool certain authentication systems. If the system is just looking 715 00:42:45,160 --> 00:42:48,680 Speaker 1: for a particular pattern on a fingerprint, the copy could 716 00:42:48,680 --> 00:42:51,480 Speaker 1: be good enough to fool the system, particularly if you 717 00:42:51,520 --> 00:42:54,040 Speaker 1: can overlay the copy on top of your own finger. 718 00:42:55,000 --> 00:42:58,440 Speaker 1: This would provide the capacitive connections. So in other words, 719 00:42:58,600 --> 00:43:00,880 Speaker 1: let's say I've got a latex fingerprint and I 720 00:43:00,920 --> 00:43:03,799 Speaker 1: need to access a phone. 
Well, if I just lay 721 00:43:04,040 --> 00:43:08,000 Speaker 1: the latex down against the capacitive screen, it's not really 722 00:43:08,000 --> 00:43:11,640 Speaker 1: gonna affect anything. If I put an actual, living, living 723 00:43:11,640 --> 00:43:14,880 Speaker 1: tissue behind it, that's a different story. So how do 724 00:43:14,960 --> 00:43:18,200 Speaker 1: you defeat that sort of security vulnerability? Well, I had 725 00:43:18,239 --> 00:43:20,840 Speaker 1: the opportunity to speak with Dr. Pi, who is the 726 00:43:20,880 --> 00:43:23,799 Speaker 1: Chief Technology Officer of Goodix, to talk about a 727 00:43:23,840 --> 00:43:28,239 Speaker 1: fingerprint scanner with an additional measure of of of security 728 00:43:28,280 --> 00:43:31,360 Speaker 1: to counteract those sort of spoofing attempts. Here's what we 729 00:43:31,440 --> 00:43:35,560 Speaker 1: talked about. Dr. Pi, let's start off by talking about 730 00:43:36,680 --> 00:43:43,239 Speaker 1: how biometrics are transforming security in the technology field, specifically 731 00:43:43,600 --> 00:43:47,680 Speaker 1: for things like consumer tech. Because my listeners are very 732 00:43:47,719 --> 00:43:51,400 Speaker 1: interested in that, the concept of of using biometrics to 733 00:43:51,520 --> 00:43:56,759 Speaker 1: access various devices. I think probably the example most of 734 00:43:57,040 --> 00:44:00,560 Speaker 1: them would be familiar with it would be smartphones. Uh, 735 00:44:00,760 --> 00:44:02,919 Speaker 1: can you talk a little bit about how that has 736 00:44:03,040 --> 00:44:06,279 Speaker 1: developed over the last few years and and why it 737 00:44:06,440 --> 00:44:11,520 Speaker 1: is such a a compelling component for security. 
Well, I 738 00:44:11,560 --> 00:44:15,239 Speaker 1: think one of the story I actually met, which is 739 00:44:15,239 --> 00:44:18,160 Speaker 1: a part of my experience too, is uh summing up 740 00:44:18,360 --> 00:44:22,040 Speaker 1: really well, is the since the more and more phone 741 00:44:22,120 --> 00:44:27,799 Speaker 1: has a fingerprint, uh said, more and more people using it. 742 00:44:27,880 --> 00:44:30,160 Speaker 1: Is the one guy, an over friend of my agency, 743 00:44:30,600 --> 00:44:34,440 Speaker 1: totally forgot the passcode now is using fingerprints on 744 00:44:34,520 --> 00:44:37,319 Speaker 1: the phone all the time. And one of my point 745 00:44:37,360 --> 00:44:39,920 Speaker 1: I don't use the officer also I forgot the pass 746 00:44:40,000 --> 00:44:43,240 Speaker 1: code as well. So it is a kind of tells 747 00:44:43,320 --> 00:44:47,919 Speaker 1: you the consumer behavior doesn't changed and so much. Yeah, 748 00:44:47,920 --> 00:44:52,960 Speaker 1: they used to obviously everyone have a passcode, and 749 00:44:53,920 --> 00:44:58,480 Speaker 1: nowadays they do, but they they don't use it anymore. 750 00:44:58,719 --> 00:45:03,400 Speaker 1: The fingerprinting, that is certainly take over a 751 00:45:03,480 --> 00:45:09,080 Speaker 1: majority of the authentication. And then the other thing was 752 00:45:09,200 --> 00:45:13,279 Speaker 1: the in the case of like in China market where 753 00:45:13,320 --> 00:45:18,280 Speaker 1: a lot of mobile payment. Now, if you were in China, 754 00:45:18,680 --> 00:45:22,840 Speaker 1: you could literally live without It's like a credit, right, 755 00:45:22,920 --> 00:45:26,200 Speaker 1: you can live without a cash but that you in China, 756 00:45:26,280 --> 00:45:30,279 Speaker 1: you can live without credit card and the cash. 
You 757 00:45:30,320 --> 00:45:34,920 Speaker 1: can use your phone and mobile payment literally do everything 758 00:45:35,080 --> 00:45:40,520 Speaker 1: from convenience store to buying ticket to hotel payment everything. 759 00:45:41,360 --> 00:45:46,440 Speaker 1: It's quite uh, but all that things obviously going through 760 00:45:47,200 --> 00:45:51,600 Speaker 1: fingerprint authentication, right, and so the 761 00:45:51,920 --> 00:45:55,640 Speaker 1: authentication part is obviously really important. You want to make 762 00:45:55,680 --> 00:46:00,160 Speaker 1: certain that the person who is utilizing a device, particularly 763 00:46:00,480 --> 00:46:03,640 Speaker 1: one that can be used as a means of commerce, 764 00:46:03,640 --> 00:46:07,120 Speaker 1: a means of purchase. You want to make sure that 765 00:46:07,200 --> 00:46:10,480 Speaker 1: the the identity of the person holding the phone is 766 00:46:10,520 --> 00:46:13,520 Speaker 1: in fact the person authorized to use that device for 767 00:46:13,560 --> 00:46:16,839 Speaker 1: that purpose. And that kind of comes in with the 768 00:46:16,840 --> 00:46:21,240 Speaker 1: the sensors that you've been working on in the recent 769 00:46:21,360 --> 00:46:25,120 Speaker 1: past where it's not just looking for the pattern of 770 00:46:25,120 --> 00:46:28,640 Speaker 1: a fingerprint, which, as some people have pointed out, is 771 00:46:28,840 --> 00:46:33,080 Speaker 1: something that is uh possible to spoof. If you go 772 00:46:33,360 --> 00:46:36,239 Speaker 1: and you have the right scanners and you have the 773 00:46:36,320 --> 00:46:39,120 Speaker 1: right you know, even three D printer technology, you could 774 00:46:39,200 --> 00:46:45,400 Speaker 1: potentially create a fake fingerprint and access sensors that are 775 00:46:45,680 --> 00:46:51,600 Speaker 1: only capable of detecting the fingerprint layout. 
You are working 776 00:46:51,680 --> 00:46:54,200 Speaker 1: on technology that goes a step further than that. Can 777 00:46:54,200 --> 00:46:58,919 Speaker 1: you talk about that a little bit? Yes? Uh, yeah, 778 00:46:58,960 --> 00:47:03,000 Speaker 1: this is the one technology we recently released to the market. 779 00:47:04,120 --> 00:47:08,200 Speaker 1: Is uh. You at the same time when you scan 780 00:47:08,440 --> 00:47:13,080 Speaker 1: recording as snit is a fingerprint pattern, you're also 781 00:47:13,280 --> 00:47:19,759 Speaker 1: detecting the dynamic blood flow in your fingertips. So that 782 00:47:20,320 --> 00:47:24,800 Speaker 1: enabled the sensor tells this fingerprint pattern is from 783 00:47:24,840 --> 00:47:30,600 Speaker 1: a a live person versus h a mock-up spoof. 784 00:47:31,360 --> 00:47:38,200 Speaker 1: So that further enhanced the security level of fingerprint authentication 785 00:47:38,440 --> 00:47:43,160 Speaker 1: because the most of the spoof measure we know obviously 786 00:47:43,600 --> 00:47:49,160 Speaker 1: is uh it's not a live object. So this basically 787 00:47:49,360 --> 00:47:56,319 Speaker 1: enabled the security level one level up from so I 788 00:47:56,360 --> 00:47:59,239 Speaker 1: think it will block out the most if not order 789 00:47:59,520 --> 00:48:03,759 Speaker 1: protect show. Right, So people who would be you know, 790 00:48:03,760 --> 00:48:06,680 Speaker 1: people who would normally rely on something like a a 791 00:48:06,840 --> 00:48:11,200 Speaker 1: fake fingerprint made from say silicone or rubber. 
That wouldn't 792 00:48:11,200 --> 00:48:14,760 Speaker 1: work on this particular type of device or this particular sensor, 793 00:48:14,800 --> 00:48:17,520 Speaker 1: I should say that will be incorporated into other devices, 794 00:48:18,360 --> 00:48:22,080 Speaker 1: whether it's a phone or a secure entry point or 795 00:48:22,120 --> 00:48:25,880 Speaker 1: whatever it may be, because it will lack that blood flow, 796 00:48:26,040 --> 00:48:29,120 Speaker 1: and without the blood flow, the the device quote unquote 797 00:48:29,160 --> 00:48:32,840 Speaker 1: knows it is not a valid authentication. Am I getting 798 00:48:32,880 --> 00:48:37,680 Speaker 1: that correct? Correct? Right? You're absolutely correct, wonderful. So let's 799 00:48:37,719 --> 00:48:40,040 Speaker 1: talk a little bit about how this how this sensor 800 00:48:40,080 --> 00:48:43,480 Speaker 1: actually does detect that blood flow. What are you using 801 00:48:44,280 --> 00:48:48,200 Speaker 1: in order for the technology to to quote unquote know 802 00:48:48,520 --> 00:48:54,120 Speaker 1: that blood is flowing behind that fingerprint? Yeah, so what 803 00:48:54,640 --> 00:48:59,840 Speaker 1: we I think we're using this technology, uh integrate the 804 00:49:00,320 --> 00:49:05,200 Speaker 1: a optical sensor in the same area as a 805 00:49:05,239 --> 00:49:10,120 Speaker 1: fingerprint sensor and so. And we also put in a 806 00:49:10,160 --> 00:49:16,760 Speaker 1: small led emitter emitting an infrared light through the sensor 807 00:49:16,920 --> 00:49:22,200 Speaker 1: glass cover, so that sending the light in to your fingertip, 808 00:49:23,000 --> 00:49:26,600 Speaker 1: and then the optical sensor detected the scattered light of 809 00:49:26,719 --> 00:49:31,200 Speaker 1: your fingertip, so the blood flow itself will be changing the 810 00:49:31,400 --> 00:49:34,840 Speaker 1: scattered light intensity. 
So this is a very common 811 00:49:34,840 --> 00:49:39,040 Speaker 1: technique to use. Like in the hospital, the oximeter 812 00:49:39,840 --> 00:49:41,960 Speaker 1: we use all the time. You know, it's you're in 813 00:49:42,000 --> 00:49:46,360 Speaker 1: the hospital bed, they put on your fingertips. There's the same principle, 814 00:49:47,000 --> 00:49:50,000 Speaker 1: except that in this case we just use it to 815 00:49:51,160 --> 00:49:55,279 Speaker 1: detected the blood flow of a detecting the host. Give 816 00:49:55,360 --> 00:49:58,520 Speaker 1: that right. So in some ways you could even argue 817 00:49:58,560 --> 00:50:01,640 Speaker 1: this is this is a a simpler use of a 818 00:50:01,680 --> 00:50:05,520 Speaker 1: technology that's been put to use specifically for those monitoring 819 00:50:05,560 --> 00:50:09,239 Speaker 1: devices and hospitals where you know you need to have 820 00:50:09,400 --> 00:50:12,960 Speaker 1: more specific information. It's not like your smartphone necessarily is 821 00:50:13,000 --> 00:50:15,080 Speaker 1: going to tell you what the oxygen levels are in 822 00:50:15,080 --> 00:50:18,600 Speaker 1: your blood, although I guess you could technically develop sensors 823 00:50:18,640 --> 00:50:23,080 Speaker 1: that could do that. You're right. But on the other hand, 824 00:50:23,120 --> 00:50:27,759 Speaker 1: obviously is that fontify everything I got? That boy is 825 00:50:28,520 --> 00:50:31,400 Speaker 1: one level up? Right? You also need a longer time, 826 00:50:31,680 --> 00:50:37,560 Speaker 1: you mean, not something average you that we're waiting to wait? Right, 827 00:50:37,719 --> 00:50:41,080 Speaker 1: So why wait? 
We do providing a simple way to 828 00:50:41,960 --> 00:50:46,920 Speaker 1: also provide a heartbeat the heart rate on the it's 829 00:50:46,960 --> 00:50:50,400 Speaker 1: a sensor, so user could just to leave the bigative 830 00:50:50,520 --> 00:50:54,239 Speaker 1: on the sensor for you that kind as that will 831 00:50:54,320 --> 00:50:57,080 Speaker 1: report the heart rate. But there is a kind of 832 00:50:57,200 --> 00:51:01,280 Speaker 1: side benefit of this technology, right, and so one potential 833 00:51:01,320 --> 00:51:06,160 Speaker 1: application for being able to detect heart rate. Obviously you 834 00:51:06,200 --> 00:51:09,759 Speaker 1: have medical applications, but you also have applications within the 835 00:51:09,840 --> 00:51:13,680 Speaker 1: health and fitness sector where people might be using their 836 00:51:13,719 --> 00:51:16,719 Speaker 1: smartphone while out on say a jog, and they want 837 00:51:16,760 --> 00:51:18,600 Speaker 1: to make sure that they're keeping their heart rate within 838 00:51:18,640 --> 00:51:21,960 Speaker 1: a specific target zone. That could be something that you 839 00:51:22,000 --> 00:51:25,000 Speaker 1: would use that sort of sensor technology for beyond its 840 00:51:25,000 --> 00:51:30,719 Speaker 1: authentication capabilities. So it's really interesting to me that we're 841 00:51:30,760 --> 00:51:34,040 Speaker 1: looking at a technology that for a long time people 842 00:51:34,080 --> 00:51:36,120 Speaker 1: thought of as sort of science fiction. You know, you 843 00:51:36,200 --> 00:51:39,480 Speaker 1: saw you would see in movies that someone would put 844 00:51:39,480 --> 00:51:41,799 Speaker 1: their finger down and get a scan and that would 845 00:51:41,800 --> 00:51:45,600 Speaker 1: give them access to stuff. 
And now we're realizing that's 846 00:51:45,600 --> 00:51:49,440 Speaker 1: convenient because you unless something terrible has happened, you always 847 00:51:49,480 --> 00:51:53,399 Speaker 1: have your finger with you. But but as well as 848 00:51:53,440 --> 00:51:56,920 Speaker 1: we've discussed, it's it's not foolproof unless you have 849 00:51:57,120 --> 00:52:00,960 Speaker 1: this secondary layer of protection and uh in 850 00:52:00,960 --> 00:52:05,040 Speaker 1: this case, that detection of blood flow. Uh So what 851 00:52:05,239 --> 00:52:08,560 Speaker 1: sort of devices might we see this incorporated into. I 852 00:52:08,560 --> 00:52:11,839 Speaker 1: mean again, smartphones are are an obvious example. Are there 853 00:52:11,840 --> 00:52:15,839 Speaker 1: others that uh that you either have your eye on 854 00:52:16,120 --> 00:52:18,920 Speaker 1: or you could see as being a potential in the future. Yeah, 855 00:52:19,040 --> 00:52:25,000 Speaker 1: the other uh we not the mobile device then you're 856 00:52:25,080 --> 00:52:29,800 Speaker 1: looking at it maybe save the same for example, I 857 00:52:30,000 --> 00:52:35,479 Speaker 1: people using UH code and see. But at the same 858 00:52:35,560 --> 00:52:42,360 Speaker 1: time you could even in the codett could implement the 859 00:52:43,520 --> 00:52:47,960 Speaker 1: press camera, right and so not only you use the code, 860 00:52:48,120 --> 00:52:51,279 Speaker 1: you also on top of that you can use think 861 00:52:51,320 --> 00:52:55,160 Speaker 1: of right now there over so that will add you know, 862 00:52:55,239 --> 00:53:00,680 Speaker 1: actual layer of security. Yeah, and your your doors. So 863 00:53:00,719 --> 00:53:04,560 Speaker 1: many times people you know now they're wireless, they control 864 00:53:04,560 --> 00:53:09,080 Speaker 1: a door become more and more popular and you may 865 00:53:09,600 --> 00:53:13,560 Speaker 1: enable a scan there for people to do that. 
There's 866 00:53:13,600 --> 00:53:16,400 Speaker 1: a lot of us Like the car, right they the 867 00:53:16,560 --> 00:53:20,120 Speaker 1: atom is the same way people steal your key today 868 00:53:20,160 --> 00:53:23,520 Speaker 1: can just drive away with your car. But if you 869 00:53:23,680 --> 00:53:27,359 Speaker 1: have one different scanner in the car or on the key, 870 00:53:28,080 --> 00:53:31,799 Speaker 1: that will obviously they protect your car better. You can 871 00:53:31,960 --> 00:53:34,799 Speaker 1: stock you can lose your key, but the people still 872 00:53:35,200 --> 00:53:39,160 Speaker 1: kind of drive away with your car. So there's a 873 00:53:39,800 --> 00:53:43,080 Speaker 1: way of using is the one benefit of the mobile 874 00:53:43,120 --> 00:53:47,600 Speaker 1: application is uh it's really driving their cars and the 875 00:53:47,760 --> 00:53:53,040 Speaker 1: side and the power way done imagine is a biting 876 00:53:53,120 --> 00:53:57,600 Speaker 1: devisorshipping every year, so they scale the economy make it 877 00:53:58,480 --> 00:54:01,799 Speaker 1: costs coming down so much so you enable all those 878 00:54:01,840 --> 00:54:06,040 Speaker 1: other applications. Yeah, you hit upon something really interesting there, 879 00:54:06,040 --> 00:54:09,960 Speaker 1: because we've seen that. We've seen the smartphone and cell 880 00:54:10,000 --> 00:54:14,319 Speaker 1: phone technologies drive a lot of development in what you 881 00:54:14,440 --> 00:54:20,200 Speaker 1: might think initially are unrelated technology simply because as you say, 882 00:54:20,239 --> 00:54:25,279 Speaker 1: the economies of scale provide this this economic imperative. It's 883 00:54:25,280 --> 00:54:31,000 Speaker 1: not even an incentive, it's an imperative to develop uh, smaller, 884 00:54:31,280 --> 00:54:36,920 Speaker 1: more efficient, more economic sensors and other technologies. 
So, for example, 885 00:54:37,480 --> 00:54:41,000 Speaker 1: beyond this fingerprint sensing technology that could be used in 886 00:54:41,080 --> 00:54:44,960 Speaker 1: multiple applications, a lot of the development we've seen in 887 00:54:45,120 --> 00:54:49,719 Speaker 1: the virtual reality space, in in just gaming in general, 888 00:54:50,560 --> 00:54:54,480 Speaker 1: and a lot of technologies. The reason why it's possible 889 00:54:54,840 --> 00:54:58,960 Speaker 1: is because the smartphone has acted as a platform that 890 00:54:59,520 --> 00:55:03,000 Speaker 1: people have been developing for for years to increase, increase 891 00:55:03,040 --> 00:55:07,320 Speaker 1: the number of features, increase its security, increase its applicability 892 00:55:07,440 --> 00:55:11,920 Speaker 1: for lots of different uh possible uses, and we end 893 00:55:12,000 --> 00:55:17,880 Speaker 1: up seeing that spill over into seemingly unrelated uses. And UH, 894 00:55:17,920 --> 00:55:21,200 Speaker 1: I think that's a great story in general, just that 895 00:55:21,640 --> 00:55:28,080 Speaker 1: it illustrates that work in one particular platform benefits in 896 00:55:28,120 --> 00:55:32,560 Speaker 1: ways that you can't necessarily anticipate from the beginning. And uh, 897 00:55:32,600 --> 00:55:36,360 Speaker 1: and certainly when it comes to things like authentication and security, 898 00:55:36,880 --> 00:55:40,319 Speaker 1: you want to see those benefits being applied to a 899 00:55:40,400 --> 00:55:44,640 Speaker 1: broader spectrum of uses because we're getting to a world. 900 00:55:45,200 --> 00:55:47,320 Speaker 1: In fact, we're already there. 
We're in a world where 901 00:55:47,800 --> 00:55:52,440 Speaker 1: more and more of our devices are interconnected in ways 902 00:55:52,520 --> 00:55:56,080 Speaker 1: where if you are able to get unauthorized access to them, 903 00:55:56,440 --> 00:56:00,360 Speaker 1: you could potentially cause a great deal of mischief and harm. 904 00:56:00,480 --> 00:56:03,640 Speaker 1: Um So where do you see the future going? If 905 00:56:03,640 --> 00:56:07,080 Speaker 1: you had to put on your prognosticator hat, what do 906 00:56:07,120 --> 00:56:11,000 Speaker 1: you think the next big step in authentication is going 907 00:56:11,080 --> 00:56:14,800 Speaker 1: to be? Well, are they already happening? The iris 908 00:56:14,960 --> 00:56:18,600 Speaker 1: scan on the phone? Right? That the Samsung 909 00:56:18,719 --> 00:56:23,040 Speaker 1: as the donkey already there is also incremented, and I 910 00:56:23,160 --> 00:56:28,759 Speaker 1: think it would become more goal popular. And they the 911 00:56:28,800 --> 00:56:31,919 Speaker 1: next level of people already talking is a fingerprint scan 912 00:56:32,040 --> 00:56:36,520 Speaker 1: and will getting into the display area as I think 913 00:56:36,880 --> 00:56:40,240 Speaker 1: rumor is the iPhone may have this function. 914 00:56:41,000 --> 00:56:44,359 Speaker 1: And uh, then I think you're going beyond. You're going 915 00:56:44,400 --> 00:56:48,480 Speaker 1: to see more and more maybe medical reading, right because 916 00:56:48,480 --> 00:56:52,680 Speaker 1: they the mobile device is so powerful and with us 917 00:56:52,719 --> 00:56:57,160 Speaker 1: all the time, you can really use as a platform 918 00:56:57,440 --> 00:57:03,560 Speaker 1: for monitoring your health because it's with you all the time. 
919 00:57:04,160 --> 00:57:09,000 Speaker 1: So we see a lot of those sensors will happen, 920 00:57:09,960 --> 00:57:15,959 Speaker 1: and so I think, I think that is uh, that's 921 00:57:16,000 --> 00:57:18,280 Speaker 1: a kind of next a few years it we're going 922 00:57:18,360 --> 00:57:23,480 Speaker 1: to be more and more those things to the interesting. Well, sir, 923 00:57:23,680 --> 00:57:27,080 Speaker 1: thank you so much for joining our show and answering 924 00:57:27,120 --> 00:57:31,880 Speaker 1: my questions. This has been a fascinating conversation, and I 925 00:57:31,920 --> 00:57:35,200 Speaker 1: know that my listeners are always really interested to learn 926 00:57:35,360 --> 00:57:39,720 Speaker 1: not just about how technology works, but but why those 927 00:57:39,760 --> 00:57:42,000 Speaker 1: applications are so important. I think I think you've done 928 00:57:42,000 --> 00:57:44,640 Speaker 1: a great job at doing that. So thank you very 929 00:57:44,680 --> 00:57:48,400 Speaker 1: much for joining me today. My pleasure, thank you. As 930 00:57:48,440 --> 00:57:51,160 Speaker 1: for the future, what if you could authenticate your identity 931 00:57:51,280 --> 00:57:55,640 Speaker 1: just through thinking? Researchers over at Binghamton University developed a 932 00:57:55,720 --> 00:57:58,280 Speaker 1: process in which they could identify or at least they 933 00:57:58,320 --> 00:58:01,280 Speaker 1: claim they can identify a person based on their brain 934 00:58:01,320 --> 00:58:04,360 Speaker 1: wave activity alone. So here's what they did. They took 935 00:58:04,400 --> 00:58:07,240 Speaker 1: a sample of fifty people. It's not a big sample size, 936 00:58:07,280 --> 00:58:11,040 Speaker 1: but it's interesting fifty people, fitted each person with an 937 00:58:11,040 --> 00:58:15,200 Speaker 1: electroencephalogram or EEG headset. 
Then they showed 938 00:58:15,240 --> 00:58:19,160 Speaker 1: each person a series of five images, and those images 939 00:58:19,160 --> 00:58:24,720 Speaker 1: prompted various emotional and cognitive responses. Now, those responses are 940 00:58:24,840 --> 00:58:29,200 Speaker 1: unique to each individual. So let's say that you and 941 00:58:29,240 --> 00:58:31,440 Speaker 1: I are looking at the same photo, and just for 942 00:58:31,560 --> 00:58:34,920 Speaker 1: argument's sake, it's a picture of my adorable dog, Tibolt, 943 00:58:35,400 --> 00:58:37,120 Speaker 1: and both of us just think he's the cutest little 944 00:58:37,120 --> 00:58:40,520 Speaker 1: dog in the world because he is. I mean, come on, Well, 945 00:58:40,560 --> 00:58:44,560 Speaker 1: the way your brain manifests that information and the way 946 00:58:44,720 --> 00:58:48,320 Speaker 1: my brain manifests that information, even if we both feel 947 00:58:48,640 --> 00:58:53,080 Speaker 1: the same way, is going to be different. So theoretically, 948 00:58:53,720 --> 00:58:58,920 Speaker 1: once you record responses from people, these brain responses to 949 00:58:59,000 --> 00:59:02,360 Speaker 1: these images, and assign each of those responses to the 950 00:59:02,440 --> 00:59:06,160 Speaker 1: respective identity, you can authenticate a person's identity just by 951 00:59:06,160 --> 00:59:08,600 Speaker 1: showing him or her the same series of images and 952 00:59:08,640 --> 00:59:12,200 Speaker 1: looking for matches. If there's no match, then the person 953 00:59:12,240 --> 00:59:15,200 Speaker 1: you're looking at isn't who you think they are, and 954 00:59:15,240 --> 00:59:20,320 Speaker 1: they're likely a pod person. Maybe I should add that 955 00:59:20,360 --> 00:59:22,920 Speaker 1: no one I know of is actually talking about using 956 00:59:23,000 --> 00:59:27,720 Speaker 1: brain waves for authentication just yet. 
The study said that 957 00:59:27,760 --> 00:59:32,240 Speaker 1: the researchers had a success rate identifying subjects based on 958 00:59:32,320 --> 00:59:35,480 Speaker 1: brain waves, and it came out in so in other words, 959 00:59:35,880 --> 00:59:38,840 Speaker 1: they put these fifty people through the test of recording 960 00:59:38,880 --> 00:59:42,720 Speaker 1: all of these responses. Then I assume they used a 961 00:59:42,760 --> 00:59:48,200 Speaker 1: blind method where somebody would end up looking at the 962 00:59:48,320 --> 00:59:51,960 Speaker 1: responses that were coming in from an unknown subject and 963 00:59:51,960 --> 00:59:55,440 Speaker 1: they would be able to match that person's responses to 964 00:59:55,560 --> 00:59:58,520 Speaker 1: one that was already in the database, thus saying, Oh, 965 00:59:58,640 --> 01:00:01,680 Speaker 1: that's Jill, because when Jill sees a picture of Tibolt, 966 01:00:02,280 --> 01:00:07,160 Speaker 1: her heart grows three sizes that day. We've got to 967 01:00:07,160 --> 01:00:11,840 Speaker 1: stop showing those pictures. She's having heart trouble. Trouble. It's terrible. 968 01:00:12,200 --> 01:00:16,600 Speaker 1: Tibolt is just so cute. Anyway, I should add that. Uh. Also, 969 01:00:17,240 --> 01:00:20,520 Speaker 1: if you wanted to use this as an authentication strategy, 970 01:00:20,720 --> 01:00:23,240 Speaker 1: it would be pretty tricky because it requires an 971 01:00:23,400 --> 01:00:27,080 Speaker 1: EEG headset. It's not exactly the most convenient authentication technology 972 01:00:27,120 --> 01:00:30,600 Speaker 1: around now. If we ever develop a less cumbersome method 973 01:00:30,720 --> 01:00:35,800 Speaker 1: for measuring measuring brainwave activity with precision, that's important, that 974 01:00:35,840 --> 01:00:39,280 Speaker 1: could become an authentication technology of the future. 
It's literally 975 01:00:39,320 --> 01:00:42,080 Speaker 1: the way you think, and that would be much much 976 01:00:42,120 --> 01:00:46,160 Speaker 1: more difficult, if not impossible, to replicate unless you had 977 01:00:46,200 --> 01:00:48,600 Speaker 1: some sort of recording of a person's brain waves and 978 01:00:48,640 --> 01:00:52,320 Speaker 1: you could somehow you know, push those out to cover 979 01:00:52,400 --> 01:00:55,480 Speaker 1: up your own brainwave activity. I think I might have 980 01:00:55,520 --> 01:00:59,760 Speaker 1: just written a science fiction novel accidentally. Anyway, that wraps 981 01:00:59,800 --> 01:01:01,680 Speaker 1: it up for this episode. If you want to know 982 01:01:01,720 --> 01:01:05,720 Speaker 1: more about authentication, or biometrics or anything else, really just 983 01:01:06,120 --> 01:01:08,720 Speaker 1: check out how stuff works dot com. Our site is 984 01:01:08,760 --> 01:01:11,320 Speaker 1: pretty awesome, you guys, and it can teach you pretty 985 01:01:11,360 --> 01:01:13,800 Speaker 1: much how anything works. And if we don't have what 986 01:01:13,840 --> 01:01:15,880 Speaker 1: you're looking for, you can actually let us know, and 987 01:01:15,920 --> 01:01:18,439 Speaker 1: there's a good chance that someone will create a new 988 01:01:18,480 --> 01:01:20,680 Speaker 1: writing assignment. It will go out to a writer, they 989 01:01:20,680 --> 01:01:22,600 Speaker 1: will research it and they'll write it, and we'll create 990 01:01:22,600 --> 01:01:25,400 Speaker 1: a new article and then you'll have your answer. Also, 991 01:01:25,680 --> 01:01:27,640 Speaker 1: remember you can get in touch with me with any 992 01:01:27,680 --> 01:01:30,920 Speaker 1: suggestions you might have for future episodes, guests I should 993 01:01:30,920 --> 01:01:33,720 Speaker 1: have on the show, or really anything else. 
The email 994 01:01:33,720 --> 01:01:36,800 Speaker 1: address for the show is tech stuff at how stuff 995 01:01:36,800 --> 01:01:39,320 Speaker 1: works dot com, or you can drop me a line 996 01:01:39,360 --> 01:01:42,320 Speaker 1: on Facebook or Twitter. The show's handle at both is 997 01:01:42,440 --> 01:01:45,440 Speaker 1: tech Stuff H s W. And I'll talk to you 998 01:01:45,480 --> 01:01:53,920 Speaker 1: again really soon. For more on this and thousands of 999 01:01:53,960 --> 01:02:01,680 Speaker 1: other topics, visit how stuff works dot com. Whe