Watch this episode on YouTube.
Reasonably Accurate 馃馃 Transcript
Morning everybody. How are you doing today? On this episode of the show? We're gonna talk about biometrics and bugs. Now, it's been a little while since we've done one of these and I appreciate your patience. I've been full steam ahead on a road to Aws re invent 2019 streaming series that's been taking up a lot of my time, but I wanted to come back and highlight an issue that popped up because we have not one but two separate reports of similar issues.
And I think they bring up a really interesting contextual point about and I'll say that even better contextual point about security as we employ today. So there's a couple of issues to this. But let me tell you what piqued my interest.
There was a report about the Samsung Galaxy 10. Now, that's a smartphone. This is the, the iphone, but the Galaxy smartphone has a fingerprint reader and it's a really cool one and that works through the display. But the problem is right now, there's a massive bug in that current versions fully up to date of the 10 will actually accept any fingerprint, not your fingerprint, any fingerprint, you can imagine that's a bit of a problem.
Similarly, on the new Google pixel four, it has face recognition similar to the iphones. The problem is unlike the iphone, which by default, you need to be looking at the phone, you need to have attention on the phone. If your eyes aren't looking at the device, it won't actually unlock, you can just hold the phone up to any face and it will unlock on the Google pixel four right now.
Now, that's in contrast to what they said when they originally launched this service, when they originally launched this phone. And there was an option displayed in the intro video that said, you know, paying attention just like on the iphone, you can turn it off where you don't actually have to have your eyes open by default, it's on, on the iphones.
And I think that's really, really important. So here we have two biometric security controls which it's really difficult to roll out new security controls to large populations. Take a look at multi factor authentication. That's when you type in your user name and password.
And then you need another factor whether that's a text message that's sent to you or an app on your device or a hard hardware key that generates a one time token. So a series of digits and that you then enter in addition to that.
So that reduces the attack surface. It's hugely successful when deployed. But getting people to adopt, it can be a challenge because you're putting another step in their way. If you're looking at this, from the usability perspective, you're adding more friction and the whole goal we use ability is to take away friction.
So when it comes to smartphones, fingerprints are a really effective way to open them, to access them, to provide an additional layer of authentication. That's why your phones when you're trying to buy something, have prompt you for additional verification.
They say like either give us your fingerprint again or face id or type in your password and face id is even less than the fingerprint because you don't need to readjust your finger. You just look at the device which you're already doing if you want to use it.
So it's a relatively smooth, especially in more in the up to date version of the iphone 11 or the ipad pro 2018, they're very fast and very effective. So that's a really positive thing. Now, the interesting thing here is that we've got a bug ostensively a bug or in one case, we have a bug on the galaxy of 10 where the feature is not working as designed.
And on the pixel four, we have a standard sort of software decision of not to ship an additional feature yet to get something at the door. Now, what I want to call it besides just the bugs and the challenges in the usability here is that security is just like any other feature that we build into software and technology, it gets evaluated and prioritized, it gets triaged and there are bugs when we implement it.
So there's always a problem when we implemented, there can be issues, right? Because people make mistakes. Now, the problem is when you recognize those mistakes is how do those issues get triaged? Now, in Samsung's case, they've said this is horrible.
We need to fix this right away and they're pushing out an emergency patch to rectify the situation and that's absolutely what they should be doing. In Google's case with the pixel four, they've said, no, this is working as intended.
Despite the fact that I can be absolutely asleep, someone can hold up the pixel four in my face and unlock it right. So there's a number of high risk scenarios where that's a really, really bad thing is at the end of the world.
No, but it's a bad thing. Now, Google said based on their prioritization, no, it was working as intended. We'll roll out the feature or we may roll out a feature where uh we enable the attention requirement in the future.
Now, that's a different software decision. Now, I understand teams don't have unlimited attention. Teams have a large amount of bugs that they need to triage and it may be a shock to you. But sometimes teams say we're not going to fix this and they look at a bug and they go it affects only a minor amount of the population.
It's not really catastrophic, it's not critical. So we're just going to leave it there and that's what we call technical debt. Right. These bugs that are sitting there is one aspect of technical debt. I should say where these bugs are sitting there triaged and said, you know what, we're not going to close it.
We're not gonna, or we're not going to address it. Now, other ones just get reprioritized. And unfortunately, as new bugs come in, the whole list gets reprioritized again, now you would think security issues should be at the top of the list than normally they are.
But sometimes you make the choice to hold back a little bit based on the risk decision because you've got a ton of momentum, shipping a feature or you're up against a deadline and the finances are, are dictating that you move forward.
It's never a clear cut decision and I do not envy the product managers out there and the teams who are making these decisions. But I think from the outside, from users, you need to realize that security is implemented just like any other feature, there will be bugs, there will be problems.
The challenge is, is from a user perspective, you may need to be in an uproar. So Samsung is doing the right thing in addressing it. Google is saying, hey, this is as designed. It's something that users may want to push back on because their answer to if you want a higher level of security is simply to turn off facial recognition as a security pro.
That's a frustrating answer because that to try to tell people or to tell people actively to turn something off if they want more security. The whole idea of facial recognition was to have a higher level of security with a less amount of friction on the usability.
So it's a real big challenge when a major company says, hey, no, just turn it off until we, you know, might at some point in the future, maybe deploy the feature, the additional functionality in this feature that makes it work as expected.
The key point here though is that security is implemented by the same development team that implements the rest of the product, which means there's going to be bugs. It's just human nature. The challenge is identifying them, prioritizing them and rolling out the fixes.
In the case of biometrics, users are hyper aware of it. We have a larger challenge around trust and assurance with biometrics, especially people to adopt it. Same with multi factor authentication. Any stumble sets everybody back and that's a major problem.
So hopefully this will get addressed very, very quickly. Please let me know what you think. Hit me up online at MARK NC A in the comments down below. I always look forward to hearing uh what you guys are thinking with this issue and any others.
Thank you very much for joining me. Have a fantastic weekend and we'll see you on the next episode of the show.
