Follow Mark on LinkedIn Follow @marknca on Twitter Follow marknca on YouTube
marknca

Mornings With Mark
no. // 0 0 0 1

Biometrics and Bugs

Subscribe to the podcast.

Watch the episode here

Join the discussion on LinkedIn

Tweet about this episode

Full machine generated transcript follows

More than everybody how you doing today on this episode of the show. We're going to talk about Biometrics and bugs. It's been a little while since we've done one of these and I appreciate your patience. I've been full steam ahead on a road to AWS reinvent 2019 streaming series that's been taking up a lot of my time, but I wanted to come back and highlight an issue that popped up because we have not one but two separate reports of similar issues and I think they bring up a really interesting contextual point about and will say that even better contextual point a stoat security as we employ today's there's a couple issues do this, but let me tell you what would pique my interest there was a report about the Samsung Galaxy 10 now, that's a smartphone.

This is DPI phone, but the Galaxy smartphone has a fingerprint reader and it's a really cool one in that works through the display have but the problem is right. Now, there's a massive bug in that car versions fully up-to-date of the S10 will actually accept any fingerprint. Not your fingerprint any fingerprint you can imagine that's a bit of a problem similarly.

The new Google pixel for it has face recognition similar to the iPhones. The problem is I don't like the iPhone which by default you need to be looking at the phone need to have attention on the phone. If your eyes aren't looking at the device. It won't actually unlocked.

You can just hold the phone up to any face and it will unlock on the Google pixel for right now and that's in contrast to what they said when they originally launched. This service was originally launched this phone and there was an option displayed in an in the intro video that said I know paying attention just like on the iPhone you can turn off where you don't actually have to have your eyes open by default lights on on the iPhones and I think that's really really important.

So here we have two biometric security controls, which it's really difficult to roll out a new security controls to a large populations at take a look at multi-factor authentication. That's when you type in your username and password and then you need another fact whether that's a text message to send to you or an app on your device or Hardcore Hardware key that generates a one-time tokoto series of digits and that you didn't answer in addition to that.

So that reduces the attack surface. It's hugely successful when deployed but getting people to adopt it can be a challenge because you're putting another step in their way. If you're looking at this from the usability perspective you're adding more friction in the whole go use abilities to take away friction.

So smartphones fingerprints are really effective way to open them to access them to provide an additional layer of authentication. That's why your phone when you're trying to buy something have loved you for additional verification to give us your fingerprinting in her face ID, you're typing in password admin face IDs and even less than the fingerprint because you don't need to readjust your your finger.

You just look at the device which you're already doing if you want to use it. So it's a relatively smooth. So she in the more I may be up-to-date version on the iPhone 11 Emily iPad Pro 2018 a very fast and very effective and I'm so that's a really positive thing now.

How to say interesting thing here is that we've got a bug extensively a bug or a vowel and one case of a bug on the Galaxy S10 where the future is not working as designed and on the pixel for we have a standard sort of software decision of not to ship an additional feature yet to get something at the door know what I want to call it besides just the bugs in the challenges in the usability here is it security is just like any other feature that we build into software and Technology it gets evaluated and prioritized it gets triage and there are bugs when we implement it.

So there's always a problem when we implemented there can be issues right because people make mistakes another problem is when you recognize those mistakes is how did those issues get Tree on it and it's Samsung's case. They said this is horrible. We need to fix this right away in the pushing out an emergency patch to rectify the situation.

That's absolutely what they should be doing. Google's case with pixel 4 they said no this is working as intended despite the fact that I can be absolutely asleep. Someone can hold up the pixel for my face and unlock it. Right. So there's a number of high-risk scenarios where that's a really really bad thing.

Is it the end of the world know there's a bad thing and Google said based on their prioritization know it was working as intended will roll out the feature. Or we may rule at a future where we are unable the attention requirement in the future. Now, that's a different software decision.

Now, I understand teams don't have unlimited potential teams have a large amount of bugs that they need a triage and it may be a shock to you. But sometimes team say we're not going to pick this haven't been looking about going to go with the effects only a minor amount of the population.

It's not really kind of traffic is not critical. So we're just going to leave it there and that's what we call technical debt. Right these bugs that are sitting there is one aspect detective that I can say with these bugs are sitting in a tree Oceanside. You know what I'm not going to close it when I'm going to or we're not going to drop the other ones just get reprioritize that unfortunately is new pugs come in the whole list gets reprioritized again name of it.

Take security issues should be at the top of the list and normally they are but sometimes you make the choice to hold back a little bit based on the risk decision because you get a ton of momentum shipping a feature or you're up against a deadline in the finances are are dictating that you move forward.

It's never a clear-cut decision and I do The product managers at out there. I am the teams were making these decisions but I think from the outside from users you need to realize that Securities implemented just like any other feature there will be bugs. There might be problems. The challenges is from a user perspective.

You may need to be in an uproar. So Samsung's doing the right thing in addressing a Google say this is as designed it something that you may want to put back on because they're answer to if you want a higher level of security is simply to turn off facial recognition as a security pro that the frustrating answer because to try to tell people to tell people actively to turn something off if they want more security whole idea of facial recognition was to have a higher level of security with a less amount of friction on the usability.

So it's a real big challenge with a major companies to take little just turn it off until we in a might at some point in the future may be deployed the feature the additional functionality the feature that makes it work as expected. The key Point here though is that security is implemented by the same development team that implements the rest of the product which means there's going to be bugs.

It's just human nature the challenges identifying prioritizing them and rolling out. The fix is in a case of Biometrics users are hyper aware of it. We have a larger challenge around trust and insurance with Biometrics, especially getting people to adopt on Sims multi-factor authentication. Any stumble says everybody packing that's a major problem.

So hopefully this will get addressed very very quickly. Please. Let me know what you think. Hit me up online at Mark NCAA in the comment down below. I always look forward to hearing what you guys are thinking with this issue and any others. Thank you very much for joining me a fantastic weekend, and we'll see you on the next episode of the show.

More than everybody how you doing today on this episode of the show. We're going to talk about Biometrics and bugs. It's been a little while since we've done one of these and I appreciate your patience. I've been full steam ahead on a road to AWS reinvent 2019 streaming series that's been taking up a lot of my time, but I wanted to come back and highlight an issue that popped up because we have not one but two separate reports of similar issues and I think they bring up a really interesting contextual point about and will say that even better contextual point a stoat security as we employ today's there's a couple issues do this, but let me tell you what would pique my interest there was a report about the Samsung Galaxy 10 now, that's a smartphone.

This is DPI phone, but the Galaxy smartphone has a fingerprint reader and it's a really cool one in that works through the display have but the problem is right. Now, there's a massive bug in that car versions fully up-to-date of the S10 will actually accept any fingerprint. Not your fingerprint any fingerprint you can imagine that's a bit of a problem similarly.

The new Google pixel for it has face recognition similar to the iPhones. The problem is I don't like the iPhone which by default you need to be looking at the phone need to have attention on the phone. If your eyes aren't looking at the device. It won't actually unlocked.

You can just hold the phone up to any face and it will unlock on the Google pixel for right now and that's in contrast to what they said when they originally launched. This service was originally launched this phone and there was an option displayed in an in the intro video that said I know paying attention just like on the iPhone you can turn off where you don't actually have to have your eyes open by default lights on on the iPhones and I think that's really really important.

So here we have two biometric security controls, which it's really difficult to roll out a new security controls to a large populations at take a look at multi-factor authentication. That's when you type in your username and password and then you need another fact whether that's a text message to send to you or an app on your device or Hardcore Hardware key that generates a one-time tokoto series of digits and that you didn't answer in addition to that.

So that reduces the attack surface. It's hugely successful when deployed but getting people to adopt it can be a challenge because you're putting another step in their way. If you're looking at this from the usability perspective you're adding more friction in the whole go use abilities to take away friction.

So smartphones fingerprints are really effective way to open them to access them to provide an additional layer of authentication. That's why your phone when you're trying to buy something have loved you for additional verification to give us your fingerprinting in her face ID, you're typing in password admin face IDs and even less than the fingerprint because you don't need to readjust your your finger.

You just look at the device which you're already doing if you want to use it. So it's a relatively smooth. So she in the more I may be up-to-date version on the iPhone 11 Emily iPad Pro 2018 a very fast and very effective and I'm so that's a really positive thing now.

How to say interesting thing here is that we've got a bug extensively a bug or a vowel and one case of a bug on the Galaxy S10 where the future is not working as designed and on the pixel for we have a standard sort of software decision of not to ship an additional feature yet to get something at the door know what I want to call it besides just the bugs in the challenges in the usability here is it security is just like any other feature that we build into software and Technology it gets evaluated and prioritized it gets triage and there are bugs when we implement it.

So there's always a problem when we implemented there can be issues right because people make mistakes another problem is when you recognize those mistakes is how did those issues get Tree on it and it's Samsung's case. They said this is horrible. We need to fix this right away in the pushing out an emergency patch to rectify the situation.

That's absolutely what they should be doing. Google's case with pixel 4 they said no this is working as intended despite the fact that I can be absolutely asleep. Someone can hold up the pixel for my face and unlock it. Right. So there's a number of high-risk scenarios where that's a really really bad thing.

Is it the end of the world know there's a bad thing and Google said based on their prioritization know it was working as intended will roll out the feature. Or we may rule at a future where we are unable the attention requirement in the future. Now, that's a different software decision.

Now, I understand teams don't have unlimited potential teams have a large amount of bugs that they need a triage and it may be a shock to you. But sometimes team say we're not going to pick this haven't been looking about going to go with the effects only a minor amount of the population.

It's not really kind of traffic is not critical. So we're just going to leave it there and that's what we call technical debt. Right these bugs that are sitting there is one aspect detective that I can say with these bugs are sitting in a tree Oceanside. You know what I'm not going to close it when I'm going to or we're not going to drop the other ones just get reprioritize that unfortunately is new pugs come in the whole list gets reprioritized again name of it.

Take security issues should be at the top of the list and normally they are but sometimes you make the choice to hold back a little bit based on the risk decision because you get a ton of momentum shipping a feature or you're up against a deadline in the finances are are dictating that you move forward.

It's never a clear-cut decision and I do The product managers at out there. I am the teams were making these decisions but I think from the outside from users you need to realize that Securities implemented just like any other feature there will be bugs. There might be problems. The challenges is from a user perspective.

You may need to be in an uproar. So Samsung's doing the right thing in addressing a Google say this is as designed it something that you may want to put back on because they're answer to if you want a higher level of security is simply to turn off facial recognition as a security pro that the frustrating answer because to try to tell people to tell people actively to turn something off if they want more security whole idea of facial recognition was to have a higher level of security with a less amount of friction on the usability.

So it's a real big challenge with a major companies to take little just turn it off until we in a might at some point in the future may be deployed the feature the additional functionality the feature that makes it work as expected. The key Point here though is that security is implemented by the same development team that implements the rest of the product which means there's going to be bugs.

It's just human nature the challenges identifying prioritizing them and rolling out. The fix is in a case of Biometrics users are hyper aware of it. We have a larger challenge around trust and insurance with Biometrics, especially getting people to adopt on Sims multi-factor authentication. Any stumble says everybody packing that's a major problem.

So hopefully this will get addressed very very quickly. Please. Let me know what you think. Hit me up online at Mark NCAA in the comment down below. I always look forward to hearing what you guys are thinking with this issue and any others. Thank you very much for joining me a fantastic weekend, and we'll see you on the next episode of the show.