Hacker News new | ask | show | jobs
by lenazegher 4781 days ago 

    The so-called "Internet of things" adds another wrinkle. Barrett talked about
    development of refrigerators that can sense what food is inside them and
    automatically order replacement groceries. Perhaps such technology will be
    commonplace in a few years—and your refrigerator will need a way to pay for food.

    "It begs the question, do you really want your refrigerator to know your PayPal
    password?" Barrett said. "Unless we can solve that problem, life is not going to
    be good."
This is a problem that has already been solved. You create an authentication system that supports different privilege levels. You create a secret key for your fridge on a secure device (after authentication with your password). You then transfer this custom-made secret key to your fridge which gives it the privilege to spend no more than X amount on groceries to a small list of trusted vendors.

The biometric solution discussed in the article doesn't even solve this problem. Do you really want your fridge to store your fingerprint or retina data?

The part I have a hard time understanding: even if you register your phone as a trusted device and scan your fingerprint on your phone to log in to paypal, all your phone is doing is sending a secret key to paypal's servers (where's it's presumably hashed and stored).

How does that solve the problems the article identifies?

    "Left to their devices users will pick horrible passwords and then they'll
    reuse them all over the place," Barrett said.
     
    Various data breaches have exposed millions of user IDs and passwords.
    While passwords are typically exposed in an obscured or "hashed" form,
    increasingly powerful processors and password cracking programs allow
    even novice hackers to convert them into plain text
Biometrics forces you to use the same secrets to authenticate yourself with every service, and if weak security allows an attacker to reveal the "plaintext" equivalent of your fingerprint or retina scan, you're fucked.

Any system that's used to increase the security, entropy or uniqueness of your biometrics for each site you register with could equally be used to protect a single, strong master password instead. At least you could change that if it somehow got hacked.