"The problem has always been that a really good biometric -- such as a retinal scan or fingerprint -- typically is hard to collect," observed Michael Jude, a research program manager at Frost & Sullivan.

"Less than reliable biometrics are easy to collect but require validation, usually by collecting several -- but the more you collect, the more chances for authentication failure," he told TechNewsWorld.

If biometrics fail, a standby such as a password or some form of support infrastructure to do a reset is required, and "this could be complex for both the user and the service provider," Jude pointed out.

On the positive side, "when [the trust API] works, it could provide a faster, more secure, consistent method of gaining access to secure sites," Enderle suggested.

However, "Google's reputation of being unsecure, of not following through, of not listening to partners, and the complexity of the solution stand against this effort," he said.

Potential Privacy Problems

An API-based security protocol will put personal information in the cloud to some extent, Jude noted, so "the question will be, do you trust your service provider with that kind of information?"

Further, the trust API will be always on, running continually in the background, and that could be a concern -- especially because many Android apps send back users' information to devs, often without the knowledge of the device's owner.

That always-on feature means it will be easy to track users -- and with Americans being concerned about surveillance without warrants by the NSA, the FBI and various police agencies, there might be a backlash.

On the other hand, the feature could make it easier to track terrorist or criminal suspects.

There has been at least one legal ruling requiring a suspect to unlock a cellphone protected by fingerprint authentication, and with user information more readily available, law enforcement might push harder to seize data.

"This is a problem," Jude said.
"This approach to security potentially opens a lot of personal information up to coercive disclosure. I'm just waiting for someone to build a countermeasure that lets users clear a m
