An app I came across shows the following error "This app doesn't support face recognition for verifying your identity. Use your fingerprint sensor instead" when tried to use Biometric face recognition when face recognition in the device is weak. They are not using BiometricManager.Authenticators to determine if biometric is STRONG or WEAK. Is there any other way that is possible to achieve this?
Authenticate the biometric prompt with the crypto object and the biometric prompt will show the following error if only unsecured biometrics are present.
Related
If I'm on #LinkedIn and I go to Account -> Login and Security there is an option for Two-step Verification. This is in addition to e.g. Email Addresses and Telephone Numbers (the latter clearly labeled "... in case you have trouble signing in").
However Two-step Verification also provides SMS (telephone) authentication in addition to an "authenticator app" option, "...such as Microsoft Authenticator". There is smoke here; is there fire?
How do I write my own authenticator: I presume there's a (REST) API (client / server, don't care)? How do I get #LinkedIn to call it (or vice versa)? Are there any examples?
General Background I'm envisioning two potential solutions: 1) a desktop app, tied to a particular desktop computing platform; 2) a deck of playing cards (seriously, and I've got POC for this). This is NOT using LinkedIn to login somewhere else, but providing custom MFA when logging in to LinkedIn. I'd probably try to write it in Python.
Request Background (IMPORTANT) I posed this question to #LinkedIn support, and they sent me here.
Security Background (IMPORTANT) SMS is not secure. There are ways of hijacking IMEIs. There are technical problems (bugs). There are other problems, for instance documented cases of bribery of telco personnel.
Political Background (IMPORTANT) #LinkedIn periodically asks me for a telephone number for MFA (multifactor authentication), but they have an email address; they could use that. There is documented past history of social networks using things like telephone numbers, provided for security purposes, to expand their social graph (in the legal sense, unauthorized conversion). Just like Certificate Authorities, there is no compelling technical reason that MFA can't be provided via open standards (in the case of CAs, DNSSEC and DANE as an alternative).
I am implementing Time based OTP (TOTP) for my network security course. The last time I gave presentation my instructor asked me "If you're going to share secret key by generating QR code and then letting the client(soft token) scan it, how are you sure that its safe ? " He meant that how the procedure of getting key from database and then making its QR code is safe ? If a third party have access to that web page then ? can third party know secret key without scanning code ?
I'm so confused from his questions.
Most probably the question was with generating the QR code, not really about the security of the shared secret itself (there is nothing you can do more about transferring the shared secret - you have to somehow share it).
What you have to be careful about when it comes to QR generation - do not use external services (like google chart) to generate the QR code, you have to do it with minimum external library use - ideally purely on the client side.
Here is an example https://github.com/token2/totp-toolset-local
I am working on an in house project with several sensor devices. I do not want a user to register each and every device individually. In the sense I want to use the same Public/Private Key pair for all devices registering to a registry but be able to pass device information on to pubsub via mqtt/http with unique device information like name or id. Is it possible to achieve that?
I am assuming if i am using the same Keys. I am registering all devices as one but is it possible to send device info as part of the message being published. does doing that inhibit the usage of google's inbuilt functionality in any way like API's.
new to cloud technologies, any thoughts/suggestions would help.
Depends on MQTT-broker configuration.
Normally Certificate based authorization is used only for authorisation on MQTT-Broker side. So you can use Public/Private Key pair to authorize and connect to the broker and use MQTT ClientID to differ between your devices.
MQTT-Broker can be also configured to use Identity from authorization Public/Private Key pair as Username.
use_identity_as_username true
In this case, if MQTT-Broker has also username based ACL configuration for example like that:
#device info sent from device. %u <- username
pattern readwrite %u/devinfo
All your devices will publish messages under same username, you should set different ClientID for each device or use CleanSession Flag in this case.
Here is a good reading to understand how the connection between device and broker works at all: https://www.hivemq.com/blog/mqtt-essentials-part-3-client-broker-connection-establishment/
Sounds like you really want to be using the new gateway functionality (it's in beta now, but I've run through using it a bunch and it's quite stable).
Check out this tutorial on gateways to get an idea of what we're talking about:
https://cloud.google.com/community/tutorials/cloud-iot-gateways-rpi
TL;DR version is that it allows a single device to manage many smaller devices (which may not be capable of auth on their own) but still have those smaller devices be represented in the Cloud.
So basically, you have a more powerful device (like a Raspberry Pi, or a desktop machine, whatever) registered in IoT Core as a "Gateway". Then when you create the individual devices in the Cloud, you don't specify an SSL key (the Console will warn you about the device not being able to connect) and then you can "associate" the device with the gateway, and it'll handle the auth piece for you. Then the individual devices instead of calling out to the internet, connect and talk to the gateway device locally.
First, I'm working on a Master student's project, the project is a Web Bank System and apply encryption algorithms on this system.
The first algorithm which is a new encryption algorithm designed by the student who requested my help is to encrypt the sensitive data (Credit Cards information) on the database.
The second algorithm (which is a modified AES algorithm) is to encrypt the messages between the customer of the bank and the admin of the bank system using a web chat room.
Of course, there is no problem with the first algorithm because I can apply it to encrypt the Credit Card information submitted by the user and save it on the database.
But, the problem is that the professor that supervising on this student project insisted to secure the messages sent across the network by the admin and customer that they are using the web chat room and these messages must be secured using the second algorithm (modified AES).
As you all know, if I just code the second algorithm in Javascript to encrypt the messages on the browser client machine then send those encrypted messages to the server, that means this algorithm will be available to anyone who opens this webpage because we all know that Javascript is an open client source.
So, no more talking, I just want to ask that:
How to apply any encryption algorithm to secure the data transfer between client machine and server machine by using web application (for example web chat application) without to be this algorithm an open source to any client machine?
ADyson's comment contains the best solution to solve this problem practically, but it sounds like the professor has added constraints that prevent you from employing a practical solution.
It is not possible to execute an encryption algorithm on a client machine and at the same time keep the encryption algorithm a secret from the person and machine running the algorithm. They can always inspect the code.
As far as I am aware this is not possible, because the client will have to be able to both encrypt and decrypt messages; it logically requires the client understanding the encryption algorithm.
The strength of an encryption mechanism comes from the difficulty of reversing an encrypted message to plaintext without the key, even if one knows the algorithm.
If knowing an encryption algorithm allows someone to decipher a message without the key, then the algorithm is weak.
As most of us know, background agents in Windows Phone have limitations on API (either which can be used or referenced).
What I'm looking for is a framework or service or SDK that allows to track events/crashes/logs from background agents.
List of services known:
https://googleanalyticssdk.codeplex.com/ (see discussion here)
What are you, folks, using for analytics in background agents?
Background agents have very low memory limits. That's why in the agent I've used my own custom code that only saves some data to the isolated storage.
Later, when my app is launched normally in the foreground, I read and handle that data. For example if my background agent has crashed I notify user "audio has been terminated due to an error: ..." and submit a crash report.