Category: Security

A new commit in the Android Open Source Project (AOSP) repository suggests that facial authentication is coming to Android as a system level API.  It could mean that from system point of view, Android P could well allow for facial authentication on devices, assuming of course that the hardware to do so is built into the device.

Currently, for manufactures to support facial authentication (like OnePlus for example), they have to build their own app and leverage existing APIs, mostly around the fingerprint authentication.  That works, obviously, but it isn’t as optimized as it could be and it is dependent upon OEMs to build the supporting software & hardware to make it happen.  This commit would more-or-less standardize things for Android.

It appears that once again Apple is upping device security with the upcoming release of iOS 11.4.  In a new report on Elcomsoft indicates that when the new build of iOS rolls out, it will come with a Lightening Connection lockdown that requires the device to unlocked or the password/fingerprint to be entered every seven days.  The feature is meant to prevent tethering a device to a PC or Mac and brute force cracking the device to gain access.

The feature first appeared in iOS 11.3 but was dropped during the beta testing.  It reappeared in 11.4 and, to this point, has pretty much gone unnoticed until now.  What this means is after 7 days, if the device hasn’t been unlocked either with biometrics or a password, the Lightening connector becomes a charging port only.  No data is transmitted to or from the device by the connected laptop.

Google has announced that physical USB security key support is coming to all version of G Suite over the next few weeks.  Support of security keys, to this point, has been limited to Enterprise level customers.  That is changing as all variants of the service will be gaining support.

Security Keys are a physical USB key that you plug into a device that gives you access to it.  It is perhaps the ultimate in 2-Factor authentication.  Yubico is perhaps the most well known of these types of keys and they are readily available at low cost.

Twitter has finally begun allowing users to use 3rd party two factor authentication apps to verify their identity.  The new feature is rolling out to users accounts online and you can now select the default SMS authentication or a 3rd party authentication tool.

In April, the social micro blogging site rolled out SMS authentication that allowed users to have an authentication code texted to them when they were logging into their account.  That is still enabled by default but you now have the option to use a 3rd party app like Google Authenticator to verify your identity.   The feature requires that you log into your Twitter account online, then go to Settings & Privacy in your account settings.  There you can setup an authentication app.

One of the best password management apps out there, LastPass, has given everyone a reason to be happy:  They have lowered their price to… free!  The even better news, they haven’t stripped the app down to the barebones either.  The free app now gives you the ability to sync your password and other secure content to your phone, PC, Chrome extension and tablet.  To this point, that sync feature was part of the premium package for the app (which was a quite affordable $1/month).

From the company’s blog…

I’m thrilled to announce that, starting today, you can use LastPass on any device, anywhere, for free. No matter where you need your passwords – on your desktop, laptop, tablet, or phone – you can rely on LastPass to sync them for you, for free. Anything you save to LastPass on one device is instantly available to you on any other device you use.

If you have been looking for a password management app, you need to seriously consider LastPass as an option.

In a report from NSS Labs, the research company found that Microsoft Edge, the latest browser from the Redmond company, is more secure against phishing and malware than both Google Chrome and Mozilla’s Firefox.  The set of reports, which can be downloaded here, tested three current versions of each browser over the months of September and October to get the results which will likely come as a surprise to some.  The versions tested for the reports were:

• Google Chrome 53.0.2785
• Mozilla Firefox 48.0.2
• Microsoft Edge 38.14393.0.0

The first report focused on phishing where Edge achieved a 91.4% over the course of 12 days of testing at the NSS Labs in Austin, Texas in recognizing phishing URLs presented to it.  Chrome was at 82.4% while Firefox came in at 81.4%.  This is an important consideration in choosing a browser given the social engineering nature of phishing attacks which can lead to compromised accounts for users.