
Topic: Changing Google Captcha to Biometric Scan | Extended application to Crypto walle (Read 136 times)

legendary
Activity: 2142
Merit: 1785
So like, my mouse touch pad is entirely a biometric sensor plate which will let my laptop understand I am working with it and let it know I am still human. Whenever a browser opens up it does not have to access my biometric data directly. It has to only call for verification parameters that are logged by my device itself. That could add an extra layer of security without compromising my privacy?
Maybe building an MVP/showing the code would help understand it better. What I'm wondering is how the browser/server knows the data (that you are an active user) is true if they need to call a "verification" request to the device without requiring some sort of validation process, which might require some sensitive data to be accessed by other parties.  If it is really not necessary, then how can it improve the current captcha if a bot or machine can bypass it by sending recorded biometric data btw?

For example, a bot computer is fed some random fingerprint data, since the website only needs to get an OK sign from an offline device, then the bot can simply say OK without doing any actual verification. At least that's what your idea sounds like to me. Competing with a captcha would probably be difficult, at least if you use a complex captcha and not the standard font typing that gets bypassed easily.
full member
Activity: 1092
Merit: 227
The only times when it would be synched is when our browser ends up with pre verification step.
Syncing means your data needs to be verified right? At one point or another, the data will need to be shared with other parties. The website needs to prove that I'm human in real time so I'll need to scan at the same time, I don't know how you can bypass this by sending encrypted data unless the website itself has the same data to do the verification. If the scanning in real-time itself is pointless because the data is stored offline (hence the website does not need any fingerprint data), then why need a fingerprint scan in the first place? A captcha would suffice no?

I'm not familiar with the technicalities but even if you only need the hash of such data, I still don't feel safe when I use it. I hope you understand what I'm trying to say since it is quite difficult to put it into words.

Nonetheless, in today's world we are anyways sharing a ton of personal data to these devices already. Whether it is my location (steady/live), motion detection, permissions to read the data on device for various purposes so that the app/site can function normally.
I don't see why we should normalize such practice if it harms our privacy and security, even if a lot of apps do the same thing. Not to mention you can disable/remove those permissions, and use other apps that don't require any sensitive data for your purpose. Those websites don't need so much of our data to function well, would you give your location data to an obscure website just because they asked you? If I need to scan my fingerprint just to see their website, I'd rather leave.

There are tons of abuse of such personal data if you take a look around this forum. Things from phishing e-mails because of a database leak, stolen identity where somebody suddenly got a lot of debt when they never made one, losing crypto money because their password is stored online, etc.

Not everyone is techy, not everyone understands what type of data might be getting shared.
And because not everyone understands the risk, we need to educate and spread awareness to them. Saying OK to privacy-invasive technology is not the right way IMO. CMIIW.

Okay mate. That lightened up my synapses now.

Hmm, okay I was like thinking that our devices will keep parsing the data regarding human confirmation based on which our device and the browser will contact each other.
So like, my mouse touch pad is entirely a biometric sensor plate which will let my laptop understand I am working with it and let it know I am still human.

Whenever a browser opens up it does not have to access my biometric data directly. It has to only call for verification parameters that are logged by my device itself.

That could add an extra layer of security without compromising my privacy?

And also, there is no one else other than the device who will have our data stored offline on it and only be used when applications require the verification data. (That too just log of my finger sense captured in real time).

legendary
Activity: 2142
Merit: 1785
The only times when it would be synched is when our browser ends up with pre verification step.
Syncing means your data needs to be verified right? At one point or another, the data will need to be shared with other parties. The website needs to prove that I'm human in real time so I'll need to scan at the same time, I don't know how you can bypass this by sending encrypted data unless the website itself has the same data to do the verification. If the scanning in real-time itself is pointless because the data is stored offline (hence the website does not need any fingerprint data), then why need a fingerprint scan in the first place? A captcha would suffice no?

I'm not familiar with the technicalities but even if you only need the hash of such data, I still don't feel safe when I use it. I hope you understand what I'm trying to say since it is quite difficult to put it into words.

Nonetheless, in today's world we are anyways sharing a ton of personal data to these devices already. Whether it is my location (steady/live), motion detection, permissions to read the data on device for various purposes so that the app/site can function normally.
I don't see why we should normalize such practice if it harms our privacy and security, even if a lot of apps do the same thing. Not to mention you can disable/remove those permissions, and use other apps that don't require any sensitive data for your purpose. Those websites don't need so much of our data to function well, would you give your location data to an obscure website just because they asked you? If I need to scan my fingerprint just to see their website, I'd rather leave.

There are tons of abuse of such personal data if you take a look around this forum. Things from phishing e-mails because of a database leak, stolen identity where somebody suddenly got a lot of debt when they never made one, losing crypto money because their password is stored online, etc.

Not everyone is techy, not everyone understands what type of data might be getting shared.
And because not everyone understands the risk, we need to educate and spread awareness to them. Saying OK to privacy-invasive technology is not the right way IMO. CMIIW.
full member
Activity: 1092
Merit: 227
Oh okay. So it destroys the whole point of using this mechanism and we still need to rely on the traditional way of bot verification.

I understand that our fingerprints will be used to verify the bot or no bot verification but in that case also we can have the data stored on the device itself just like what you mentioned about the phone security right?

The only times when it would be synched is when our browser ends up with pre verification step.

Nonetheless, in today's world we are anyways sharing a ton of personal data to these devices already. Whether it is my location (steady/live), motion detection, permissions to read the data on device for various purposes so that the app/site can function normally.

Not everyone is techy, not everyone understands what type of data might be getting shared.

Does it really concern us for single fingerprint scan?
legendary
Activity: 2142
Merit: 1785
My biggest concern is privacy and security. How can we ensure that my fingerprint data is secured? If I understood your idea correctly then somebody can link my activities and probably figure out who I am as long as they get my fingerprint scan data. What if some malware is installed on my phone and use the data to log in to our sensitive account for example?

I can understand why phones or other devices use fingerprints as their locking mechanism since the data is stored offline (assuming they don't send it to some server of course), but using fingerprints as a captcha for online service sounds like a bad idea. Compared to captchas that exist right now, using fingerprint or other biometric verification sounds like a step-down. At least if we consider privacy as something really important for the user.

Btw, you also mention a crypto wallet as the target for this, I think we can separate captcha and wallet verification entirely since their goal is different. Fingerprint for your crypto wallet can work with fewer privacy issues (if your wallet is a cold wallet at least), and you don't need to connect to the internet to do that in the first place. If you want to use your device as an extra security, you might want to install FIDO (or buy one like Yubico) or something similar, so you don't need personal data for that too. CMIIW.
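An added example, not written by either poster: a sketch of the challenge-response pattern that FIDO-style devices rely on, which answers the "bot can simply say OK" and "recorded data" objections raised in this thread. The fingerprint match stays a local yes/no on the device and only a tag over the server's fresh challenge is sent. All names (`Server`, `device_respond`, `mac_tag`, `DEVICE_KEY`, the origins) are hypothetical, and HMAC with an enrolled key stands in for the per-site public-key signature a real FIDO authenticator produces.

```python
import hashlib
import hmac
import secrets

# Constructed demo key, provisioned at enrollment. A FIDO authenticator uses a
# per-site key pair instead, so the server would hold only a public key.
DEVICE_KEY = secrets.token_bytes(32)


def mac_tag(key, challenge, origin):
    # Bind the proof to this site and this challenge, not to any scan data.
    msg = f"{origin}|{challenge}|user-verified".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Server:
    def __init__(self, origin, device_key):
        self.origin = origin
        self.device_key = device_key
        self.pending = set()  # challenges issued and not yet consumed

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, response):
        challenge = response.get("challenge")
        # Single-use challenge: a recorded response cannot be replayed.
        if challenge not in self.pending:
            return False
        self.pending.discard(challenge)
        expected = mac_tag(self.device_key, challenge, self.origin)
        # A client that only claims "OK" cannot produce a valid tag.
        got = str(response.get("tag", ""))
        return hmac.compare_digest(expected.encode(), got.encode())


def device_respond(key, challenge, origin, fingerprint_matched):
    # The biometric match is a local boolean; no scan data enters the response.
    if not fingerprint_matched:
        return None
    return {"challenge": challenge, "tag": mac_tag(key, challenge, origin)}
```
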
full member
Activity: 1092
Merit: 227
Changing Google Captcha to Biometric Scan | Extended application to Crypto wallet accessing, internet banking services and more!


Google Captcha / hCaptcha / or any other type of bot verification barrier can be seen almost on every website these days. It is very boring and you have to keep trying until you pass the test. However, it's not a big deal to do so. In fact we have seen videos and hacks in which bots are actually able to figure it out through the pixel intensity and what's being asked by the bot verification tool.

Though it's funny to know, there are some bots which are intentionally allowed to complete the verification in the background to keep track of valid logs.

However, there is one excellent idea to get rid of this verification and on top of this it could also revolutionize the way websites are passed for the bot verification.



New Approach: Continuous Biometric Scan


In this approach we can have new laptops installed with the Biometric Scanner. There are already many versions from different Brands who are providing Thumb Scanner for the purpose of "logging into" your device. As far as smartphones are concerned all of them come with high end biometric scanners.

For smartphone:
1) You have facial recognition and deep eye retina scanner.
2) On screen and Off screen Thumb scanners are literally a thing of the past!

For Laptops and big screen devices:

Assume you are using a laptop and you have a keypad which can have multiple thumb sensors to cover the whole area of it. A program can be run which will continuously keep track of the person touching it and thus telling the computer that a real person is in touch with the device.

The scanner will obviously verify this data against the "pre-verification" data that is obtained during device set up.

Whenever I will visit a website then it should be done as smoothly as there should be no window popping up for verifying a human is accessing the same.

This is literally possible on every device where you are accessing such websites considering the fact that you will be using high end devices to do so. Frankly, even the cheapest smartphone on the earth comes with this tech!

Additional Benefits:

We can smoothly use this method for passing securities for our internet banking services, cryptocurrency wallet accessing and what not! There is no limit for its implementation.

If this project has to be made successful then it will need two things
A) Device manufacturers start producing devices with inbuilt biometric scanners and also required open end program which will sync with the apps and sites for confirmation
B) Open source projects and established projects accepting this sort of services.



Questions

1) Did you like this concept?
2) What could be possible challenges for this one?
3) Do you think it can revolutionize the way we look at verification of various layers over the web?

All thoughts are welcomed.
