OFFICIAL SECURITY BLOG

Lock-Unlock, Biometric adventures, part 2

September 27, 2013 | BY

Some time ago, I experimented with SignWave Unlock Free for Windows by Battelle.

This was software for my Leap controller that promised to use the shape of my hand as a biometric mechanism to unlock my workstation.

This app was only available for Windows and was a general disappointment.

My co-worker was able to unlock my workstation “handily” in about 30 seconds flat. We reproduced this failure several times, just to be sure. You can watch us do the “hack” here.


These hands are different, yet both unlocked my Windows workstation with the SignWave app.

I recently saw an application being advertised via the Leap Motion newsletter that interested me, and when I plugged mine in and fired up their Airspace marketplace, I was delighted to see that Battelle had released the Mac version of SignWave Unlock Free.

As originally promised, I decided to evaluate it.

Perhaps my days of super complicated passphrases were about to be a thing of the past? As I had downloaded and installed the Windows version, the Airspace market helpfully downloaded the Mac version on its own.

I then proceeded to go through the initial configuration setup for SignWave to record the biometric signature of my hand.

I am pleased to report that the process has gotten simpler and significantly less painful. Other than a more prominent license agreement, the biometric profile creation was much more friendly.

In the past, if a motion was interrupted by say, your hand wandering away from the ideal position above the Leap, the step in the biometric profile creation had to be re-started from the beginning. This made the biometric signature creation process exceedingly frustrating.

Now the process just halts until you place your hand in the correct position again, and it simply resumes recording. You know exactly how long is left for each particular step, as it is illustrated by a blue progress line, slowly circling the wireframe representation of your hand.

Needless to say, the very first thing my co-worker, Jerome Segura, tried once this process was completed was to log in as me with his hand.

I’m happy to report that he was unsuccessful in all attempts.

Even more promising was that after a few tries the app defaulted to requesting the password be typed in manually, the old-fashioned way, refusing to accept any more attempts at a biometric unlock.

This behavior effectively thwarts brute-force attempts.

There are, however, some aspects of the app that prevent me from heartily recommending it as a day-to-day solution.

If your co-worker volunteers a free pen test of your SignWave Unlock app and, in the process, triggers the manual password entry mechanism, your biometric hand signature will stop working for a period of time.

There is nothing indicating this state. If you unlock the computer manually, then lock it again, the SignWave Unlock app will refuse any input, even the correct biometric signature of your hand.

I think this is by design, and I think that SignWave is in a lockout mode after too many attempts.

I realize this is not a normal scenario, but some visual cue that the biometric login mechanism is disabled would have been nice. I did wait a little while before it started working again.
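The lockout behavior described above, combined with the visual cue the post asks for, can be modeled as follows. This is an added example, not part of the original post and not SignWave's code; the class name, the threshold of 3 failures and the 300-second lockout are assumptions, since the post only says "a few tries" and "a little while".

```python
import math
import time


class BiometricThrottle:
    """Limits failed biometric attempts and exposes its state to the lock screen.

    max_failures and lockout_seconds are assumed values, not SignWave's.
    """

    def __init__(self, max_failures=3, lockout_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock          # injectable so the timing can be tested
        self.failures = 0
        self.locked_until = None    # None means biometrics are enabled

    def seconds_remaining(self):
        """Seconds left in the lockout, clearing it once it has expired."""
        if self.locked_until is None:
            return 0
        remaining = self.locked_until - self.clock()
        if remaining <= 0:
            self.locked_until = None
            self.failures = 0
            return 0
        return remaining

    def status(self):
        """Text for the lock screen, so a disabled sensor is never silent."""
        remaining = self.seconds_remaining()
        if remaining > 0:
            return f"Biometric unlock disabled for {math.ceil(remaining)}s; use password"
        return "Biometric unlock available"

    def attempt(self, matched):
        """Record one biometric attempt; return True only if it unlocks."""
        if self.seconds_remaining() > 0:
            return False  # fail closed: even the enrolled hand is refused
        if matched:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            # Too many misses: fall back to password entry for a fixed period.
            self.locked_until = self.clock() + self.lockout_seconds
        return False
```

A manual password unlock does not touch this state, which reproduces the observed behavior: the enrolled hand keeps being refused until the timer expires, but `status()` tells the user why.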

SignWave will also not allow you to unlock your Mac from a cold boot.

The real show stopper for me is that if you have your screen saver set to go to a login prompt after a period of inactivity, you cannot use the SignWave App to unlock it.

Waving your hand above the Leap will wake up the machine, but not offer the SignWave biometric method.

It would appear you can only use the SignWave app to unlock your computer after it has first been turned on and logged off through the Apple logo menu method, or if you use some third-party method, such as the Intic Apple lock widget I use when I know I will be away from it for a while.

Selecting a “fail to lock” behavior is definitely an improvement, but not allowing an unlock when the screensaver has kicked in sort of defeats the whole purpose.

*Addendum: After playing around with the settings, I am offered the option to log in after the screen saver has kicked in, but SignWave fails to recognize my hand in more than half of the attempts.