
Google and Microsoft Push Websites to Go Password-Less - ThoAppelsin
https://www.pcmag.com/news/360582/google-microsoft-push-websites-to-go-password-less
======
hirsin
Couple comments already on "websites shouldn't accept biometrics as a
password". They're totally correct, and that's not what is being shown here.
This is "websites accept hardware or software generated FIDO logins that have
access to them intermediated by a combination of several factors including
device presence, session login, and biometrics".

The hard part is making that look and feel like "login with a fingerprint".

~~~
JumpCrisscross
What happens when I lose or break all my devices?

~~~
magicalist
> _What happens when I lose or break all my devices?_

What happens when you use iOS's password generator and manager and you lose or
break your phone? Or the same but with LastPass?

You've either synced it or you lose all your passwords.

~~~
JumpCrisscross
My LastPass vault is protected with a master password. If I lose all my
devices, I can restore from online using that. I'm just wondering how that
would work in a passwordless schema.

~~~
hirsin
We (IDPs in general, I can't quite speak to FIDO work) still have other
account recovery methods, like email (eg Facebook lets you do fast IDV for
password reset if you have a Gmail account associated). Part of this is a
turtle tower - there's always going to be some more definitive IDP that we ask
you to associate and fall back to, and hopefully that IDP will do the same.
Our work (MSFT Identity) on decentralized ID in particular needs to take this
into account - who's the last turtle there?

------
titanix2
While it may be interesting from an ease of use point of view, I'm worried it
is actually more of move from Google and Microsoft to get more lock-in on
their OS and of the web.

~~~
remir
Technically, nothing prevents Apple and Mozilla (and others) from implementing
this technology into their products.

~~~
titanix2
Sorry, I didn't give enough details. I mean biometric data are gathered from the
hardware through system APIs. This is where system vendors can restrict things,
for example by exposing the API to some framework only (e.g. UWP) or even
making them private.

~~~
ThoAppelsin
Unless system vendors discriminate other browsers from their own browser in
terms of the said restrictions, I would say that it is fair game.

Following your example, if Microsoft were to require browsers use UWP
framework to utilize the biometric authentication API, implementing the
feature to Edge and not to Internet Explorer, would that be problematic?

------
skywhopper
This is nothing new, although there's perhaps no common standard implemented
by all the players. However, while the process may be "simpler, securer ways
to grant login access" from the users' perspectives, often these sorts of
protocols become many times more complex to get right on the server side of
things.

Another worry is that this sort of approach will effectively hide the
authentication mechanism from the user. So while I may make the choice to use
notional biometric login to a Facebook app on my phone, knowing all the risks
and compromises that come with having a Facebook account, I may not wish to
use a Facebook login for other authenticated services unrelated to Facebook
(when I'm confronted with the option to log in with Facebook, I always choose
the other option, whatever it is, even if it's "give up on using this
system/service").

~~~
hirsin
Authentication and Federated login shouldn't become the same thing, and FIDO
doesn't move us closer to that. There's not a scenario where this becomes
"silently login to Facebook and silently provide consent by clicking login" -
users will still have to consciously click on "login with Facebook" at which
point they can use FIDO to login to a Facebook property.

------
jlgaddis
Yubico wants people to go "passwordless" too -- and was also at RSA to pitch
"passwordless login" [0] -- but wants you to use their new "Security Key" [1]
(which supports both U2F and FIDO2) instead.

Personally, I'd be more inclined to go this route (hardware key versus an app
on my phone that uses my fingerprint or a facial scan).

[0]: https://www.yubico.com/2018/04/yubico-rsa-2018-passwordless-logins-developer-programs/

[1]: https://www.yubico.com/product/security-key-by-yubico/

------
JoshMnem
It sounds like a terrible idea. What if you don't have Android, Microsoft,
Apple, or Amazon products, or even a smartphone at all? Smartphones collect
too much information and it shouldn't be required to link all that data just
to log in to websites.

~~~
tootie
Plenty of sites provide multiple auth options. Like social login or
email/pass. There's something to be said for not trusting every site in the
world to know how to secure a password database. In fact, many are outsourcing
auth to companies like auth0 behind the scenes.

------
Quarrelsome
As long as you're still logging into the device using some form of information
that can't be collected from you unconsciously it's fine. Is that what it is? I
hope that's what it is, otherwise I'm going to need to buy some gloves.

------
danielblazevski
Getting my fingerprints hacked sounds worse than getting my password hacked, I
can’t change my fingerprint!

------
amanzi
As others have already mentioned, this article is a bit misleading. However,
I'd like to point out the good work that Microsoft is already doing to enable
"passwordless" logins. You can log in to your Windows PC with a PIN or
biometrics, and you can log into many Microsoft web services using the
Authenticator app on your smartphone. The upshot to this, is that you can set
a much stronger account password knowing that you won't have to type it in
that often. Google and Apple are lagging behind in this space - both require
you to type in your full password way too often which leads customers to using
weaker, easier to type passwords instead. Still a lot to improve in this
space.

------
concerned_user
It has been said many times already, biometric data is not a password it is a
login/user name.

~~~
evfanknitram
But isn't it still a stronger form of authentication than the average
password?

I would not use it for authentication against the missile launch system, but
my ex will probably not chop off my finger to access my Facebook account, nor
will random bots trying to access my Gmail account.

~~~
cornholio
Yet, she can use $50 kits to lift and scan a fingerprint from your belongings.

~~~
UncleMeat
She can, but the threat model here is so amazingly different than traditional
threat models for username/pw that it is _ridiculous_ to say that biometrics
are usernames. Biometrics are biometrics. They are simply different. They have
different threat models and failure modes than passwords. They are neither
better nor worse.

~~~
cornholio
It's an analogy that captures the essence of the problem framed in a way most
people can understand it: with biometrics there is no shared secret, just a
high entropy, non-revocable and very public UID.

Yes, public in a different model, with a different set of threats, but that's
irrelevant to what the analogy is trying to convey.

It's a human trait to evaluate and disseminate new concepts through existing
concepts. Everything is unique; if you want to refine or disprove the analogy
it's not enough to call it wrong repeatedly, you need to accept that the specific
frame of reference is suggestive to those who chose it, and formulate your
arguments from that perspective.

------
toddh
I couldn't tell what data is leaking to the service provider. Are they
gathering data on all these sessions?

~~~
haspoken
Nothing is free and now you will have to have an account with the service
provider and whatever terms and service they choose.

------
tootie
It seems to me that biometric passwords are convenient and better than a weak
password, but much easier to compromise. Fingerprints can be lifted. Faces can
be photographed.

~~~
albertgoeswoof
more importantly, they can't be changed

------
jpswade
Biometric can be used as an identifier but not as a password.

------
shmerl
Biometrics should never be the only means of authentication. They can only be
complementary.

------
newnewpdro
Authentication should always require something you know. Adding something you
have/possess like a crypto device is a great way to enhance security, but it
should always be a supplement to something you know - your password.

------
dredmorbius
Passwords are bad. Fingerprints and face-recognition worse.

I'm strongly in favour of very-near-field chips, at < 1cm range preferably. In
a wearable form factor, these are replaceable but difficult to misplace or
lose.

~~~
trumped
It might be <1cm with this antenna but someone else with a better antenna
might be able to read it from 1m...

~~~
dredmorbius
Timing would limit range.

The auth itself is query-response, replay attacks don't work.
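The query-response point above, as an added example that is not from the thread and is not any FIDO library's code: a minimal challenge-response exchange in Python in which the relying party issues a one-time random challenge, the device answers with a MAC over the challenge and the site identifier, and the server rejects both a replayed response and a response produced for a different site identifier. HMAC over a shared per-registration secret stands in for the asymmetric signature a real FIDO authenticator would make (a simplifying assumption), and the names `RelyingParty`, `Authenticator` and `demo` are this sketch's own.

```python
"""Constructed challenge-response sketch (not from the thread, not a FIDO library).

The relying party (website) issues a fresh random challenge; the authenticator
answers with a MAC over (relying-party id, challenge); the relying party accepts
each challenge at most once, so a captured response cannot be replayed.
HMAC with a shared secret stands in for the authenticator's private-key
signature in real FIDO (simplifying assumption).
"""
import hashlib
import hmac
import secrets
import time


class Authenticator:
    """Device-side half: holds a secret registered with one relying party."""

    def __init__(self, secret=None):
        self.secret = secret or secrets.token_bytes(32)

    def respond(self, challenge, rp_id_seen):
        # The response commits to the relying-party id the client observed,
        # so a challenge relayed through a different site yields a different MAC.
        msg = rp_id_seen.encode() + b"\x00" + challenge
        return hmac.new(self.secret, msg, hashlib.sha256).digest()


class RelyingParty:
    """Server-side half: issues one-time challenges and verifies responses."""

    def __init__(self, rp_id, ttl_seconds=60.0):
        self.rp_id = rp_id
        self.ttl = ttl_seconds
        self.registered = {}   # username -> shared secret (assumed registered earlier)
        self.pending = {}      # challenge bytes -> expiry (monotonic seconds)

    def register(self, username, secret):
        self.registered[username] = secret

    def issue_challenge(self):
        challenge = secrets.token_bytes(32)
        self.pending[challenge] = time.monotonic() + self.ttl
        return challenge

    def verify(self, username, challenge, response):
        # pop() consumes the challenge: a second presentation of the same
        # (challenge, response) pair finds nothing pending and fails.
        expiry = self.pending.pop(challenge, None)
        if expiry is None or time.monotonic() > expiry:
            return False
        secret = self.registered.get(username)
        if secret is None:
            return False
        expected = hmac.new(secret, self.rp_id.encode() + b"\x00" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    """One legitimate login, one replay of it, and one response bound to another site."""
    rp = RelyingParty("example.com")
    device = Authenticator()
    rp.register("alice", device.secret)

    c1 = rp.issue_challenge()
    r1 = device.respond(c1, "example.com")
    first = rp.verify("alice", c1, r1)            # True: fresh challenge, correct MAC

    replay = rp.verify("alice", c1, r1)           # False: challenge already consumed

    c2 = rp.issue_challenge()
    r2 = device.respond(c2, "other.example")      # MAC bound to a different rp id
    cross_site = rp.verify("alice", c2, r2)       # False: rp id mismatch

    return {"first": first, "replay": replay, "cross_site": cross_site}


if __name__ == "__main__":
    print(demo())
```

The two rejections are the properties the comment is pointing at: a response is only ever accepted against the unexpired challenge it was computed for, and the relying-party id folded into the MAC is what a real authenticator's origin binding provides, so a response obtained on one site is useless on another.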

