Biometric data is the equivalent of a username not a credential to be used for auth. It uniquely identifies but does not authenticate a person. You can go passwordless with a FIDO key or push notification confirmation apps for auth and use biometrics instead of usernames (don't see the advantage).
Curious, what happens if people lose their arm or eye? How do you recover the account? Let me guess, email? Lol. So all this and you're still a phish away from pwnage!
Doesn’t FaceID stand an example of this not being the case? I can log into pretty much all of my apps and make purchases with my face. Never once worried about my face being stolen or lost. Until that Mission Impossible tech exists I’m not worried that someone is gonna be able to impersonate me.
Biometric auth isn’t “I send a picture of my face over the network and that auths me” but a device a priori trusted by the service or the user takes a reading and releases a key.
Nobody says that “your hardware configuration is just a username” when talking about TPM security but when it’s wetware suddenly it’s a huge issue.
You think it is difficult to 3D print your face from a photograph? You can't revoke wetware, doesn't matter what you do on the device. You can take a picture of someone's palm from a mile away and use their fingerprint to auth as them!
That's just it, you can get as many iPhones as you want. The threat actor will always be able to fool it once they have your biometric data. Even a human can't tell them apart by using a photo if the 3D print is good enough. There will always be a way to mimic wetware.
I feel like we're way better off just sending an email every time a user logs into a new device. We already have to assume the email is secure anyway...
Having to have tons of Yubikeys adds so much friction.
Death to email! Stop using email entirely unless users opt-in. Give users the option of FIDO or passwordless auth apps with a reset code or oauth federation with a third party.
I was listening to a security podcast in which the host was quite proud of having lots of Yubikeys around. No way this scales to the general population.
For companies, I think it should be part of the employee badge's cost. Just another peripheral.
I think it can indeed scale, people use USB drives a lot, think of it as another peripheral similar to mouse or keyboard. It is especially more attractive as a single factor auth when you go passwordless. It is a similar security model as physical keys and the cost is only ~1x more.
FIDO should only be used as a second factor. U2F keys can and will be lost or stolen. Speaking of which, anyone using U2F keys needs to record which keys were enrolled for which site, and sites should allow multiple keys as well as giving nicknames to them.
FIDO can and does get used as the only factor auth when people/orgs go passwordless. There are various ways of recovering and having temporary access when losing a key
I'm less concerned about loss of access than with what happens if your key is stolen and can be used to log in because no password is required. Just pressing a button is not strong enough. Now, Apple/Google/Microsoft implementing Passkeys with proper device authentication is perfectly fine. Perhaps I should have specified "FIDO U2F" rather than just "FIDO".
I think I've only seen it on the eBay site - there it's just a way of bypassing entering a password when you're using your laptop/phone which do the fingerprint auth. Assume if you lose your arm you'd enter the password with the other hand.
The technology is interesting, probably fun to play with. The surrounding text seems to gloss over some complexity inherent in using it for authentication.
> "Hard to steal"
Depends on the situation and attack surface. I would not want to use it to unlock my car or access my bank account. The Chaos Computer Club demonstrated that in 2008 by publishing the fingerprint of a German minister[0]. Fooling fingerprint scanners is entirely possible [1]. It _may_ suit your application, do not blindly believe this article though.
> without adding any friction
That's not my experience with Apple devices. Sometimes it works and only adds about three seconds. Other times you wipe and re-position your fingers a second or even third time.
Although I certainly agree that biometric has shortcomings as an auth mechanism, not sure I agree it matters for a car, where you can just break a window to get access.
Good point. I was thinking about "unlock and start" the car, didn't write that though. And even in that case it might not be much worse than the keyless options nowadays.
The article is using "biometric authentication" to refer to WebAuthn-based authentication (which on lots of modern OSes can use biometrics to authenticate access to the keys used for WebAuthn).
It is indeed hard to steal WebAuthn keys out of modern secure mobile devices. It's not talking about stealing biometric data.
I would guess that most hardware/browsers that support the biometric API today (on iPhone/Mac laptop anyway) the fingerprint/authentication is done on and tied to the device. So to log on to a website with it you would need access to someone's unlocked phone or laptop - 99% of the time that would probably give you access to their email which would enable you to do a password reset anyway.
"This challenge will be returned in the response and you must verify they are the same."
Ummm, "MUST"? (emphasis is mine).
Too bad that we cannot somehow make this requirement word a "SHALL" as this leg of the "ceremony" can easily be overridden by a malicious JavaScript function(s).
Unless these JavaScript scripts AND their referenced HTML pages are also:
- under the protection of nonce hash values,
- complex CSP properly scoped,
- older WebAuthn protocol made client-side rejectable,
- its server-supplied JavaScript logic gets pre-tested in its client browsers prior to the ceremony,
- CTAP1 properly rejected, AND
- the browser is also deemed provably secured from a nonce override.
Awful lot of conditions such that it reminds me of the children's game of "Jenga" (a tower of stacked rectangular blocks) ... reaching for the sky.
Surely, our large pool of esteemed and well-trained web ninjas can handle this seemingly "nuclear-safety" checklist with relative ease. /s
More must be done to streamline this before web integrity gets properly and safely restored in these days and ages.
Shit. Disregard all that I said. I forgot about the malicious client-side nonce-disabling malware. That's a doable thing.
> As a cryptographic protocol, Web Authentication is dependent upon randomized challenges to avoid replay attacks. Therefore, the values of both PublicKeyCredentialCreationOptions.challenge and PublicKeyCredentialRequestOptions.challenge MUST be randomly generated by Relying Parties in an environment they trust (e.g., on the server-side), and the returned challenge value in the client’s response MUST match what was generated. This SHOULD be done in a fashion that does not rely upon a client’s behavior, e.g., the Relying Party SHOULD store the challenge temporarily until the operation is complete. Tolerating a mismatch will compromise the security of the protocol.
WebAuthn operates on a key pair generated using your biometrics in the background and then that is used for authentication. Your actual biometric data isn't sent to the website.
So I would just sync the keys locally or via some browser extension and then on each device be responsible to readily provide the "secret" (e.g. my face or fingerprint) to unlock said key, yes?
The idea is that you aren't giving away any kind of biometric data, just using your fingerprint/face-unlock/etc to "unlock" the key used for signing the request locally.
It could also be implemented in a way where it's behind a password instead of biometrics. Yubikey and the likes already use this method.
I'm guessing parent, like many here on HN, tends to travel internationally at least once in their lifetime. And then a passport is "forced" upon you, if you'd like to transport yourself across international borders (unless Schengen or similar areas).
In that case it’s simply a question of what you value most, your biometric privacy or the ability to have an international travel permit. It’s a choice; neither option is forced on anyone.
But no one chose to be presented with that choice. Ideally we would be able to have both biometric privacy and international travel.
Well, to be fair, a lot of people probably do support the idea that their own country checks the documents of people who enter and exit through their borders, and are maybe glad that the country they are visiting is similarly careful, but in principle, someone might want to emigrate to Antarctica, and never return to their country of birth, and for them it would be an unnecessary burden to have to apply for a passport.
Which really entrenches a specific philosophy of what the relationship should be between the state and the citizen.
A mandatory ID card says that every citizen has to prove their validity to the state, and it is the state which can grant or revoke that validity, rather than the state being the servant of the citizens.
There have surely been enough examples by now of successful countries not requiring mandatory ID cards, and examples of ID cards being abused by governments for discriminatory policies, that I don't know why they have such support.
No, but that way I keep my fingers AND (if lucky) my head.
But if my fingers are my password, they could either force me to unlock right now and have the problem that it locks again after some time of inactivity (depending on the impl on the other side), or take away the fingers (instead of a password) with them and be able to unlock as often as they want (and the fingers not rot) :)
I'd rather them take some knowledge and not harm me, or rather: make the harming part less likely.
tldr; my point isn't about keeping the account safe, but about the potential risk of injuries to my body.
All I can say is that I hope other HN commentators don't find the most picky and shallow thing to complain about in the future. And if they do, at least give some reasoning behind it so it isn't so blatantly shallow and at least pretend to want to discuss something of value.
> Please don't post shallow dismissals, especially of other people's work. A good critical comment teaches us something.
Just please be aware of the limitations and offer choices. The author writes this:
> Due to the abstraction of the WebAuthn API, you can’t be certain the user is authenticating via a biometric. You can take certain steps to encourage it, but you can’t force it.
> However, biometric authentication tied to popular operating systems are a quite prevalent form of WebAuthn-compatible hardware, so it is likely that if you encourage your users to set up WebAuthn logins, they’ll be using biometrics. You can also encourage this via the messaging on your website.
Look man, I wake up around 3 in the morning most days. I browse in the dark pretty frequently. I've never set up Face ID, but even if I had, I'm not going to go turn a light on to try and log into your website. And yeah, in 2022, you might find this hard to believe, but I don't even have a webcam on any of my desktops. It sure is nice to still be able to use the web.
I also walk very frequently, play Pokemon Go quite a bit, and lift weights daily usually with chalk. As a result, my fingertips are often pretty burned and dry, and it is often not possible to take a fingerprint reading at all. I do have touch ID turned on for all my laptops, but it works maybe 50% of the time.
Just offer options. Whether you think it's less secure or not, my keyboard is almost never going to stop working.
Had you tried Face ID, you would be aware that it requires no visible light. It works in the infrared spectrum and produces the required infrared light independently.
Face ID also works a lot more reliably than Touch ID.
> I also walk very frequently, play Pokemon Go quite a bit, and lift weights daily usually with chalk. As a result, my fingertips are often pretty burned and dry, and it is often not possible to take a fingerprint
How vigorously are you playing Pokemon that it's rubbing off your fingerprints?
Or is "playing Pokémon" a euphemism for some other activity?