
New web standard allows biometric authentication like face or fingerprint to any website


Posted (edited) · Original Poster

Primary Sources: W3C, Fido Alliance

Secondary Source: Engadget

 

Quote


The FIDO Alliance and W3C have launched a Web Authentication standard that makes it easier to offer truly unique encryption credentials for each site. That, in turn, lets you access virtually any online service in a PC browser through password-free FIDO Authentication, not just specific services. You can continue to use familiar methods like fingerprint readers, cameras and USB keys, and it can serve both in place of and in addition to passwords.

At the moment, only Mozilla Firefox supports WebAuthn, with Microsoft Edge and Google Chrome to add support for this new web standard. Unfortunately, there is no mention on WebKit's website of adding the same support, but I expect them to do the same thing, maybe at WWDC 2018. I don't know how secure this is compared to a long alphanumeric password, assuming that it isn't stolen. Here are some words of assurance from the FIDO Alliance:

Quote


WebAuthn defines a standard web API that can be built into browsers and related web platform infrastructure to enable online services to use FIDO Authentication. CTAP enables external devices such as mobile handsets or FIDO Security Keys to work with WebAuthn and serve as authenticators to desktop applications and web services.

 

Enterprises and online service providers looking to protect themselves and their customers from the risks associated with passwords — including phishing, man-in-the-middle and attacks using stolen credentials — can soon deploy standards-based strong authentication that works through the browser. Deploying FIDO Authentication enables online services to provide choice to users from an interoperable ecosystem of devices people use every day like mobile phones and security keys.

 

The new specifications complement existing passwordless FIDO UAF and second-factor FIDO U2F use cases and specifications and expand the availability of FIDO Authentication. Users that already have external FIDO-compliant devices, such as FIDO U2F Security Keys, will be able to continue to use these devices with web applications that support WebAuthn. Existing FIDO UAF devices can still be used with pre-existing services as well as new service offerings based on the FIDO UAF protocols.

 

FIDO will soon launch interoperability testing and issue certifications for servers, clients and authenticators adhering to FIDO2 specifications. Additionally, FIDO will introduce a new Universal Server certification for servers that interoperate with all FIDO authenticator types (FIDO UAF, FIDO U2F, WebAuthn, CTAP). As a best practice, the FIDO Alliance recommends online services and enterprises deploy a Universal Server to ensure support for all FIDO Certified authenticators.

I'm pretty sure that at the moment a lot of people can already sign in to websites on their phones using biometric authentication to unlock their third-party password manager. In my case I use LastPass, and it works very well for me, as it supports both Touch ID and Face ID as well as Android.


Here are some use cases in which W3C thinks this new standard can be useful:

Quote

1.1.1. Registration

  • On a phone:

    • User navigates to example.com in a browser and signs in to an existing account using whatever method they have been using (possibly a legacy method such as a password), or creates a new account.

    • The phone prompts, "Do you want to register this device with example.com?"

    • User agrees.

    • The phone prompts the user for a previously configured authorization gesture (PIN, biometric, etc.); the user provides this.

    • Website shows message, "Registration complete."

1.1.2. Authentication

  • On a laptop or desktop:

    • User navigates to example.com in a browser, sees an option to "Sign in with your phone."

    • User chooses this option and gets a message from the browser, "Please complete this action on your phone."

  • Next, on their phone:

    • User sees a discrete prompt or notification, "Sign in to example.com."

    • User selects this prompt / notification.

    • User is shown a list of their example.com identities, e.g., "Sign in as Alice / Sign in as Bob."

    • User picks an identity, is prompted for an authorization gesture (PIN, biometric, etc.) and provides this.

  • Now, back on the laptop:

    • Web page shows that the selected user is signed in, and navigates to the signed-in page.

1.1.3. Other use cases and configurations

A variety of additional use cases and configurations are also possible, including (but not limited to):

  • A user navigates to example.com on their laptop, is guided through a flow to create and register a credential on their phone.

  • A user obtains a discrete, roaming authenticator, such as a "fob" with USB or USB+NFC/BLE connectivity options, loads example.com in their browser on a laptop or phone, and is guided through a flow to create and register a credential on the fob.

  • A Relying Party prompts the user for their authorization gesture in order to authorize a single transaction, such as a payment or other financial transaction.

So when can I sign in to Linus Tech Tips using my fingerprint, @colonel_mortis? xD

/s

 

I'm by no means a web developer, but looking at the W3C specifications, this is something already in existence using third-party password managers that support biometric authentication, hardware-based authentication like Yubico's YubiKey, and two-factor authentication with a smartphone; only this time, the website must support it and the feature is built in to the browser. I see this as more of a convenience feature, meaning I don't have to type my long passwords in each website, and according to them, it reduces MITM attacks by using your biometrics to log in instead of your passwords, which can be stolen. But my concern is that biometrics can be spoofed and are not protected by laws like America's 4th Amendment, so as nice as this open standard is for logging in, I think most people are better off with a password + password manager + two-factor authentication. So many people have said the password is dead, but I think not yet.

 

It sucks that Apple didn't participate, and they're quite slow in adopting open standards.

Edited by hey_yo_

Why don't they take a droplet of my blood for testing too, just to be sure? Maybe they can give me a colon inspection while we're at it.


<Make me a sandwich.> <No! Make it yourself!> <Sudo make me a sandwich.> <FINE.> What is scaling and how does it work? Asus PB287Q unboxing! Console alternatives :D  CoC F.A.Q Beginner's Guide To LTT (by iamdarkyoshi)

Sauron's™ Product Scores:

Spoiler

Just a list of my personal scores for some products, in no particular order, with brief comments. I just got the idea to do them so they aren't many for now :)

Don't take these as complete reviews or final truths - they are just my personal impressions on products I may or may not have used, summed up in a couple of sentences and a rough score. All scores take into account the unit's price and time of release, heavily so, therefore don't expect absolute performance to be reflected here.

 

-Lenovo Thinkpad X220 - [8/10]

Spoiler

A durable and reliable machine that is relatively lightweight, has all the hardware it needs to never feel sluggish and has a great IPS matte screen. Downsides are mostly due to its age, most notably the screen resolution of 1366x768 and usb 2.0 ports.

 

-Apple Macbook (2015) - [Garbage -/10]

Spoiler

From my perspective, this product has no redeeming factors given its price and the competition. It is underpowered, overpriced, impractical due to its single port and is made redundant even by Apple's own iPad pro line.

 

-OnePlus X - [7/10]

Spoiler

A good phone for the price. It does everything I (and most people) need without being sluggish and has no particularly bad flaws. The lack of recent software updates and relatively barebones feature kit (most notably the lack of 5GHz wifi, biometric sensors and backlight for the capacitive buttons) prevent it from being exceptional.

 

-Microsoft Surface Book 2 - [Garbage - -/10]

Spoiler

Overpriced and rushed, offers nothing notable compared to the competition, doesn't come with an adequate charger despite the premium price. Worse than the Macbook for not even offering the small plus sides of having macOS. Buy a Razer Blade if you want high performance in a (relatively) light package.

 

-Intel Core i7 2600/k - [9/10]

Spoiler

Quite possibly Intel's best product launch ever. It had all the bleeding edge features of the time, it came with a very significant performance improvement over its predecessor and it had a soldered heatspreader, allowing for efficient cooling and great overclocking. Even the "locked" version could be overclocked through the multiplier within (quite reasonable) limits.

 

-Apple iPad Pro - [5/10]

Spoiler

A pretty good product, sunk by its price (plus the extra cost of the physical keyboard and the pencil). Buy it if you don't mind the Apple tax and are looking for a very light office machine with an excellent digitizer. Particularly good for rich students. Bad for cheap tinkerers like myself.

 

 

Posted · Original Poster
2 minutes ago, Sauron said:

Why don't they take a droplet of my blood for testing too, just to be sure? Maybe they can give me a colon inspection while we're at it.

It might happen soon. Just spit to log in to your phone. xD https://www.intechopen.com/books/biometrics/dna-biometrics

3 minutes ago, Misanthrope said:

I say under 5 minutes.

FTFY


1 minute ago, Dylanc1500 said:

 

This could take "identity" theft to a whole other level.

There's a reason doctors are sworn to privacy... be wary of what you put on the internet.

 

A lock only knows the key, a guard knows you.


2 minutes ago, Sauron said:

There's a reason doctors are sworn to privacy... be wary of what you put on the internet.

 

A lock only knows the key, a guard knows you.

As someone that designs and creates databases for clients, believe me, I know everything that's collected.

 

That's a wonderful point.

44 minutes ago, Sauron said:

Why don't they take a droplet of my blood for testing too, just to be sure? Maybe they can give me a colon inspection while we're at it.

@Sauron must be difficult for you to use biometrics considering you lost all of your fingers on one of your hands... and then lost your entire body, and then you became a giant eye building... and then your eye building exploded.

 

Although I am happy for you that you apparently still have blood and a colon :) 

2 minutes ago, Catsrules said:

@Sauron must be difficult for you to use biometrics considering you lost all of your fingers on one of your hands... and then lost your entire body, and then you became a giant eye building... and then your eye building exploded.

 

Although I am happy for you that you apparently still have blood and a colon :) 

Iris scan? :P 



I've not read the full standard, so I might be wrong, but it is my understanding that your biometrics wouldn't be sent to the service that you're logging into. Instead, you authenticate to your phone/laptop/yubikey/etc and it then vouches for you to the server. That way, the protocol works regardless of the actual authentication method used (without the server needing support for every authentication method ever invented), and doesn't require the server to store any PII (and because it uses public key crypto, even if the website gets breached an attacker can't use the data to log in as you, because the service only stores a public key, and the private key would be needed to log in).

 

This sounds like a really good thing, though I suspect it will take a long time (if ever) to achieve widespread adoption by websites.

 

One thing that would be really interesting to me would be for password managers to start using this protocol, so they don't need to mess with autofilling password fields, they just implement an interface provided by the browser, and authenticate the user to the site directly.


I don't work for Floatplane Media, so any Floatplane comments that I make are my own and may be incorrect or in conflict with the official view.

 

For Floatplane support, please use the wizard linked in this topic


Why would we need this when phones already support password managers that need your fingerprint to use? Keeps your data local instead on servers which no company gives a fuck about security for. 

25 minutes ago, mynameisjuan said:

Why would we need this when phones already support password managers that need your fingerprint to use? Keeps your data local instead on servers which no company gives a fuck about security for. 

Because the biometrics are still local? I'm pretty much fine with this, but I'd only use it as 2FA probably and not as a main method of signing in, like how I use Steam's sign-in for this site or Authy with Discord.


I spent $2500 on building my PC and all i do with it is play Paladins & watch anime at 720p...

Builds:

The Toaster Project! Northern Bee! The LAN PC 5.0

 

The original LAN PC build log! (Old, dead and replaced by The Toaster Project & 5.0)

Spoiler

"Here is some advice that might have gotten lost somewhere along the way in your life. 

 

#1. Treat others as you would like to be treated.

#2. It's best to keep your mouth shut; and appear to be stupid, rather than open it and remove all doubt.

#3. There is nothing "wrong" with being wrong. Learning from a mistake can be more valuable than not making one in the first place.

 

Follow these simple rules in life, and I promise you, things magically get easier. " - MageTank 31-10-2016

 

 


How is this better than a password? I mean, if a password can be cracked, this can be too.


Coffeemaker: Gigabyte Z370 HD3P • i5-8600k  • Corsair H110i GT • Corsair 2933MHz • STRIX 470-08G • EVGA 750G2 - Corsair 730T

3rd world peasant

Spoiler

The Furnace: 990FXA GD-65 V2 + Thermalright HR-09U 2x40mm + TT Extreme Spirit II ♦ AMD FX-8350 @4.845 GHz 255x19 ♦ Corsair H100i ♦ G.skill TridentX 2133 @2379MHz ♦ MSI R9 290x 8G ♦ Corsair CX650 ♦ WD Black 1TB ♦ Corsair C70 Army

 

3 hours ago, hey_yo_ said:

 

 I don't know how secure this is compared to a long alphanumeric password assuming that it isn't stolen.

I don't know how secure the overall system is, but any step involving biometrics is far less secure than a password. A password that you don't store anywhere but your own memory can only be stolen when you input it, or by having physical control over you, very specific chemicals, and a large disregard for legal consequences. Fingerprints, faces, etc. are publicly available at all times, and visual contact is enough with the appropriate technology (with a trade-off between how close/long/intense the access needs to be vs. the sophistication of the necessary technology). Passwords can be changed at any time; biometrics stay with you forever (with few exceptions).

 

In other words, take any authentication method involving biometrics, replace the biometric step with a password, and boom, you have made it more secure. Even if it involves a fingerprint scan and 6 passwords, it would still be better off with 7 passwords instead.

Despite what sci fi movies sometimes imply, biometrics serve a convenience purpose, not a security one, just like storing your password in your browser or re-using passwords.

 

 

3 hours ago, Misanthrope said:

We should make bets on how long it will take before this is used to compromise unprecedented amounts of personal data.

 

I say under 5 years.

Fuck. What would an unprecedented amount even be at this point? The Equifax breach set that bar pretty damn high.

26 minutes ago, JoeyDM said:

Fuck. What would an unprecedented amount even be at this point? The Equifax breach set that bar pretty damn high.

I think you know what will be unprecedented by them...

 

Spoiler

Pictures of your junk.

 


53 minutes ago, Misanthrope said:

I think you know what will be unprecedented by them...

 


Pictures of your junk.

 

Fuck, I'll beat them to it. Here you go:

Spoiler
Spoiler
Spoiler

You just clicked through these boxes to see a dick pic.

 

 

 


facebook salivating right now 


One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000


Worth noting that courts can force you to touch, look at, etc. a device, they can't force you to type in a password. So biometrics are pretty awful if for whatever reason you want security from the law.


I won't accept any of that, no biometrics from me, NONE. If I could, I'd unsolder the GPS from my phone.


AMD Ryzen 1600X with ASUS Prime x370 Pro and Corsair Vegence 2x8GB 3466 15cas, Corsair H100i liquid cpu cooler, Samsung EVO 500GB, 4TB 7200, Asus GRX 1080 8gb rog strix, Fractal Define R4 case, Corsair RM750x, 10Gbps

