
New web standard allows biometric authentication like face or fingerprint to any website

Primary Sources: W3C, Fido Alliance

Secondary Source: Engadget

 

Quote


 

The FIDO Alliance and W3C have launched a Web Authentication standard that makes it easier to offer truly unique encryption credentials for each site. That, in turn, lets you access virtually any online service in a PC browser through password-free FIDO Authentication, not just specific services. You can continue to use familiar methods like fingerprint readers, cameras and USB keys, and it can serve both in place of and in addition to passwords.

At the moment, only Mozilla Firefox supports WebAuthn, with Microsoft Edge and Google Chrome to add support for this new web standard. Unfortunately, there's no mention on WebKit's website about adding the same support, but I expect them to do the same thing, maybe at WWDC 2018. I don't know how secure this is compared to a long alphanumeric password, assuming that it isn't stolen. Here are some words of assurance from the Fido Alliance:

Quote


WebAuthn defines a standard web API that can be built into browsers and related web platform infrastructure to enable online services to use FIDO Authentication. CTAP enables external devices such as mobile handsets or FIDO Security Keys to work with WebAuthn and serve as authenticators to desktop applications and web services.

 

Enterprises and online service providers looking to protect themselves and their customers from the risks associated with passwords — including phishing, man-in-the-middle and attacks using stolen credentials — can soon deploy standards-based strong authentication that works through the browser. Deploying FIDO Authentication enables online services to provide choice to users from an interoperable ecosystem of devices people use every day like mobile phones and security keys.

 

The new specifications complement existing passwordless FIDO UAF and second-factor FIDO U2F use cases and specifications and expand the availability of FIDO Authentication. Users that already have external FIDO-compliant devices, such as FIDO U2F Security Keys, will be able to continue to use these devices with web applications that support WebAuthn. Existing FIDO UAF devices can still be used with pre-existing services as well as new service offerings based on the FIDO UAF protocols.

 

FIDO will soon launch interoperability testing and issue certifications for servers, clients and authenticators adhering to FIDO2 specifications. Additionally, FIDO will introduce a new Universal Server certification for servers that interoperate with all FIDO authenticator types (FIDO UAF, FIDO U2F, WebAuthn, CTAP). As a best practice, the FIDO Alliance recommends online services and enterprises deploy a Universal Server to ensure support for all FIDO Certified authenticators.

I'm pretty sure at the moment a lot of people can already sign in to websites on their phones using biometric authentication to unlock their third-party password manager. In my case I use LastPass and it works very well for me, as it supports both Touch ID and Face ID as well as Android.


Here are some use cases where W3C thinks this new standard can be useful:

Quote

1.1.1. Registration

  • On a phone:

    • User navigates to example.com in a browser and signs in to an existing account using whatever method they have been using (possibly a legacy method such as a password), or creates a new account.

    • The phone prompts, "Do you want to register this device with example.com?"

    • User agrees.

    • The phone prompts the user for a previously configured authorization gesture (PIN, biometric, etc.); the user provides this.

    • Website shows message, "Registration complete."

1.1.2. Authentication

  • On a laptop or desktop:

    • User navigates to example.com in a browser, sees an option to "Sign in with your phone."

    • User chooses this option and gets a message from the browser, "Please complete this action on your phone."

  • Next, on their phone:

    • User sees a discrete prompt or notification, "Sign in to example.com."

    • User selects this prompt / notification.

    • User is shown a list of their example.com identities, e.g., "Sign in as Alice / Sign in as Bob."

    • User picks an identity, is prompted for an authorization gesture (PIN, biometric, etc.) and provides this.

  • Now, back on the laptop:

    • Web page shows that the selected user is signed in, and navigates to the signed-in page.

1.1.3. Other use cases and configurations

A variety of additional use cases and configurations are also possible, including (but not limited to):

  • A user navigates to example.com on their laptop, is guided through a flow to create and register a credential on their phone.

    • A user obtains a discrete, roaming authenticator, such as a "fob" with USB or USB+NFC/BLE connectivity options, loads example.com in their browser on a laptop or phone, and is guided through a flow to create and register a credential on the fob.

  • A Relying Party prompts the user for their authorization gesture in order to authorize a single transaction, such as a payment or other financial transaction.

So when can I sign in to Linus Tech Tips using my fingerprint @colonel_mortisxD

/s

 

I'm by no means a web developer, but looking at the W3C specifications, this is something already in existence using third-party password managers that support biometric authentication, hardware-based authentication like Yubico's YubiKey, and two-factor authentication with a smartphone; only this time, the website must support it and the feature is built in to the browser. I see this as more of a convenience feature, meaning I don't have to type my long passwords in each website, and according to them, it reduces MITM attacks by using your biometrics to log in instead of your passwords, which can be stolen. But my concern is that biometrics can be spoofed, nor are they protected by laws like America's 4th Amendment, so as nice as this open standard is for logging in, I think most people are better off with a password + password manager + two-factor authentication. So many people have said the password is dead, but I think not yet.

 

It sucks that Apple didn't participate, and they're quite slow in adopting open standards.

Edited by hey_yo_

There is more that meets the eye
I see the soul that is inside

 

 


Why don't they take a droplet of my blood for testing too, just to be sure? Maybe they can give me a colon inspection while we're at it.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


2 minutes ago, Sauron said:

Why don't they take a droplet of my blood for testing too, just to be sure? Maybe they can give me a colon inspection while we're at it.

It might happen soon. Just spit to log in to your phone. xD https://www.intechopen.com/books/biometrics/dna-biometrics

There is more that meets the eye
I see the soul that is inside

 

 


3 minutes ago, Misanthrope said:

I say under 5 minutes.

FTFY

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


21 minutes ago, Sauron said:

Why don't they take a droplet of my blood for testing too, just to be sure? Maybe they can give me a colon inspection while we're at it.

 

17 minutes ago, hey_yo_ said:

It might happen soon. Just spit to log in to your phone. xD https://www.intechopen.com/books/biometrics/dna-biometrics

This could take "identity" theft to a whole other level.


1 minute ago, Dylanc1500 said:

 

This could take "identity" theft to a whole other level.

There's a reason doctors are sworn to privacy... be wary of what you put on the internet.

 

A lock only knows the key, a guard knows you.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


2 minutes ago, Sauron said:

There's a reason doctors are sworn to privacy... be wary of what you put on the internet.

 

A lock only knows the key, a guard knows you.

As someone that designs and creates databases for clients, believe me, I know everything that's collected.

 

That's a wonderful point.


44 minutes ago, Sauron said:

Why don't they take a droplet of my blood for testing too, just to be sure? Maybe they can give me a colon inspection while we're at it.

@Sauron it must be difficult for you to use biometrics considering you lost all of your fingers on one of your hands... and then lost your entire body, and then you became a giant eye building... and then your eye building exploded.

 

Although I am happy for you that you apparently still have blood and a colon :) 


2 minutes ago, Catsrules said:

@Sauron it must be difficult for you to use biometrics considering you lost all of your fingers on one of your hands... and then lost your entire body, and then you became a giant eye building... and then your eye building exploded.

 

Although I am happy for you that you apparently still have blood and a colon :) 

Iris scan? :P 

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


How many Americans had biometrics stolen during the last OPM breach? No thank you.

 


I've not read the full standard, so I might be wrong, but it is my understanding that your biometrics wouldn't be sent to the service that you're logging into. Instead, you authenticate to your phone/laptop/yubikey/etc and it then vouches for you to the server. That way, the protocol works regardless of the actual authentication method used (without the server needing support for every authentication method ever invented), and doesn't require the server to store any PII (and because it uses public key crypto, even if the website gets breached an attacker can't use the data to log in as you, because the service only stores a public key, and the private key would be needed to log in).

 

This sounds like a really good thing, though I suspect it will take a long time (if ever) to achieve widespread adoption by websites.

 

One thing that would be really interesting to me would be for password managers to start using this protocol, so they don't need to mess with autofilling password fields, they just implement an interface provided by the browser, and authenticate the user to the site directly.

HTTP/2 203


Why would we need this when phones already support password managers that need your fingerprint to use? Keeps your data local instead on servers which no company gives a fuck about security for. 


25 minutes ago, mynameisjuan said:

Why would we need this when phones already support password managers that need your fingerprint to use? Keeps your data local instead on servers which no company gives a fuck about security for. 

Because the biometrics are still local? I'm pretty much fine with this, but I'd only use it as 2FA, probably, and not as a main method of signing in, like how I use Steam's sign-in for this site or Authy with Discord.

I spent $2500 on building my PC and all i do with it is play no games atm & watch anime at 1080p(finally) watch YT and write essays...  nothing, it just sits there collecting dust...

Builds:

The Toaster Project! Northern Bee!

 

The original LAN PC build log! (Old, dead and replaced by The Toaster Project & 5.0)

Spoiler

"Here is some advice that might have gotten lost somewhere along the way in your life. 

 

#1. Treat others as you would like to be treated.

#2. It's best to keep your mouth shut; and appear to be stupid, rather than open it and remove all doubt.

#3. There is nothing "wrong" with being wrong. Learning from a mistake can be more valuable than not making one in the first place.

 

Follow these simple rules in life, and I promise you, things magically get easier. " - MageTank 31-10-2016

 

 


How is this better than a password? I mean, if a password can be cracked, so can this.

ASUS X470-PRO • R7 1700 4GHz • Corsair H110i GT P/P • 2x MSI RX 480 8G • Corsair DP 2x8 @3466 • EVGA 750 G2 • Corsair 730T • Crucial MX500 250GB • WD 4TB


3 hours ago, hey_yo_ said:

 

 I don't know how secure this is compared to a long alphanumeric password assuming that it isn't stolen.

I don't know how secure the overall system is, but any step involving biometrics is far less secure than a password. A password that you don't store anywhere but your own memory can only be stolen when you input it, or by someone having physical control of you, very specific chemicals, and a large disregard for legal consequences. Fingerprints, faces, etc. are publicly available at all times, and visual contact is enough with the appropriate technology (with a trade-off between how close/long/intense the access needs to be vs. the sophistication of the necessary technology). Passwords can be changed at any time; biometrics stay with you forever (with few exceptions).

 

In other words, take any authentication method involving biometrics, replace the biometric step with a password, and boom, you have made it more secure. Even if it involves a fingerprint scan and 6 passwords, it would still be better off with 7 passwords instead.

Despite what sci fi movies sometimes imply, biometrics serve a convenience purpose, not a security one, just like storing your password in your browser or re-using passwords.

 

 


3 hours ago, Misanthrope said:

We should make bets on how long it will take before this is used to compromise unprecedented amounts of personal data.

 

I say under 5 years.

Fuck. What would an unprecedented amount even be at this point? The Equifax breach set that bar pretty damn high.


26 minutes ago, JoeyDM said:

Fuck. What would an unprecedented amount even be at this point? The Equifax breach set that bar pretty damn high.

I think you know what will be unprecedented by them...

 

Spoiler

Pictures of your junk.

 

-------

Current Rig

-------


53 minutes ago, Misanthrope said:

I think you know what will be unprecedented by them...

 


Pictures of your junk.

 

Fuck, I'll beat them to it. Here you go:

Spoiler
Spoiler
Spoiler

You just clicked through these boxes to see a dick pic.

 

 

 


facebook salivating right now 

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

<>EVs are bad, they kill the planet and remove freedoms too some/<>


Worth noting that courts can force you to touch, look at, etc. a device, they can't force you to type in a password. So biometrics are pretty awful if for whatever reason you want security from the law.


I won't accept any of that, no biometrics from me, NONE. If I could, I'd unsolder the GPS from my phone.


Nope. Passwords may not be as secure, but there is a legal precedent that says passwords can't be divulged or forced out of someone during an investigation.

 

Biometrics share no such precedent; in fact, they share the OPPOSITE precedent. You can (and likely will) be compelled or forced to biometrically authenticate during an investigation.


1 minute ago, HarryNyquist said:

Nope. Passwords may not be as secure, but there is a legal precedent that says passwords can't be divulged or forced out of someone during an investigation.

 

Biometrics share no such precedent; in fact, they share the OPPOSITE precedent. You can (and likely will) be compelled or forced to biometrically authenticate during an investigation.

Actually, long alphanumeric passwords are still better than biometrics, because biometrics can be spoofed so easily, even though passwords can be stolen. But I agree that in most countries, including the US (4th Amendment), passwords are protected by the law and biometrics don't have that kind of legal protection.

There is more that meets the eye
I see the soul that is inside

 

 


2 minutes ago, hey_yo_ said:

Actually, long alphanumeric passwords are still better than biometrics, because biometrics can be spoofed so easily, even though passwords can be stolen. But I agree that in most countries, including the US (4th Amendment), passwords are protected by the law and biometrics don't have that kind of legal protection.

Most people don't do passwords right. We're all nerds so hopefully we know better. :P
