
New web standard allows biometric authentication like face or fingerprint to any website

11 minutes ago, HarryNyquist said:

Most people don't do passwords right. We're all nerds so hopefully we know better. :P

I taught my parents how to use LastPass just this January. At least none of them are still using Yahoo Mail. 


11 hours ago, ElfFriend said:

Worth noting that courts can force you to touch, look at, etc. a device, they can't force you to type in a password. So biometrics are pretty awful if for whatever reason you want security from the law.

Also worth noting that in some instances or countries you can be imprisoned for refusing to give up your password. 

In the UK for example they have the RIPA which allows them to demand passwords and encryption keys.

If you refuse to unlock your device when entering the US you can be detained at the airport, without a limit as to how long. 

 

If your password is compromised, you can change it.  Good luck doing that with your fingerprint. 

 

I'll wait for SQRL to come along, that could be a game changer.  Last I heard, Gibson was ironing out the last few issues so I expect it this year. 


On 4/10/2018 at 9:43 AM, Misanthrope said:

We should make bets on how long it will take before this is used to compromise unprecedented amounts of personal data.

 

I say under 5 years.

Based on adoption rates of new tech, I'll say within 3.

 

It'll all be compromised already by governments, and the leaks will begin as adoption ramps up.


I find the more features something has, the more complex it gets. The more complex it gets, the more likely exploits will be present; this means time is the only thing between a secure connection and all your bank details lost to a criminal.

 

 


Imagine setting up your phone for WebAuthn with biometric authentication.

Your bank sends you a letter with a QR code on it which you scan with your phone to save the bank's certificate with your WebAuthn setup locally (kinda like root certificates or an ssh key fingerprint, but with a built-in expiration date), and you have to manually accept that you trust their certificate on your phone, which also sends your public key to the bank via an internet connection (to a server which authenticates to you using the same certificate which you got from the scanned QR code).

Now if you want to access your bank's online banking website you log in through WebAuthn: the bank sends a unique authentication request (e.g. with a timestamp) through some means, signed with their certificate which is trusted locally; you authenticate biometrically that you are you and accept this request for authentication. WebAuthn therefore signs the request with your private key, which the bank can verify using your public key.

This would circumvent phishing, MITM attack, theft of password... IMO the perfect solution...


When they were talking on Wanshow about how it could still be phished, I don't see how that would be true, as the site would never itself get an actual copy of your biometrics.

Rather they would just get an authentication from WebAuthn or whatever. It might be possible to spoof a WebAuthn on a phishing site to allow someone else to log in to a similar site on your behalf.

Like say your bank switches over to using WebAuthn, you authorize yourself to it, and log in however it prompts you to do so. At a later date you click a phishing link, and it prompts you to log in again or complete some sort of "first time setup" which some users might not bat an eye at, and then they authorize that. While not giving the phishing site itself biometric data, they might have enabled the phishing site to spoof your authentication, swapping out WebAuthn data with their own on the real site, but you were the one clicking the buttons.

Like I'm sure there's a way to reset or recalibrate auth data, and it could possibly be used as a weakness, by getting the user to activate these prompts unknowingly on a phishing website, and when new data is requested the phisher enters their own.


6 hours ago, Celmor said:

Imagine setting up your phone for WebAuthn with biometric authentication.

Your bank sends you a letter with a QR code on it which you scan with your phone to save the bank's certificate with your WebAuthn setup locally (kinda like root certificates or an ssh key fingerprint, but with a built-in expiration date), and you have to manually accept that you trust their certificate on your phone, which also sends your public key to the bank via an internet connection (to a server which authenticates to you using the same certificate which you got from the scanned QR code).

Now if you want to access your bank's online banking website you log in through WebAuthn: the bank sends a unique authentication request (e.g. with a timestamp) through some means, signed with their certificate which is trusted locally; you authenticate biometrically that you are you and accept this request for authentication. WebAuthn therefore signs the request with your private key, which the bank can verify using your public key.

This would circumvent phishing, MITM attack, theft of password... IMO the perfect solution...

Well, it can't be perfect if it can be improved. Let's check:

> If you want to access your bank's online banking website you log in through WebAuthn: the bank sends a unique authentication request (e.g. with a timestamp) through some means, signed with their certificate which is trusted locally; you authenticate with a user+password that you are you and accept this request for authentication. WebAuthn therefore signs the request with your private key, which the bank can verify using your public key.

 

... and it's already better :P (That's leaving aside that this would also imply no phone = no bank).

 

Passwords can be made as "local" as biometrics. But, as opposed to biometrics, passwords are not constantly exposed to everyone and everything you touch or whose field of vision you enter, nor can they be used against your will when you are asleep or unconscious. When stolen, they can be replaced.

I can see how many of these steps could provide enhanced security, but biometrics are a downgrade in security. It just reminds us of those sci-fi and spy movies, but we must not forget that those were entertainment.


9 hours ago, SpaceGhostC2C said:

Passwords can be made as "local" as biometrics. But, as opposed to biometrics, passwords are not constantly exposed to everyone and everything you touch or whose field of vision you enter, nor can be used against your will when you are asleep or unconscious. When stolen, they can be replaced.

I can see how many of these steps could provide enhanced security, but biometrics are a downgrade in security.

IMO best authentication is a combination, aka 2-Factor, like something you own (Yubikey) and something you know (PIN) or passphrase + biometrics.

Passphrases can be stolen without your knowledge (keylogger, database breach, forensic analysis), can be hard to choose correctly, and many companies don't handle them correctly (limited character set, length limitation, length silently capped, storing the hashes, storing in plain). If you only have someone's public key, though, and they authenticate using their private key (which is never actually transferred), that's a major advantage.

Also the weak point in public-key cryptography is how one exchanges each other's public key/certificate, which is what I tried to focus on as well, e.g. in a sealed letter via mail, like TANs or PINs are traditionally transferred anyway.


On 4/11/2018 at 4:28 PM, HarryNyquist said:

Biometrics share no such precedent; in fact, they share the OPPOSITE precedent. You can (and likely will) be compelled or forced to biometrically authenticate during an investigation.

Depends on legislation; they can't in my country. Also you can easily get around this by trying to unlock with the wrong finger a few times, 'cause then it'll ask for a PIN (at least on Android).


Hacker's wet dream.


14 hours ago, Celmor said:

IMO best authentication is a combination, aka 2-Factor, like something you own (Yubikey) and something you know (PIN) or passphrase + biometrics.

Passphrases can be stolen without your knowledge (keylogger, database breach, forensic analysis), can be hard to choose correctly, and many companies don't handle them correctly (limited character set, length limitation, length silently capped, storing the hashes, storing in plain). If you only have someone's public key, though, and they authenticate using their private key (which is never actually transferred), that's a major advantage.

But you are mixing things: not having your credentials stored remotely isn't a difference between biometrics and passwords. My point is that the same authentication step can be performed with biometrics or passwords, which can both be as local as you desire. Swiping your finger or typing a password on your phone or whatever isn't different in that respect. And while a keylogger on your phone could steal that password (which you could change, as opposed to biometrics), that requires the keylogger to be on your phone, since it's the only moment in which it will be exposed. Your biometrics, on the other hand, are always exposed, and they can be taken in many instances without touching your phone. In fact, to make them fully equivalent you would have to constantly have a mask and/or gloves on except for authentication purposes.

Then you go about how people are bad at using systems, but that applies to everything.

 

Ultimately, the key advantage you highlight (public-private key) is completely separate from the biometrics vs password, as it would apply to both.

 

14 hours ago, Celmor said:

Also the weak point in public-key cryptography is how one exchanges each other's public key/certificate, which is what I tried to focus on as well, e.g. in a sealed letter via mail, like TANs or PINs are traditionally transferred anyway.

This, once again, has no bearing on whether to use biometrics or alphanumeric passwords.

My only point is that, ultimately, biometrics are just passwords, or to be precise, bad passwords. An inferior form of password.


On 4/15/2018 at 9:01 PM, Nicnac said:

Not sure, but isn't this a repost?

I actually posted it first


20 hours ago, VegetableStu said:

They are. Just that they're written over your fingers / vein geography / iris / face / colon.

Nope. They are identity tokens. As in, a passport, user name, identity. Not a password.


On 4/16/2018 at 5:31 AM, SpaceGhostC2C said:

that requires for the keylogger to be on your phone, since it's the only moment in which it will be exposed. Your biometrics, on the other hand, are always exposed, and they can be taken in many instances without touching your phone

Getting malware on your phone which includes keylogger or sniffing tools to grab your passphrase, or make you enter it in a fake input, is easier and can be done en masse. Someone trying to 'steal' your biometric data is harder (requires a targeted attack) and depends on what kind of biometric data is being used for authentication; fingerprints may be the easiest to steal but require a lot of work for a single hack, and even facial (3D) can't be stolen that easily since it requires special sensors and close proximity. A passphrase can be stolen remotely, biometric data not. This is assuming the biometric authentication is handled correctly, in a secure enclave on the phone, etc.


21 hours ago, Celmor said:

Getting malware on your phone which includes keylogger or sniffing tools to grab your passphrase, or make you enter it in a fake input, is easier and can be done en masse. Someone trying to 'steal' your biometric data is harder (requires a targeted attack) and depends on what kind of biometric data is being used for authentication; fingerprints may be the easiest to steal but require a lot of work for a single hack, and even facial (3D) can't be stolen that easily since it requires special sensors and close proximity. A passphrase can be stolen remotely, biometric data not. This is assuming the biometric authentication is handled correctly, in a secure enclave on the phone, etc.

Nope. Stealing biometrics is easier (can be done analogue in most cases, and where it can be done digitally on a password, the same can be said for biometrics: hack keyboard presses with a driver, or hack biometrics with a camera/scanner driver). Biometrics is a single tag/code. It's literally an ID tag.

 

The only benefit is it is "newer" technology (current systems as you said need targeted hacks, but research shows a single pixel change can trick such systems at times!) and, as you said "enclave" hardware. But that same enclave hardware can also store passwords (see Apple iPhones!).

 

I don't disagree with your benefits list. I disagree that biometrics are passwords. They are ID.


I think this wouldn't work as shadywebsite.org gets to store your fingerprint in a database. But rather something similar to the system we already have here in Sweden. We have an app called BankID that you use to be able to sign in to most government sites, banks and the like.

The standard way is that you choose to log in by BankID, type in your SSN, and then the server sends a request to your app prompting you to enter a six-digit code. But you can also toggle a setting to instead use touch-id.

The page you try to log in to has no information about your passcode or touch-id, only that the app sends back an "Auth.ok" to the server. Much like the login by Facebook/Gmail buttons you see everywhere.

This seems like the most logical way to implement this.
