Biometric and App Logins Will Soon Be Pushed Across the Web (vice.com)
Soon, it will be much easier to log into more websites using a hardware key plugged into your laptop, a dedicated app, or even the fingerprint scanner on your phone. Motherboard: On Tuesday, a spread of organizations and businesses, including top browser vendors such as Microsoft and Google, announced a new standards milestone that will streamline the process for web developers to add extra login methods to their sites, potentially keeping consumers' accounts and data more secure. "For users, this will be a natural transition. People everywhere are already using their fingers and faces to 'unlock' their mobile phones and PCs, so this will be natural to them -- and more convenient," Brett McDowell, executive director at the FIDO Alliance, one of the organizations involved in setting up the standard, told Motherboard in an email.
"What they use today to 'unlock' will soon allow them to 'login' to all their favorite websites and a growing number of native apps that already includes Bank of America, PayPal, eBay and Aetna," he added. Passwords continue to be one of the weaker points in online security. A hacker may phish a target's password and log into their account, or take passwords from one data breach and use them to break into accounts on another site. The login standard, called Web Authentication (WebAuthn), will let potentially any website or online service use apps, security keys, or biometrics as a login method instead of a password, or use those alternative approaches as a second method of verification. The key here is making it easy and open for developers to use, and for it to work across all different brands of browsers. The functionality is already available in Mozilla's Firefox, and will be rolled out to Microsoft's Edge and Google Chrome in the next few months. Opera has committed to supporting WebAuthn as well.
No mention of Apple or Safari?
https://en.wikipedia.org/wiki/Client_certificate
Sure, go ahead and give your biometric data away. You'll only be permanently identifiable for the rest of your life.
All these finger prints and retina scanning or even social security number are just identifiers. They identify a person. The authentication is different. Authentication is like a signature, of the old pen and ink era. It should be at the control of the person.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
How is this any better really?
I can change passwords, I can have a unique password for every login. But I have only one set of fingerprints. And I can't change those if compromised. Furthermore, there is a number of ways to swipe biometric data from people, in some cases without their knowledge or by force, which a password is immune to.
"People everywhere are already using their fingers and faces to 'unlock' their mobile phones and PCs"
"will let potentially any website or online service use apps, security keys, or biometrics as a login method instead of a password"
1st of April ?
"if website developers want to take advantage of this new standard they should start building support for the JavaScript API into their login capabilities"
the last thing we need for better security is more javascript :(
I do hope they'll use these fingerprint scanners only as a login and not as a password, otherwise ppl will have a hard time changing their password next time a database is breached.
I don't have any internet accounts worth securing
But if they get your 'biometrics', you um... Use a different finger? Use a different face?
Passwords continue to be one of the weaker points in online security. A hacker may phish a target's password and log into their account, or take passwords from one data breach and use them to break into accounts on another site.
So the solution is to remove the passwords and replace it with something unchangeable if hacked. You know, whatever hash they use to store the immutable personal characteristics like fingerprints and retinal scans and brain wave Fourier transforms and voice print hash can never be hacked, not in a lifetime of the person. Yeah, sure.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
You can stuff your websites up whatever biometrical part of you you might chose.
I do use passwords for a reason: they are under my conscious control. And that's the way I want 'em. It's *some* work, but it's totally worth it.
Or are you afraid of going deaf because of the volume of the "OH HELL NO!" that will be yelled at you?
Are you nuts? Seriously, I'm asking. Are you nuts? Who is idiot enough to, after the past YEARS of identity theft and privacy abuse, even suggest something like this? And how much faith in the idiocy of humanity does it take to expect people to actually WANT this?
I'm not even going for the obvious "identification != authentication". It's been shown time and again that it's trivially easy to bypass biometric scans, at least user-grade devices that do it. And you want me to trust my banking to something like this?
I have to ask again: Are you stupid?
Or do you just think I am?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
While I understand and share your concern, at this point it's pretty much unavoidable. Society has accepted biometric authentication and doesn't care about privacy.
We've accepted cameras everywhere, which with facial detection alone, is pretty inescapable. You can forget any 5th amendment rights in the future when it comes to technology evidence: biometrics is law enforcement's permanent shoe-in to the cryptography problem they face since they can easily access devices once your entire body is in custody.
Great, so now Zuck can share our penis lengths with the rest of his Facebook data. Fuck Zuck!
This really doesn't seem to fix anything.
Just changes the password to a piece of hardware that you must always have on you or you must carry 5 around with you
Also, fingerprint scanning sucks IMO. My phone will not read it unless the sensor is completely clean, and then only works 3 out of 10 times. YMMV though.
The millennial that doesn't like most of the stuff designed for millennials.
You need to be taken out back and beaten with reeds.
is if online providers *mandate* the use of biometrics to create/access an account. I will then have to bow out and either roll my own solution or simply not use whatever it was. Banking may present a problem, as banks may collude with government and mandate this crap.
The fact that passwords, just like physical keys, are not linked to an identity is actually a very big plus in terms of security IMO. Of course they can get stolen (and there are schemes to make it less likely to matter, such as multi-factor authentication.) But the very fact that one could steal both your passwords AND identity at the same time (which will inevitably happen at some point when both are linked) is much, much worse.
Or will it be Edge only, part of Microsoft's plan to force Spydows 10 on people.
With all the massive hacks happening daily, the last thing I would want is to rely on a password I cannot change.
Biometrics are a tool for controlling the public. They identify criminals, refugees, anyone crossing a border or making trouble who needs to be tracked and held accountable. Their main feature is that the holder of them can't fake them, change them, or hide them. It's a great evil to build ecosystems and infrastructure that offer up this power of authoritarian statehood to petty merchants and coupon-issuers.
Apologists for fingerprint scanners on phones said from the beginning, "the fingerprint never leaves the device." Intuition is the wrong way to think about privacy. You need to use attack models. If you allow a bank, a credit card, or a music-playing app to demand fingerprint enrolment, even if they don't get to see the fingerprint itself they get great power over the user because they can count the number of unique fingerprints claiming to be "the user" and demand the count equal one, which is almost the same as having the fingerprint itself. In that sense, the fingerprint is leaving the phone.
I know one of the "rules" is not to share passwords, but that imagines a non-adversarial relationship between the user and the web service that's not realistic, or even typical, today. The ability to share passwords is a key civil liberty described as a last bulwark against the dystopia in "The Right to Read."
"People everywhere are already using their fingers and faces to 'unlock' their mobile phones and PCs"
Not in my circle of tech literate friends and colleagues.
1) Many realise that biometrics == username and not an authentication 'password'
2) Fingerprint & face technologies are not robust and can be fooled. False negatives will turn people off the idea so expect the pattern matching to be loose at best.
3) Biometrics can't be changed easily (if at all)
4) Many people don't have/want phones / laptops with fingerprint readers or face recognition software. I for one don't see why I should dump perfectly serviceable hardware just to buy new copies with these features (which have yet to settle on a widely accepted standard). I could argue on 'green' grounds about why this is a bad idea but basically I'm too mean to waste money repeatedly changing and upgrading just to keep in fashion.
5) If remembering passwords is an issue, use a password safe. Personally I LIKE passwords - they can be complex yet easy to remember and I have [the illusion of] control.
You'll only be permanently identifiable for the rest of your life
Go live in a cave for the rest of your life. Then nobody will have to identify you, and you won't have to prove your identity to anyone.
Or, you can realize that identity is proof of who you are (and not someone else). The problem ISN'T identity theft, that is just a symptom of the problem. The REAL problem is that we have systems that make your identity your problem when you have no control over that information. A bank giving a loan out to someone who is not you, in your name, without your knowledge or consent shouldn't be YOUR problem, it should be theirs. They failed to do due diligence in ascertaining the person they gave $25,000 in credit isn't you.
All of this is because we've reduced identity to knowledge of facts, and not personal references. It is much harder to prove that you are me, if you also have to come up with fake people who pretend to be my known associates. This is why Identity should be based on web of trust, and not publicly identifiable traits.
We've given up security for convenience, and the ramifications are really bad.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
I am against slippery slopes, but:
Want to purchase food? Need to use your fingerprint. Don't want to give fingerprint? No food. Use fingerprint? Hmm, you're purchasing too much junk food. Your insurance company has been notified, your rates go up accordingly.
People everywhere are already using their fingers and faces to 'unlock' their mobile phones and PCs, so this will be natural to them
Um, no. First of all, "people everywhere" do not use those, only a subset of them, and I suspect a small subset.
Secondly, access to an object normally in your physical control is not the same as access to remote websites.
What we need is an MFA standard, similar to the open source Google Authenticator/RFC 6238/RFC 4226 standard, but instead of a shared secret, it uses a public key, so if an attacker slurps the list of 2FA info from a company, they won't receive anything that would benefit them, as opposed to a shared secret key that they could use later on to attack specific accounts.
We already have biometrics for authentication. My Lastpass 2FA app has the option of setting a fingerprint before it will show codes. Similar with other programs like mSecure, Codebook, SafeInCloud, 1Password, and EnPass.
What if it breaks or gets stolen? From what I see it is basically a password manager. I would need several of them as I have several computers.
At this moment I am typing this at my PC at work during my break. I would not be able to use the dongle on this PC.
I would also need a dongle for each and every PC that I own, as I might want to use that specific one. It is not convenient to move them from one to the next one as I often use two at the same time. And some are even accessed remotely.
And I must not forget to remove the dongle if somebody else is using it.
And then we need to hope that this is an open standard that can be used in such a way that I am not dependent on any company, nor that I am limited in any way or that any third party has any information on me in any way.
Don't fight for your country, if your country does not fight for you.
So you don't want to give up your fingerprint willingly? No worries, I have a knife or scissors or I'll just kill you and drag your body to the scanner. Much easier than trying to beat a password/phrase/answer out of you.
There is no way biometric information can be verified to come from the actual live person and not from a copy, and once this data is out there, it can be copied at will without hope of ever being retracted, because you will still be you, no matter who knows your iris patterns, your fingerprints or whatever else you think you should use as a password. YOUR VOICE IS NOT YOUR PASSWORD. If you don't recognize the reference, you have no business discussing this topic.
The article is, unsurprisingly, light on detail, and the proposal doesn't have a great deal to do with the headline. The spec at W3, at least from a first skim, is a lot more informative.
This is absolutely *not* about random web-sites using your biometric information (or some magical hash thereof) as authentication. It's about using your biometric identification, or some other MFA, to unlock access to the credential store - something like Lastpass, Keepass, et al.
When you register with a site, you and the site generate authentication keys. You swipe your fingerprint, insert your USB magic-key, or whatever to unlock the secure key store, and your authentication key is stored - either in a secure enclave, or encrypted with a totally local key that's stored in the secure enclave.
When you go back to log into that site again, you're prompted to complete the same ceremony again to unlock the key store and retrieve the material you prepared earlier.
There's some more details on top of that to make sure that:
-the site asking for your credentials is the same site you registered with
-the site can *only* ask for the credentials associated with it, not convince you to swipe / insert / whatever and go fishing in your key store for other useful credentials
-the credentials are generated correctly to have lots of length and randomness in so password-style brute-force or rainbow tables aren't applicable
and the authentications are encrypted challenge / responses, rather than direct exchange of actual key material, so you try to avoid replay attacks and the like.
The only place your biometric info is ever used (if you want to use it as one of your factors) is to unlock your local key store. It's never sent across the network.
I'm nothing like enough of a cryptohead to say if the details of the proposal are right or solid, but it doesn't seem insanely wrong, and it's certainly not "OMG everyone now has my fingerprints instead of a password!"
And all this, because nerds couldn't establish a PGP key authentication for websites in, what, 25 years? It'd have been PGP's killer feature!
Slowly the frog boils.
Rick B.
I've not read the latest draft, but the earlier version of this spec was basically U2F with enough abstraction to avoid tying it to a specific hardware implementation. The goal was to have the user agent generate authentication tokens and accept responsibility for identifying the user, possibly using a hardware token, possibly using a separate process that handles credentials. I don't think uploading biometric data is part of the spec (unless it's changed), but using biometrics locally to authorise access to credentials is.
I am TheRaven on Soylent News
And this is a good thing? WTF is wrong with these people. They do it because they can, not because it's better.
what's the privacy on this?
... using Tor, at least I get a warning ... attempted to extract HTML5 canvas data ... uniquely identifying your computer.
How are my access data protected and stored across the board?
Thinking about this Facebook crap, I just want to start vomiting.
And
All the other browser just do it, and who uses it without even asking for permission.
Is any politician in this country (USA) even remotely aware about this abuse and doing (or can) something about it? Hardly...
And - don't give me the crap of it's too late, you have no privacy and - the genie is out of the bottle. It won't change the abuse happening....
>"For users, this will be a natural transition. People everywhere are already using their fingers and faces to 'unlock' their mobile phones and PCs, so this will be natural to them -- and more convenient,"
And here we see the delusional developer in the wild just before forcing their "improved" stuff on countless millions
Accepted as in "We the rulers have the power, so we'll do it no matter what you say. Bugger off."
About time. I've paid a lot for a Yubikey and only a handful use it.
just wait for pre existing conditions rules to go away then you will be blacklisted (USA ONLY does not apply to jail / prison system)
But make my identity easier to steal in the case of a data breach. This doesn't solve the problem.
Cable, DSL is tied to the modem ID
What a brilliant idea. Lets all come up with a "secure" web authentication feature that doesn't actually allow for secure password authentication.
Just for fun lets toss in "User Consent" and "User Presence" because "security".
And to complete our incompetence... channel bindings? What channel bindings?
My bank app, my paypal app, my amazon app, ... has been doing that for years now.
Since I'm an old fart here and ergo I can't possibly read either TFA or TFS, what's actually new here?
It's astonishing that this is still not understood. Biometrics are a unique identifier, but you also can't change them. When they're breached, that's it. You can change a password; you can't change your fingerprints. And for whistleblowers or people in oppressive regimes, it's also much easier for a government to break into your accounts with biometrics than it is a password floating around in your head.
A strong passphrase + password managers (with different passwords for every account) + 2FA is still the best security you're going to get.
court can order you to touch phone, can't order you to remember password
so why the fuck does this summary have that rainbow-butt chrome icon on it instead?
https://duo.com/blog/web-authentication-what-it-is-and-what-it-means-for-passwords
Sometimes you want to identify yourself on the web, and sometimes you don't. There is no solution to certainly identify you at all times. That is not what ordinary people want. That is what advertisers want.
I am not giving up my ID unless I log into my bank, or well actually nothing else.
Exactly.
I may wish to prove who I am to my bank. I might not be so keen to prove it to www.randomwebsite.com and I sure as hell have no wish to prove it to www.porns.r.us.scam and goat.se
Also, I have no wish for hackers.ru to be able to prove they are me for the rest of my life.
YMMV
Sent from my ASR33 using ASCII
Just gotta watch out for Nicolas Cage...
I once had to postpone getting my fingerprints taken for my job at NASA for a week because some of my fingers/prints were cut, calloused and beaten-up from car and house work. Anyone want to chance getting locked out of your computer and the web for a week?
It must have been something you assimilated. . . .
The issue should be you can refuse to remember your password to unlock your phone but you have no right to keep your fingerprint secret so if "The Man" wants you to unlock your phone and you have enabled biometrics... you have fewer options.
?
Or am I missing something?
Fuck. Right. Off.
You can see where this is going
'To access teh interwebz, please plug your personal biometric ident device so we can track/tag/profile all your traffic...for your own safety'
OP is working for a brainstorming group, fishing for ideas to refine his biometric rationale.
Police can force you to unlock a phone with your fingerprint/facescan. They can't (yet) force you to unlock a phone with passcode.
While I understand and share your concern, at this point it's pretty much unavoidable. Society has accepted biometric authentication and doesn't care about privacy.
That doesn't nullify his point nor the reason to speak up about it.
The fingerprint scanner was just one example of a supported device. You can use hardware tokens too.
Yubico announced their new security tokens today, they ship on the 13th.
Real security isn't "more convenient".
You're not giving it away. The biometric data is used like the password to your private key. The entire thing is about standardizing the API for PKI authentication - certificate based.
Been using passwords since the 90s and hate hate hate being forced to use my phone for logins. Will cancel any service which forces me to use this "convenient" technology.
Why do you think this involves giving your biometric data away?
Your computer/phone scans your fingerprint and then tells the web site that you authenticated, with a token to prevent impersonation. The biometric data never leaves your local control.
For most people it's a massive win. No more crappy passwords. For experts we can more easily use security tokens.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
I bet you can produce a person or two (maybe more) that can verify that you are who you say you are. That kind of "information" is based on "trust", not trusting that someone who can produce a list of facts is you. I doubt that a Russian can prove he is you if he also has to provide a number of people who are known associates of you, with their own list of associations.
I have all sorts of documentation of my relationships with other people, spanning decades. That kind of information is much harder to forge than knowing a bunch of publicly known facts about me.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.