Biometric and App Logins Will Soon Be Pushed Across the Web

Soon, it will be much easier to log into more websites using a hardware key plugged into your laptop, a dedicated app, or even the fingerprint scanner on your phone. Motherboard: On Tuesday, a spread of organizations and businesses, including top browser vendors such as Microsoft and Google, announced a new standards milestone that will streamline the process for web developers to add extra login methods to their sites, potentially keeping consumers' accounts and data more secure. "For users, this will be a natural transition. People everywhere are already using their fingers and faces to 'unlock' their mobile phones and PCs, so this will be natural to them -- and more convenient," Brett McDowell, executive director at the FIDO Alliance, one of the organizations involved in setting up the standard, told Motherboard in an email.

"What they use today to 'unlock' will soon allow them to 'login' to all their favorite websites and a growing number of native apps that already includes Bank of America, PayPal, eBay and Aetna," he added. Passwords continue to be one of the weaker points in online security. A hacker may phish a target's password and log into their account, or take passwords from one data breach and use them to break into accounts on another site. The login standard, called Web Authentication (WebAuthn), will let potentially any website or online service use apps, security keys, or biometrics as a login method instead of a password, or use those alternative approaches as a second method of verification. The key here is making it easy and open for developers to use, and for it to work across all different brands of browsers. The functionality is already available in Mozilla's Firefox, and will be rolled out to Microsoft's Edge and Google Chrome in the new few months. Opera has committed to supporting WebAuthn as well.

People don't even understand what they're losing

Sure, go ahead and give your biometric data away. You'll only be permanently identifiable for the rest of your life.

Authentication != identification

[140Mandak262Jamuna]

So if these things get hacked or stolen, there is no way for you to change the user name, or password.. Can people be this idiotic?

All these finger prints and retina scanning or even social security number are just identifiers. They identify a person. The authentication is different. Authentication is like a signature, of the old pen and ink era. It should be at the control of the person.

Re: Authentication != identification

[Anubis+IV]

Actually, authentication is identification.

No, it's not. They may be handled as part of the same step in some implementations (e.g. providing your username and password at the same time), but claiming to be X (i.e. identification, e.g. "Hi, I'm Joe") is not the same as proving one is X (i.e. authentication, e.g. "Here's my driver's license") is not the same as consenting to an action (i.e. authorization, e.g. "And here's my signature on the dotted line"). Put differently:
- Identification: Let's make sure we know who we're talking about
- Authentication: Let's make sure you're who you claim to be
- Authorization: Let's make sure we have your consent

Identification must always precede authentication must always precede authorization. The fact that these three are conflated is a large part of why there are so many security issues with logins today. Biometrics are great at identification (each person has a unique identifier), but they're a bit hit-and-miss at authentication (bad actors can intercept or replicate them with varying degrees of ease), and their usefulness for authorization differs wildly based on implementation, since some of them are starting to stray into the territory of passive actions, rather than purposeful actions. For instance, Apple's Touch ID requires a purposeful action, making it clear that the user consents to the request, but Face ID seems as if it could be activated inadvertently, making it less clear whether authorization was actually intended to be granted.

Dike move, but expected

How is this any better really?

I can change passwords, I can have a unique password for every login. But I have only one set of fingerprints. And I can't change those if compromised. Furthermore, there is a number of ways to swipe biometric data from people, in some cases without their knowledge or by force, which a password is immune to.

noscript?!

"if website developers want to take advantage of this new standard they should start building support for the JavaScript API into their login capabilities"

the last thing we need for better security is more javascript :(

Biometrics as login or as password ?

I do hope they'll use these fingerprint scanners only as a login and not as a password, otherwise ppl will have a hard time changing their password next time a database is breached.

Yes, let us make it worse.

[140Mandak262Jamuna]

Passwords continue to be one of the weaker points in online security. A hacker may phish a target's password and log into their account, or take passwords from one data breach and use them to break into accounts on another site.

So the solution is to remove the passwords and replace it with something unchangeable if hacked. You know, whatever hash they use to store the immutable personal characteristics like fingerprints and retinal scans and brain wave Fourier transforms and voice print hash can never be hacked, not in a lifetime of the person. Yeah, sure.

Re: People don't even understand what they're losi

While I understand and share your concern, at this point it's pretty much unavoidable. Society has accepted biometric authentication and doesn't care about privacy.

We've accepted cameras everywhere, which with facial detection alone, is pretty inescapable. You can forget any 5th amendment rights in the future when it comes to technology evidence: biometrics is law enforcement's permanent shoe-in to the cryptography problem they face since they can easily access devices once your entire body is in custody.

Re:https://xkcd.com/927/

You don't get it. Client certificates are anonymous. I can request as many as I want to use each for a dedicated site. This is not permitted under our feudal residentship in the corporate America. The corps need to know and connect you between all of them. That's why they are pushing for biometrics. But for fsck's sake, biometrics are usernames only, not usernames, passwords and second factor together like the corps are selling them to be. The only reason they are pushing for biometrics is that when enough people get used to the biometrics being showed down their throats, the will accept being chipped with an always on locator beacon with a serial number.

Re:People don't even understand what they're losin

[Archangel+Michael]

You'll only be permanently identifiable for the rest of your life

Go live in a cave for the rest of your life. Then nobody will have to identify you, and you won't have to prove your identity to anyone.

Or, you can realize that identity is proof of who you are (and not someone else). The problem ISN'T identity theft, that is just a symptom of the problem. The REAL problem is that we have systems that make your identity your problem when you have no control over that information. A bank giving a loan out to someone who is not you, in your name, without your knowledge or consent shouldn't be YOUR problem, it should be theirs. They failed to do due diligence in ascertaining the person they gave $25,000 in credit isn't you.

All of this is because we've reduced identity to knowledge of facts, and not personal references. It is much harder to prove that you are me, if you also have to come up with fake people who pretend to be my known associates. This is why Identity should be based on web of trust, and not publicly identifiable traits.

We've given up security for convenience, and the ramifications are really bad.

Biometrics are NOT secure

It's astonishing that this is still not understood. Biometrics are a unique identifier, but you also can't change them. When they're breached, that's it. You can change a password; you can't change your fingerprints. And for whistleblowers or people in oppressive regimes, it's also much easier for a government to break into your accounts with biometrics than it is a password floating around in your head.

A strong passphrase + password managers (with different passwords for every account) + 2FA is still the best security you're going to get.