Slashdot Mirror

← Back to Stories (view on slashdot.org)

Biometric and App Logins Will Soon Be Pushed Across the Web (vice.com)

Posted by msmash on from the next-big-thing dept.

Soon, it will be much easier to log into more websites using a hardware key plugged into your laptop, a dedicated app, or even the fingerprint scanner on your phone. Motherboard: On Tuesday, a spread of organizations and businesses, including top browser vendors such as Microsoft and Google, announced a new standards milestone that will streamline the process for web developers to add extra login methods to their sites, potentially keeping consumers' accounts and data more secure. "For users, this will be a natural transition. People everywhere are already using their fingers and faces to 'unlock' their mobile phones and PCs, so this will be natural to them -- and more convenient," Brett McDowell, executive director at the FIDO Alliance, one of the organizations involved in setting up the standard, told Motherboard in an email.

"What they use today to 'unlock' will soon allow them to 'login' to all their favorite websites and a growing number of native apps that already includes Bank of America, PayPal, eBay and Aetna," he added. Passwords continue to be one of the weaker points in online security. A hacker may phish a target's password and log into their account, or take passwords from one data breach and use them to break into accounts on another site. The login standard, called Web Authentication (WebAuthn), will let potentially any website or online service use apps, security keys, or biometrics as a login method instead of a password, or use those alternative approaches as a second method of verification. The key here is making it easy and open for developers to use, and for it to work across all different brands of browsers. The functionality is already available in Mozilla's Firefox, and will be rolled out to Microsoft's Edge and Google Chrome in the new few months. Opera has committed to supporting WebAuthn as well.

96 of 161 comments (clear)

  1. https://xkcd.com/927/ by Anonymous Coward · · Score: 1

    https://en.wikipedia.org/wiki/Client_certificate

    1. Re:https://xkcd.com/927/ by Anonymous Coward · · Score: 4, Insightful

      You don't get it. Client certificates are anonymous. I can request as many as I want to use each for a dedicated site. This is not permitted under our feudal residentship in the corporate America. The corps need to know and connect you between all of them. That's why they are pushing for biometrics. But for fsck's sake, biometrics are usernames only, not usernames, passwords and second factor together like the corps are selling them to be. The only reason they are pushing for biometrics is that when enough people get used to the biometrics being showed down their throats, the will accept being chipped with an always on locator beacon with a serial number.

    2. Re:https://xkcd.com/927/ by TheRaven64 · · Score: 2, Informative

      There are a few problems with client certs as used with HTTPS. The first is that it's difficult to integrate the selection of a client cert with the login UI. Actually, in most browsers, it's pretty hard to have multiple client certs for a single web site at all (try it some time). Second, the JavaScript APIs for generating and installing client certs are pretty horrible. It also requires that the client cert be used as part of every TLS handshake in every HTTPS connection, which adds some latency when you're doing multiple requests to the same site.

      This API is designed to make it easy to generate a keypair, provide the public key to the remote site, and lock the private key somewhere. In particular, it allows the private key to be stored in a separate process (e.g. the Keychain on macOS / iOS) and never given to the web browser, or stored in an entirely separate device (e.g. a UbiKey U2F device). The browser or other user agent then exposes a unified API to allow the server to request a keypair be generated for a particular site and to request that something be signed to verify that the client has the private key that matches the public key that the server stored the first time.

      As I understand the API, it is designed so that the server never stores anything that might be reused across sites, so even if you use a single password / fingerprint / face scan / blood sample to log into everything, that never leaves your local device and each site gets a key that is uniquely associated with that {authenticator, user, site} triple, where the authenticator is one of a service provided by your OS, functionality provided by your browser, a U2F device, and so on.

      --
      I am TheRaven on Soylent News
    3. Re:https://xkcd.com/927/ by WaffleMonster · · Score: 2

      There are a few problems with client certs as used with HTTPS. The first is that it's difficult to integrate the selection of a client cert with the login UI.

      The problem with client certs there is no defined means of filtering out relevant certificate(s) for site one is visiting.

      For example lets say I have 100 client certs for 100 different sites. Each time I visit a site I'm prompted for which of the 100 certs I want to use. If I pick the wrong one TLS handshake fails and I get to try again. If I pick a compatible one or chose none them I'm stuck with that decision until browser restart.

      Most browsers don't even provide basic facilities to manage client certs such as remembering or internally applying filters such that the second time I visit site 54 I get site 54's client cert not a pick list of 100 certs.

      They also fail to allow client cert selection to be modified while browser is running. If I'm visiting a site and chose not to use my client cert there is no way for me to upgrade to using a client cert. Or if I have multiple client certs for the same site there is no way for me to select a different cert. Each change normally requires complete restart of browser to facilitate.

      These are all problems that can be trivially overcome with minimal effort.

      UI. Actually, in most browsers, it's pretty hard to have multiple client certs for a single web site at all (try it some time).

      The browser has no clue to begin with what certs are applicable to what sites so whether you have 100 for the same site or 1 for each of 100 sites the browser can't tell the difference.

      What is difficult is changing client certificates if you have multiple for a site as this requires a total restart of most browsers to facilitate.

      Second, the JavaScript APIs for generating and installing client certs are pretty horrible.

      The JavaScript APIs are pointless and should be ignored. Little point in not having sites issue certs directly during onboarding process.

      It also requires that the client cert be used as part of every TLS handshake in every HTTPS connection, which adds some latency when you're doing multiple requests to the same site.

      Session resumption works the same regardless with no additional subsequent round trips.

    4. Re:https://xkcd.com/927/ by JMJimmy · · Score: 1

      Any company that implements this as a requirement loses my business. Simple as that.

  2. People don't even understand what they're losing by Anonymous Coward · · Score: 4, Insightful

    Sure, go ahead and give your biometric data away. You'll only be permanently identifiable for the rest of your life.

  3. Authentication != identification by 140Mandak262Jamuna · · Score: 4, Insightful
    So if these things get hacked or stolen, there is no way for you to change the user name, or password.. Can people be this idiotic?

    All these finger prints and retina scanning or even social security number are just identifiers. They identify a person. The authentication is different. Authentication is like a signature, of the old pen and ink era. It should be at the control of the person.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Authentication != identification by Archangel+Michael · · Score: 1

      Can people be this idiotic?

      Yes. And it is probably even worse than that.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    2. Re: Authentication != identification by oh_my_080980980 · · Score: 1

      How exactly does Cambridge Analytica fit into this? Cambridge Analytica had nothing to do with identification/authentication issues. It had to do with an aspect of Facebook, sharing. Facebook allows you to share all your information, including contacts. So when you said yes to the survey, you agreed to share your information as well as the information about your friends. That's a process issue with Facebook not an issue with identification/authentication.

    3. Re:Authentication != identification by Greyfox · · Score: 1

      Can't be hacked and can easily be forced if law enforcement or the Russian mafia decides they want to see your information. Of course, with a password the Russian mafia will just beat you with a wrench until you log in, anyway, so YMMV.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    4. Re:Authentication != identification by Wrath0fb0b · · Score: 1

      Of course you can. Did you ever read the damned FIDO specification?!

      If you did, you'd realize that FIDO does not directly bind the biometric with the webpage. Rather it creates a asymmetric key pair (separate for each verifier) that allows the verifier to do a challenge response. This lets the verifier verify that the person trying to log in is the same person that associated the public key with the account at the time of enrollment.

      The biometric part only enters into the stage in terms of protecting the private key. Some implementations can, for instance, put the private key on a dongle-thingy and require a fingerprint to allow a single signature to be produced. Others might be like YubiKey and just require you to press the button to confirm you are physically in possession. If you'd like, you can write a fully conforming implementation that holds the public key encrypted

      In all cases, you can easily revoke the credential from the webpage just by asking them to forget the public key associated to the account (or even nuke all keys associated to the account).

      Honestly, the answer to the question "can people be this idiotic" is usually no. I mean, sure idiotic things happen, but to think that a major consortium of big players didn't think through the most obvious concerns about revocation or compromise is just nonsense.

    5. Re:Authentication != identification by TheRaven64 · · Score: 2

      The API is not about providing biometrics to the remote server, it is about generating keypairs and attestations. When you register a device with a site, you generate a key pair associated with the {authenticator, site, user} triple. The authenticator (U2F device, keychain, whatever) stores the private key, you upload the public key. When you want to log back in, the server provides you with some data, which you then sign with the private key and upload. The server can then check it with the public key and validate that you are the same person as last time.

      This means that you never upload a password, biometrics, or anything else of this nature to the web site. You may use biometrics, a hardware security module, or a password locally to authorise the authenticator to provide the attestation.

      A typical use case is logging in with a bluetooth U2F device with a fingerprint reader. When you want to log in, the web browser sends the data to sign to the U2F device. It then waits until you put your finger on the reader. If you don't, nothing happens. If you do then it signs the data and the web browser provides the attestation to the server. At no point does your fingerprint data even leave the U2F device.

      --
      I am TheRaven on Soylent News
    6. Re: Authentication != identification by Anubis+IV · · Score: 5, Insightful

      Actually, authentication is identification.

      No, it's not. They may be handled as part of the same step in some implementations (e.g. providing your username and password at the same time), but claiming to be X (i.e. identification, e.g. "Hi, I'm Joe") is not the same as proving one is X (i.e. authentication, e.g. "Here's my driver's license") is not the same as consenting to an action (i.e. authorization, e.g. "And here's my signature on the dotted line"). Put differently:
      - Identification: Let's make sure we know who we're talking about
      - Authentication: Let's make sure you're who you claim to be
      - Authorization: Let's make sure we have your consent

      Identification must always precede authentication must always precede authorization. The fact that these three are conflated is a large part of why there are so many security issues with logins today. Biometrics are great at identification (each person has a unique identifier), but they're a bit hit-and-miss at authentication (bad actors can intercept or replicate them with varying degrees of ease), and their usefulness for authorization differs wildly based on implementation, since some of them are starting to stray into the territory of passive actions, rather than purposeful actions. For instance, Apple's Touch ID requires a purposeful action, making it clear that the user consents to the request, but Face ID seems as if it could be activated inadvertently, making it less clear whether authorization was actually intended to be granted.

    7. Re:Authentication != identification by 0x537461746943 · · Score: 1

      I think you are misunderstanding how this could be implemented. The fingerprint is not sent to the site you are authenticating too. The site would likely create a very long cookie or auth code once you log in normally. To access that auth code to send to the website you would use the biometric login which would then send that encrypted auth code to the website. This is similar to how thumbprint works on existing phones. The thumbprint isn't sent outside the security context of the phone. It only unlocks the real code that gets sent to the website.

    8. Re:Authentication != identification by 0x537461746943 · · Score: 1

      Indeed... this is how it is recommended to get implemented...

      https://www.w3.org/TR/2018/CR-...

    9. Re: Authentication != identification by nukenerd · · Score: 1

      How exactly does Cambridge Analytica fit into this? Cambridge Analytica had nothing to do with identification/authentication issues. It had to do with an aspect of Facebook, sharing. ...

      With biometrics, Facebook and hence Cambridge Analytica would also get to know my fingerprint. With that, they (or people they sold it to) could then follow wherever else I went on the internet (including the IoT). My various identities (like "Nukenerd" here and "John Smith" on FB for example) could could then all be identified as one and the same by them for whatever nefarious purposes, to get a much fuller picture of what I do and who I am...

    10. Re:Authentication != identification by nukenerd · · Score: 1

      Yes. the current way is much better, have to remember 8,000 different passwords from many websites, each with their own requirements, oh also have to change them every X months.

      I'll tell you a secret. For 7995 of the 8000 websites I visit I use the same password. So (OMG!) an admin from another website could start posting crap here under my ID. But would you notice the difference?

      The 5 websites with different PWs are my bank etc. And I've never been asked to change a password except at work, monthly, but they pay for my time anyway.

    11. Re: Authentication != identification by bws111 · · Score: 2, Informative

      Your biometric info is only used (if at all) to unlock your local keystore in order that your private key (for that site) can be used to sign a challenge. Your biometric data is not transferred to the site in any way.

    12. Re:Authentication != identification by h4ck7h3p14n37 · · Score: 1

      Don't confuse them with facts!

      I've been testing the Yubico devices, they work great! I just put an order in for their new security tokens.

    13. Re: Authentication != identification by dclydew · · Score: 1

      Facebook etc will not have your fingerprint. There are may different biometric models, but they don't actually store a copy of your fingerprint and then check the whorls against your thumb.

      For example, a model may use a hash of key points in the thumbprint and that hash is used in a challenge/response from the server. A model may use the biometrics to generate a derived key or to unlock a local key store.

      Any website or OS worth their salt (pun intended) doesn't store your password, they store a salted hash of your password and its the hash you authenticate with, not the actual password. Same concept here.

      --
      Get a life, not a lifestyle. - Hikem Bey
    14. Re:Authentication != identification by AmiMoJo · · Score: 1

      Can people be this idiotic?

      PROTIP: When something coming from people with a good track record on security seems stupid, it's probably because you didn't understand it. Best to try to figure it out, rather than going for the easy +5 first outraged-at-the-stupidity post on Slashdot because your mistake will get very publicly pointed out.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  4. Dike move, but expected by Anonymous Coward · · Score: 4, Insightful

    How is this any better really?

    I can change passwords, I can have a unique password for every login. But I have only one set of fingerprints. And I can't change those if compromised. Furthermore, there is a number of ways to swipe biometric data from people, in some cases without their knowledge or by force, which a password is immune to.

    1. Re:Dike move, but expected by taustin · · Score: 1

      Er, dude, passwords can (and are, often) certainly be brute forced without the victim's knowledge.

      And passwords can certainly be beaten out of someone as easily as a finger cut off and taken.

    2. Re:Dike move, but expected by 0x537461746943 · · Score: 1

      The fingerprint information is only stored on your device and does not get sent to the website you are logging into. Someone cannot use your thumbprint to get access to the website from another device. They would have to login to your specific device and use your thumbprint on it to get access. Essentially the website login information is just stored inside a security container that gets unlocked with your fingerprint. Think of it kind of like a password manager but using your thumbprint to use it. The thumbprint is only used locally and not part of the login information for the website.

    3. Re:Dike move, but expected by AmiMoJo · · Score: 1

      The fingerprint is only used to control access to a token that gets sent to the site. If the token gets compromised just generate a new one. If your fingerprint gets compromised they still need your laptop to get the token. If both get compromised you are screwed anyway.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  5. noscript?! by Anonymous Coward · · Score: 3, Insightful

    "if website developers want to take advantage of this new standard they should start building support for the JavaScript API into their login capabilities"

    the last thing we need for better security is more javascript :(

  6. Biometrics as login or as password ? by Anonymous Coward · · Score: 4, Insightful

    I do hope they'll use these fingerprint scanners only as a login and not as a password, otherwise ppl will have a hard time changing their password next time a database is breached.

    1. Re:Biometrics as login or as password ? by Opportunist · · Score: 2

      Well, you should be good for 9 changes. The tenth could be a bit hard unless you're from Alabama.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Biometrics as login or as password ? by TheRaven64 · · Score: 2

      Neither. You use a user name as a login. You use the fingerprint scanner to authorise your device to provide an attestation. The attestation is something signed with a private key, where you have previously updated a (unique) public key to the site. You may store a set of keys identified by {user, site} pairs, or you might generate the private keys from a {user, site, secret} triple and provide the associated public key on demand. The latter is what most U2F devices do, so if someone steals the device they have no means of enumerating all of the sites that it's valid for.

      Typically, when you upload the public key, you'll associate some convenient name with it. Next time you log in with some recovery information or with another registered authenticator you can just go to the list and disable that one.

      --
      I am TheRaven on Soylent News
    3. Re:Biometrics as login or as password ? by taustin · · Score: 2

      Toe prints are just as unique as fingerprints.

      Makes logging into YouPorn a bit more of a challenge, though, what with your pants around your ankles and all.

  7. 00000000 by thinkwaitfast · · Score: 1

    I don't have any internet accounts worth securing

    1. Re:00000000 by Opportunist · · Score: 1

      Say, how exactly do you connect to the internet? Could it be that your modem connects using a username and password? You might not have seen it, ever, but that doesn't mean it ain't there. And can be abused for nefarious activities that will finally be pegged to you, the rightful user of that account.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:00000000 by Penguinisto · · Score: 1

      Your main point is correct, but...

      Most modems nowadays (Sat, Cable, DSL) don't bother with a user/pass from you just to get itself online, because it originates from a physical point-of-presence - specifically, your home address.

      Now the built-in wifi** is a different story, sure - but nothing prevents me from using ethernet-only in the house (well in my case I might have to bury some fiber to get out from the house to the home office and shop, but...)

      ** built-in wifi is not a given. My Exede/ViaSat modem doesn't have it (so I provide my own router plugged into the ethernet port).

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    3. Re:00000000 by WaffleMonster · · Score: 1

      Most modems nowadays (Sat, Cable, DSL) don't bother with a user/pass from you just to get itself online, because it originates from a physical point-of-presence - specifically, your home address.

      Cable is a shared medium. It uses BPI+ yet the initial handshake is still very much faith based.

      DSL in some ways is more physically secure because unlike cable there is no shared medium. Every link is point to point. They often use MAC or PPPoE schemes with crummy authentication protocols. This is done more for management purposes than actual security.

    4. Re:00000000 by flink · · Score: 1

      Your main point is correct, but...

      Most modems nowadays (Sat, Cable, DSL) don't bother with a user/pass from you just to get itself online, because it originates from a physical point-of-presence - specifically, your home address.

      Every DSL setup I've ever used has had some flavor of CHAP running over PPP or PPPoE. If you are using an ISP-supplied modem, then the tech probably put the credentials in there for you, but if you are bringing your own device to the table, you definitely had to get your account username and password from the ISP in order to be able to get your modem online.

      Cable modems, I believe, have a more sophisticated authentication setup, requiring the device itself to be authorized.

      Either way, you can't just stick a vanilla unauthenticated modem on a residential cable or DSL line and have it work.

    5. Re:00000000 by Opportunist · · Score: 1

      ...if your provider lets you control it. More and more you're forced to use your provider's modem and they, not you, decide whether your WiFi is on.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. They get your password, you just change it. by Fly+Swatter · · Score: 1

    But if they get your 'biometrics', you um... Use a different finger? Use a different face?

    1. Re:They get your password, you just change it. by nukenerd · · Score: 1

      But if they get your 'biometrics', you um...Use a different finger?Use a different face?

      Halloween mask? I can see a brisk trade in thimbles with false fingerprints - a different one for every occasion.

  9. Yes, let us make it worse. by 140Mandak262Jamuna · · Score: 5, Insightful

    Passwords continue to be one of the weaker points in online security. A hacker may phish a target's password and log into their account, or take passwords from one data breach and use them to break into accounts on another site.

    So the solution is to remove the passwords and replace it with something unchangeable if hacked. You know, whatever hash they use to store the immutable personal characteristics like fingerprints and retinal scans and brain wave Fourier transforms and voice print hash can never be hacked, not in a lifetime of the person. Yeah, sure.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Yes, let us make it worse. by fluffernutter · · Score: 1

      But they use fingerprint authentication in TV and movies all the time! It HAS to be a good idea, all the best movie safes have them!

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    2. Re:Yes, let us make it worse. by Fly+Swatter · · Score: 1

      It gets even stupider when you realize they are breaking one of the 1st rules of passwords, use a different one for each account.

    3. Re:Yes, let us make it worse. by fluffernutter · · Score: 2

      Maybe we could use a different hand expression per site. I know what I am using for Facebook!

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    4. Re:Yes, let us make it worse. by timftbf · · Score: 2

      They're not doing that, unless I'm missing something. The one "password" (fingerprint) is used to unlock your local secure key store, which contains many "passwords" (keys) for many sites.

      Reads to me like it's a standardised interface to a password manager (LastPass, KeePass, etc) with some verification, anti-replay, etc on top, and using longer and better-generated secrets than a handful of typeable characters.

    5. Re:Yes, let us make it worse. by Jahta · · Score: 1

      Passwords continue to be one of the weaker points in online security. A hacker may phish a target's password and log into their account, or take passwords from one data breach and use them to break into accounts on another site.

      So the solution is to remove the passwords and replace it with something unchangeable if hacked. You know, whatever hash they use to store the immutable personal characteristics like fingerprints and retinal scans and brain wave Fourier transforms and voice print hash can never be hacked, not in a lifetime of the person. Yeah, sure.

      Not to mention that, legally speaking, in many countries passwords are protected by your right to silence. Biometrics typically aren't; you can be legally compelled to provide a fingerprint, say, to unlock an account or a device.

    6. Re:Yes, let us make it worse. by TheRaven64 · · Score: 1

      I think you're the tenth person to attack the same straw man that has absolutely nothing to do with how the WebAuthn design actually works. Do you get some kind of prize?

      --
      I am TheRaven on Soylent News
  10. Could you run this by a security department? by Opportunist · · Score: 2

    Or are you afraid of going deaf because of the volume of the "OH HELL NO!" that will be yelled at you?

    Are you nuts? Seriously, I'm asking. Are you nuts? Who is idiot enough to, after the past YEARS of identity theft and privacy abuse, even suggest something like this? And how much faith in the idiocy of humanity does it take to expect people to actually WANT this?

    I'm not even going for the obvious "identification != authentication". It's been shown time and again that it's trivially easy to bypass biometric scans, at least user-grade devices that do it. And you want me to trust my banking to something like this?

    I have to ask again: Are you stupid?

    Or do you just think I am?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Could you run this by a security department? by bws111 · · Score: 1

      Could you at least make a feeble attempt to understand what this actually is prior to ranting?

      This is NOT identifying OR authenticating you with biometrics. Identification is still done with some sort of userid. Authentication is done with public key encryption.

      When you sign up for a service, you get a userid, and YOU generate a public/private key pair. You send the PUBLIC key to the service and keep the PRIVATE key private. When the site later wants to authenticate you, it sends a challenge. You sign the challenge with your private key and return it. If your signature is successfully matched with the previously stored public key, you are authenticated. If someone intercepts the conversation they get nothing useful, because next time the challenge will be different, and no actual keys were exchanged. If someone hacks the service all they get is a bunch of PUBLIC keys.

      Now, how to protect your PRIVATE key is totally up to you. You could keep it in an encrypted file that is unlocked with biometrics. Or, you could keep it in a hardware cryptography module in a PC protected with 4096 bit encryption, inside a steel cage. Or anything in between. It is up to YOU, not the service.

    2. Re:Could you run this by a security department? by WaffleMonster · · Score: 1

      When you sign up for a service, you get a userid, and YOU generate a public/private key pair. You send the PUBLIC key to the service and keep the PRIVATE key private. When the site later wants to authenticate you, it sends a challenge. You sign the challenge with your private key and return it. If your signature is successfully matched with the previously stored public key, you are authenticated. If someone intercepts the conversation they get nothing useful, because next time the challenge will be different, and no actual keys were exchanged. If someone hacks the service all they get is a bunch of PUBLIC keys.

      In other words reinventing client certificates poorly and mistaking it for progress.

      Now, how to protect your PRIVATE key is totally up to you. You could keep it in an encrypted file that is unlocked with biometrics. Or, you could keep it in a hardware cryptography module in a PC protected with 4096 bit encryption, inside a steel cage. Or anything in between. It is up to YOU, not the service.

      Until you lose your key and go whining to the operators of the service.

    3. Re:Could you run this by a security department? by bws111 · · Score: 1

      Why, exactly, is it a 'poor implementation'? Where is a 'good implementation', and why isn't it being used anywhere?

      Losing your key is no different than losing/forgetting your password.

    4. Re:Could you run this by a security department? by WaffleMonster · · Score: 1

      Where is a 'good implementation', and why isn't it being used anywhere?

      TLS mutual certificate authentication has been widely deployed in corporate environments for creeping up on two decades now.

      TLS mutual password authentication using ZKP/PAKE is able to securely authenticate passwords with no information leakage and no external sources of trust. This technology is widely deployed across all the major TLS stacks.

      Both sources of trust contribute to and are cryptographically bound to underlying communications channel.

      Why, exactly, is it a 'poor implementation'?

      Primarily it's the wrong layer. It doesn't leverage itself to secure underlying communications channel.

      The security of whatever your protecting with "secure authentication" is directly dependent on the security of hundreds of globally redundant DV CAs several of which are known to be owned and operated by foreign governments. Virtually all the worlds CAs use automated indications from totally INSECURE protocols to AUTOMATICALLY issue certificates and do not even coordinate amongst themselves.

      A secure authentication protocol stands alone not requiring PKI or other auxiliary sources of trust to protect integrity of authentication process.

      A secure authentication protocol does NOT put the end user at risk even when they enter their passwords into the wrong site.

      This scheme does nothing to support secure password authentication.

      Losing your key is no different than losing/forgetting your password.

      Exactly my point. The service is a stakeholder in key management.

      Most Internet based 2FA schemes actually deployed today are designed to offer recovery leveraging either factor alone or even worse (see password reset questions). It isn't about enhancing security it's about enhancing your ability not to be locked out of your shit.

      The fundamental reality is most Online services don't give a crap about how secure you are they care about protecting their wallets from the deleterious effects of handling "I forgot my password".

    5. Re:Could you run this by a security department? by h4ck7h3p14n37 · · Score: 1

      Until you lose your key and go whining to the operators of the service.

      I have several of the Yubikeys and in the user guides they explicitly tell you to (a) have a spare and (b) make a backup.

    6. Re:Could you run this by a security department? by WaffleMonster · · Score: 1

      Do you not realize that the mechanism itself does actually authenticate and verify that it is talking to the correct website?

      When you enroll your device with the website in the first place, mutual trust is established.

      This process depends on PKI to protect the integrity of initial handshake rather than standing alone.

      If initial account creation and "device enrollment" are the same things then the effective difference between providing a password and enrolling is academic otherwise see below.

      Often in security sensitive situations account creation has an offline component where one must appear in person with appropriate papers or they are otherwise provided with initial credentials out of band such as when showing up for work or being given credentials in a phone conversation.

      If a user puts their password into the same site and then presses their key, their actual account is still safe.

      Assume someone was able to fraudulently obtain a cert for target domain. No compromise of the server has taken place.

      A bad actor leverages this certificate to impersonate target domain. When "enrolling" using this authentication scheme bad actor is able to MITM the entire process giving themselves the key to your account while leaving you with a worthless paper weight of a key to the attackers system.

      With a secure authentication protocol this isn't possible because password itself is used to establish proof of possession and impersonation attacks fail on the imposter certificate.

      Obviously a password only serving as a local gatekeeper to locally stored private key is never compromised but this really isn't the point. The point is this source of trust can't be directly leveraged to protect the communications channel. It's exclusively a "by-proxy" scheme which requires external sources of trust to remain secure. Depending on local protection schemes it may also provide additional attack vectors for brute forcing passwords if a users device is compromised that would otherwise not even be represented in persistent storage.

      Even when using token bindings the bindings themselves are divorced from underlying credentials.

    7. Re:Could you run this by a security department? by Opportunist · · Score: 1

      As long as we let idiots run our companies and even the world, how could you resist?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. Re: People don't even understand what they're losi by Anonymous Coward · · Score: 2, Insightful

    While I understand and share your concern, at this point it's pretty much unavoidable. Society has accepted biometric authentication and doesn't care about privacy.

    We've accepted cameras everywhere, which with facial detection alone, is pretty inescapable. You can forget any 5th amendment rights in the future when it comes to technology evidence: biometrics is law enforcement's permanent shoe-in to the cryptography problem they face since they can easily access devices once your entire body is in custody.

  12. I don't see how by DarkRookie · · Score: 1

    This is really doesn't seem to fix anything.
    Just changes the password to a piece of hardware that you must always have on you or you must carry 5 around with you
    Also, fingerprint scanning sucks IMO. My phone will not read it unless the sensor is completely clean, and then only works 3 out 10 times. YMMV thou.

    --
    The millennial that doesn't like most of the stuff designed for millennials.
  13. Msmash, Stop the bullshit posting by casings · · Score: 1

    You need to be taken out back and beaten with reeds.

  14. Can't wait to see my biometric data by MerlinTheWizard · · Score: 3
    leaking and widely available. I'm sure it's no big deal. :D

    The fact that passwords, just like physical keys, are not linked to an identity is actually a very big plus in terms of security IMO. Of course they can get stolen (and there are schemes to make it less likely to matter, such as multi-factor authentification.) But the very fact that one could steal both your passwords AND identity at the same time (which will inevitably happen at some point when both are linked) is much, much worse.

  15. I'll never use them by Anonymous Coward · · Score: 1

    With all the massive hacks happening daily, the last thing I would want is to rely on a password I cannot change.

  16. Start off with false assumptions, add a bad idea by andrewbaldwin · · Score: 1

    "People everywhere are already using their fingers and faces to 'unlock' their mobile phones and PCs"

    Not in my circle of tech literate friends and colleagues.

    1) Many realise that biometrics == username and not an authentication 'password'

    2) Fingerprint & face technologies are not robust and can be fooled. False negatives will turn people off the idea so expect the pattern matching to be loose at best.

    3) Biometrics can't be changed easily (if at all)

    4) Many people don't have/want phones / laptops with fingerprint readers or face recognition software. I for one don't see why I should dump perfectly serviceable hardware just to buy new copies with these features (which have yet to settle on a widely accepted standard). I could argue on 'green' grounds about why this is a bad idea but basically I'm too mean to waste money repeatedly changing and upgrading just to keep in fashion.

    5) If remembering passwords is an issue, use a password safe. Personally I LIKE passwords - they can be complex yet easy to remember and I have [the illusion of] control.

  17. Re:What's going to suck... by Fly+Swatter · · Score: 1

    It's going to suck more for them as my business goes elsewhere.

  18. Re:People don't even understand what they're losin by Archangel+Michael · · Score: 5, Insightful

    You'll only be permanently identifiable for the rest of your life

    Go live in a cave for the rest of your life. Then nobody will have to identify you, and you won't have to prove your identity to anyone.

    Or, you can realize that identity is proof of who you are (and not someone else). The problem ISN'T identity theft, that is just a symptom of the problem. The REAL problem is that we have systems that make your identity your problem when you have no control over that information. A bank giving a loan out to someone who is not you, in your name, without your knowledge or consent shouldn't be YOUR problem, it should be theirs. They failed to do due diligence in ascertaining the person they gave $25,000 in credit isn't you.

    All of this is because we've reduced identity to knowledge of facts, and not personal references. It is much harder to prove that you are me, if you also have to come up with fake people who pretend to be my known associates. This is why Identity should be based on web of trust, and not publicly identifiable traits.

    We've given up security for convenience, and the ramifications are really bad.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  19. Slippery slope... by Anonymous Coward · · Score: 1

    I am against slippery slopes, but:
    Want to purchase food? Need to use your fingerprint. Don't want to give fingerprint? No food. Use fingerprint? Hmm, you're purchasing too much junk food. Your insurance company has been notified, your rates go up accordingly.

  20. um, no by cascadingstylesheet · · Score: 1

    People everywhere are already using their fingers and faces to 'unlock' their mobile phones and PCs, so this will be natural to them

    Um, no. First of all, "people everywhere" do not use those, only a subset of them, and I suspect a small subset.

    Secondly, access to an object normally in your physical control is not the same as access to remote websites.

  21. What we need is a OTP that uses public keys... by ctilsie242 · · Score: 1

    What we need is a MFA standard, similar to the open source Google Authenticator/RFC 6238/RFC4226 standard, but instead of a shared secret, it uses a public key, so of an attacker slurps the list of 2FA info from a company, they won't receive anything that would benefit them, as opposed to a shared secret key that they could use later on to attack specific accounts.

    We already have biometrics for authentication. My Lastpass 2FA app has the option of setting a fingerprint before it will show codes. Similar with other programs like mSecure, Codebook, SafeInCloud, 1Password, and EnPass.

  22. Dongles? by houghi · · Score: 1

    What if it breaks or gets stolen? From what I see it is basically a password manager. I would need several of them as I have several computers.
    At this moment I am typing this at my PC at work during my break. I would not be able to use the dongle on this PC.
    I would also need a dongle for each and every PC that I own, as I might want to use that specific one. It is not convinient to move them fropm one to the next one as I often use two at the same time. And some are even accessed remotely.
    And I must not forget to remove the dongle if somebody else is using it.

    And then we need to hope that this is an open standard that can be used in such a way that I am not dependent from any company, nor that I am limited in any way or that any third party has any information on me in any way.

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:Dongles? by timftbf · · Score: 1

      It does seem to suggest that they expect out-of-band authentications to be possible. e.g. the password manager lives on your phone. When you log in from your PC, a request is sent to your phone asking if you want to allow access from the that PC (with some kind of fingerprinting info that would let you make a reasonable confirmation that you're authenticating your connection, and not a random hack attempt being made at the same time). You unlock the password manager and authenticate on the phone, and that permits the corresponding PC session to proceed, without the PC needing to have access to the password manager.

      Thinking about it, I already have cases where exactly this happens, for some Apple and Blizzard sites. I don't have to copy an authentication code from my Blizzard phone app into a PC login, I just acknowledge that it's my PC trying to access right now.

    2. Re:Dongles? by Anne+Thwacks · · Score: 2
      Even worse....I'm at my parents house and need to login to one of my accounts but I left my dongle (or hardware key) at home. Now what?

      You 3D print a Kaptain Krunch whistle - you don't think this system will actually be secure, do you?

      --
      Sent from my ASR33 using ASCII
  23. Sharps by unixcorn · · Score: 1

    So you don't want to give up your fingerprint willingly? No worries, I have a knife or scissors or I'll just kill you and drag your body to the scanner. Much easier than trying to beat a password/phrase/answer out of you.

  24. RTFSpec by timftbf · · Score: 1

    The article is, unsurprisingly, light on detail, and the proposal doesn't have a great deal to do with the headline. The spec at W3, at least from a first skim, is a lot more informative.

    This is absolutely *not* about random web-sites using your biometric information (or some magical hash thereof) as authentication. It's about using your biometric identification, or some other MFA, to unlock access to the credential store - something like Lastpass, Keepass, et al.

    When you register with a site, you and the site generate authentication keys. You swipe your fingerprint, insert your USB magic-key, or whatever to unlock the secure key store, and your authentication key is stored - either in a secure enclave, or encrypted with a totally local key that's stored in the secure enclave.

    When you go back to log into that site again, you're prompted to complete the same ceremony again to unlock the key store and retrieve the material you prepared earlier.

    There's some more details on top of that to make sure that:

    -the site asking for your credentials is the same site you registered with
    -the site can *only* ask for the credentials associated with it, not convince you to swipe / insert / whatever and go fishing in your key store for other useful credentials
    -the credentials are generated correctly to have lots of length and randomness in so password-style brute-force or rainbow tables aren't applicable

    and the authentications are encrypted challenge / responses, rather direct exchange of actual key material, so you try to avoid replay attacks and the like.

    The only place your biometric info is ever used (if you want to use it as one of your factors) is to unlock your local key store. It's never sent across the network.

    I'm nothing like enough of a cryptohead to say if the details of the proposal are right or solid, but it doesn't seem insanely wrong, and it's certainly not "OMG everyone now has my fingerprints instead of a password!"

    1. Re:RTFSpec by timftbf · · Score: 1

      Again, skimming, but the spec seems fairly abstract in terms of "Authorization Gestures" and "Ceremonies" without mandating how these are done.

      There is some mention of biometric specifics, but only (as far as I can find so far) in letting the requesting site specify acceptable false-positive and false-negative rates for the client-side Authorization Gesture.

      I'm not clear yet how the site goes about validating that an Authenticator behaves as per the spec. Perhaps the onus is on the user if they use a client which lies about its ability to deal with key material securely? That would suggest we're still going to need some kind of user-education to use a robust Authenticator and not "Special Russian Business Network Keystore (with Prizes!)" that came as a drive-by install :(

    2. Re:RTFSpec by timftbf · · Score: 1

      Seems a reasonable request, although I think you can get some of the way there with 'keep me logged in', appropriate use of cookies, and the sites making sensible UX decisions about how often to authenticate.

      I'm happy if my many web forum accounts only ask me to authenticate the first time on a new device, or maybe every 30, 60, 90 days. Perhaps I can browse Amazon on a cookie, but I need to authenticate again to buy something? (Above a limit?) My bank should authenticate me when I log in, and again for each transaction I make. Your thresholds might be different...

    3. Re:RTFSpec by bws111 · · Score: 1

      It seems to me that with this method it could be entirely up to the client how often you need to 'authenticate'. In other words, your key manager could have settings for each site, ranging from 'just reply without asking me' (for forums, etc) to 'ask me every 10 minutes' (for banking, etc).

  25. Re:Apple? by Penguinisto · · Score: 1

    RTFA? You must be new here.

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  26. How Orwellian! by Grand+Facade · · Score: 1

    Slowly the frog boils.

    --
    Rick B.
  27. Re:People don't even understand what they're losin by TheRaven64 · · Score: 1

    I've not read the latest draft, but the earlier version of this spec was basically U2F with enough abstraction to avoid tying it to a specific hardware implementation. The goal was to have the user agent generate authentication tokens and accept responsibility for identifying the user, possibly using a hardware token, possibly using a separate process that handles credentials. I don't think uploading biometric data is part of the spec (unless it's changed), but using biometrics locally to authorise access to credentials is.

    --
    I am TheRaven on Soylent News
  28. And - by no-body · · Score: 1

    what's the privacy on this?
    How are my access data protected and stored across the board?
    Thinking about this Facebook crap, I just want to start vomiting.

    And ... using Tor, at least I get a warning ... attempted to extract HTML5 canvas data ... uniquely identifying your computer.
    All the other browser just do it, and who uses it without even asking for permission.

    Is any politician in this country (USA) even remotely aware about this abuse and doing (or can) something about it? Hardly...
    And - don't give me the crap of it's too late, you have no privacy and - the genie is out of the bottle. It won't change the abuse happening....

    1. Re:And - by cmaurand · · Score: 1

      There isn't any. You have no expectation of privacy on public services

    2. Re:And - by no-body · · Score: 1

      There isn't any. You have no expectation of privacy on public services

      Total BS you utter here, shows the usual uncritical wimp behavior getting fucked over.

      I have expectations against abuse and exploit of my privacy. Apparently, in other countries something like that exists and there are attempts to hold the bigger players - Google, Facebook, Twitter etc. somewhat accountable.

      For starters - you are not allowed to take a picture of a person without getting permission to do so and people in those countries are growing up with this kind of consciousness. You are not - wimp!

  29. Re: WTF? by Anonymous Coward · · Score: 1

    This.

    I would bet 10 BTC that the same people who were 'shocked' that Facebook was having their info will be the first to use this.

    Then they'll be surprised in 5 years to realize it ties all their activity to their bio data.

  30. just wait for pre existing conditions rules to go by Joe_Dragon · · Score: 1

    just wait for pre existing conditions rules to go away then you will be blacklisted (USA ONLY does not apply to jail / prison system)

  31. This would solve the problem of passwords by cmaurand · · Score: 1

    But make my identity easier to steal in the case of a data breach. This doesn't solve the problem.

    1. Re:This would solve the problem of passwords by bws111 · · Score: 1

      How will it make that easier? In case of a breach, all they get is a bunch of public keys.

  32. Cable, DSL is tied to the modem ID by Joe_Dragon · · Score: 1

    Cable, DSL is tied to the modem ID

  33. More BS from cyber stalking firms by WaffleMonster · · Score: 1

    What a brilliant idea. Lets all come up with a "secure" web authentication feature that doesn't actually allow for secure password authentication.

    Just for fun lets toss in "User Consent" and "User Presence" because "security".

    And to complete our incompetence... channel bindings? What channel bindings?

  34. Soon? by nospam007 · · Score: 1

    My bank app, my paypal app, my amazon app, ... has been doing that for years now.

    Since I'm an old fart here and ergo I can't possible read neither THA nor TFS, what's actually new here?

  35. Biometrics are NOT secure by Anonymous Coward · · Score: 3, Insightful

    It's astonishing that this is still not understood. Biometrics are a unique identifier, but you also can't change them. When they're breached, that's it. You can change a password; you can't change your fingerprints. And for whistleblowers or people in oppressive regimes, it's also much easier for a government to break into your accounts with biometrics than it is a password floating around in your head.

    A strong passphrase + password managers (with different passwords for every account) + 2FA is still the best security you're going to get.

    1. Re:Biometrics are NOT secure by DontBeAMoran · · Score: 1

      A password manager is still a security risk and has been proven to be a weak point in the past.

      A strong passphrase + paper notepad* + 2FA is the best security.

      If someone has access to your paper notepad, it means he's in your house and you have more to worry about than passwords.

      --
      #DeleteFacebook
    2. Re:Biometrics are NOT secure by Cederic · · Score: 1

      Strange, you never access online services from outside your home?

      The rest of us do.

  36. Re:People don't even understand what they're losin by Anne+Thwacks · · Score: 2
    you can realize that identity is proof of who you are (and not someone else)

    Exactly.

    I may wish to prove who I am to my bank. I might not be so keen to prove it to www.randomwebsite.com and I sure as hell have no wish to prove it to www.porns.r.us.scam and goat.se

    Also, I have no wish for hackers.ru to be able to prove they are me for the rest of my life.

    YMMV

    --
    Sent from my ASR33 using ASCII
  37. Face/Off by Aereus · · Score: 1

    Just gotta watch out for Nicolas Cage...

  38. Ya, no. Fingerprints can be damaged. by fahrbot-bot · · Score: 1

    I once had to postpone getting my fingerprints taken for my job at NASA for a week because some of my fingers/prints were cut, calloused and beaten-up from car and house work. Anyone want chance getting locked out of your computer and the web for a week?

    --
    It must have been something you assimilated. . . .
  39. Re:Start off with false assumptions, add a bad ide by elcor · · Score: 1

    OP is working for a brainstorming group, fishing for ideas to refine his biometric rational.

  40. New Yubico Security Tokens by h4ck7h3p14n37 · · Score: 2

    The fingerprint scanner was just one example of a supported device. You can use hardware tokens too.

    Yubico announced their new security tokens today, they ship on the 13th.

  41. Re:People don't even understand what they're losin by Anonymous Coward · · Score: 1

    You're not giving it away. The biometric data is used like the password to your private key. The entire thing is about standardizing the API for PKI authentication - certificate based.

  42. Re:People don't even understand what they're losin by AmiMoJo · · Score: 1

    Why do you think this involves giving your biometric data away?

    Your computer/phone scans your fingerprint and then tells the web site that you authenticated, with a token to prevent impersonation. The biometric data never leaves your local control.

    For most people it's a massive win. No more crappy passwords. For experts we can more easily use security tokens.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  43. Re:People don't even understand what they're losin by Archangel+Michael · · Score: 1

    I bet you can produce a person or two (maybe more) that can verify that you are who you say your are. That kind of "information" is based on "trust", not trusting that someone who can produce a list of facts is you. I doubt that a Russian can prove he is you if he also has to provide a number of people who are known associates of you, with their own list of associations.

    I have all sorts of documentation of my relationships with other people, spanning decades. That kind of information is much harder to forge than knowing a bunch of publicly known facts about me.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.