Slashdot Mirror


Biometric and App Logins Will Soon Be Pushed Across the Web (vice.com)

Soon, it will be much easier to log into more websites using a hardware key plugged into your laptop, a dedicated app, or even the fingerprint scanner on your phone. Motherboard: On Tuesday, a spread of organizations and businesses, including top browser vendors such as Microsoft and Google, announced a new standards milestone that will streamline the process for web developers to add extra login methods to their sites, potentially keeping consumers' accounts and data more secure. "For users, this will be a natural transition. People everywhere are already using their fingers and faces to 'unlock' their mobile phones and PCs, so this will be natural to them -- and more convenient," Brett McDowell, executive director at the FIDO Alliance, one of the organizations involved in setting up the standard, told Motherboard in an email.

"What they use today to 'unlock' will soon allow them to 'login' to all their favorite websites and a growing number of native apps that already includes Bank of America, PayPal, eBay and Aetna," he added. Passwords continue to be one of the weaker points in online security. A hacker may phish a target's password and log into their account, or take passwords from one data breach and use them to break into accounts on another site. The login standard, called Web Authentication (WebAuthn), will let potentially any website or online service use apps, security keys, or biometrics as a login method instead of a password, or use those alternative approaches as a second method of verification. The key here is making it easy and open for developers to use, and for it to work across all different brands of browsers. The functionality is already available in Mozilla's Firefox, and will be rolled out to Microsoft's Edge and Google Chrome in the next few months. Opera has committed to supporting WebAuthn as well.

25 of 161 comments

  1. People don't even understand what they're losing by Anonymous Coward · · Score: 4, Insightful

    Sure, go ahead and give your biometric data away. You'll only be permanently identifiable for the rest of your life.

  2. Authentication != identification by 140Mandak262Jamuna · · Score: 4, Insightful
    So if these things get hacked or stolen, there is no way for you to change the user name, or password. Can people be this idiotic?

    All these fingerprints and retina scanning or even social security number are just identifiers. They identify a person. The authentication is different. Authentication is like a signature, of the old pen and ink era. It should be at the control of the person.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Authentication != identification by TheRaven64 · · Score: 2

      The API is not about providing biometrics to the remote server, it is about generating keypairs and attestations. When you register a device with a site, you generate a key pair associated with the {authenticator, site, user} triple. The authenticator (U2F device, keychain, whatever) stores the private key, you upload the public key. When you want to log back in, the server provides you with some data, which you then sign with the private key and upload. The server can then check it with the public key and validate that you are the same person as last time.

      This means that you never upload a password, biometrics, or anything else of this nature to the web site. You may use biometrics, a hardware security module, or a password locally to authorise the authenticator to provide the attestation.

      A typical use case is logging in with a Bluetooth U2F device with a fingerprint reader. When you want to log in, the web browser sends the data to sign to the U2F device. It then waits until you put your finger on the reader. If you don't, nothing happens. If you do then it signs the data and the web browser provides the attestation to the server. At no point does your fingerprint data even leave the U2F device.

      --
      I am TheRaven on Soylent News
    2. Re: Authentication != identification by Anubis+IV · · Score: 5, Insightful

      Actually, authentication is identification.

      No, it's not. They may be handled as part of the same step in some implementations (e.g. providing your username and password at the same time), but claiming to be X (i.e. identification, e.g. "Hi, I'm Joe") is not the same as proving one is X (i.e. authentication, e.g. "Here's my driver's license") is not the same as consenting to an action (i.e. authorization, e.g. "And here's my signature on the dotted line"). Put differently:
      - Identification: Let's make sure we know who we're talking about
      - Authentication: Let's make sure you're who you claim to be
      - Authorization: Let's make sure we have your consent

      Identification must always precede authentication must always precede authorization. The fact that these three are conflated is a large part of why there are so many security issues with logins today. Biometrics are great at identification (each person has a unique identifier), but they're a bit hit-and-miss at authentication (bad actors can intercept or replicate them with varying degrees of ease), and their usefulness for authorization differs wildly based on implementation, since some of them are starting to stray into the territory of passive actions, rather than purposeful actions. For instance, Apple's Touch ID requires a purposeful action, making it clear that the user consents to the request, but Face ID seems as if it could be activated inadvertently, making it less clear whether authorization was actually intended to be granted.

    3. Re: Authentication != identification by bws111 · · Score: 2, Informative

      Your biometric info is only used (if at all) to unlock your local keystore in order that your private key (for that site) can be used to sign a challenge. Your biometric data is not transferred to the site in any way.

  3. Dike move, but expected by Anonymous Coward · · Score: 4, Insightful

    How is this any better really?

    I can change passwords, I can have a unique password for every login. But I have only one set of fingerprints. And I can't change those if compromised. Furthermore, there are a number of ways to swipe biometric data from people, in some cases without their knowledge or by force, which a password is immune to.

  4. noscript?! by Anonymous Coward · · Score: 3, Insightful

    "if website developers want to take advantage of this new standard they should start building support for the JavaScript API into their login capabilities"

    the last thing we need for better security is more javascript :(

  5. Biometrics as login or as password ? by Anonymous Coward · · Score: 4, Insightful

    I do hope they'll use these fingerprint scanners only as a login and not as a password, otherwise ppl will have a hard time changing their password next time a database is breached.

    1. Re:Biometrics as login or as password ? by Opportunist · · Score: 2

      Well, you should be good for 9 changes. The tenth could be a bit hard unless you're from Alabama.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Biometrics as login or as password ? by TheRaven64 · · Score: 2

      Neither. You use a user name as a login. You use the fingerprint scanner to authorise your device to provide an attestation. The attestation is something signed with a private key, where you have previously uploaded a (unique) public key to the site. You may store a set of keys identified by {user, site} pairs, or you might generate the private keys from a {user, site, secret} triple and provide the associated public key on demand. The latter is what most U2F devices do, so if someone steals the device they have no means of enumerating all of the sites that it's valid for.

      Typically, when you upload the public key, you'll associate some convenient name with it. Next time you log in with some recovery information or with another registered authenticator you can just go to the list and disable that one.

      --
      I am TheRaven on Soylent News
    3. Re:Biometrics as login or as password ? by taustin · · Score: 2

      Toe prints are just as unique as fingerprints.

      Makes logging into YouPorn a bit more of a challenge, though, what with your pants around your ankles and all.

  6. Yes, let us make it worse. by 140Mandak262Jamuna · · Score: 5, Insightful

    Passwords continue to be one of the weaker points in online security. A hacker may phish a target's password and log into their account, or take passwords from one data breach and use them to break into accounts on another site.

    So the solution is to remove the passwords and replace it with something unchangeable if hacked. You know, whatever hash they use to store the immutable personal characteristics like fingerprints and retinal scans and brain wave Fourier transforms and voice print hash can never be hacked, not in a lifetime of the person. Yeah, sure.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Yes, let us make it worse. by fluffernutter · · Score: 2

      Maybe we could use a different hand expression per site. I know what I am using for Facebook!

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    2. Re:Yes, let us make it worse. by timftbf · · Score: 2

      They're not doing that, unless I'm missing something. The one "password" (fingerprint) is used to unlock your local secure key store, which contains many "passwords" (keys) for many sites.

      Reads to me like it's a standardised interface to a password manager (LastPass, KeePass, etc) with some verification, anti-replay, etc on top, and using longer and better-generated secrets than a handful of typeable characters.

  7. Could you run this by a security department? by Opportunist · · Score: 2

    Or are you afraid of going deaf because of the volume of the "OH HELL NO!" that will be yelled at you?

    Are you nuts? Seriously, I'm asking. Are you nuts? Who is idiot enough to, after the past YEARS of identity theft and privacy abuse, even suggest something like this? And how much faith in the idiocy of humanity does it take to expect people to actually WANT this?

    I'm not even going for the obvious "identification != authentication". It's been shown time and again that it's trivially easy to bypass biometric scans, at least user-grade devices that do it. And you want me to trust my banking to something like this?

    I have to ask again: Are you stupid?

    Or do you just think I am?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Re: People don't even understand what they're losi by Anonymous Coward · · Score: 2, Insightful

    While I understand and share your concern, at this point it's pretty much unavoidable. Society has accepted biometric authentication and doesn't care about privacy.

    We've accepted cameras everywhere, which with facial detection alone, is pretty inescapable. You can forget any 5th amendment rights in the future when it comes to technology evidence: biometrics is law enforcement's permanent shoo-in to the cryptography problem they face since they can easily access devices once your entire body is in custody.

  9. Can't wait to see my biometric data by MerlinTheWizard · · Score: 3
    leaking and widely available. I'm sure it's no big deal. :D

    The fact that passwords, just like physical keys, are not linked to an identity is actually a very big plus in terms of security IMO. Of course they can get stolen (and there are schemes to make it less likely to matter, such as multi-factor authentication.) But the very fact that one could steal both your passwords AND identity at the same time (which will inevitably happen at some point when both are linked) is much, much worse.

  10. Re:https://xkcd.com/927/ by Anonymous Coward · · Score: 4, Insightful

    You don't get it. Client certificates are anonymous. I can request as many as I want to use each for a dedicated site. This is not permitted under our feudal residentship in the corporate America. The corps need to know and connect you between all of them. That's why they are pushing for biometrics. But for fsck's sake, biometrics are usernames only, not usernames, passwords and second factor together like the corps are selling them to be. The only reason they are pushing for biometrics is that when enough people get used to the biometrics being shoved down their throats, they will accept being chipped with an always on locator beacon with a serial number.

  11. Re:People don't even understand what they're losin by Archangel+Michael · · Score: 5, Insightful

    You'll only be permanently identifiable for the rest of your life

    Go live in a cave for the rest of your life. Then nobody will have to identify you, and you won't have to prove your identity to anyone.

    Or, you can realize that identity is proof of who you are (and not someone else). The problem ISN'T identity theft, that is just a symptom of the problem. The REAL problem is that we have systems that make your identity your problem when you have no control over that information. A bank giving a loan out to someone who is not you, in your name, without your knowledge or consent shouldn't be YOUR problem, it should be theirs. They failed to do due diligence in ascertaining the person they gave $25,000 in credit isn't you.

    All of this is because we've reduced identity to knowledge of facts, and not personal references. It is much harder to prove that you are me, if you also have to come up with fake people who pretend to be my known associates. This is why Identity should be based on web of trust, and not publicly identifiable traits.

    We've given up security for convenience, and the ramifications are really bad.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  12. Re:https://xkcd.com/927/ by TheRaven64 · · Score: 2, Informative

    There are a few problems with client certs as used with HTTPS. The first is that it's difficult to integrate the selection of a client cert with the login UI. Actually, in most browsers, it's pretty hard to have multiple client certs for a single web site at all (try it some time). Second, the JavaScript APIs for generating and installing client certs are pretty horrible. It also requires that the client cert be used as part of every TLS handshake in every HTTPS connection, which adds some latency when you're doing multiple requests to the same site.

    This API is designed to make it easy to generate a keypair, provide the public key to the remote site, and lock the private key somewhere. In particular, it allows the private key to be stored in a separate process (e.g. the Keychain on macOS / iOS) and never given to the web browser, or stored in an entirely separate device (e.g. a YubiKey U2F device). The browser or other user agent then exposes a unified API to allow the server to request a keypair be generated for a particular site and to request that something be signed to verify that the client has the private key that matches the public key that the server stored the first time.

    As I understand the API, it is designed so that the server never stores anything that might be reused across sites, so even if you use a single password / fingerprint / face scan / blood sample to log into everything, that never leaves your local device and each site gets a key that is uniquely associated with that {authenticator, user, site} triple, where the authenticator is one of a service provided by your OS, functionality provided by your browser, a U2F device, and so on.

    --
    I am TheRaven on Soylent News
  13. Biometrics are NOT secure by Anonymous Coward · · Score: 3, Insightful

    It's astonishing that this is still not understood. Biometrics are a unique identifier, but you also can't change them. When they're breached, that's it. You can change a password; you can't change your fingerprints. And for whistleblowers or people in oppressive regimes, it's also much easier for a government to break into your accounts with biometrics than it is a password floating around in your head.

    A strong passphrase + password managers (with different passwords for every account) + 2FA is still the best security you're going to get.

  14. Re:https://xkcd.com/927/ by WaffleMonster · · Score: 2

    There are a few problems with client certs as used with HTTPS. The first is that it's difficult to integrate the selection of a client cert with the login UI.

    The problem with client certs is that there is no defined means of filtering out the relevant certificate(s) for the site one is visiting.

    For example, let's say I have 100 client certs for 100 different sites. Each time I visit a site I'm prompted for which of the 100 certs I want to use. If I pick the wrong one the TLS handshake fails and I get to try again. If I pick a compatible one or choose none of them I'm stuck with that decision until browser restart.

    Most browsers don't even provide basic facilities to manage client certs such as remembering or internally applying filters such that the second time I visit site 54 I get site 54's client cert not a pick list of 100 certs.

    They also fail to allow client cert selection to be modified while the browser is running. If I'm visiting a site and chose not to use my client cert there is no way for me to upgrade to using a client cert. Or if I have multiple client certs for the same site there is no way for me to select a different cert. Each change normally requires a complete restart of the browser to facilitate.

    These are all problems that can be trivially overcome with minimal effort.

    UI. Actually, in most browsers, it's pretty hard to have multiple client certs for a single web site at all (try it some time).

    The browser has no clue to begin with what certs are applicable to what sites so whether you have 100 for the same site or 1 for each of 100 sites the browser can't tell the difference.

    What is difficult is changing client certificates if you have multiple for a site as this requires a total restart of most browsers to facilitate.

    Second, the JavaScript APIs for generating and installing client certs are pretty horrible.

    The JavaScript APIs are pointless and should be ignored. Little point in not having sites issue certs directly during onboarding process.

    It also requires that the client cert be used as part of every TLS handshake in every HTTPS connection, which adds some latency when you're doing multiple requests to the same site.

    Session resumption works the same regardless with no additional subsequent round trips.

  15. Re:People don't even understand what they're losin by Anne+Thwacks · · Score: 2
    you can realize that identity is proof of who you are (and not someone else)

    Exactly.

    I may wish to prove who I am to my bank. I might not be so keen to prove it to www.randomwebsite.com and I sure as hell have no wish to prove it to www.porns.r.us.scam and goat.se

    Also, I have no wish for hackers.ru to be able to prove they are me for the rest of my life.

    YMMV

    --
    Sent from my ASR33 using ASCII
  16. Re:Dongles? by Anne+Thwacks · · Score: 2
    Even worse.... I'm at my parents' house and need to login to one of my accounts but I left my dongle (or hardware key) at home. Now what?

    You 3D print a Kaptain Krunch whistle - you don't think this system will actually be secure, do you?

    --
    Sent from my ASR33 using ASCII
  17. New Yubico Security Tokens by h4ck7h3p14n37 · · Score: 2

    The fingerprint scanner was just one example of a supported device. You can use hardware tokens too.

    Yubico announced their new security tokens today, they ship on the 13th.