Slashdot Mirror


Biometric and App Logins Will Soon Be Pushed Across the Web (vice.com)

Soon, it will be much easier to log into more websites using a hardware key plugged into your laptop, a dedicated app, or even the fingerprint scanner on your phone. Motherboard: On Tuesday, a spread of organizations and businesses, including top browser vendors such as Microsoft and Google, announced a new standards milestone that will streamline the process for web developers to add extra login methods to their sites, potentially keeping consumers' accounts and data more secure. "For users, this will be a natural transition. People everywhere are already using their fingers and faces to 'unlock' their mobile phones and PCs, so this will be natural to them -- and more convenient," Brett McDowell, executive director at the FIDO Alliance, one of the organizations involved in setting up the standard, told Motherboard in an email.

"What they use today to 'unlock' will soon allow them to 'login' to all their favorite websites and a growing number of native apps that already includes Bank of America, PayPal, eBay and Aetna," he added. Passwords continue to be one of the weaker points in online security. A hacker may phish a target's password and log into their account, or take passwords from one data breach and use them to break into accounts on another site. The login standard, called Web Authentication (WebAuthn), will let potentially any website or online service use apps, security keys, or biometrics as a login method instead of a password, or use those alternative approaches as a second method of verification. The key here is making it easy and open for developers to use, and for it to work across all different brands of browsers. The functionality is already available in Mozilla's Firefox, and will be rolled out to Microsoft's Edge and Google Chrome in the next few months. Opera has committed to supporting WebAuthn as well.
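The summary says WebAuthn lets a site accept a security key or a phone's fingerprint reader in place of a password, and that passwords fail by being phished or reused from a breach. The following is an added example, not code from the article, the FIDO Alliance or any browser vendor: a stripped-down model in Go of the WebAuthn login ("assertion") exchange, showing the mechanics the summary only names. It goes beyond the text in following the spec's layout for authenticatorData and the signed digest; attestation, credential IDs and the signature-counter check are omitted. The relying party identity example.com / https://example.com, the user, and the look-alike origin are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

const rpID, rpOrigin = "example.com", "https://example.com" // constructed demo values, not from the article

// clientData holds the clientDataJSON fields checked below; the browser, not the page's script, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedDigest is what gets signed: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(authData, cdJSON []byte) []byte {
	h := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return d[:]
}

// NewChallenge issues fresh random bytes so a captured response cannot be replayed.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand.Read never returns an error on current Go (1.24+)
	return c
}

// Assert plays the user's device answering a challenge relayed by a browser at origin.
// The private key never leaves the device; a fingerprint or PIN only unlocks its use.
func Assert(priv *ecdsa.PrivateKey, origin string, challenge []byte) (authData, cdJSON, sig []byte, err error) {
	cdJSON, err = json.Marshal(clientData{
		Type: "webauthn.get", Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin,
	})
	if err != nil {
		return nil, nil, nil, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	// authenticatorData = rpIdHash (32 bytes) || flags (0x05 = UP|UV) || signCount (4 bytes, big-endian)
	authData = append(rpHash[:], 0x05, 0, 0, 0, 1)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cdJSON))
	return authData, cdJSON, sig, err
}

// Verify is the website's side; pub is all it stored at registration, so a database breach logs nobody in anywhere.
func Verify(pub *ecdsa.PublicKey, challenge, authData, cdJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("challenge mismatch: stale or replayed response")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin mismatch: response was signed for %q", cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || string(authData[:32]) != string(rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if authData[32]&0x01 == 0 {
		return errors.New("user presence (a purposeful touch) was not asserted")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(authData, cdJSON), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Demo registers one credential, then tries a real login, a phished response and a replayed one.
func Demo() (legit, phished, replayed bool) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // made on the device at registration
	if err != nil {
		panic(err)
	}
	ch := NewChallenge()
	ad, cd, sig, _ := Assert(priv, rpOrigin, ch)
	legit = Verify(&priv.PublicKey, ch, ad, cd, sig) == nil
	// A look-alike site relays a genuine challenge, but the browser records the origin it is really on,
	// so the signature covers the wrong origin and the real site rejects it.
	ch2 := NewChallenge()
	ad2, cd2, sig2, _ := Assert(priv, "https://examp1e.com", ch2)
	phished = Verify(&priv.PublicKey, ch2, ad2, cd2, sig2) == nil
	replayed = Verify(&priv.PublicKey, NewChallenge(), ad, cd, sig) == nil // old response, new challenge
	return
}

func main() {
	legit, phished, replayed := Demo()
	fmt.Printf("legitimate: %v  phished: %v  replayed: %v\n", legit, phished, replayed)
}
```

Running it with `go run` prints `legitimate: true  phished: false  replayed: false`. Two points carry the security argument: the server stores only a public key, so a copy of its database (the "take passwords from one data breach" case) is useless, and the browser, not the page, writes the origin into what gets signed, so a response produced on a look-alike site (the phishing case) fails the origin check on the real one. The user-presence flag checked in Verify is the protocol's record of a deliberate touch on the key or sensor, which is the purposeful-action distinction the third comment below draws between Touch ID and Face ID.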

3 of 161 comments

  1. Yes, let us make it worse. by 140Mandak262Jamuna · Score: 5, Insightful

    Passwords continue to be one of the weaker points in online security. A hacker may phish a target's password and log into their account, or take passwords from one data breach and use them to break into accounts on another site.

    So the solution is to remove the passwords and replace them with something unchangeable if hacked. You know, whatever hash they use to store the immutable personal characteristics like fingerprints and retinal scans and brain wave Fourier transforms and voice print hash can never be hacked, not in a lifetime of the person. Yeah, sure.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  2. Re:People don't even understand what they're losin by Archangel Michael · Score: 5, Insightful

    You'll only be permanently identifiable for the rest of your life

    Go live in a cave for the rest of your life. Then nobody will have to identify you, and you won't have to prove your identity to anyone.

    Or, you can realize that identity is proof of who you are (and not someone else). The problem ISN'T identity theft, that is just a symptom of the problem. The REAL problem is that we have systems that make your identity your problem when you have no control over that information. A bank giving a loan out to someone who is not you, in your name, without your knowledge or consent shouldn't be YOUR problem, it should be theirs. They failed to do due diligence in ascertaining that the person they gave $25,000 in credit to isn't you.

    All of this is because we've reduced identity to knowledge of facts, and not personal references. It is much harder to prove that you are me, if you also have to come up with fake people who pretend to be my known associates. This is why Identity should be based on a web of trust, and not publicly identifiable traits.

    We've given up security for convenience, and the ramifications are really bad.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  3. Re: Authentication != identification by Anubis IV · Score: 5, Insightful

    Actually, authentication is identification.

    No, it's not. They may be handled as part of the same step in some implementations (e.g. providing your username and password at the same time), but claiming to be X (i.e. identification, e.g. "Hi, I'm Joe") is not the same as proving one is X (i.e. authentication, e.g. "Here's my driver's license") is not the same as consenting to an action (i.e. authorization, e.g. "And here's my signature on the dotted line"). Put differently:
    - Identification: Let's make sure we know who we're talking about
    - Authentication: Let's make sure you're who you claim to be
    - Authorization: Let's make sure we have your consent

    Identification must always precede authentication must always precede authorization. The fact that these three are conflated is a large part of why there are so many security issues with logins today. Biometrics are great at identification (each person has a unique identifier), but they're a bit hit-and-miss at authentication (bad actors can intercept or replicate them with varying degrees of ease), and their usefulness for authorization differs wildly based on implementation, since some of them are starting to stray into the territory of passive actions, rather than purposeful actions. For instance, Apple's Touch ID requires a purposeful action, making it clear that the user consents to the request, but Face ID seems as if it could be activated inadvertently, making it less clear whether authorization was actually intended to be granted.