Couple comments already on "websites shouldn't accept biometrics as a password". They're totally correct, and that's not what is being shown here. This is "websites accept hardware or software generated FIDO logins that have access to them intermediated by a combination of several factors including device presence, session login, and biometrics".
The hard part is making that look and feel like "login with a fingerprint".
Yeah, this is a bad article leading to a really bad discussion. FIDO2 is basically proposing to replace passwords with U2F. How the keys are generated, exchanged, and challenged has nothing to do with biometrics[1].
That part of this appears to be MS and Google demonstrations of using biometrics to unlock what is essentially just an OS password manager for U2F keys, which wouldn't even raise an eyebrow if found in today's Android or iOS.
[1] The relevant part of the spec: "In order to provide evidence of user interaction, an external authenticator implementing this protocol is expected to have a mechanism to obtain a user gesture. Possible examples of user gestures include: as a consent button, password, a PIN, a biometric or a combination of these."
My LastPass vault is protected with a master password. If I lose all my devices, I can restore from online using that. I'm just wondering how that would work in a passwordless schema.
We (IDPs in general, I can't quite speak to FIDO work) still have other account recovery methods, like email (eg Facebook lets you do fast IDV for password reset if you have a Gmail account associated). Part of this is a turtle tower - there's always going to be some more definitive IDP that we ask you to associate and fall back to, and hopefully that IDP will do the same. Our work (MSFT Identity) on decentralized ID in particular needs to take this into account - who's the last turtle there?
While it may be interesting from an ease of use point of view, I'm worried it is actually more of a move from Google and Microsoft to get more lock-in on their OS and on the web.
Sorry, I didn't detail enough. I mean biometric data are gathered from the hardware through system APIs. This is where system vendors can restrict things, for example by exposing the API to some framework only (e.g. UWP) or even making them private.
Unless system vendors discriminate other browsers from their own browser in terms of the said restrictions, I would say that it is fair game.
Following your example, if Microsoft were to require browsers to use the UWP framework to utilize the biometric authentication API, implementing the feature in Edge and not in Internet Explorer, would that be problematic?
This is nothing new, although there's perhaps no common standard implemented by all the players. However, while the process may be "simpler, securer ways to grant login access" from the users' perspectives, often these sorts of protocols become many times more complex to get right on the server side of things.
Another worry is that this sort of approach will effectively hide the authentication mechanism from the user. So while I may make the choice to use notional biometric login to a Facebook app on my phone, knowing all the risks and compromises that come with having a Facebook account, I may not wish to use a Facebook login for other authenticated services unrelated to Facebook (when I'm confronted with the option to log in with Facebook, I always choose the other option, whatever it is, even if it's "give up on using this system/service").
Authentication and Federated login shouldn't become the same thing, and FIDO doesn't move us closer to that. There's not a scenario where this becomes "silently login to Facebook and silently provide consent by clicking login" - users will still have to consciously click on "login with Facebook" at which point they can use FIDO to login to a Facebook property.
Yubico wants people to go "passwordless" too -- and was also at RSA to pitch "passwordless login" [0] -- but wants you to use their new "Security Key" [1] (which supports both U2F and FIDO2) instead.
Personally, I'd be more inclined to go this route (hardware key versus an app on my phone that uses my fingerprint or a facial scan).
It sounds like a terrible idea. What if you don't have Android, Microsoft, Apple, or Amazon products, or even a smartphone at all? Smartphones collect too much information and it shouldn't be required to link all that data just to log in to websites.
Plenty of sites provide multiple auth options. Like social login or email/pass. There's something to be said for not trusting every site in the world to know how to secure a password database. In fact, many are outsourcing auth to companies like auth0 behind the scenes.
As long as you're still logging into the device using some form of information that can't be collected from you unconsciously, it's fine.
Is that what it is? I hope that's what it is otherwise I'm going to need to buy some gloves.
As others have already mentioned, this article is a bit misleading. However, I'd like to point out the good work that Microsoft is already doing to enable "passwordless" logins. You can log in to your Windows PC with a PIN or biometrics, and you can log into many Microsoft web services using the Authenticator app on your smartphone. The upshot of this is that you can set a much stronger account password knowing that you won't have to type it in that often. Google and Apple are lagging behind in this space - both require you to type in your full password way too often, which leads customers to using weaker, easier to type passwords instead. Still a lot to improve in this space.
But isn't it still a stronger form of authentication than the average password?
I would not use it for authentication against the missile launch system, but my ex will probably not chop off my finger to access my Facebook account, nor will random bots trying to access my Gmail account.
She can, but the threat model here is so amazingly different than traditional threat models for username/pw that it is ridiculous to say that biometrics are usernames. Biometrics are biometrics. They are simply different. They have different threat models and failure modes than passwords. They are neither better nor worse.
It's an analogy that captures the essence of the problem framed in a way most people can understand it: with biometrics there is no shared secret, just a high entropy, non-revocable and very public UID.
Yes, public in a different model, with a different set of threats, but that's irrelevant to what the analogy is trying to convey.
It's a human trait to evaluate and disseminate new concepts through existing concepts. Everything is unique; if you want to refine or disprove the analogy it's not enough to call it wrong repeatedly, you need to accept that the specific frame of reference is suggestive to those who chose it, and formulate your arguments from that perspective.
Biometric data is a form of identity, as is the combination of username and password. Different forms of identity have different security trade-offs, and removing nuance by comparing it to a single component of a different form of identity is always counter-productive. Biometric authentication is its own thing with its own security characteristics that need to be understood outside the context of what we know about usernames and passwords.
Well, I think that's what people are mostly concerned about. The current considerations regarding biometrics are that it ultimately results in an immutable means of identification that cannot be revoked. With IRL identification (passports, driver's licenses, state issued IDs), these all have means of being revoked in some way with varying degrees of efficacy.
Therein lies the issue with Biometric data being both username and password, for the most part. That most of the data is easily replicable aside, the fact is that you cannot control the cycle of your "credentials regeneration" since you're tied to the aging process. On top of that, the regeneration is even fairly predictable with current and past technology, and even non-technical solutions could accurately predict the physical changes in a person as they age.
Biometric data is a matter of convenience, not really security. Combined with an additional password, it at least serves the role of a username well. For low-value items, it can make sense, provided proper precautions are taken for actually sensitive data (e.g., unlocking your phone is fine provided that sensitive data is protected with additional precautions).
I completely agree with some of what you said. But the point is that we should stop trying to make biometric security issues more accessible by making false equivalencies with well-understood authentication methods like username/password. It loses nuance and just causes problems.
With a username, I can abandon the account and sign up for a new one with a new username. I can't do that with biometric auth. And unlike a username, it requires an advanced adversary to be able to fake it, so it's also unlike traditional usernames in that way. Unless, of course, you somehow have an unconscious principal, in which case biometric authentication can be significantly less secure than a username and password, which wouldn't be divulged by someone unresponsive.
Biometric auth can also be much more secure under certain circumstances. When you combine it with, for example, a security guard that ensures that someone is using their own fingerprint/eye/face/etc, biometric authentication can make more sense than username and password. It's entirely situational which one works best.
There are entirely too many people who think it's clever to notice differences between biometric authentication and passwords and to say that it's, instead, a username. And it's just flat wrong and needs to be called out. It's also flat out wrong for Apple to have equated it with a password in the first place, so that should also be called out. It's all identity, and the security of identity validation is always situational. There are no universals, and exploitable flaws hide in the empty space when we try to put square pegs in round holes.
You would generate a new package, with the same biometrics, but with a timestamp after the revocation date of the previous package, just like today you can get a new passport with the same data as the old one.
It seems to me that biometric passwords are convenient and better than a weak password, but much easier to compromise. Fingerprints can be lifted. Faces can be photographed.
Authentication should always require something you know. Adding something you have/possess like a crypto device is a great way to enhance security, but it should always be a supplement to something you know - your password.
Passwords are bad. Fingerprints and face-recognition worse.
I'm strongly in favour of very-near-field chips, at < 1cm range preferably. In a wearable form factor, these are replaceable but difficult to misplace or lose.
Works virtually anywhere (except iOS) since it's a "keyboard" that generates a one-time password for verification. And it also has NFC built in on the better keys.
Just encrypt the signal and have the receiving device decrypt. You could set it up as a one time thing as part of configuring your devices, and then the receiving device itself would manage access to everything else.