Biometric and App Logins Will Soon Be Pushed Across the Web (vice.com) 161
Soon, it will be much easier to log into more websites using a hardware key plugged into your laptop, a dedicated app, or even the fingerprint scanner on your phone. Motherboard: On Tuesday, a spread of organizations and businesses, including top browser vendors such as Microsoft and Google, announced a new standards milestone that will streamline the process for web developers to add extra login methods to their sites, potentially keeping consumers' accounts and data more secure. "For users, this will be a natural transition. People everywhere are already using their fingers and faces to 'unlock' their mobile phones and PCs, so this will be natural to them -- and more convenient," Brett McDowell, executive director at the FIDO Alliance, one of the organizations involved in setting up the standard, told Motherboard in an email.
"What they use today to 'unlock' will soon allow them to 'login' to all their favorite websites and a growing number of native apps that already includes Bank of America, PayPal, eBay and Aetna," he added. Passwords continue to be one of the weaker points in online security. A hacker may phish a target's password and log into their account, or take passwords from one data breach and use them to break into accounts on another site. The login standard, called Web Authentication (WebAuthn), will let potentially any website or online service use apps, security keys, or biometrics as a login method instead of a password, or use those alternative approaches as a second method of verification. The key here is making it easy and open for developers to use, and for it to work across all different brands of browsers. The functionality is already available in Mozilla's Firefox, and will be rolled out to Microsoft's Edge and Google Chrome in the new few months. Opera has committed to supporting WebAuthn as well.
"What they use today to 'unlock' will soon allow them to 'login' to all their favorite websites and a growing number of native apps that already includes Bank of America, PayPal, eBay and Aetna," he added. Passwords continue to be one of the weaker points in online security. A hacker may phish a target's password and log into their account, or take passwords from one data breach and use them to break into accounts on another site. The login standard, called Web Authentication (WebAuthn), will let potentially any website or online service use apps, security keys, or biometrics as a login method instead of a password, or use those alternative approaches as a second method of verification. The key here is making it easy and open for developers to use, and for it to work across all different brands of browsers. The functionality is already available in Mozilla's Firefox, and will be rolled out to Microsoft's Edge and Google Chrome in the new few months. Opera has committed to supporting WebAuthn as well.
Biometrics are NOT secure (Score:3, Insightful)
It's astonishing that this is still not understood. Biometrics are a unique identifier, but you also can't change them. When they're breached, that's it. You can change a password; you can't change your fingerprints. And for whistleblowers or people in oppressive regimes, it's also much easier for a government to break into your accounts with biometrics than it is a password floating around in your head.
A strong passphrase + password managers (with different passwords for every account) + 2FA is still the b
Re: (Score:2)
A password manager is still a security risk and has been proven to be a weak point in the past.
A strong passphrase + paper notepad* + 2FA is the best security.
If someone has access to your paper notepad, it means he's in your house and you have more to worry about than passwords.
Re: (Score:2)
Strange, you never access online services from outside your home?
The rest of us do.
Re: (Score:2)
RTFA? You must be new here.
https://xkcd.com/927/ (Score:1)
https://en.wikipedia.org/wiki/Client_certificate
Re:https://xkcd.com/927/ (Score:4, Insightful)
You don't get it. Client certificates are anonymous. I can request as many as I want to use each for a dedicated site. This is not permitted under our feudal residentship in the corporate America. The corps need to know and connect you between all of them. That's why they are pushing for biometrics. But for fsck's sake, biometrics are usernames only, not usernames, passwords and second factor together like the corps are selling them to be. The only reason they are pushing for biometrics is that when enough people get used to the biometrics being showed down their throats, the will accept being chipped with an always on locator beacon with a serial number.
Re: (Score:2)
Any company that implements this as a requirement loses my business. Simple as that.
Re: (Score:3, Informative)
There are a few problems with client certs as used with HTTPS. The first is that it's difficult to integrate the selection of a client cert with the login UI. Actually, in most browsers, it's pretty hard to have multiple client certs for a single web site at all (try it some time). Second, the JavaScript APIs for generating and installing client certs are pretty horrible. It also requires that the client cert be used as part of every TLS handshake in every HTTPS connection, which adds some latency when
Re: (Score:3)
There are a few problems with client certs as used with HTTPS. The first is that it's difficult to integrate the selection of a client cert with the login UI.
The problem with client certs there is no defined means of filtering out relevant certificate(s) for site one is visiting.
For example lets say I have 100 client certs for 100 different sites. Each time I visit a site I'm prompted for which of the 100 certs I want to use. If I pick the wrong one TLS handshake fails and I get to try again. If I pick a compatible one or chose none them I'm stuck with that decision until browser restart.
Most browsers don't even provide basic facilities to manage client certs
People don't even understand what they're losing (Score:4, Insightful)
Sure, go ahead and give your biometric data away. You'll only be permanently identifiable for the rest of your life.
Re: People don't even understand what they're losi (Score:2, Insightful)
While I understand and share your concern, at this point it's pretty much unavoidable. Society has accepted biometric authentication and doesn't care about privacy.
We've accepted cameras everywhere, which with facial detection alone, is pretty inescapable. You can forget any 5th amendment rights in the future when it comes to technology evidence: biometrics is law enforcement's permanent shoe-in to the cryptography problem they face since they can easily access devices once your entire body is in custody.
Re:People don't even understand what they're losin (Score:5, Insightful)
You'll only be permanently identifiable for the rest of your life
Go live in a cave for the rest of your life. Then nobody will have to identify you, and you won't have to prove your identity to anyone.
Or, you can realize that identity is proof of who you are (and not someone else). The problem ISN'T identity theft, that is just a symptom of the problem. The REAL problem is that we have systems that make your identity your problem when you have no control over that information. A bank giving a loan out to someone who is not you, in your name, without your knowledge or consent shouldn't be YOUR problem, it should be theirs. They failed to do due diligence in ascertaining the person they gave $25,000 in credit isn't you.
All of this is because we've reduced identity to knowledge of facts, and not personal references. It is much harder to prove that you are me, if you also have to come up with fake people who pretend to be my known associates. This is why Identity should be based on web of trust, and not publicly identifiable traits.
We've given up security for convenience, and the ramifications are really bad.
Re: (Score:3)
Exactly.
I may wish to prove who I am to my bank. I might not be so keen to prove it to www.randomwebsite.com and I sure as hell have no wish to prove it to www.porns.r.us.scam and goat.se
Also, I have no wish for hackers.ru to be able to prove they are me for the rest of my life.
YMMV
Re: (Score:2)
I bet you can produce a person or two (maybe more) that can verify that you are who you say your are. That kind of "information" is based on "trust", not trusting that someone who can produce a list of facts is you. I doubt that a Russian can prove he is you if he also has to provide a number of people who are known associates of you, with their own list of associations.
I have all sorts of documentation of my relationships with other people, spanning decades. That kind of information is much harder to forge
Re: (Score:2)
just wait for pre existing conditions rules to go (Score:2)
just wait for pre existing conditions rules to go away then you will be blacklisted (USA ONLY does not apply to jail / prison system)
New Yubico Security Tokens (Score:3)
The fingerprint scanner was just one example of a supported device. You can use hardware tokens too.
Yubico announced [yubico.com] their new security tokens [yubico.com] today, they ship on the 13th.
Re: (Score:1)
You're not giving it away. The biometric data is used like the password to your private key. The entire thing is about standardizing the API for PKI authentication - certificate based.
Re: (Score:2)
Why do you think this involves giving your biometric data away?
Your computer/phone scans your fingerprint and then tells the web site that you authenticated, with a token to prevent impersonation. The biometric data never leaves your local control.
For most people it's a massive win. No more crappy passwords. For experts we can more easily use security tokens.
Authentication != identification (Score:5, Insightful)
All these finger prints and retina scanning or even social security number are just identifiers. They identify a person. The authentication is different. Authentication is like a signature, of the old pen and ink era. It should be at the control of the person.
Re: (Score:2)
Can people be this idiotic?
Yes. And it is probably even worse than that.
Re: (Score:2)
Re: (Score:2)
Of course you can. Did you ever read the damned FIDO specification?!
If you did, you'd realize that FIDO does not directly bind the biometric with the webpage. Rather it creates a asymmetric key pair (separate for each verifier) that allows the verifier to do a challenge response. This lets the verifier verify that the person trying to log in is the same person that associated the public key with the account at the time of enrollment.
The biometric part only enters into the stage in terms of protecting the pr
Re: (Score:2)
Don't confuse them with facts!
I've been testing the Yubico devices, they work great! I just put an order in for their new security tokens [yubico.com].
Re: (Score:3)
The API is not about providing biometrics to the remote server, it is about generating keypairs and attestations. When you register a device with a site, you generate a key pair associated with the {authenticator, site, user} triple. The authenticator (U2F device, keychain, whatever) stores the private key, you upload the public key. When you want to log back in, the server provides you with some data, which you then sign with the private key and upload. The server can then check it with the public key
Re: (Score:2)
I think you are misunderstanding how this could be implemented. The fingerprint is not sent to the site you are authenticating too. The site would likely create a very long cookie or auth code once you log in normally. To access that auth code to send to the website you would use the biometric login which would then send that encrypted auth code to the website. This is similar to how thumbprint works on existing phones. The thumbprint isn't sent outside the security context of the phone. It only unloc
Re: (Score:2)
Indeed... this is how it is recommended to get implemented...
https://www.w3.org/TR/2018/CR-... [w3.org]
Re: (Score:2)
Can people be this idiotic?
PROTIP: When something coming from people with a good track record on security seems stupid, it's probably because you didn't understand it. Best to try to figure it out, rather than going for the easy +5 first outraged-at-the-stupidity post on Slashdot because your mistake will get very publicly pointed out.
Re: (Score:2)
Re: (Score:2)
How exactly does Cambridge Analytica fit into this? Cambridge Analytica had nothing to do with identification/authentication issues. It had to do with an aspect of Facebook, sharing. ...
With biometrics, Facebook and hence Cambridge Analytica would also get to know my fingerprint. With that, they (or people they sold it to) could then follow wherever else I went on the internet (including the IoT). My various identities (like "Nukenerd" here and "John Smith" on FB for example) could could then all be identified as one and the same by them for whatever nefarious purposes, to get a much fuller picture of what I do and who I am...
Re: (Score:3, Informative)
Your biometric info is only used (if at all) to unlock your local keystore in order that your private key (for that site) can be used to sign a challenge. Your biometric data is not transferred to the site in any way.
Re: (Score:2)
Facebook etc will not have your fingerprint. There are may different biometric models, but they don't actually store a copy of your fingerprint and then check the whorls against your thumb.
For example, a model may use a hash of key points in the thumbprint and that hash is used in a challenge/response from the server. A model may use the biometrics to generate a derived key or to unlock a local key store.
Any website or OS worth their salt (pun intended) doesn't store your password, they store a salted hash
Re: Authentication != identification (Score:5, Insightful)
Actually, authentication is identification.
No, it's not. They may be handled as part of the same step in some implementations (e.g. providing your username and password at the same time), but claiming to be X (i.e. identification, e.g. "Hi, I'm Joe") is not the same as proving one is X (i.e. authentication, e.g. "Here's my driver's license") is not the same as consenting to an action (i.e. authorization, e.g. "And here's my signature on the dotted line"). Put differently:
- Identification: Let's make sure we know who we're talking about
- Authentication: Let's make sure you're who you claim to be
- Authorization: Let's make sure we have your consent
Identification must always precede authentication must always precede authorization. The fact that these three are conflated is a large part of why there are so many security issues with logins today. Biometrics are great at identification (each person has a unique identifier), but they're a bit hit-and-miss at authentication (bad actors can intercept or replicate them with varying degrees of ease), and their usefulness for authorization differs wildly based on implementation, since some of them are starting to stray into the territory of passive actions, rather than purposeful actions. For instance, Apple's Touch ID requires a purposeful action, making it clear that the user consents to the request, but Face ID seems as if it could be activated inadvertently, making it less clear whether authorization was actually intended to be granted.
Re: (Score:2)
Yes. the current way is much better, have to remember 8,000 different passwords from many websites, each with their own requirements, oh also have to change them every X months.
I'll tell you a secret. For 7995 of the 8000 websites I visit I use the same password. So (OMG!) an admin from another website could start posting crap here under my ID. But would you notice the difference?
The 5 websites with different PWs are my bank etc. And I've never been asked to change a password except at work, monthly, but they pay for my time anyway.
Dike move, but expected (Score:4, Insightful)
How is this any better really?
I can change passwords, I can have a unique password for every login. But I have only one set of fingerprints. And I can't change those if compromised. Furthermore, there is a number of ways to swipe biometric data from people, in some cases without their knowledge or by force, which a password is immune to.
Re: (Score:2)
Er, dude, passwords can (and are, often) certainly be brute forced without the victim's knowledge.
And passwords can certainly be beaten out of someone as easily as a finger cut off and taken.
Re: (Score:2)
The fingerprint information is only stored on your device and does not get sent to the website you are logging into. Someone cannot use your thumbprint to get access to the website from another device. They would have to login to your specific device and use your thumbprint on it to get access. Essentially the website login information is just stored inside a security container that gets unlocked with your fingerprint. Think of it kind of like a password manager but using your thumbprint to use it. The
Re: (Score:2)
The fingerprint is only used to control access to a token that gets sent to the site. If the token gets compromised just generate a new one. If your fingerprint gets compromised they still need your laptop to get the token. If both get compromised you are screwed anyway.
noscript?! (Score:3, Insightful)
"if website developers want to take advantage of this new standard they should start building support for the JavaScript API into their login capabilities"
the last thing we need for better security is more javascript :(
Biometrics as login or as password ? (Score:4, Insightful)
I do hope they'll use these fingerprint scanners only as a login and not as a password, otherwise ppl will have a hard time changing their password next time a database is breached.
Re: (Score:3)
Well, you should be good for 9 changes. The tenth could be a bit hard unless you're from Alabama.
Re: (Score:3)
Toe prints are just as unique as fingerprints.
Makes logging into YouPorn a bit more of a challenge, though, what with your pants around your ankles and all.
Re: (Score:3)
Neither. You use a user name as a login. You use the fingerprint scanner to authorise your device to provide an attestation. The attestation is something signed with a private key, where you have previously updated a (unique) public key to the site. You may store a set of keys identified by {user, site} pairs, or you might generate the private keys from a {user, site, secret} triple and provide the associated public key on demand. The latter is what most U2F devices do, so if someone steals the device
Face/Off (Score:2)
Just gotta watch out for Nicolas Cage...
00000000 (Score:2)
Re: (Score:2)
Say, how exactly do you connect to the internet? Could it be that your modem connects using a username and password? You might not have seen it, ever, but that doesn't mean it ain't there. And can be abused for nefarious activities that will finally be pegged to you, the rightful user of that account.
Re: (Score:2)
Your main point is correct, but...
Most modems nowadays (Sat, Cable, DSL) don't bother with a user/pass from you just to get itself online, because it originates from a physical point-of-presence - specifically, your home address.
Now the built-in wifi** is a different story, sure - but nothing prevents me from using ethernet-only in the house (well in my case I might have to bury some fiber to get out from the house to the home office and shop, but...)
** built-in wifi is not a given. My Exede/ViaSat modem do
Cable, DSL is tied to the modem ID (Score:2)
Cable, DSL is tied to the modem ID
Re: (Score:2)
Most modems nowadays (Sat, Cable, DSL) don't bother with a user/pass from you just to get itself online, because it originates from a physical point-of-presence - specifically, your home address.
Cable is a shared medium. It uses BPI+ yet the initial handshake is still very much faith based.
DSL in some ways is more physically secure because unlike cable there is no shared medium. Every link is point to point. They often use MAC or PPPoE schemes with crummy authentication protocols. This is done more for management purposes than actual security.
Re: (Score:2)
Your main point is correct, but...
Most modems nowadays (Sat, Cable, DSL) don't bother with a user/pass from you just to get itself online, because it originates from a physical point-of-presence - specifically, your home address.
Every DSL setup I've ever used has had some flavor of CHAP running over PPP or PPPoE. If you are using an ISP-supplied modem, then the tech probably put the credentials in there for you, but if you are bringing your own device to the table, you definitely had to get your account username and password from the ISP in order to be able to get your modem online.
Cable modems, I believe, have a more sophisticated authentication setup, requiring the device itself to be authorized.
Either way, you can't just stick
Re: (Score:2)
...if your provider lets you control it. More and more you're forced to use your provider's modem and they, not you, decide whether your WiFi is on.
They get your password, you just change it. (Score:2)
Re: (Score:2)
But if they get your 'biometrics', you um...Use a different finger?Use a different face?
Halloween mask? I can see a brisk trade in thimbles with false fingerprints - a different one for every occasion.
Yes, let us make it worse. (Score:5, Insightful)
Passwords continue to be one of the weaker points in online security. A hacker may phish a target's password and log into their account, or take passwords from one data breach and use them to break into accounts on another site.
So the solution is to remove the passwords and replace it with something unchangeable if hacked. You know, whatever hash they use to store the immutable personal characteristics like fingerprints and retinal scans and brain wave Fourier transforms and voice print hash can never be hacked, not in a lifetime of the person. Yeah, sure.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Re: (Score:3)
They're not doing that, unless I'm missing something. The one "password" (fingerprint) is used to unlock your local secure key store, which contains many "passwords" (keys) for many sites.
Reads to me like it's a standardised interface to a password manager (LastPass, KeePass, etc) with some verification, anti-replay, etc on top, and using longer and better-generated secrets than a handful of typeable characters.
Re: (Score:2)
Passwords continue to be one of the weaker points in online security. A hacker may phish a target's password and log into their account, or take passwords from one data breach and use them to break into accounts on another site.
So the solution is to remove the passwords and replace it with something unchangeable if hacked. You know, whatever hash they use to store the immutable personal characteristics like fingerprints and retinal scans and brain wave Fourier transforms and voice print hash can never be hacked, not in a lifetime of the person. Yeah, sure.
Not to mention that, legally speaking, in many countries passwords are protected by your right to silence. Biometrics typically aren't; you can be legally compelled to provide a fingerprint, say, to unlock an account or a device.
Re: (Score:2)
Could you run this by a security department? (Score:3)
Or are you afraid of going deaf because of the volume of the "OH HELL NO!" that will be yelled at you?
Are you nuts? Seriously, I'm asking. Are you nuts? Who is idiot enough to, after the past YEARS of identity theft and privacy abuse, even suggest something like this? And how much faith in the idiocy of humanity does it take to expect people to actually WANT this?
I'm not even going for the obvious "identification != authentication". It's been shown time and again that it's trivially easy to bypass biometric scans, at least user-grade devices that do it. And you want me to trust my banking to something like this?
I have to ask again: Are you stupid?
Or do you just think I am?
Re: (Score:2)
Could you at least make a feeble attempt to understand what this actually is prior to ranting?
This is NOT identifying OR authenticating you with biometrics. Identification is still done with some sort of userid. Authentication is done with public key encryption.
When you sign up for a service, you get a userid, and YOU generate a public/private key pair. You send the PUBLIC key to the service and keep the PRIVATE key private. When the site later wants to authenticate you, it sends a challenge. You sign
Re: (Score:2)
When you sign up for a service, you get a userid, and YOU generate a public/private key pair. You send the PUBLIC key to the service and keep the PRIVATE key private. When the site later wants to authenticate you, it sends a challenge. You sign the challenge with your private key and return it. If your signature is successfully matched with the previously stored public key, you are authenticated. If someone intercepts the conversation they get nothing useful, because next time the challenge will be different, and no actual keys were exchanged. If someone hacks the service all they get is a bunch of PUBLIC keys.
In other words reinventing client certificates poorly and mistaking it for progress.
Now, how to protect your PRIVATE key is totally up to you. You could keep it in an encrypted file that is unlocked with biometrics. Or, you could keep it in a hardware cryptography module in a PC protected with 4096 bit encryption, inside a steel cage. Or anything in between. It is up to YOU, not the service.
Until you lose your key and go whining to the operators of the service.
Re: (Score:2)
Why, exactly, is it a 'poor implementation'? Where is a 'good implementation', and why isn't it being used anywhere?
Losing your key is no different than losing/forgetting your password.
Re: (Score:2)
Where is a 'good implementation', and why isn't it being used anywhere?
TLS mutual certificate authentication has been widely deployed in corporate environments for creeping up on two decades now.
TLS mutual password authentication using ZKP/PAKE is able to securely authenticate passwords with no information leakage and no external sources of trust. This technology is widely deployed across all the major TLS stacks.
Both sources of trust contribute to and are cryptographically bound to underlying communications channel.
Why, exactly, is it a 'poor implementation'?
Primarily it's the wrong layer. It doesn't leverage itself
Re: (Score:2)
Do you not realize that the mechanism itself does actually authenticate and verify that it is talking to the correct website?
When you enroll your device with the website in the first place, mutual trust is established.
This process depends on PKI to protect the integrity of initial handshake rather than standing alone.
If initial account creation and "device enrollment" are the same things then the effective difference between providing a password and enrolling is academic otherwise see below.
Often in security sensitive situations account creation has an offline component where one must appear in person with appropriate papers or they are otherwise provided with initial credentials out of band such as when showing up for
Re: (Score:2)
Until you lose your key and go whining to the operators of the service.
I have several of the Yubikeys and in the user guides they explicitly tell you to (a) have a spare and (b) make a backup.
Re: (Score:2)
As long as we let idiots run our companies and even the world, how could you resist?
I don't see how (Score:1)
Just changes the password to a piece of hardware that you must always have on you or you must carry 5 around with you
Also, fingerprint scanning sucks IMO. My phone will not read it unless the sensor is completely clean, and then only works 3 out 10 times. YMMV thou.
Msmash, Stop the bullshit posting (Score:2)
You need to be taken out back and beaten with reeds.
Can't wait to see my biometric data (Score:4)
The fact that passwords, just like physical keys, are not linked to an identity is actually a very big plus in terms of security IMO. Of course they can get stolen (and there are schemes to make it less likely to matter, such as multi-factor authentification.) But the very fact that one could steal both your passwords AND identity at the same time (which will inevitably happen at some point when both are linked) is much, much worse.
I'll never use them (Score:1)
With all the massive hacks happening daily, the last thing I would want is to rely on a password I cannot change.
Start off with false assumptions, add a bad idea (Score:2)
"People everywhere are already using their fingers and faces to 'unlock' their mobile phones and PCs"
Not in my circle of tech literate friends and colleagues.
1) Many realise that biometrics == username and not an authentication 'password'
2) Fingerprint & face technologies are not robust and can be fooled. False negatives will turn people off the idea so expect the pattern matching to be loose at best.
3) Biometrics can't be changed easily (if at all)
4) Many people don't have/want phones / laptops with fi
Re: (Score:1)
Slippery slope... (Score:1)
I am against slippery slopes, but:
Want to purchase food? Need to use your fingerprint. Don't want to give fingerprint? No food. Use fingerprint? Hmm, you're purchasing too much junk food. Your insurance company has been notified, your rates go up accordingly.
um, no (Score:2)
People everywhere are already using their fingers and faces to 'unlock' their mobile phones and PCs, so this will be natural to them
Um, no. First of all, "people everywhere" do not use those, only a subset of them, and I suspect a small subset.
Secondly, access to an object normally in your physical control is not the same as access to remote websites.
What we need is a OTP that uses public keys... (Score:2)
What we need is a MFA standard, similar to the open source Google Authenticator/RFC 6238/RFC4226 standard, but instead of a shared secret, it uses a public key, so of an attacker slurps the list of 2FA info from a company, they won't receive anything that would benefit them, as opposed to a shared secret key that they could use later on to attack specific accounts.
We already have biometrics for authentication. My Lastpass 2FA app has the option of setting a fingerprint before it will show codes. Similar w
Re: (Score:2)
Re: (Score:2)
It does seem to suggest that they expect out-of-band authentications to be possible. e.g. the password manager lives on your phone. When you log in from your PC, a request is sent to your phone asking if you want to allow access from the that PC (with some kind of fingerprinting info that would let you make a reasonable confirmation that you're authenticating your connection, and not a random hack attempt being made at the same time). You unlock the password manager and authenticate on the phone, and tha
Re: (Score:3)
You 3D print a Kaptain Krunch whistle - you don't think this system will actually be secure, do you?
Sharps (Score:2)
So you don't want to give up your fingerprint willingly? No worries, I have a knife or scissors or I'll just kill you and drag your body to the scanner. Much easier than trying to beat a password/phrase/answer out of you.
RTFSpec (Score:2)
The article is, unsurprisingly, light on detail, and the proposal doesn't have a great deal to do with the headline. The spec at W3, at least from a first skim, is a lot more informative.
This is absolutely *not* about random web-sites using your biometric information (or some magical hash thereof) as authentication. It's about using your biometric identification, or some other MFA, to unlock access to the credential store - something like Lastpass, Keepass, et al.
When you register with a site, you and the
Re: (Score:2)
Again, skimming, but the spec seems fairly abstract in terms of "Authorization Gestures" and "Ceremonies" without mandating how these are done.
There is some mention of biometric specifics, but only (as far as I can find so far) in letting the requesting site specify acceptable false-positive and false-negative rates for the client-side Authorization Gesture.
I'm not clear yet how the site goes about validating that an Authenticator behaves as per the spec. Perhaps the onus is on the user if they use a clien
Re: (Score:2)
Seems a reasonable request, although I think you can get some of the way there with 'keep me logged in', appropriate use of cookies, and the sites making sensible UX decisions about how often to authenticate.
I'm happy if my many web forum accounts only ask me to authenticate the first time on a new device, or maybe every 30, 60, 90 days. Perhaps I can browse Amazon on a cookie, but I need to authenticate again to buy something? (Above a limit?) My bank should authenticate me when I log in, and again for
Re: (Score:2)
It seems to me that with this method it could be entirely up to the client how often you need to 'authenticate'. In other words, your key manager could have settings for each site, ranging from 'just reply without asking me' (for forums, etc) to 'ask me every 10 minutes' (for banking, etc).
How Orwellian! (Score:2)
Slowly the frog boils.
And - (Score:2)
How are my access data protected and stored across the board?
Thinking about this Facebook crap, I just want to start vomiting.
And
All the other browser just do it, and who uses it without even asking for permission.
Is any politician in this country (USA) even remotely aware about this abuse and doing (or can) something about it? Hardly...
And - don't give me th
Re: (Score:1)
Re: (Score:2)
Total BS you utter here, shows the usual uncritical wimp behavior getting fucked over.
I have expectations against abuse and exploit of my privacy. Apparently, in other countries something like that exists and there are attempts to hold the bigger players - Google, Facebook, Twitter etc. somewhat accountable.
For starters - you are not allowed to take a picture of a person without getting permission to do so and
This would solve the problem of passwords (Score:1)
Re: (Score:2)
How will it make that easier? In case of a breach, all they get is a bunch of public keys.
More BS from cyber stalking firms (Score:2)
What a brilliant idea. Lets all come up with a "secure" web authentication feature that doesn't actually allow for secure password authentication.
Just for fun lets toss in "User Consent" and "User Presence" because "security".
And to complete our incompetence... channel bindings? What channel bindings?
Soon? (Score:2)
My bank app, my paypal app, my amazon app, ... has been doing that for years now.
Since I'm an old fart here and ergo I can't possible read neither THA nor TFS, what's actually new here?
Ya, no. Fingerprints can be damaged. (Score:2)
I once had to postpone getting my fingerprints taken for my job at NASA for a week because some of my fingers/prints were cut, calloused and beaten-up from car and house work. Anyone want chance getting locked out of your computer and the web for a week?
Re: (Score:2)
Re: WTF? (Score:1)
This.
I would bet 10 BTC that the same people who were 'shocked' that Facebook was having their info will be the first to use this.
Then they'll be surprised in 5 years to realize it ties all their activity to their bio data.