Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Chrome Firefox Google Microsoft Mozilla Opera Privacy Safari Security

Biometric and App Logins Will Soon Be Pushed Across the Web (vice.com) 161

Soon, it will be much easier to log into more websites using a hardware key plugged into your laptop, a dedicated app, or even the fingerprint scanner on your phone. Motherboard: On Tuesday, a spread of organizations and businesses, including top browser vendors such as Microsoft and Google, announced a new standards milestone that will streamline the process for web developers to add extra login methods to their sites, potentially keeping consumers' accounts and data more secure. "For users, this will be a natural transition. People everywhere are already using their fingers and faces to 'unlock' their mobile phones and PCs, so this will be natural to them -- and more convenient," Brett McDowell, executive director at the FIDO Alliance, one of the organizations involved in setting up the standard, told Motherboard in an email.

"What they use today to 'unlock' will soon allow them to 'login' to all their favorite websites and a growing number of native apps that already includes Bank of America, PayPal, eBay and Aetna," he added. Passwords continue to be one of the weaker points in online security. A hacker may phish a target's password and log into their account, or take passwords from one data breach and use them to break into accounts on another site. The login standard, called Web Authentication (WebAuthn), will let potentially any website or online service use apps, security keys, or biometrics as a login method instead of a password, or use those alternative approaches as a second method of verification. The key here is making it easy and open for developers to use, and for it to work across all different brands of browsers. The functionality is already available in Mozilla's Firefox, and will be rolled out to Microsoft's Edge and Google Chrome in the new few months. Opera has committed to supporting WebAuthn as well.

This discussion has been archived. No new comments can be posted.

Biometric and App Logins Will Soon Be Pushed Across the Web

Comments Filter:
  • by Anonymous Coward

    https://en.wikipedia.org/wiki/Client_certificate

    • by Anonymous Coward on Tuesday April 10, 2018 @10:07AM (#56412271)

      You don't get it. Client certificates are anonymous. I can request as many as I want to use each for a dedicated site. This is not permitted under our feudal residentship in the corporate America. The corps need to know and connect you between all of them. That's why they are pushing for biometrics. But for fsck's sake, biometrics are usernames only, not usernames, passwords and second factor together like the corps are selling them to be. The only reason they are pushing for biometrics is that when enough people get used to the biometrics being showed down their throats, the will accept being chipped with an always on locator beacon with a serial number.

    • Re: (Score:3, Informative)

      by TheRaven64 ( 641858 )

      There are a few problems with client certs as used with HTTPS. The first is that it's difficult to integrate the selection of a client cert with the login UI. Actually, in most browsers, it's pretty hard to have multiple client certs for a single web site at all (try it some time). Second, the JavaScript APIs for generating and installing client certs are pretty horrible. It also requires that the client cert be used as part of every TLS handshake in every HTTPS connection, which adds some latency when

      • There are a few problems with client certs as used with HTTPS. The first is that it's difficult to integrate the selection of a client cert with the login UI.

        The problem with client certs there is no defined means of filtering out relevant certificate(s) for site one is visiting.

        For example lets say I have 100 client certs for 100 different sites. Each time I visit a site I'm prompted for which of the 100 certs I want to use. If I pick the wrong one TLS handshake fails and I get to try again. If I pick a compatible one or chose none them I'm stuck with that decision until browser restart.

        Most browsers don't even provide basic facilities to manage client certs

  • by Anonymous Coward on Tuesday April 10, 2018 @09:46AM (#56412145)

    Sure, go ahead and give your biometric data away. You'll only be permanently identifiable for the rest of your life.

    • by Anonymous Coward

      While I understand and share your concern, at this point it's pretty much unavoidable. Society has accepted biometric authentication and doesn't care about privacy.

      We've accepted cameras everywhere, which with facial detection alone, is pretty inescapable. You can forget any 5th amendment rights in the future when it comes to technology evidence: biometrics is law enforcement's permanent shoe-in to the cryptography problem they face since they can easily access devices once your entire body is in custody.

    • by Archangel Michael ( 180766 ) on Tuesday April 10, 2018 @10:14AM (#56412315) Journal

      You'll only be permanently identifiable for the rest of your life

      Go live in a cave for the rest of your life. Then nobody will have to identify you, and you won't have to prove your identity to anyone.

      Or, you can realize that identity is proof of who you are (and not someone else). The problem ISN'T identity theft, that is just a symptom of the problem. The REAL problem is that we have systems that make your identity your problem when you have no control over that information. A bank giving a loan out to someone who is not you, in your name, without your knowledge or consent shouldn't be YOUR problem, it should be theirs. They failed to do due diligence in ascertaining the person they gave $25,000 in credit isn't you.

      All of this is because we've reduced identity to knowledge of facts, and not personal references. It is much harder to prove that you are me, if you also have to come up with fake people who pretend to be my known associates. This is why Identity should be based on web of trust, and not publicly identifiable traits.

      We've given up security for convenience, and the ramifications are really bad.

      • you can realize that identity is proof of who you are (and not someone else)

        Exactly.

        I may wish to prove who I am to my bank. I might not be so keen to prove it to www.randomwebsite.com and I sure as hell have no wish to prove it to www.porns.r.us.scam and goat.se

        Also, I have no wish for hackers.ru to be able to prove they are me for the rest of my life.

        YMMV

        • I bet you can produce a person or two (maybe more) that can verify that you are who you say your are. That kind of "information" is based on "trust", not trusting that someone who can produce a list of facts is you. I doubt that a Russian can prove he is you if he also has to provide a number of people who are known associates of you, with their own list of associations.

          I have all sorts of documentation of my relationships with other people, spanning decades. That kind of information is much harder to forge

    • I've not read the latest draft, but the earlier version of this spec was basically U2F with enough abstraction to avoid tying it to a specific hardware implementation. The goal was to have the user agent generate authentication tokens and accept responsibility for identifying the user, possibly using a hardware token, possibly using a separate process that handles credentials. I don't think uploading biometric data is part of the spec (unless it's changed), but using biometrics locally to authorise access
    • just wait for pre existing conditions rules to go away then you will be blacklisted (USA ONLY does not apply to jail / prison system)

    • The fingerprint scanner was just one example of a supported device. You can use hardware tokens too.

      Yubico announced [yubico.com] their new security tokens [yubico.com] today, they ship on the 13th.

    • by Anonymous Coward

      You're not giving it away. The biometric data is used like the password to your private key. The entire thing is about standardizing the API for PKI authentication - certificate based.

    • by AmiMoJo ( 196126 )

      Why do you think this involves giving your biometric data away?

      Your computer/phone scans your fingerprint and then tells the web site that you authenticated, with a token to prevent impersonation. The biometric data never leaves your local control.

      For most people it's a massive win. No more crappy passwords. For experts we can more easily use security tokens.

  • by 140Mandak262Jamuna ( 970587 ) on Tuesday April 10, 2018 @09:47AM (#56412147) Journal
    So if these things get hacked or stolen, there is no way for you to change the user name, or password.. Can people be this idiotic?

    All these finger prints and retina scanning or even social security number are just identifiers. They identify a person. The authentication is different. Authentication is like a signature, of the old pen and ink era. It should be at the control of the person.

    • Can people be this idiotic?

      Yes. And it is probably even worse than that.

    • by Greyfox ( 87712 )
      Can't be hacked and can easily be forced if law enforcement or the Russian mafia decides they want to see your information. Of course, with a password the Russian mafia will just beat you with a wrench until you log in, anyway, so YMMV.
    • Of course you can. Did you ever read the damned FIDO specification?!

      If you did, you'd realize that FIDO does not directly bind the biometric with the webpage. Rather it creates a asymmetric key pair (separate for each verifier) that allows the verifier to do a challenge response. This lets the verifier verify that the person trying to log in is the same person that associated the public key with the account at the time of enrollment.

      The biometric part only enters into the stage in terms of protecting the pr

    • The API is not about providing biometrics to the remote server, it is about generating keypairs and attestations. When you register a device with a site, you generate a key pair associated with the {authenticator, site, user} triple. The authenticator (U2F device, keychain, whatever) stores the private key, you upload the public key. When you want to log back in, the server provides you with some data, which you then sign with the private key and upload. The server can then check it with the public key

    • I think you are misunderstanding how this could be implemented. The fingerprint is not sent to the site you are authenticating too. The site would likely create a very long cookie or auth code once you log in normally. To access that auth code to send to the website you would use the biometric login which would then send that encrypted auth code to the website. This is similar to how thumbprint works on existing phones. The thumbprint isn't sent outside the security context of the phone. It only unloc

    • by AmiMoJo ( 196126 )

      Can people be this idiotic?

      PROTIP: When something coming from people with a good track record on security seems stupid, it's probably because you didn't understand it. Best to try to figure it out, rather than going for the easy +5 first outraged-at-the-stupidity post on Slashdot because your mistake will get very publicly pointed out.

  • by Anonymous Coward on Tuesday April 10, 2018 @09:47AM (#56412151)

    How is this any better really?

    I can change passwords, I can have a unique password for every login. But I have only one set of fingerprints. And I can't change those if compromised. Furthermore, there is a number of ways to swipe biometric data from people, in some cases without their knowledge or by force, which a password is immune to.

    • by taustin ( 171655 )

      Er, dude, passwords can (and are, often) certainly be brute forced without the victim's knowledge.

      And passwords can certainly be beaten out of someone as easily as a finger cut off and taken.

    • The fingerprint information is only stored on your device and does not get sent to the website you are logging into. Someone cannot use your thumbprint to get access to the website from another device. They would have to login to your specific device and use your thumbprint on it to get access. Essentially the website login information is just stored inside a security container that gets unlocked with your fingerprint. Think of it kind of like a password manager but using your thumbprint to use it. The

    • by AmiMoJo ( 196126 )

      The fingerprint is only used to control access to a token that gets sent to the site. If the token gets compromised just generate a new one. If your fingerprint gets compromised they still need your laptop to get the token. If both get compromised you are screwed anyway.

  • noscript?! (Score:3, Insightful)

    by Anonymous Coward on Tuesday April 10, 2018 @09:48AM (#56412159)

    "if website developers want to take advantage of this new standard they should start building support for the JavaScript API into their login capabilities"

    the last thing we need for better security is more javascript :(

  • by Anonymous Coward on Tuesday April 10, 2018 @09:49AM (#56412163)

    I do hope they'll use these fingerprint scanners only as a login and not as a password, otherwise ppl will have a hard time changing their password next time a database is breached.

    • Well, you should be good for 9 changes. The tenth could be a bit hard unless you're from Alabama.

      • by taustin ( 171655 )

        Toe prints are just as unique as fingerprints.

        Makes logging into YouPorn a bit more of a challenge, though, what with your pants around your ankles and all.

    • Neither. You use a user name as a login. You use the fingerprint scanner to authorise your device to provide an attestation. The attestation is something signed with a private key, where you have previously updated a (unique) public key to the site. You may store a set of keys identified by {user, site} pairs, or you might generate the private keys from a {user, site, secret} triple and provide the associated public key on demand. The latter is what most U2F devices do, so if someone steals the device

    • Just gotta watch out for Nicolas Cage...

  • I don't have any internet accounts worth securing
    • Say, how exactly do you connect to the internet? Could it be that your modem connects using a username and password? You might not have seen it, ever, but that doesn't mean it ain't there. And can be abused for nefarious activities that will finally be pegged to you, the rightful user of that account.

      • Your main point is correct, but...

        Most modems nowadays (Sat, Cable, DSL) don't bother with a user/pass from you just to get itself online, because it originates from a physical point-of-presence - specifically, your home address.

        Now the built-in wifi** is a different story, sure - but nothing prevents me from using ethernet-only in the house (well in my case I might have to bury some fiber to get out from the house to the home office and shop, but...)

        ** built-in wifi is not a given. My Exede/ViaSat modem do

        • Cable, DSL is tied to the modem ID

        • Most modems nowadays (Sat, Cable, DSL) don't bother with a user/pass from you just to get itself online, because it originates from a physical point-of-presence - specifically, your home address.

          Cable is a shared medium. It uses BPI+ yet the initial handshake is still very much faith based.

          DSL in some ways is more physically secure because unlike cable there is no shared medium. Every link is point to point. They often use MAC or PPPoE schemes with crummy authentication protocols. This is done more for management purposes than actual security.

        • by flink ( 18449 )

          Your main point is correct, but...

          Most modems nowadays (Sat, Cable, DSL) don't bother with a user/pass from you just to get itself online, because it originates from a physical point-of-presence - specifically, your home address.

          Every DSL setup I've ever used has had some flavor of CHAP running over PPP or PPPoE. If you are using an ISP-supplied modem, then the tech probably put the credentials in there for you, but if you are bringing your own device to the table, you definitely had to get your account username and password from the ISP in order to be able to get your modem online.

          Cable modems, I believe, have a more sophisticated authentication setup, requiring the device itself to be authorized.

          Either way, you can't just stick

        • ...if your provider lets you control it. More and more you're forced to use your provider's modem and they, not you, decide whether your WiFi is on.

  • But if they get your 'biometrics', you um... Use a different finger? Use a different face?
    • But if they get your 'biometrics', you um...Use a different finger?Use a different face?

      Halloween mask? I can see a brisk trade in thimbles with false fingerprints - a different one for every occasion.

  • by 140Mandak262Jamuna ( 970587 ) on Tuesday April 10, 2018 @09:50AM (#56412173) Journal

    Passwords continue to be one of the weaker points in online security. A hacker may phish a target's password and log into their account, or take passwords from one data breach and use them to break into accounts on another site.

    So the solution is to remove the passwords and replace it with something unchangeable if hacked. You know, whatever hash they use to store the immutable personal characteristics like fingerprints and retinal scans and brain wave Fourier transforms and voice print hash can never be hacked, not in a lifetime of the person. Yeah, sure.

    • But they use fingerprint authentication in TV and movies all the time! It HAS to be a good idea, all the best movie safes have them!
    • It gets even stupider when you realize they are breaking one of the 1st rules of passwords, use a different one for each account.
      • Maybe we could use a different hand expression per site. I know what I am using for Facebook!
      • by timftbf ( 48204 )

        They're not doing that, unless I'm missing something. The one "password" (fingerprint) is used to unlock your local secure key store, which contains many "passwords" (keys) for many sites.

        Reads to me like it's a standardised interface to a password manager (LastPass, KeePass, etc) with some verification, anti-replay, etc on top, and using longer and better-generated secrets than a handful of typeable characters.

    • by Jahta ( 1141213 )

      Passwords continue to be one of the weaker points in online security. A hacker may phish a target's password and log into their account, or take passwords from one data breach and use them to break into accounts on another site.

      So the solution is to remove the passwords and replace it with something unchangeable if hacked. You know, whatever hash they use to store the immutable personal characteristics like fingerprints and retinal scans and brain wave Fourier transforms and voice print hash can never be hacked, not in a lifetime of the person. Yeah, sure.

      Not to mention that, legally speaking, in many countries passwords are protected by your right to silence. Biometrics typically aren't; you can be legally compelled to provide a fingerprint, say, to unlock an account or a device.

    • I think you're the tenth person to attack the same straw man that has absolutely nothing to do with how the WebAuthn design actually works. Do you get some kind of prize?
  • by Opportunist ( 166417 ) on Tuesday April 10, 2018 @09:56AM (#56412203)

    Or are you afraid of going deaf because of the volume of the "OH HELL NO!" that will be yelled at you?

    Are you nuts? Seriously, I'm asking. Are you nuts? Who is idiot enough to, after the past YEARS of identity theft and privacy abuse, even suggest something like this? And how much faith in the idiocy of humanity does it take to expect people to actually WANT this?

    I'm not even going for the obvious "identification != authentication". It's been shown time and again that it's trivially easy to bypass biometric scans, at least user-grade devices that do it. And you want me to trust my banking to something like this?

    I have to ask again: Are you stupid?

    Or do you just think I am?

    • by bws111 ( 1216812 )

      Could you at least make a feeble attempt to understand what this actually is prior to ranting?

      This is NOT identifying OR authenticating you with biometrics. Identification is still done with some sort of userid. Authentication is done with public key encryption.

      When you sign up for a service, you get a userid, and YOU generate a public/private key pair. You send the PUBLIC key to the service and keep the PRIVATE key private. When the site later wants to authenticate you, it sends a challenge. You sign

      • When you sign up for a service, you get a userid, and YOU generate a public/private key pair. You send the PUBLIC key to the service and keep the PRIVATE key private. When the site later wants to authenticate you, it sends a challenge. You sign the challenge with your private key and return it. If your signature is successfully matched with the previously stored public key, you are authenticated. If someone intercepts the conversation they get nothing useful, because next time the challenge will be different, and no actual keys were exchanged. If someone hacks the service all they get is a bunch of PUBLIC keys.

        In other words reinventing client certificates poorly and mistaking it for progress.

        Now, how to protect your PRIVATE key is totally up to you. You could keep it in an encrypted file that is unlocked with biometrics. Or, you could keep it in a hardware cryptography module in a PC protected with 4096 bit encryption, inside a steel cage. Or anything in between. It is up to YOU, not the service.

        Until you lose your key and go whining to the operators of the service.

        • by bws111 ( 1216812 )

          Why, exactly, is it a 'poor implementation'? Where is a 'good implementation', and why isn't it being used anywhere?

          Losing your key is no different than losing/forgetting your password.

          • Where is a 'good implementation', and why isn't it being used anywhere?

            TLS mutual certificate authentication has been widely deployed in corporate environments for creeping up on two decades now.

            TLS mutual password authentication using ZKP/PAKE is able to securely authenticate passwords with no information leakage and no external sources of trust. This technology is widely deployed across all the major TLS stacks.

            Both sources of trust contribute to and are cryptographically bound to underlying communications channel.

            Why, exactly, is it a 'poor implementation'?

            Primarily it's the wrong layer. It doesn't leverage itself

        • Until you lose your key and go whining to the operators of the service.

          I have several of the Yubikeys and in the user guides they explicitly tell you to (a) have a spare and (b) make a backup.

  • This is really doesn't seem to fix anything.
    Just changes the password to a piece of hardware that you must always have on you or you must carry 5 around with you
    Also, fingerprint scanning sucks IMO. My phone will not read it unless the sensor is completely clean, and then only works 3 out 10 times. YMMV thou.
  • You need to be taken out back and beaten with reeds.

  • by MerlinTheWizard ( 824941 ) on Tuesday April 10, 2018 @10:03AM (#56412249)
    leaking and widely available. I'm sure it's no big deal. :D

    The fact that passwords, just like physical keys, are not linked to an identity is actually a very big plus in terms of security IMO. Of course they can get stolen (and there are schemes to make it less likely to matter, such as multi-factor authentification.) But the very fact that one could steal both your passwords AND identity at the same time (which will inevitably happen at some point when both are linked) is much, much worse.

  • by Anonymous Coward

    With all the massive hacks happening daily, the last thing I would want is to rely on a password I cannot change.

  • "People everywhere are already using their fingers and faces to 'unlock' their mobile phones and PCs"

    Not in my circle of tech literate friends and colleagues.

    1) Many realise that biometrics == username and not an authentication 'password'

    2) Fingerprint & face technologies are not robust and can be fooled. False negatives will turn people off the idea so expect the pattern matching to be loose at best.

    3) Biometrics can't be changed easily (if at all)

    4) Many people don't have/want phones / laptops with fi

    • by elcor ( 4519045 )
      OP is working for a brainstorming group, fishing for ideas to refine his biometric rational.
  • by Anonymous Coward

    I am against slippery slopes, but:
    Want to purchase food? Need to use your fingerprint. Don't want to give fingerprint? No food. Use fingerprint? Hmm, you're purchasing too much junk food. Your insurance company has been notified, your rates go up accordingly.

  • People everywhere are already using their fingers and faces to 'unlock' their mobile phones and PCs, so this will be natural to them

    Um, no. First of all, "people everywhere" do not use those, only a subset of them, and I suspect a small subset.

    Secondly, access to an object normally in your physical control is not the same as access to remote websites.

  • What we need is a MFA standard, similar to the open source Google Authenticator/RFC 6238/RFC4226 standard, but instead of a shared secret, it uses a public key, so of an attacker slurps the list of 2FA info from a company, they won't receive anything that would benefit them, as opposed to a shared secret key that they could use later on to attack specific accounts.

    We already have biometrics for authentication. My Lastpass 2FA app has the option of setting a fingerprint before it will show codes. Similar w

  • Comment removed based on user account deletion
    • by timftbf ( 48204 )

      It does seem to suggest that they expect out-of-band authentications to be possible. e.g. the password manager lives on your phone. When you log in from your PC, a request is sent to your phone asking if you want to allow access from the that PC (with some kind of fingerprinting info that would let you make a reasonable confirmation that you're authenticating your connection, and not a random hack attempt being made at the same time). You unlock the password manager and authenticate on the phone, and tha

  • So you don't want to give up your fingerprint willingly? No worries, I have a knife or scissors or I'll just kill you and drag your body to the scanner. Much easier than trying to beat a password/phrase/answer out of you.

  • The article is, unsurprisingly, light on detail, and the proposal doesn't have a great deal to do with the headline. The spec at W3, at least from a first skim, is a lot more informative.

    This is absolutely *not* about random web-sites using your biometric information (or some magical hash thereof) as authentication. It's about using your biometric identification, or some other MFA, to unlock access to the credential store - something like Lastpass, Keepass, et al.

    When you register with a site, you and the

  • Slowly the frog boils.

  • what's the privacy on this?
    How are my access data protected and stored across the board?
    Thinking about this Facebook crap, I just want to start vomiting.

    And ... using Tor, at least I get a warning ... attempted to extract HTML5 canvas data ... uniquely identifying your computer.
    All the other browser just do it, and who uses it without even asking for permission.

    Is any politician in this country (USA) even remotely aware about this abuse and doing (or can) something about it? Hardly...
    And - don't give me th
    • There isn't any. You have no expectation of privacy on public services
      • by no-body ( 127863 )
        <quote>There isn't any. You have no expectation of privacy on public services</quote>

        Total BS you utter here, shows the usual uncritical wimp behavior getting fucked over.

        I have expectations against abuse and exploit of my privacy. Apparently, in other countries something like that exists and there are attempts to hold the bigger players - Google, Facebook, Twitter etc. somewhat accountable.

        For starters - you are not allowed to take a picture of a person without getting permission to do so and
  • But make my identity easier to steal in the case of a data breach. This doesn't solve the problem.
    • by bws111 ( 1216812 )

      How will it make that easier? In case of a breach, all they get is a bunch of public keys.

  • What a brilliant idea. Lets all come up with a "secure" web authentication feature that doesn't actually allow for secure password authentication.

    Just for fun lets toss in "User Consent" and "User Presence" because "security".

    And to complete our incompetence... channel bindings? What channel bindings?

  • My bank app, my paypal app, my amazon app, ... has been doing that for years now.

    Since I'm an old fart here and ergo I can't possible read neither THA nor TFS, what's actually new here?

  • I once had to postpone getting my fingerprints taken for my job at NASA for a week because some of my fingers/prints were cut, calloused and beaten-up from car and house work. Anyone want chance getting locked out of your computer and the web for a week?

No spitting on the Bus! Thank you, The Mgt.

Working...