Biometric and App Logins Will Soon Be Pushed Across the Web (vice.com)
Soon, it will be much easier to log into more websites using a hardware key plugged into your laptop, a dedicated app, or even the fingerprint scanner on your phone. Motherboard: On Tuesday, a spread of organizations and businesses, including top browser vendors such as Microsoft and Google, announced a new standards milestone that will streamline the process for web developers to add extra login methods to their sites, potentially keeping consumers' accounts and data more secure. "For users, this will be a natural transition. People everywhere are already using their fingers and faces to 'unlock' their mobile phones and PCs, so this will be natural to them -- and more convenient," Brett McDowell, executive director at the FIDO Alliance, one of the organizations involved in setting up the standard, told Motherboard in an email.
"What they use today to 'unlock' will soon allow them to 'login' to all their favorite websites and a growing number of native apps that already includes Bank of America, PayPal, eBay and Aetna," he added. Passwords continue to be one of the weaker points in online security. A hacker may phish a target's password and log into their account, or take passwords from one data breach and use them to break into accounts on another site. The login standard, called Web Authentication (WebAuthn), will let potentially any website or online service use apps, security keys, or biometrics as a login method instead of a password, or use those alternative approaches as a second method of verification. The key here is making it easy and open for developers to use, and for it to work across all different brands of browsers. The functionality is already available in Mozilla's Firefox, and will be rolled out to Microsoft's Edge and Google Chrome in the next few months. Opera has committed to supporting WebAuthn as well.
RTFA? You must be new here.
While I understand and share your concern, at this point it's pretty much unavoidable. Society has accepted biometric authentication and doesn't care about privacy.
We've accepted cameras everywhere, which with facial detection alone, is pretty inescapable. You can forget any 5th amendment rights in the future when it comes to technology evidence: biometrics is law enforcement's permanent shoo-in to the cryptography problem they face since they can easily access devices once your entire body is in custody.
You'll only be permanently identifiable for the rest of your life
Go live in a cave for the rest of your life. Then nobody will have to identify you, and you won't have to prove your identity to anyone.
Or, you can realize that identity is proof of who you are (and not someone else). The problem ISN'T identity theft, that is just a symptom of the problem. The REAL problem is that we have systems that make your identity your problem when you have no control over that information. A bank giving a loan out to someone who is not you, in your name, without your knowledge or con
Authentication != identification (Score:5, Insightful)
All these fingerprints and retina scans or even social security numbers are just identifiers. They identify a person. The authentication is different. Authentication is like a signature, of the old pen and ink era. It should be at the control of the person.
Can people be this idiotic?
Yes. And it is probably even worse than that.
How is this any better really?
I can change passwords, I can have a unique password for every login. But I have only one set of fingerprints. And I can't change those if compromised. Furthermore, there is a number of ways to swipe biometric data from people, in some cases without their knowledge or by force, which a password is immune to.
Biometrics as login or as password ? (Score:3, Insightful)
I do hope they'll use these fingerprint scanners only as a login and not as a password, otherwise people will have a hard time changing their password next time a database is breached.
Well, you should be good for 9 changes. The tenth could be a bit hard unless you're from Alabama.
00000000 (Score:2)
Say, how exactly do you connect to the internet? Could it be that your modem connects using a username and password? You might not have seen it, ever, but that doesn't mean it ain't there. And can be abused for nefarious activities that will finally be pegged to you, the rightful user of that account.
Your main point is correct, but...
Most modems nowadays (Sat, Cable, DSL) don't bother with a user/pass from you just to get itself online, because it originates from a physical point-of-presence - specifically, your home address.
Now the built-in wifi** is a different story, sure - but nothing prevents me from using ethernet-only in the house (well in my case I might have to bury some fiber to get out from the house to the home office and shop, but...)
** built-in wifi is not a given. My Exede/ViaSat modem do
They get your password, you just change it. (Score:2)
Yes, let us make it worse. (Score:5, Insightful)
Passwords continue to be one of the weaker points in online security. A hacker may phish a target's password and log into their account, or take passwords from one data breach and use them to break into accounts on another site.
So the solution is to remove the passwords and replace it with something unchangeable if hacked. You know, whatever hash they use to store the immutable personal characteristics like fingerprints and retinal scans and brain wave Fourier transforms and voice print hash can never be hacked, not in a lifetime of the person. Yeah, sure.
They're not doing that, unless I'm missing something. The one "password" (fingerprint) is used to unlock your local secure key store, which contains many "passwords" (keys) for many sites.
Reads to me like it's a standardised interface to a password manager (LastPass, KeePass, etc) with some verification, anti-replay, etc on top, and using longer and better-generated secrets than a handful of typeable characters.
Not to mention that, legally speaking, in many countries passwords are protected by your right to silence. Biometrics typically aren't; you can be legally compelled to provide a fingerprint, say, to unlock an account or a device.
Could you run this by a security department? (Score:3)
Or are you afraid of going deaf because of the volume of the "OH HELL NO!" that will be yelled at you?
Are you nuts? Seriously, I'm asking. Are you nuts? Who is idiot enough to, after the past YEARS of identity theft and privacy abuse, even suggest something like this? And how much faith in the idiocy of humanity does it take to expect people to actually WANT this?
I'm not even going for the obvious "identification != authentication". It's been shown time and again that it's trivially easy to bypass biometric scans, at least user-grade devices that do it. And you want me to trust my banking to something like this?
I have to ask again: Are you stupid?
Or do you just think I am?
I don't see how (Score:1)
Just changes the password to a piece of hardware that you must always have on you or you must carry 5 around with you
Also, fingerprint scanning sucks IMO. My phone will not read it unless the sensor is completely clean, and then only works 3 out of 10 times. YMMV though.
Msmash, Stop the bullshit posting (Score:2)
You need to be taken out back and beaten with reeds.
Can't wait to see my biometric data (Score:3)
The fact that passwords, just like physical keys, are not linked to an identity is actually a very big plus in terms of security IMO. Of course they can get stolen (and there are schemes to make it less likely to matter, such as multi-factor authentication.) But the very fact that one could steal both your passwords AND identity at the same time (which will inevitably happen at some point when both are linked) is much, much worse.
Start off with false assumptions, add a bad idea (Score:2)
"People everywhere are already using their fingers and faces to 'unlock' their mobile phones and PCs"
Not in my circle of tech literate friends and colleagues.
1) Many realise that biometrics == username and not an authentication 'password'
2) Fingerprint & face technologies are not robust and can be fooled. False negatives will turn people off the idea so expect the pattern matching to be loose at best.
3) Biometrics can't be changed easily (if at all)
4) Many people don't have/want phones / laptops with fi
um, no (Score:2)
People everywhere are already using their fingers and faces to 'unlock' their mobile phones and PCs, so this will be natural to them
Um, no. First of all, "people everywhere" do not use those, only a subset of them, and I suspect a small subset.
Secondly, access to an object normally in your physical control is not the same as access to remote websites.
What we need is a OTP that uses public keys... (Score:2)
What we need is an MFA standard, similar to the open source Google Authenticator/RFC 6238/RFC 4226 standard, but instead of a shared secret, it uses a public key, so if an attacker slurps the list of 2FA info from a company, they won't receive anything that would benefit them, as opposed to a shared secret key that they could use later on to attack specific accounts.
We already have biometrics for authentication. My Lastpass 2FA app has the option of setting a fingerprint before it will show codes. Similar w
Dongles? (Score:2)
What if it breaks or gets stolen? From what I see it is basically a password manager. I would need several of them as I have several computers.
At this moment I am typing this at my PC at work during my break. I would not be able to use the dongle on this PC.
I would also need a dongle for each and every PC that I own, as I might want to use that specific one. It is not convenient to move them from one to the next one as I often use two at the same time. And some are even accessed remotely.
And I must not for
It does seem to suggest that they expect out-of-band authentications to be possible. e.g. the password manager lives on your phone. When you log in from your PC, a request is sent to your phone asking if you want to allow access from that PC (with some kind of fingerprinting info that would let you make a reasonable confirmation that you're authenticating your connection, and not a random hack attempt being made at the same time). You unlock the password manager and authenticate on the phone, and tha
Sharps (Score:2)
So you don't want to give up your fingerprint willingly? No worries, I have a knife or scissors or I'll just kill you and drag your body to the scanner. Much easier than trying to beat a password/phrase/answer out of you.
RTFSpec (Score:2)
The article is, unsurprisingly, light on detail, and the proposal doesn't have a great deal to do with the headline. The spec at W3, at least from a first skim, is a lot more informative.
This is absolutely *not* about random web-sites using your biometric information (or some magical hash thereof) as authentication. It's about using your biometric identification, or some other MFA, to unlock access to the credential store - something like Lastpass, Keepass, et al.
When you register with a site, you and the
How Orwellian! (Score:2)
Slowly the frog boils.
And - (Score:2)
How are my access data protected and stored across the board?
Thinking about this Facebook crap, I just want to start vomiting.
And
All the other browsers just do it, and whoever uses it, without even asking for permission.
Is any politician in this country (USA) even remotely aware about this abuse and doing (or can) something about it? Hardly...
And - don't give me th