
Web Authentication

Ahhzz

Moderator
Staff member
Joined
Feb 27, 2008
Messages
8,737 (1.48/day)
Not technically Hardware, as it refers to a new proposed standard, but does require hardware for functionality, and I didn't see a "Security" in software :)

Has anyone looked at this proposal, which basically wants to eliminate passwords in favor of biometrics? I am NOT impressed. The courts already have ruled that you can be required, without a warrant, to unlock devices with biometrics. The main reason my Pix2 doesn't use the fingerprint reader. I've got nothing on it that would even remotely get me in trouble (with the possible exception of my ex-wife, if she saw some of the comments between myself and Mrs. Ahhzz heheh), but I would prefer that if the cops want to see in my phone, they have reasonable reason to do so, and have gone thru the process of law to do it. I understand the court's decision makes it "Legal", and indeed, "the process of law" to access my phone via biometrics, I just disagree. If they legitimately feel that there's something on my phone they want to see, they can get a judge to agree.

I'll stick with my passwords, thanks.
 
Joined
Jul 25, 2006
Messages
12,124 (1.87/day)
Location
Nebraska, USA
I think you are focusing on the minor point and not the bigger picture. Everything you say about law enforcement is true. But that is really a minor point in all this. You (assuming you are telling the truth here! ;)) are like the vast majority of the rest of us here - that is, law abiding folks with nothing to hide that would be of interest to law enforcement or the courts.

The much bigger picture is keeping the bad guys out of our stuff. Passwords, even long pass phrases, can more easily be hacked (or stolen!) than your fingerprint, retina scan, etc.

One of the problems I see with biometrics, however, is they almost always are backed up with an alternative authentication process - one that uses a password! :(
 

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
Messages
17,865 (2.99/day)
Location
Quantum Well UK
Couldn't agree more @Ahhzz

I've never liked that the phone can be unlocked while you're asleep, say, with your face or finger. It's like giving someone the key. Having to guess a tough password on a secure system on the other hand, they can go whistle.
 
Joined
Jul 25, 2006
Messages
12,124 (1.87/day)
Location
Nebraska, USA
Having to guess a tough password on a secure system on the other hand, they can go whistle.
If they somehow got possession of your phone and are trying to manually guess your "tough" password, I agree. But that is not what that proposal is about. It's about "web" authentication.

Bad guys can and do use automated tools to hack passwords. That's a problem.

And "on a secure system"? What's that? Equifax? Yahoo/Verizon? Uber? eBay?
 

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
Messages
17,865 (2.99/day)
Location
Quantum Well UK
The OP also talks about his smartphone, so it's in context for that. It also applies to web authentication too though as apps can use a smartphone's biometric features for authentication too.

And yeah, "secure" passwords can be cracked on a non-secure system too when the company running it is sloppy. Nothing's perfect, unfortunately. :ohwell:
 

Aquinus

Resident Wat-man
Joined
Jan 28, 2012
Messages
13,147 (2.95/day)
Location
Concord, NH, USA
It looks like some people didn't learn their lesson with SAML the first time. :(
 
Joined
Mar 10, 2015
Messages
3,984 (1.20/day)
The much bigger picture is keeping the bad guys out of our stuff. Passwords, even long pass phrases, can more easily be hacked (or stolen!) than your fingerprint, retina scan, etc.

I am guessing you haven't seen how trivial it is to bypass many fingerprint scanners on phones?
 
Joined
Jul 25, 2006
Messages
12,124 (1.87/day)
Location
Nebraska, USA
I am guessing you haven't seen how trivial it is to bypass many fingerprint scanners on phones?
I take it you haven't seen how trivial it is for just about any wannabe hacker to guess, or automate password hacking?

Of course biometrics can be by-passed, but it is not near as simple today as you pretend it to be.

A neighborhood kid can often guess a password if they know you. You cannot guess a thumb print.

I am also guessing you haven't seen how biometric technologies have improved significantly in the last couple years either?

Yes, fingerprints can be stolen then manipulated and used to gain access. But not likely by the whizkid next door. And facial recognition scanners have been fooled by hi-rez photos and even 3-D printers. But note I also said "retina scans" in my comment. Those are much more difficult to hack.

Regardless, biometrics, when implemented properly, offer much better security than passwords. The problem is, we aren't there yet - at least when it comes down to consumers' everyday computing devices.

Here's a good and current read on biometrics. I like it because it also spells out the potential pitfalls too.
 
Joined
Aug 30, 2018
Messages
44 (0.02/day)
Location
United Kingdom
I was wondered when Facebook asked me to send my new picture in order to prove it's me. When I think it over it turned out that we're totally controlled. All our pics are linked to our internet accounts. And now you tell about fingerprints, etc.. I feel like someone is watching me all the time.
 
Joined
Sep 7, 2017
Messages
3,244 (1.34/day)
I don't use biometrics anywhere. And I don't think anyone is cracking my passwords all that easily. So I'm cool.

I'm not exactly paranoid about the tech, but I don't think it's for me. It's for people who are too lazy and/or have bad memories with passwords (good passwords).
 

dorsetknob

"YOUR RMA REQUEST IS CON-REFUSED"
Joined
Mar 17, 2005
Messages
9,105 (1.31/day)
Location
Dorset where else eh? >>> Thats ENGLAND<<<
I was wondered when Facebook asked me to send my new picture in order to prove it's me.

Please upload a Scan of your passport or SS ID and Notarized by a Court Official to Confirm Your ID ( Please note this info is shared with the NSA/FBI).
We value Your privacy and will ....................:roll::roll::nutkick:
 
Joined
Jul 16, 2014
Messages
8,116 (2.28/day)
Location
SE Michigan
After biometrics the next step is your complete identity tattooed under your skin. Not sure if that's right before, or right after, the anti-christ makes an appearance.
 

newtekie1

Semi-Retired Folder
Joined
Nov 22, 2005
Messages
28,472 (4.24/day)
Location
Indiana, USA
The courts already have ruled that you can be required, without a warrant, to unlock devices with biometrics.

What ruling allows this without a warrant?
 
Joined
Aug 20, 2007
Messages
20,758 (3.41/day)
The much bigger picture is keeping the bad guys out of our stuff. Passwords, even long pass phrases, can more easily be hacked (or stolen!) than your fingerprint, retina scan, etc.

A proper password is actually much harder to hack than most biometric systems, especially if we factor in 2FA.

I take it you haven't seen how trivial it is for just about any wannabe hacker to guess, or automate password hacking?

The answer to this is education, not switching to an even more flawed and brainless standard.

Of course biometrics can be by-passed, but it is not near as simple today as you pretend it to be.

No, it's simpler. There's a mythbusters episode covering this. It is RIDICULOUSLY easy.

That said...

Has anyone looked at this proposal, which basically wants to eliminate passwords in favor of biometrics?


This is simply a proposed method for accessing credentials via biometrics. What makes you think it's supposed to replace anything?
 

Ahhzz

Moderator
Staff member
Joined
Feb 27, 2008
Messages
8,737 (1.48/day)
What ruling allows this without a warrant?
https://arstechnica.com/tech-policy...o-was-forced-to-fingerprint-unlock-his-phone/
http://www.startribune.com/mn-appea...sn-t-violate-constitutional-rights/410991655/
https://www.twincities.com/2018/01/...nlock-cell-phone-with-fingerprint-was-lawful/

lower court, appeals court, state supreme court.

Haven't seen a SCOTUS on fingerprints yet, but they did rule that a warrant was required in certain cases regarding law enforcement attempting to access location data from a phone.
 
Joined
Jul 16, 2014
Messages
8,116 (2.28/day)
Location
SE Michigan
https://arstechnica.com/tech-policy...o-was-forced-to-fingerprint-unlock-his-phone/
http://www.startribune.com/mn-appea...sn-t-violate-constitutional-rights/410991655/
https://www.twincities.com/2018/01/...nlock-cell-phone-with-fingerprint-was-lawful/

lower court, appeals court, state supreme court.

Haven't seen a SCOTUS on fingerprints yet, but they did rule that a warrant was required in certain cases regarding law enforcement attempting to access location data from a phone.
It's still a 4th amendment violation until the SCOTUS rules on it. If his lawyer argued only the 5th, he/she was worth shit as a lawyer.
 

Frick

Fishfaced Nincompoop
Joined
Feb 27, 2006
Messages
18,923 (2.86/day)
Location
Piteå
I take it you haven't seen how trivial it is for just about any wannabe hacker to guess, or automate password hacking?

Of course biometrics can be by-passed, but it is not near as simple today as you pretend it to be.

A neighborhood kid can often guess a password if they know you. You cannot guess a thumb print.

I am also guessing you haven't seen how biometric technologies have improved significantly in the last couple years either?

Yes, fingerprints can be stolen then manipulated and used to gain access. But not likely by the whizkid next door. And facial recognition scanners have been fooled by hi-rez photos and even 3-D printers. But note I also said "retina scans" in my comment. Those are much more difficult to hack.

Regardless, biometrics, when implemented properly, offer much better security than passwords. The problem is, we aren't there yet - at least when it comes down to consumers' everyday computing devices.

This isn't the problem with passwords as such, this is a problem with password management. A good password is not weaker than biometrics. The downside is that it's impossible to have good password management without external tools, unless you're a savant of some sort.

I'm not exactly paranoid about the tech, but I don't think it's for me. It's for people who are too lazy and/or have bad memories with passwords (good passwords).

So you have good passwords for everything, and you can keep them in your head? You're a savant then, unless you have a bad definition of "good". And in my experience it's not laziness that lies behind bad password management, it's ignorance. Services like Lastpass are easy to use (even across devices) but a lot of people don't know it exists.

A proper password is actually much harder to hack than most biometric systems, especially if we factor in 2FA.

2FA is a pain in the butt though. It depends a bit on the implementation, but on the whole it is awful.
 
Joined
Sep 7, 2017
Messages
3,244 (1.34/day)
This isn't the problem with passwords as such, this is a problem with password management. A good password is not weaker than biometrics. The downside is that it's impossible to have good password management without external tools, unless you're a savant of some sort.



So you have good passwords for everything, and you can keep them in your head? You're a savant then, unless you have a bad definition of "good". And in my experience it's not laziness that lies behind good password management, it's ignorance. Services like Lastpass are easy to use (even across devices) but a lot of people don't know it exists.

I wouldn't call myself a savant by any means. Just a mix of capitals/lowercases/numbers and at least one symbol. I sometimes reuse them.. but not all. But once you type something dozens of times, it sticks.
 
Joined
Jul 16, 2014
Messages
8,116 (2.28/day)
Location
SE Michigan
This isn't the problem with passwords as such, this is a problem with password management. A good password is not weaker than biometrics. The downside is that it's impossible to have good password management without external tools, unless you're a savant of some sort.



So you have good passwords for everything, and you can keep them in your head? You're a savant then, unless you have a bad definition of "good". And in my experience it's not laziness that lies behind good password management, it's ignorance. Services like Lastpass are easy to use (even across devices) but a lot of people don't know it exists.
I use a password manager, Keepass, so I need to remember just 1 password. I use the password generator for every site and forum and game. Nothing less than 12 characters, which is on the weak side, but I usually stick to 16.
 
Joined
Sep 7, 2017
Messages
3,244 (1.34/day)
All my security problems are mostly someone else's fault actually. Merchants getting my CC number stolen. It's happened multiple times. My fault is saving it on some sites. :\
 

Frick

Fishfaced Nincompoop
Joined
Feb 27, 2006
Messages
18,923 (2.86/day)
Location
Piteå
I wouldn't call myself a savant by any means. Just a mix of capitals/lowercases/numbers and at least one symbol. I sometimes reuse them.. but not all. But once you type something dozens of times, it sticks.

And you have a different string for everything? How many logins do you have to keep track of? Here are the ones I keep track of:
  • Bank pin
  • Bank authentication login, mobile. Luckily most of the "official" stuff (governments, loan applications, phone account, education) can use this
  • Bank authentication, physical
  • Main mail address
  • Three work mail accounts
  • One semi-serious mail account
  • Wordpress blog
  • Five rental queues (apartments)
  • Steam
  • GOG
  • Humble Bundle
  • Paradox Studios (same account for the store and the forums)
  • Two battle.net accounts
  • Evernote
  • Like ten or so accounts to a work-related site (web portal for power management)
  • A bunch of work related VPN stuff
  • Work related virtual machine management
  • A host of online shops
  • My power provider
  • At least two grocery shops
  • Facebook
  • Tumblr
  • One or two forums which require complicated passwords
And most of them are being good citizens and require at least eight characters, with a mix of capital letters and numbers and some even require symbols. And this is just my official stuff. I have two trash mail accounts to which is tied a bunch of forum accounts and store accounts for which I reuse a good password I've used for twenty years now, where I never really buy anything but no store would dream of letting you buy anything without an account.

Password managers are essential today. Everything's done online and every single thing requires an account.

All my security problems are mostly someone else's fault actually. Merchants getting my CC number stolen. It's happened multiple times. My fault is saving it on some sites. :\

Excellent point and very true, and again: everything is done online and everything requires accounts that can be compromised. The best you can do is mitigation.
 
Joined
Sep 7, 2017
Messages
3,244 (1.34/day)
And you have a different string for everything? How many logins do you have to keep track of? Here are the ones I keep track of:
  • Bank pin
  • Bank authentication login, mobile. Luckily most of the "official" stuff (governments, loan applications, phone account, education) can use this
  • Bank authentication, physical
  • Main mail address
  • Three work mail accounts
  • One semi-serious mail account
  • Wordpress blog
  • Five rental queues (apartments)
  • Steam
  • GOG
  • Humble Bundle
  • Paradox Studios (same account for the store and the forums)
  • Two battle.net accounts
  • Evernote
  • Like ten or so accounts to a work-related site (web portal for power management)
  • A bunch of work related VPN stuff
  • Work related virtual machine management
  • A host of online shops
  • My power provider
  • At least two grocery shops
  • Facebook
  • Tumblr
  • One or two forums which require complicated passwords
And most of them are being good citizens and require at least eight characters, with a mix of capital letters and numbers and some even require symbols. And this is just my official stuff. I have two trash mail accounts to which is tied a bunch of forum accounts and store accounts for which I reuse a good password I've used for twenty years now, where I never really buy anything but no store would dream of letting you buy anything without an account.

Password managers are essential today. Everything's done online and every single thing requires an account.



Excellent point and very true, and again: everything is done online and everything requires accounts that can be compromised. The best you can do is mitigation.

I guess I juggle half as much. Less work related stuff.

I guess I could improve passwords.. The poster above said he used 16 characters. I don't go that far.
 

newtekie1

Semi-Retired Folder
Joined
Nov 22, 2005
Messages
28,472 (4.24/day)
Location
Indiana, USA
https://arstechnica.com/tech-policy...o-was-forced-to-fingerprint-unlock-his-phone/
http://www.startribune.com/mn-appea...sn-t-violate-constitutional-rights/410991655/
https://www.twincities.com/2018/01/...nlock-cell-phone-with-fingerprint-was-lawful/

lower court, appeals court, state supreme court.

Haven't seen a SCOTUS on fingerprints yet, but they did rule that a warrant was required in certain cases regarding law enforcement attempting to access location data from a phone.

None of those are rulings that allow law enforcement to force you to unlock your phone or use biometrics in any way without a warrant. The rulings were all that a judge can order you to do it, if you are at the stage of a judge ordering it, you are past the warrant stage of the investigation.

It's still a 4th amendment violation until the SCOTUS rules on it. If his lawyer argued only the 5th, he/she was worth shit as a lawyer.

It is not a 4th amendment violation, because a judge is ordering it. So it is not an illegal search under the 4th amendment.

The 5th amendment, self incrimination, is really where the argument comes from. So far the legal precedent has been it is not a violation of the 5th amendment, because your biometrics are not protected by the 5th amendment. Giving your fingerprint to unlock your phone is no different than giving a hair sample for DNA or fingerprints for comparison to fingerprints found at the scene. But that won't be solid law until we see a case go to the SCOTUS. For right now, it is really going to depend on what judge you get in the case, and how he feels that day...
 

Ahhzz

Moderator
Staff member
Joined
Feb 27, 2008
Messages
8,737 (1.48/day)
None of those are rulings that allow law enforcement to force you to unlock your phone or use biometrics in any way without a warrant. The rulings were all that a judge can order you to do it, if you are at the stage of a judge ordering it, you are past the warrant stage of the investigation.


..
That's a good point; the rulings I've read do all refer to a warrant forcing that cooperation, not just police acting on their own. I stand corrected. I still think that if it arrives at the SC, they will rule blue, esp with the conservative shift. They allow police to obtain fingerprints (something you "are", but not something you "know") without a warrant, and I don't see the SC ruling any other way. But, I guess it's something we'll see when we get there. My only hope is that the phone manufacturers beat the cases in a timeline. If the OS allows easy changes to settings (change the 48 hour window to maybe 6), or better support for forcing a passkey, it will make it a completely different ball game...
 
Joined
Jul 25, 2006
Messages
12,124 (1.87/day)
Location
Nebraska, USA
I am guessing you haven't seen how trivial it is to bypass many fingerprint scanners on phones?
A proper password is actually much harder to hack than most biometric systems, especially if we factor in 2FA.
First, 2FA changes the scenario so IMO, invalidates the argument.

And Mythbusters? Come on! That was 10 years ago! But not just that, it involved covertly stealing a copy of the fingerprint from the user, then making the copies.

OF COURSE biometrics can be foiled. But it takes a tremendous amount of hands-on time to do it. Hacking a password requires a badguy to click a mouse button then he or she can move on to something else while the program crunches.

And again, a badguy would need physical access to a copy of your fingerprint. They don't with a password - reminding readers this thread is about "web authentication" and not stealing a person's phone then lifting a "viable" fingerprint from the phone, making a copy of the fingerprint and then using that to access the phone.

So I stand by what I said,
biometrics, when implemented properly, offer much better security than passwords. The problem is, we aren't there yet - at least when it comes down to consumers' everyday computing devices.
 