this post was submitted on 22 Nov 2023
499 points (98.6% liked)

Technology

59314 readers
4603 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] psudojo@infosec.pub 10 points 11 months ago (1 children)

im all for the something you have + something you are , pb&j relationship, but i dont think lathering biometrics on top is a good idea,far too many spy movies have shown Tom Cruise doing the MOST for pictures of eyeballs and fingerprints for me to ever trust this type of auth

[–] Herowyn@jlai.lu 18 points 11 months ago (1 children)

The main issue with biometrics is that you can't change them. If your fingerprints or retina are compromised you're fucked.

[–] MostlyHarmless@sh.itjust.works 17 points 11 months ago (2 children)

Unless I meet you in person, I'm not going to get your biometrics. The point of these is to protect your accounts from the global Internet.

https://xkcd.com/538/

[–] Saik0Shinigami@lemmy.saik0.com 9 points 11 months ago (1 children)

And yet, as a service member that was part of the 2013 OPM data breech, my finger prints (and an estimated 5.5 million other peoples) were part of the dataset that was stolen.

So... What's your point about "Global Internet"? If my data was stolen, and sent to the "Global Internet"(The fuck does this even mean?)... There's no functional difference to an exposed password.

[–] MostlyHarmless@sh.itjust.works 2 points 11 months ago (1 children)

My point is that I'm not worried about the relatively few people who could steal my fingerprint. I'm worried about the millions of people around the world who will try to steal my passwords and access my online accounts.

If everyone secured their accounts with a biometrically secured security key, they would be far more secure than if they continue to just use a password.

Tgose who go around spreading misinformed FUD over biometrics ensure people who don't know better continue to use weak passwords.

Even if someone gets your fingerprints from the OPM breach still can't use them because they also need your phone. You are still protected from all of the hackers around the world.

[–] Saik0Shinigami@lemmy.saik0.com 1 points 11 months ago (1 children)

My point is that I’m not worried about the relatively few people who could steal my fingerprint.

This group is much larger than you're assuming.

I’m worried about the millions of people around the world who will try to steal my passwords and access my online accounts.

Bio doesn't stop people from setting bad passwords.

If everyone secured their accounts with a biometrically secured security key, they would be far more secure than if they continue to just use a password.

Except you should know better than this... They will simply do BOTH. Set a terrible password because they will be required to make one from the get-go AND use bio. There is no service on the face of the planet that strictly accepts tokens from Bio tools. Simply using Bio doesn't stop those online from bruteforcing the underlying password.

Tgose who go around spreading misinformed FUD over biometrics ensure people who don’t know better continue to use weak passwords.

No. I "Spread FUD" because I understand that a good password MUST be revocable. Which Bio CANNOT be. Bio is a username.

Even if someone gets your fingerprints from the OPM breach still can’t use them because they also need your phone. You are still protected from all of the hackers around the world.

No... I'm protected because I use functionally impossible passwords to break that are truly randomly generated and of sufficient length. Further to protect things I use a Yubikey, when supported. Further I use services that monitor breeches and actively change those affected passwords. Bio adds nothing to my protection and in my case (and the case of millions of other people) would actively hinder it.

You have the premise backwards though. It's now, if someone has your device at all... you cannot presume it to be capable of securing anything since your prints are likely on the device itself anyway, oops...

[–] MostlyHarmless@sh.itjust.works 2 points 11 months ago* (last edited 11 months ago) (1 children)

There is no service on the face of the planet that strictly accepts tokens from Bio tools. Simply using Bio doesn't stop those online from bruteforcing the underlying password.

https://support.microsoft.com/en-us/account-billing/how-to-go-passwordless-with-your-microsoft-account-674ce301-3574-4387-a93d-916751764c43

https://blog.google/technology/safety-security/the-beginning-of-the-end-of-the-password/

https://techcrunch.com/2022/09/12/apple-passkey/

No. I "Spread FUD" because I understand that a good password MUST be revocable. Which Bio CANNOT be. Bio is a username.

Incorrect because your bio is not the password, the private key is. The private key is revocable. Your bio just unlocks your hardware key store and makes the private key accessible to the software.

This is what I mean when I say people do not understand biometric authentication.

[–] Saik0Shinigami@lemmy.saik0.com 1 points 11 months ago* (last edited 11 months ago) (1 children)

https://support.microsoft.com/en-us/account-billing/how-to-go-passwordless-with-your-microsoft-account-674ce301-3574-4387-a93d-916751764c43

Uh huh...

Once you remove your password from your account, you will need to sign in using a passwordless method like the Microsoft Authenticator app, Windows Hello, physical security keys, or SMS codes.

SMS

So which 2fa method do we NEVER ask users to use anymore? You know... because lying to a phone carrier and getting a new sim card sent to someone who isn't on the account is the hardest thing in the world to do! Or cloning a sim card.

Windows Hello

Which just had some leaks about how insecure it is.

You're going to have to do way better than this...

Regardless all three of these would then rely on your specific device to login, which MUST have a recovery method. Since you know... devices break, get reformatted, etc... What does that process look like? With a password... I simply change the password. Can you guarantee that I can revoke the key and replace it without having to buy new hardware?


https://techcrunch.com/2022/09/12/apple-passkey/

They sync shit using iCloud... The private key is not secure. I don't care what your argument is if it's in relation to apple. If you need further argument on this topic... Just look at all the leaked videos from Tesla cars. Big companies DO NOT DESERVE YOUR TRUST.


Incorrect because your bio is not the password, the private key is. The private key is revocable. Your bio just unlocks your hardware key store and makes the private key accessible to the software.

And you say I don't have an understanding... It doesn't matter how many keys deep you have to go. If the end of the line is an item that has been compromised, it DOESN'T MATTER how many steps you take after that. The compromised item is already obtained when you obtained the device.

Now... Can you tell me the process to revoke the private key from your fingerprint reader on your phone? You claim it's revocable. Revoke it. Show me. I'll wait. Can you prove that the blob in your phone is doing that? These chips are written once at the manufacturer with no oversight or validation. I'm not an idiot. I know your literal fingerprint isn't sent up to the cloud. It's used to tell a local chip to authenticate a public key against the private one contained within that typically never leaves the chip (except that the passkey standard actually allows key mobility, so it's actually worse than the FIDO standard that it's built upon). It's a blob that you have no insight into and no control over.

If I were to bump into you, and lift your phone. I'd likely have your fingerprint just by lifting it off your phone and can sign into your phone. That's it... It's like you didn't have a password at all because I simply HAVE it. I've found that theft is actually much greater risk in my life than my digital footprint. But that's only because I can actually mitigate the digital stuff by not being retarded and putting everything into the internet. Theft on the other hand... Can't do much about someone who willingly knocks me the fuck out (gasp! the XKCD comic strikes again!). But I can make sure that if they knock me the fuck out, they don't just get to take my shit and unlock it without my brain remaining functional.

None of that even matters. This is a chain of trust that I can't actually audit... So it's worthless. This requires that I trust Google (android), Samsung(or other device manufacturer), their vendors(whoever makes the fingerprint reader), etc... You know who I have to to trust for my password? My password manager and myself. The fun part is that my password manager is actually audited... and opensource, AND I've looked at it enough to be happy with it. Who audited Windows Hello? https://www.theverge.com/2023/11/22/23972220/microsoft-windows-hello-fingerprint-authentication-bypass-security-vulnerability Ooops.

It's funny, because you know what this does to authentication? It puts all the power into another companies hands... and takes ALL of it out of yours. Which is interesting that someone on Lemmy is gung-ho about this.

Let's look at a real world example of something you might ACTUALLY have to do. You're crossing the border into a country. You have data you really don't want the government snooping into like hot nudes from your significant other. So you wipe your device before you cross the border to ensure the government can't violate your rights. Oops, you no longer can access ANY account you own because you relied on that device to be what unlocks everything.

Also, whats more likely... that you break a device or that a user CANNOT learn how to use a password manager?

Edit: For shits and giggles I logged into my Google account to see what the passkey setup even looks like for them... Turns out that it's automatically created keys for devices I've logged into... Including devices I don't own anymore.

Really secure that is! Nothing screams security like creating methods to access my account without my fucking knowledge. What a joke.

[–] MostlyHarmless@sh.itjust.works 2 points 11 months ago (1 children)

Which just had some leaks about how insecure it is.

Windows Hello didn't. The hardware wasn't implemented correctly allowing the authentication to be bypassed. You misunderstood the issue here

They sync shit using iCloud...

They sync the public key with iCloud, not the private key. You misunderstood how it works.

It doesn't matter how many keys deep you have to go.

There is no "keys deep" there is a public/private key pair that authenticates a single device with a single account. You have misunderstood how a local key store works.

The compromised item is already obtained when you obtained the device.

Which means someone trying to access my account requires physical access to my device. Passwords, no matter how strong leave you open to remote attack.

Can you tell me the process to revoke the private key from your fingerprint reader on your phone?

Open the authencator app and remove the account. Or uninstall the authenticator app. Or delete your local phone account. Or factory reset if you want to go nuclear.

Alternatively if you lost your phone, go to the account online. Browse to the security section and delete the device from the list. Most services have the ability to sign out remotely. All that's doing is revoking the key. The phone doesn't have to do anything. The fact you think something needs change in the "blob" shows you do not understand how encryption works.

If I were to bump into you, and lift your phone.

Again physical access, not remote access. Much smaller attack vector than a password.

It puts all the power into another companies hands... and takes ALL of it out of yours.

You think passwords take power from the company that stores your passwords remotely? You have no idea how they are storing that password. You don't have to trust the company, you just have to trust the open standard these companies are implementing and that public/private key encryption is the standard used to secure the entire Internet.

Also, whats more likely... that you break a device or that a user CANNOT learn how to use a password manager?

Virtually no one uses a password manager. It's too much hassle.

[–] Saik0Shinigami@lemmy.saik0.com 1 points 11 months ago* (last edited 11 months ago)

Windows Hello didn’t. The hardware wasn’t implemented correctly allowing the authentication to be bypassed. You misunderstood the issue here

Except I didn't. I outlined a real fucking issue and you're waiving it away without addressing how it's wrong. You realize that Microsoft's own branded laptops have this issue right? If Microsoft cannot create a product that isn't compromised to their own standard then don't you think there's a problem with it?

Here's the relevant quote if you would have read the article instead of yapping about how "I" don't know anything and misunderstand everything.

and Microsoft Surface Pro X all fell victim to fingerprint reader attacks

If Microsoft can't implement their own security standard of Windows Hello. You CANNOT trust it to do anything reasonable let alone be secure. Period.


They sync the public key with iCloud, not the private key. You misunderstood how it works.

You cannot validate a public key without a private key to sign for it, public keys are definitionally public and cannot be used to secure anything. This is like saying that the key in you see in an SSL cert is the only thing you need to prove you're the server... Not even close. You MUST have the private key for the sync to do anything useful. I've misunderstood nothing. The alternative here is that one device simply signs or validates another device being added so now there's 2 sets of keys to an account... The more passcodes/passwords that can access an account the more likely someone can bruteforce in. Either way this becomes more and more of a risk.

There is no “keys deep” there is a public/private key pair that authenticates a single device with a single account. You have misunderstood how a local key store works.

I've not, because I've explained literally in the same post how it actually works. You're being obtuse.

Open the authencator app and remove the account. Or uninstall the authenticator app. Or delete your local phone account. Or factory reset if you want to go nuclear.

This assumes you trust the chip.... which implies trust in the manufacturer, parts vendors, and software lying on top of it.

Alternatively if you lost your phone, go to the account online.

You can't... you've lost your phone to authenticate you into the account. Actually... better yet, login to your google account now... Head over to "your devices", looking at mine, I see 2 devices in there that it REFUSES to let me remove.

All that’s doing is revoking the key.

Yes... a Session key... Not public/private key. You can simply use the same public/private keys to instantiate a new session! And since you've lost your phone and can't authenticate yourself anymore... The person who found your phone certainly can.

Again physical access, not remote access. Much smaller attack vector than a password.

So you've chosen to limit one vector of attack at the risk of completely opening another one... Genius! Especially in this day and age where first party repair shops regularly get found out for stealing customer data...

You think passwords take power from the company that stores your passwords remotely? You have no idea how they are storing that password. You don’t have to trust the company, you just have to trust the open standard these companies are implementing and that public/private key encryption is the standard used to secure the entire Internet.

Companies store password hashes... not the passwords remote... and you want to tell me I don't understand cryptography. Since passwords are transparent and known to me... I can take actions based on that. I can prove that keys aren't being shared across different platforms, etc... I can see exactly what's being passed because I'm the one passing it. And remember... these companies fuck up regularly.

Virtually no one uses a password manager. It’s too much hassle.

So there's no password manager built into browsers... and companies that don't make millions providing that exact service? Lastpass, Bitwarden, dashlane, etc?

I'll stick to passwords that I can track and operate(which are likely to be more secure than whatever data they're passing as a key). I'll stick to actually functional 2fa tokens via TOTP, and yubikey (which doesn't have sole access to do anything on it's own, unlike a phone). I will not give up my passwords. Trading off 100% of your physical security for what is arguably at worst sidegrade in digital security seems insane to me.

I realize I made an edit to my previous post you might not have seen. Please refer to that as well. But finally I noticed you've completely skipped answering any of the actual scenarios I've posted. Almost like you realize that there's a huge flaw here...

Lastly... I actually taught, researched, and created cryptography at an academic level for a while. I have a feeling I have a deeper knowledge of cryptography than most people do. If you still want to tell me I "misunderstand" everything I would suggest you actually go through my post and actually address the problems I've brought up, then realize that yes... "passkeys" can minimize risk for those who do passwords lazily... but well done passwords and 2fa, are significantly better than passkeys alone. Forcing people into passkeys forces people to only operate under a specific platform that must be trusted to work further eliminates other valuable security features in the process as well. As someone who's security conscious... as you present yourself to be... you should not be de-facto trusting these organizations at all... but for some reason you are. And that's odd.

[–] Herowyn@jlai.lu 7 points 11 months ago (1 children)

It doesn't need to be physical breach. If it's stored somewhere it can (and might) be accessed by someone else and reconstructed.

[–] MostlyHarmless@sh.itjust.works 3 points 11 months ago

And still useless unless they also steal your phone. You are still safe from the hackers on the other side of the planet