Hacker News

> please use the FaceID/TouchID protected platform authenticators for passwordless authentication.

No, thank you, I don't wear my passwords on my face or my fingers because they need to be secret to serve their purpose. I don't really feel like wearing a balaclava and gloves all the time.

Also sometimes I need to change them (if they get compromised, if computing progress made them easier to bruteforce, etc.), and I don't really want to have to use cosmetic surgery when that happens.

Biometrics are closer to a username than a password in this regard.

> Don't do passwords by memory.

We can agree on this (and the disaster that SMS OTP is due to lousy carrier security mostly), you will still need a password for that password manager usually though. You can have a key based setup but you still need a way to store/remember that key. So passwords will not die just based on this, they might become less ubiquitous.

It sounds like you want to trivialize a problem that has existed for way longer than computer science and systematically relies at some point on human memory if you want a certain level of security and secrecy.

Obviously if you decrease these requirements, you can get away with weaker authentication mechanisms... but you will not secure whatever that password was securing as well then.



To clarify, biometrics are only used for local authentication against the platform authenticator. An attacker still needs the authenticator's private data, too. The authentication against the service is using public key crypto.

Also, you should be able to use a platform authenticator with a PIN.


I think understanding this distinction is going to be one of the main challenges for mainstream WebAuthn adoption over passwords as the default authentication method.


You can be scammed into entering your password into a random textbox and then relayed to the actual website/app. This is too basic. In case of FaceID/TouchID, the acquiring platform (your mobile phone) has secure device binding and FaceID/TouchID is a local authenticator on that device to use that secure device binding to authenticate. If FaceID/TouchID becomes fakeable, we will move on to some other more secure local authenticator. The point is, you have a rich multi-sensor mobile device as your authenticator.

> Also sometimes I need to change them (if they get compromised, if computing progress made them easier to bruteforce, etc.), and I don't really want to have to use cosmetic surgery when that happens.

That's not how it works. Each hardware device that acquires your FaceID or TouchID (or Iris ID etc.) does it in a way that's unique to them. Even a Mission Impossible style face mask can't fool these modern FaceIDs. Like all things in security, it is a game of making it really expensive to break it and not really about it being impossible.


> you have a rich multi-sensor mobile device as your authenticator

YOU, a relatively wealthy programmer/middle manager living in a first-world country, have access to such a device.

Ever think about who you're disenfranchising with tech like this? Or to whom you're ceding socioeconomic power and political influence?


Using open-standards based passwordless auth is not ceding control to anyone.

Btw, your assumptions about me are wrong. You don't know anything about me. So don't make it personal.


I didn’t know Jason Bourne posted on HN. In all seriousness, where’s the threat of someone taking extremely high resolution scans of your iris unless you are truly rich/powerful/connected.


Fingerprint scanning is going mainstream, here's a post about Amazon using palm scans on point of sale systems [1]. It seems reasonable that point of sale systems will get hacked or skimmers will get installed (common problems impacting normal people today). The current fix is to issue a new card. Unfortunately, you cannot have a new finger/palm print issued, so the threat appears unmitigated.

[1] https://www.bbc.co.uk/news/technology-54337984


How long until a high resolution iris scanner can be embedded in a pair of sunglasses?

Point is it wasn’t long ago that nobody could fake your voice either.


The problem is not the high resolution scan of black hats, it's that every company and your mom wants to store your biometric data in the future... and as we see with passwords most of them can't be trusted.


The bad guys don't need to scan your biometrics. Every site you log into with TouchID or whatever already has. Passwords get leaked all the time, and when you find out, you change them. You can't change your biometrics.


You’re fundamentally misunderstanding how TouchID or FaceID work.

The biometrics authenticate you with the Secure Enclave in your phone. The enrolled biometric data is stored within the Secure Enclave and practically unrecoverable. Authentication is done directly within the Secure Enclave. The connection between the sensor (fingerprint, camera) and Secure Enclave is direct and encrypted.

Conceptually, this is identical to using a passcode or password to unlock your device.

Once the Secure Enclave is unlocked, your phone can use it to sign requests, decrypt data (e.g., stored passwords), etc. The signed request or decrypted password is what’s transmitted to the app, website, or whatever else you’re authenticating against.

Your biometric data never leaves a secure encrypted channel between the sensor and Secure Enclave, and within the Secure Enclave’s own storage.

It’s some seriously cool hardware and the lengths it goes to to mitigate a lot of common and uncommon attacks is impressive. (It has a separate built-in voltage and clock monitor with a wider operating envelope so if you try and voltage glitch it, it can lock and disable itself and require a reset. Bet Nintendo wishes they had thought of that.)

There are a _lot_ of details published about this.

Secure Enclave: https://support.apple.com/en-ca/guide/security/sec59b0b31ff/...

Overall platform security: https://support.apple.com/en-ca/guide/security/welcome/web


Well, there's WorldCoin.


> It sounds like you want to trivialize a problem that has existed for way longer than computer science and systematically relies at some point on human memory if you want a certain level of security and secrecy.

Assuming the "problem" you are referring to is authentication, this is not necessarily true. "Something you know" is just one auth factor of several. Using a thumbprint (something you are) to grant access to a private key stored on a device to sign a challenge does not rely on human memory, and is probably more secure than using a password in most cases.

An argument can also be made that using a password manager implies that you are specifically doing the opposite of relying on human memory for authentication.

That said, I also disagree with the premise of the original comment that "Passwords should be dead soon and this article should be irrelevant soon after." They will be around for a while, although I hope passwordless mfa can soon replace them as the default choice.
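The flow the replies above describe (a local biometric or PIN check unlocking a private key that never leaves the device, and the service checking only a signature over its own challenge), as an added Go sketch that is neither code from this thread nor from any WebAuthn implementation. The `rpID` origin binding, the `userVerified` flag and the `sha256(rpID|challenge)` layout are simplifications assumed here, not the real WebAuthn wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models a platform authenticator: the private key is generated inside
// it and never exported; FaceID/TouchID/PIN is only a local gate on Sign. Assertion is
// all the relying party receives (never biometric data); RelyingParty keeps only the
// public key, so a breach of the server leaks nothing an attacker can reuse.
type (
	Authenticator struct{ rpID string; priv *ecdsa.PrivateKey } // rpID: origin bound at registration
	Assertion     struct{ Challenge, Sig []byte }
	RelyingParty  struct{ ID string; pub *ecdsa.PublicKey }
)

// Register creates a credential bound to rpID and hands the server the public key.
func Register(rpID string) (*Authenticator, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{rpID, priv}, &RelyingParty{rpID, &priv.PublicKey}, nil
}

// signedData ties the challenge to the origin so a signature is useless anywhere else.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}

// Sign is the "get assertion" step; userVerified stands in for a passed local biometric/PIN check.
func (a *Authenticator) Sign(rpID string, challenge []byte, userVerified bool) (*Assertion, error) {
	if !userVerified || rpID != a.rpID { // not unlocked locally, or a different origin is asking
		return nil, errors.New("assertion refused: key stays locked")
	}
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedData(rpID, challenge))
	if err != nil {
		return nil, err
	}
	return &Assertion{challenge, sig}, nil
}

// Verify checks that the assertion answers the challenge this server issued, for this origin.
func (rp *RelyingParty) Verify(asn *Assertion, issued []byte) bool {
	return string(asn.Challenge) == string(issued) && ecdsa.VerifyASN1(rp.pub, signedData(rp.ID, asn.Challenge), asn.Sig)
}
```

A fresh random challenge per login is what stops replay; the origin binding is what makes a relayed login page fail even when the user is tricked into unlocking the device.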



