• Luci@lemmy.ca
    link
    fedilink
    English
    arrow-up
    56
    arrow-down
    20
    ·
    edit-2
    1 year ago

    Stop using biometrics for authentication!!!

    Edit: lots of opinions below. Biometrics are a username, a thing you are. Finger printed can be taken from your laptop with a little powder and masking tape.

    Use an authentacator app or security key kids!!

    • TORFdot0@lemmy.world
      link
      fedilink
      English
      arrow-up
      22
      ·
      1 year ago

      Better put would be stop using biometrics for single factor authentication. A token can be stolen, or a passcode/push notification can be phished/bypassed as easy as biometrics can.

      • MostlyHarmless@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        12
        arrow-down
        3
        ·
        1 year ago

        Biometrics are two factor, because you need the fingerprint and the device they unlock.

        You can’t use the device without the fingerprint and you can’t take someone’s fingerprint then use them from a different device.

        • _s10e@feddit.de
          link
          fedilink
          English
          arrow-up
          11
          arrow-down
          1
          ·
          1 year ago

          You are not wrong, but you we should understand what class of attacks we are protecting against. Will biometrics stop your maid from using your device? Probably less. Will it stop the FBI? Not so sure.

          Now, you may say, an FBI raid is not what you worry about on a daily basis. Agree.

          If you are trying to keep the photos on your device safe from snooping, your good. Attacker needs the device and your fingerprint.

          When we talk online accounts, I’d count device+fingerprint as one factor. Sure, the maid from the example above can’t login into your gmail without your fingerprint, but most attacks are online. Your device sends a token to gmail, a cookie, a String; that’s like a password. One factor.

          Technically, it’s slightly better than a password, because this token can be short-lived (although often it’s not), could be cryptographic signature to be used exactly once (although…), you cannot brute-force guess the token… But IF the token leaks, the attacker has full access (or enough to cause damage).

          That’s why I would suggest an independent second factor, such as password. Yes, a password. Not for your daily routine (biometrics+device is much better), but maybe for high-risk operations.

          • barsoap@lemm.ee
            link
            fedilink
            English
            arrow-up
            9
            ·
            edit-2
            1 year ago

            Will biometrics stop your maid from using your device? Probably less. Will it stop the FBI? Not so sure.

            A sufficiently motivated maid will be able to do it. The FBI eats that kind of stuff for breakfast.

            Once upon a time, the then German minister of the interior wanted to collect all kinds of biometric data, in passports, in fully connected databases, whatnot. The CCC went ahead and swiped his print off a glass at a reception and published a DIY version to impersonate him in their magazine. Fingerprint authorisation is the security equivalent of a sticky note with your password on your coffee mug.

            The good news? You can use ordinary gloves, no need for tinfoil.

          • MostlyHarmless@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            5
            arrow-down
            1
            ·
            edit-2
            1 year ago

            No, wrong. Still two factor because your fingerprint plus your device.

            These authentication methods aren’t as simple as the two factor Google Authenticator 6 digit number. They are cryptographically secure keys. Even if someone finds out what the token is, they still cannot send a valid request because they cannot generate a digitally signed request using the private key locked in your device’s hardware, unlocked by your biometrics.

            Passwords are inherently insecure and relatively easy to break. Digital signatures and secure tokens are almost unbreakable

        • TORFdot0@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          ·
          1 year ago

          You’re right. By most definitions of MFA biometrics would pass. A biometric is something you are, and the device is something you have. My comment is more for privacy zealous people, who are concerned that they could be compromised by governments without a “something you know” component.

    • Name is Optional@lemmy.world
      link
      fedilink
      English
      arrow-up
      17
      ·
      1 year ago

      In Doom I had to rip off a dudes arm to gain access to the security controls on core cooling shutdown. If you don’t want to lose an arm to stop a demon horde, you’re better off just using your girlfriend’s fingerprints

        • Name is Optional@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          ·
          1 year ago

          No… I get it totally. That why I know my girl’s worth my time, she’s willing to potentially give up her arm for me to still play DOOM 8 days a week

    • 0xD@infosec.pub
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      1
      ·
      edit-2
      1 year ago

      A username is not something “you are”, it’s something “you know”. Biometrics are not nearly the same as usernames.

      • Luci@lemmy.ca
        link
        fedilink
        English
        arrow-up
        5
        arrow-down
        4
        ·
        1 year ago

        A username is something you are. It’s you! You are 0xD.
        A password is something you know. A security key is something you have.

        When we interview security analysts you don’t get past the first round if you disagree.

        • feddylemmy@lemmy.world
          link
          fedilink
          English
          arrow-up
          8
          arrow-down
          1
          ·
          1 year ago

          If your interview involves telling me a username is “something you are” rather than “something you know”, I’m running away from that job as fast as I can.

          • Luci@lemmy.ca
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            5
            ·
            1 year ago

            Other people know your username.

            How hard is this?

            • Blueteamsecguy@infosec.pub
              link
              fedilink
              English
              arrow-up
              3
              arrow-down
              1
              ·
              1 year ago

              I guarantee you I know thousands of people’s passwords as well, I just don’t know the username associated.

            • sirfancy@lemmy.world
              link
              fedilink
              English
              arrow-up
              3
              arrow-down
              3
              ·
              1 year ago

              By this same logic, other people could know your fingerprint since it’s “something you are”. No, other people cannot know your fingerprint. It’s a complex mathematical equation to a computer. This is such a terrible take.

              Source: CASP+ certified.

        • 0xD@infosec.pub
          link
          fedilink
          English
          arrow-up
          6
          arrow-down
          2
          ·
          1 year ago

          No, this username is one of the names I’ve chosen for the accounts I use on lemmy. It does not identify me, it identifies the lemmy accounts that I just so happen to know the password for. I was just about to create an account with your username on another instance but meh, that’s too much work. Just imagine me having done that and think about what you just wrote.

          I would be vary of the people agreeing with you on something so basic yet so wrong.

          An authentication factor is a unique identifier that shows that you possess something that others don’t. Biometrics are something you are because your fingerprints, your retinas, or your DNA are (mostly) unique to you. A security key is something you have because unique cryptographic material is saved on the hardware device that cannot be replicated somewhere else (which is why many mobile authenticators really aren’t). And a password is something you know because… Bla bla bla.

          To be pedantic, a username is not a factor in this sense at all; It is an identifier for an account that you have to prove authorization for by presenting some kind of factor, sometimes multiple.

      • BorgDrone@lemmy.one
        link
        fedilink
        English
        arrow-up
        29
        arrow-down
        1
        ·
        edit-2
        1 year ago

        As with all things security, it depends entirely on your thread model and the value of what you’re trying to protect.

        Biometrics can be a much more secure option than using a PIN or password, depending in circumstances.

        For example: when I’m working on my laptop on the train or in a coffee shop and I need to log into some website I’d rather use my fingerprint to unlock the passkey than type in a password in a public place where I have no idea who is observing me entering my password.

        Same goes for paying with your phone, you can either enter your phone PIN in a crowded supermarket or you unlock with FaceID.

        Also, for phones, for a lot of people the alternative to biometrics wouldn’t be a PIN, it would be no authentication whatsoever. Biometrics lowers the barrier to having a form of authentication at all.

        • Saik0@lemmy.saik0.com
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          4
          ·
          1 year ago

          for a lot of people the alternative to biometrics

          Full password Android user representing here… It’s surprising how few people bother to even stop any amount of snooping on their phones. but I guess it’s only surprising in that I wished more from society in general.

        • seaQueue@lemmy.world
          link
          fedilink
          English
          arrow-up
          21
          arrow-down
          3
          ·
          1 year ago

          Biometrics can be spoofed, or the body part stolen in extreme cases.

          Also, in the US at least, biometrics aren’t protected by the same rights that allow you to not incriminate yourself. IIRC they’re considered a thing you have, which you can be compelled to surrender or use to unlock a device, vs something you know (like a password or pattern) which you can withhold if it would be incriminating. Check with a lawyer on this one, I haven’t paid attention to the case law here for a bit.

          • Squeak@lemmy.world
            link
            fedilink
            English
            arrow-up
            21
            arrow-down
            3
            ·
            edit-2
            1 year ago

            If someone is stealing my body parts, what they access on my devices is the least of my worries!

            • wmassingham@lemmy.world
              link
              fedilink
              English
              arrow-up
              5
              arrow-down
              1
              ·
              1 year ago

              They don’t have to be stolen. Imagine some clever thief drugging your drink, then when you’re incapacitated they take your phone and press your finger to it or hold it up to your face to unlock it, then transfer all your money out of Venmo or whatever money transfer app you have on your phone.

              • Squeak@lemmy.world
                link
                fedilink
                English
                arrow-up
                5
                arrow-down
                1
                ·
                1 year ago

                The comment I replied to said stolen, which is what I was getting at.

                There’s also nothing to stop someone watching over your shoulder to see your PIN for your phone/laptop. Nothing is infallible.

            • Imgonnatrythis@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              4
              ·
              1 year ago

              Really? Would be up there for me. Sucks to miss a finger or eyeball, but if they’ve also drained my bank account and my credit card - I’m going to be even more pissed for sure.

        • snooggums@kbin.social
          link
          fedilink
          arrow-up
          16
          arrow-down
          1
          ·
          edit-2
          1 year ago

          If it is low detail enough to consistently ‘work’, it isn’t complex enough to be better than something like a chip and pin approach.

          They are repeatedly bypassed with easy hacks like silly putty and photographs. People’s biometrics are not unchanging. Burned fingers, swollen eyes, and sore throats are things that can change enough to make biosecurity unreliable. That is before cold and heat and how they effect biological things!

          That is all before you take into account the fact that some people don’t have whatever is being used. Have fun using eye based biosecurity on someone with cataracts or is missing their eyes entirely due to injury or just being born without them fully developed. Or they have a physical issue that makes it hard for them to interact with the bio reader. Stephen Hawking needing to lean towards a mounted eye scanner would be impossible for example.

          So either you have mediocre security that allows for a lot of false positives to get through or you end up having to add a bypass system for when it fails, and now you have two ways that security can be defeated! A non-biological solution with two factor authentication of an item and a PIN or other knowledge piece is far more secure than biosecurity can ever be.

          So already insecure, but in addition to that anyone with physical access to the person can force them to do the biosecurity. Police are able to force someone to put their finger on their phone, or look at the screen for a face unlock. Maybe they aren’t legally able to, but it is a good example of not being secure.

        • TORFdot0@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          2
          ·
          1 year ago

          They aren’t 100% reliable and it has its’ challenges based on its implementation but I wouldn’t consider it fundamentally insecure. It’s as secure as a NFC token, TOTP, or a push notification as a form of authentication. It’s like birth control, no method is 100% safe and effective, but plain username and password auth is like pulling out, anything is better than that.

    • BearOfaTime@lemm.ee
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      2
      ·
      1 year ago

      Not on my Lenovo. Fingerprint reader requires a swipe, no print left behind.

      • atrielienz@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        ·
        1 year ago

        I have a lot of questions about what this guy thinks the rest of your device is covered in. Because spoiler, it’s fingerprints.

      • derpgon@programming.dev
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Mine does not work at all. I’d like to see the guy trying to take fingerprints for a few hours and realizing it won’t do shit lol.

    • MostlyHarmless@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      5
      ·
      1 year ago

      Biometrics are perfectly fine! We probably don’t even live in the same country, I’m not going to get a hold of your fingerprints.

      There seems to be a fundamental misunderstanding of what the biometrics actually do. The biometrics only unlock the device and give access to the security key. Once unlocked it’s exactly the same as using a yubikey, and far better than an authenticator app, as they use a crypto key, not a 6 digit number.

      • _s10e@feddit.de
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        1
        ·
        1 year ago

        Well

        The biometrics only unlock the device

        Yes

        and give access to the security key

        This is the goal, sure, but what does this actually mean on device that’s mostly governed by software?

        There’s a chip (like a yubikey) in the device that can hold cryptographic keys.

        That’s good because the key cannot (easily) be extracted from the device.

        That’s good as long as no one has physical access to your device.

        With physical access, you hope that the device’s unlock mechanism is reasonably secure. That’s biometrics OR password/pin.

        The ‘or’ is the problem. For practical reasons you don’t want exactly one method hard-wired. You have a fingerprint scanner (good enough), the secure element (good enough) and lots of hard- and software in between (tricky).

        I’m not against biometrics (to unlock a device) because it’s convinient and much better than not locking the device at all. I’m also not against device trust (which you need if you want to store crypto keys sonewhere without separate hardware), but the convience of a single-device solution (laptop or phone) comes with a risk.

        If an attacker can bypass the unlock method or trick you into unlocking or compromise the device, your secrets are at risk. Having the key stored in the secure enclave (and not in a regular file on the hard disk) prevents copying the key material, but it does not prevent using the key when the attacker has some control over the (unlocked) device.

        A yubikey is more secure because it’s tiny and you can carry it on your keychain. The same chip inside your laptop is more likely to fall into the hands of an attacker.