• TORFdot0@lemmy.world
    link
    fedilink
    English
    arrow-up
    22
    ·
    1 year ago

    Better put would be stop using biometrics for single factor authentication. A token can be stolen, or a passcode/push notification can be phished/bypassed as easy as biometrics can.

    • MostlyHarmless@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      12
      arrow-down
      3
      ·
      1 year ago

      Biometrics are two factor, because you need the fingerprint and the device they unlock.

      You can’t use the device without the fingerprint and you can’t take someone’s fingerprint then use them from a different device.

      • _s10e@feddit.de
        link
        fedilink
        English
        arrow-up
        11
        arrow-down
        1
        ·
        1 year ago

        You are not wrong, but you we should understand what class of attacks we are protecting against. Will biometrics stop your maid from using your device? Probably less. Will it stop the FBI? Not so sure.

        Now, you may say, an FBI raid is not what you worry about on a daily basis. Agree.

        If you are trying to keep the photos on your device safe from snooping, your good. Attacker needs the device and your fingerprint.

        When we talk online accounts, I’d count device+fingerprint as one factor. Sure, the maid from the example above can’t login into your gmail without your fingerprint, but most attacks are online. Your device sends a token to gmail, a cookie, a String; that’s like a password. One factor.

        Technically, it’s slightly better than a password, because this token can be short-lived (although often it’s not), could be cryptographic signature to be used exactly once (although…), you cannot brute-force guess the token… But IF the token leaks, the attacker has full access (or enough to cause damage).

        That’s why I would suggest an independent second factor, such as password. Yes, a password. Not for your daily routine (biometrics+device is much better), but maybe for high-risk operations.

        • barsoap@lemm.ee
          link
          fedilink
          English
          arrow-up
          9
          ·
          edit-2
          1 year ago

          Will biometrics stop your maid from using your device? Probably less. Will it stop the FBI? Not so sure.

          A sufficiently motivated maid will be able to do it. The FBI eats that kind of stuff for breakfast.

          Once upon a time, the then German minister of the interior wanted to collect all kinds of biometric data, in passports, in fully connected databases, whatnot. The CCC went ahead and swiped his print off a glass at a reception and published a DIY version to impersonate him in their magazine. Fingerprint authorisation is the security equivalent of a sticky note with your password on your coffee mug.

          The good news? You can use ordinary gloves, no need for tinfoil.

        • MostlyHarmless@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          5
          arrow-down
          1
          ·
          edit-2
          1 year ago

          No, wrong. Still two factor because your fingerprint plus your device.

          These authentication methods aren’t as simple as the two factor Google Authenticator 6 digit number. They are cryptographically secure keys. Even if someone finds out what the token is, they still cannot send a valid request because they cannot generate a digitally signed request using the private key locked in your device’s hardware, unlocked by your biometrics.

          Passwords are inherently insecure and relatively easy to break. Digital signatures and secure tokens are almost unbreakable

      • TORFdot0@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        You’re right. By most definitions of MFA biometrics would pass. A biometric is something you are, and the device is something you have. My comment is more for privacy zealous people, who are concerned that they could be compromised by governments without a “something you know” component.