this post was submitted on 22 Nov 2023
498 points (100.0% liked)
Technology
70285 readers
2917 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
im all for the something you have + something you are , pb&j relationship, but i dont think lathering biometrics on top is a good idea,far too many spy movies have shown Tom Cruise doing the MOST for pictures of eyeballs and fingerprints for me to ever trust this type of auth
The main issue with biometrics is that you can't change them. If your fingerprints or retina are compromised you're fucked.
Unless I meet you in person, I'm not going to get your biometrics. The point of these is to protect your accounts from the global Internet.
https://xkcd.com/538/
My point is that I'm not worried about the relatively few people who could steal my fingerprint. I'm worried about the millions of people around the world who will try to steal my passwords and access my online accounts.
If everyone secured their accounts with a biometrically secured security key, they would be far more secure than if they continue to just use a password.
Tgose who go around spreading misinformed FUD over biometrics ensure people who don't know better continue to use weak passwords.
Even if someone gets your fingerprints from the OPM breach still can't use them because they also need your phone. You are still protected from all of the hackers around the world.
https://support.microsoft.com/en-us/account-billing/how-to-go-passwordless-with-your-microsoft-account-674ce301-3574-4387-a93d-916751764c43
https://blog.google/technology/safety-security/the-beginning-of-the-end-of-the-password/
https://techcrunch.com/2022/09/12/apple-passkey/
Incorrect because your bio is not the password, the private key is. The private key is revocable. Your bio just unlocks your hardware key store and makes the private key accessible to the software.
This is what I mean when I say people do not understand biometric authentication.
Windows Hello didn't. The hardware wasn't implemented correctly allowing the authentication to be bypassed. You misunderstood the issue here
They sync the public key with iCloud, not the private key. You misunderstood how it works.
There is no "keys deep" there is a public/private key pair that authenticates a single device with a single account. You have misunderstood how a local key store works.
Which means someone trying to access my account requires physical access to my device. Passwords, no matter how strong leave you open to remote attack.
Open the authencator app and remove the account. Or uninstall the authenticator app. Or delete your local phone account. Or factory reset if you want to go nuclear.
Alternatively if you lost your phone, go to the account online. Browse to the security section and delete the device from the list. Most services have the ability to sign out remotely. All that's doing is revoking the key. The phone doesn't have to do anything. The fact you think something needs change in the "blob" shows you do not understand how encryption works.
Again physical access, not remote access. Much smaller attack vector than a password.
You think passwords take power from the company that stores your passwords remotely? You have no idea how they are storing that password. You don't have to trust the company, you just have to trust the open standard these companies are implementing and that public/private key encryption is the standard used to secure the entire Internet.
Virtually no one uses a password manager. It's too much hassle.
It doesn't need to be physical breach. If it's stored somewhere it can (and might) be accessed by someone else and reconstructed.
And still useless unless they also steal your phone. You are still safe from the hackers on the other side of the planet