Around 2014, I read a security researcher's article stating that biometrics should be used as an identifier at best, but never as a password.
“You can change a password, but you cannot change your fingerprint”.
From that day on, I’ve never used a biometrics system as authentication.
With an increasing use of biometrics on phones, should I think differently in 2022?
> a security researcher's article stating that biometrics should be used as an identifier at best, but never as a password
Blanket statements like that are never true. It's usually about threat modelling, i.e. build your defences according to who might want to access your stuff and what are their capabilities.
Why? Because you will have to target a balance between convenience and security. If you don't use biometrics you might end up having "QWERT1234" as a password to compensate for the loss of convenience.
Even if you have a strong password and you are ready to give up some convenience, you also risk a false sense of security. Your password might be strong but there are many ways to extract passwords. As a result you might want to switch to certificates - which are convenient and secure to use, but now you are responsible for their upkeep, or you might lose access to the systems when you lose your certificate. Also, you might think that certs are super secure, but just yesterday it was revealed that there's a way to extract certificates from Intel and AMD machines through an attack called Hertzbleed.
Hmm, maybe you need something even more secure. How about an air gap? If your device doesn't have a network connection, you must be 100% protected, right? Wrong, there are multiple demonstrations of extracting information through sound, magnetic forces and light.
100% security is impossible; better choose the right kind for you.
Don't use biometrics as a password if your threat model includes: a person cloning your fingerprint from a glass you left at a bar, manufacturing a fake fingerprint from it and getting physical access to your device to unlock it.
Otherwise, for most people it's probably better than easy-to-guess passwords or not using a password at all. Especially if it's annoying to type every time (iPhone passkey). Many people didn't use a passkey before; since there's Touch ID or Face ID, everyone uses something, and it's better against a random thief than nothing at all.
The threat model of sudo is a little different. You already have authenticated access and sudo is requesting elevated access. Even a static button on the computer would provide benefit since it alerts the user a program is attempting to obtain elevated privileges.
For comparison, Windows default configuration is a yes/no dialog (UAC).
If an attacker had unelevated access they probably stand a pretty good chance of getting elevated access on a workstation anyway (replacing files, putting a shim in front of sudo, stealing SSH keys, access tokens, cookies, etc), if the regular user has those privileges.
I think this depends a lot on your threat model. (specifically referring to phones/mobile devices)
If you're at all concerned about being targeted, this is a very valid concern. On the other hand, I think using fingerprints/biometrics is "good enough" to prevent non-targeted attacks (theft, lost device) from retrieving sensitive info, and is far better than no password or a short numeric PIN.
Obviously, using a rotating alpha-numeric-symbol password is more secure, but unless you only very sporadically use your mobile device, it is pretty inconvenient.
(of course, it'd probably be best to use MFA here and have a PIN code along with biometrics, but I'm not aware of any consumer devices like that)
Biometrics are not being used as a password directly. They are typically used as an identifier to unlock the secrets store on the device and then retrieve an access token (which has previously been obtained via username/password authorisation).
The biometric information never leaves the device.
Touch ID isn't really biometric authentication. It is hardware token authentication, and that hardware token is unlocked via biometrics. The end application then authenticates with the hardware token. It works similarly to a Yubikey Bio Series token. It is actually an additional layer of protection over what you'd have with most physical hardware tokens, which can be used by anyone who possesses them.
While you can't change your fingerprint, you can change which token is registered with the end application, so that concern is mitigated.
Short answer is all that advice is obsolete. Biometrics as used by secure enclaves have tradeoffs which are unrelated to the (again, obsolete) practice of storing biometrics as authentication per se.
The secure enclave holds the biometrics; these are used to generate ordinary key pairs, which are revocable.
If you have a device like this, try it! Register a finger, then un-register the finger: congrats, you've changed your fingerprint.
Every time you type a password or PIN code into your phone in a public place, it’s trivial for someone to see what it is over your shoulder. It’s doable for keyboards too, though not quite as easy.
They can’t see it if you use your fingerprint or FaceID.
That’s actually a security improvement for some threat models.
I see Touch ID for sudo as the equivalent of 2FA. I am on my computer, I'm logged in to the account that has admin permissions, but we want to confirm that it's me and not someone else that is logged in to my account, so Touch ID for sudo acts as a 2FA.
There is certainly merit to this line of thinking, however that is the scenario where the password is literally the hash of the fingerprint or facial read - this is a use case that's closer to a login name rather than a password.
To use touchid/faceid as an example:
- it requires that the password was recently entered
- it's not the password, but a means of accessing a temporary token
- that token is easily purged from memory by triggering SOS or failing touchid/faceid repeatedly
- a range of conditions will also automatically purge the token, such as usage that doesn't match the user's behaviour, unusual movement such as scuffles, certain combinations of location/time/movement, and of course not being used for several hours (this also seems to vary based on certain conditions.)
In this sense a biometric read can provide a useful level of security for most scenarios and definitely better than entering a 4-digit pin repeatedly, and infinitely better than gestural passwords which are comically easy to guess.
For secure applications it's not useful, nor is a 4 or 6 digit pin, but such implementations also engage a range of security enhancements such as internet/voip via an encrypted VPN, locked down device profiles, limited access to networks and so-on. Sometimes the discussion about biometric data use in authentication tends to over-borrow from this level of security need.
When fingerprint readers were first starting to appear in Thinkpads, I enabled it so I could log in. I was demo'ing it to a co-worker who said "what's to keep someone from cutting your finger off to log in". I responded "if we've reached the point that they are willing to cut off my finger, I'm going to give them my password".
They continue to be correct; the major difference when it comes to phones is that you're constantly typing a number in plain view of everyone around you.
So you're making a tradeoff and with phones it works out slightly better if you unlock with biometrics most of the time; but you should know the five clicks method for disabling the biometric unlock temporarily.
I'm not sure whether this applies to sudo, but for device access, a biometric like a fingerprint is neither an identifier nor a password. It is closer to a session key. In any fingerprint system I have used, you must log in with a username and password, then you have a session of access. The fingerprint can extend that session for some hours or days. Eventually the session rules require you to log in again. Without having a recent session, your fingerprint does not provide access.
Yes, like any session-based access, it is a compromise between convenience and security. For frequent usage like phone access, I feel like it is a reasonable compromise.
My phone (Android) doesn't let me use the fingerprint forever - every once in a while I have to enter the passcode. And on boot-up of course I have to enter the passcode. So while my passcode is quite long (and secure), the fingerprint adds a ton of convenience.
I think this is a good compromise - at worst if I were to lose the device and someone were to cut off my finger at best it would only work for a few days. But that scenario seems quite rare.
Being able to change a credential only matters if it's a clonable credential like a key or a password. Assuming whatever device you're using is able to distinguish between the real thing and a copy, it doesn't matter if your fingerprint/face/iris... is "compromised", so there's no need to change it. That is, however, an assumption that has been made many times in the past and proven untrue.
I could agree, on the other hand though it would become very hard hiding your true identity if you were using a thumbprint to identify yourself, not to mention the ability to have multiple unlinked accounts, or signing in with someone else’s account (eg your children or your partner’s) on the same service.
One advantage of Touch ID/Face ID for me is that I can use a long, strong passphrase on my phone - one much longer than I otherwise would if I had to use it to unlock every time. The passphrase is still required for highly sensitive stuff like keychain access and turning off Find My.
For me this is not the reason you should be careful using fingerprints for security. I don't use Touch ID because I'm concerned that if I'm ever arrested, the police could a) force me to unlock it, b) unlock it while I sleep. The same goes for people I sleep in the same room as.
I think it's silly to have a security measure that can be passed while you're not even conscious.
I'd tend to agree, to be honest. Consider this: a group of thieves jump you and pin you down; they want to perform a banking transaction on your phone. They grab your hand, extend your finger and press it against the phone's sensor. They're in. On some mobile banking apps, they can perform the same.
The use of a password only known to you cannot be physically taken from you as your mind controls that authentication mechanism.
Speaking from personal experience, don't do this on a machine you'll ever access remotely, because then you're stuck waiting for the biometric check to time out before you can authenticate via another method.
I love using sudo with Touch ID and have been using this trick for years. The only inconvenience is that the PAM configuration always gets reverted by OS updates.
It will ask for smart card first but if a smart card is unavailable or authentication fails the touch mechanism will be requested. If you invert those parameters the order also gets changed.
But one annoyance is that on macOS Monterey, the authentication pop-up dialog doesn't have focus when it appears. You first need to click on it before you can use Touch ID. That slows the whole process down to the point where it's probably just quicker and easier to use your password.
Is there any way to make the pop-up automatically get focus, or is that itself a security risk somehow?
(Side note: the same module enables authentication by Apple Watch too! But again, having to take your hands off the keyboard to tap the Apple Watch to approve the request slows down the process so much that it's hardly worth it)
> on macOS Monterey, the authentication pop-up dialog doesn't have focus when it appears
Good.
Focus has really become a problem on Macs.
When I switched from Windows to Macs, programs were not allowed to steal focus from what you were doing. To me, it was an amazing thing to not be interrupted for every little piddly thing that some background process deemed to be the most important thing in the world. I was so much more productive when I wasn't being constantly interrupted, as I was in Windows.
Then, not too long after Snow Leopard, that changed. Programs here and there started asserting themselves. Now it's like Windows days, and it's awful.
Even Apple is guilty of this. A few days a week, I plug in four encrypted drives. It takes about five minutes for them to mount, so I go work on other things. I'll be happily typing away at something, and then suddenly find what I'm writing is being typed into the password field to unlock one of the drives.
Finder — perpetually awful — can't even keep focus on itself in the middle of some tasks. Even on a brand new M1 machine, 90% of the time, when I Shift-Command-N to create a new folder, focus will land in some random window or pane. The new folder was created, but it's just "untitled folder" all by itself, because Finder decided to go scratch its butt. Or sometimes the name of the folder is the first few characters I wanted it to be, because in the middle of typing the name, Finder switched focus to something else. Or when I switch to some other program, and then switch back to Finder a good percentage of the time, I find out that none of the windows are in focus, and none of them are focusable with Command-~ at all. So, I have to go back to the trackpad to select the right window. The window I was using twelve seconds ago, the last time I was using Finder.
I think allowing any pop-up to demand focus is a serious security flaw. I've sometimes found myself typing a password into a browser, or a word processor, because they've decided that they are the most important thing in my life at that moment.
For people complaining that this gets reset by macOS updates, I think this should work (I haven't tested this on macOS, but it works for me on Arch Linux):
1. Copy /etc/pam.d/sudo to /etc/pam.d/customsudo and add "auth sufficient pam_tid.so" to that file instead.
2. Create the directory /etc/sudoers.d/ if it does not exist
3. Create the file /etc/sudoers.d/customtouchid with the following content:
Defaults pam_service=customsudo
You may need to set the right permissions on /etc/sudoers.d/customtouchid before sudo will accept it.
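The three steps above as one script, added here as an example (it is not pxeger1's code or anything else from the thread). It writes the files under a prefix directory so the result can be rehearsed in a scratch tree before being run as root with PREFIX=/ on a real Mac; it assumes the stock service file exists at PREFIX/etc/pam.d/sudo and that the system's sudoers already includes the sudoers.d directory. The pam_tid.so line goes ahead of the other auth modules, since a "sufficient" module only ends the auth stack early if it runs before the password module, and the 0440 mode on the drop-in is what sudo expects for sudoers files.

```shell
#!/bin/sh
# Added example, not code from the thread: the three steps above as one script.
# Everything is written under a PREFIX directory so the result can be checked in
# a scratch tree first; run it with PREFIX=/ as root to apply it for real.
# Assumptions: the stock service file exists at PREFIX/etc/pam.d/sudo and the
# system's sudoers already includes PREFIX/etc/sudoers.d.
set -eu

PAM_TID_LINE='auth       sufficient     pam_tid.so'

# install_touchid_pam PREFIX
install_touchid_pam() {
    prefix=$1
    pam_src="$prefix/etc/pam.d/sudo"
    pam_dst="$prefix/etc/pam.d/customsudo"
    sudoers_dir="$prefix/etc/sudoers.d"
    sudoers_file="$sudoers_dir/customtouchid"

    [ -f "$pam_src" ] || { echo "missing $pam_src" >&2; return 1; }

    # Step 1: copy the stock service under a new name with pam_tid.so inserted
    # ahead of the other auth modules. Position matters: a "sufficient" module
    # only short-circuits the stack when it runs before the password module;
    # placed after it, the password prompt still appears first (the smart card
    # ordering observation in the thread is the same effect). Any existing
    # pam_tid.so line is dropped first so re-running the script does not
    # duplicate it. The stock file itself is never modified, which is the
    # point: an OS update that rewrites /etc/pam.d/sudo knows nothing about
    # customsudo, so the custom service survives the update.
    awk -v tid="$PAM_TID_LINE" '
        !done && $1 == "auth" { print tid; done = 1 }
        $0 !~ /pam_tid\.so/   { print }
        END { if (!done) print tid }
    ' "$pam_src" > "$pam_dst"
    chmod 0644 "$pam_dst"

    # Steps 2 and 3: a sudoers.d drop-in that selects the custom PAM service.
    # sudo ignores drop-ins whose name contains "." or "~" and refuses any that
    # are writable by group or others; 0440 is the mode visudo expects.
    mkdir -p "$sudoers_dir"
    chmod 0755 "$sudoers_dir"
    printf 'Defaults pam_service=customsudo\n' > "$sudoers_file"
    chmod 0440 "$sudoers_file"
    echo "wrote $pam_dst and $sudoers_file; check with: visudo -cf $sudoers_file"
}

# touchid_configured PREFIX: true when the first auth line of the custom
# service is pam_tid.so and the drop-in points sudo at that service.
touchid_configured() {
    prefix=$1
    first_auth=$(awk '$1 == "auth" { print $3; exit }' \
        "$prefix/etc/pam.d/customsudo" 2>/dev/null || true)
    [ "$first_auth" = "pam_tid.so" ] &&
        grep -qx 'Defaults pam_service=customsudo' \
            "$prefix/etc/sudoers.d/customtouchid" 2>/dev/null
}
```

Running `visudo -cf /etc/sudoers.d/customtouchid` afterwards is the check worth keeping: a drop-in with a syntax error or the wrong mode is silently skipped by sudo, which would leave sudo on the stock service and the password prompt.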
I lock my computer when not near it. If my computer is breached, having user level access of the one account permitted sudo is pretty much Crown Jewels. If you really wanted to privesc you could sniff X11 keystrokes or back door bashrc, but either way even user level access screws me so whatever do what you want after that.
Does anyone know why Apple doesn’t make this standard? I’ve been using this on and off for many years and only stop because I get frustrated after an OS update reverts it. Are there licensing/security/compatibility reasons this may be the case? Seems like an easy fix.
For some reason, this only seems to accepts my Apple Watch as authentication, but not the fingerprint sensor... any idea why? (fingerprint works to authenticate in System Preferences, etc.)
The iTerm 2 password manager is a close, no-hacks-required solution that's slightly more involved, but not all that much - add your password and on the sudo prompt hit cmd+shift+f, Touch ID and enter.
The touch id part is once per iterm session so overall it's not too bad and reasonably secure as it uses built-in keychain to store passwords I think.
I think there is a filesystem extended attribute that marks that file as part of the rootless system. If you exclude that attribute it might prevent it from being overwritten. I haven't tested it though.
This is what I'm trying to do but under Windows and Debian + preferably with a mechanical keyboard. Well the mechanical keyboard w/ fingerprint reader is the bigger ask cause there aren't many choices. There is a decently good one with Cherry MX switches from Taiwan but pretty much impossible to order one to Europe (they sell their other keyboards but not the one with fingerprint reader) https://www.i-rocks.com/web/product/product_in.jsp?pd_no=PD1...
zitterbewegung | 3 years ago
When you reboot a Mac you have to type in the password to login still.
The easiest way to authenticate to a Mac is actually your Apple Watch.
jw1224 | 3 years ago
I’ve never understood this argument.
I could just as easily say “someone else can use your password, but they cannot use your fingerprint”.
yuriyguts | 3 years ago
I wrote a small tool to mitigate this by configuring PAM on system startup: https://github.com/YuriyGuts/persistent-touch-id-sudo
hsbauauvhabzb | 3 years ago
As a result, I just enable passwordless sudo.
paulcole | 3 years ago
Spoiler alert: Essentially nobody’s threat model includes that.
fastball | 3 years ago
[1] https://akrabat.com/add-apple-watch-authentication-to-sudo/
Reason077 | 3 years ago
No need for the third party pam module!
willis936 | 3 years ago
https://github.com/nullpo-head/WSL-Hello-sudo
zakk | 3 years ago
Is there a permanent solution, that does not involve cron scripts or other hacks?