item 32327206

37 | 3 years ago

>Passkeys use Touch ID or Face ID for biometric verification

I was under the impression it was very poor security to use something like a face or fingerprint as a password... Okay for a username, but should be avoided at all costs for passwords.

BeefWellington|3 years ago

There have been a few DEF CON talks about the security of biometrics but the most recent probably gives the best demos IMO.[1]

[1]: https://www.youtube.com/watch?v=hJ35ApLKpN4

herbturbo|3 years ago

Interesting, but in the Apple case you'd need a cast of your intended victim's face or finger to even attempt this attack.

It's easy to use a mask (or occlusion) to prevent a system from detecting your real face, but spoofing a specific person's face is a much bigger task. Any decent modern face rec system is going to use liveness detection as part of its analysis.

paulryanrogers|3 years ago

Yes, for legal and practical reasons: you can be compelled to unlock biometrically and cannot change biometrics when the server side leaks.

wahern|3 years ago

At least for Apple's system, biometrics aren't used server-side. Biometrics are used to authenticate to the local system (e.g. your laptop or phone) and authorize use of a local private ECC key for further authentication to other services. The T2 secure enclave mediates all of this. The private ECC key never leaves the T2 chip. Biometric data is never stored unencrypted outside the T2, although, like a password, it may be susceptible to capture when input. (The fingerprint scanner might be hooked up directly to the T2 chip, though, in which case attackers would need to resort to more direct methods for capturing fingerprints.)

anonuser123456|3 years ago

The biometric authorizes the use of a key stored in secure enclave. The biometric is not used as a key.

isitmadeofglass|3 years ago

It’s not using Touch ID or Face ID as the password. That’s just to access your phone, and the proof of ownership of the private key is the “password”.

If you prefer a PIN or password to protect your phone you can use that instead.
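The model wahern, anonuser123456 and isitmadeofglass describe (biometric match gates use of a local ECC key; the relying party only ever holds the public key and checks a signed challenge) as an added toy example in Go, not code from the thread or from Apple. The `Enclave`, `Unlock`, `Sign` and `Verify` names are invented for illustration; a real Secure Enclave and WebAuthn add attestation, origin binding and counters that this sketch omits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Enclave stands in for the secure element: the key is created inside and never returned.
type Enclave struct {
	priv       *ecdsa.PrivateKey
	authorized bool
}

func NewEnclave() *Enclave {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no usable entropy: better no key than a weak one
	}
	return &Enclave{priv: k}
}

// PublicKey is all a relying party ever receives (at registration).
func (e *Enclave) PublicKey() *ecdsa.PublicKey { return &e.priv.PublicKey }
// Unlock carries the Touch ID / Face ID verdict: a one-shot flag, never key material.
func (e *Enclave) Unlock(matched bool) { e.authorized = matched }
// Sign answers a challenge only if the user was just verified, then re-locks.
func (e *Enclave) Sign(challenge []byte) ([]byte, error) {
	if !e.authorized {
		return nil, fmt.Errorf("user verification required")
	}
	e.authorized = false
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, e.priv, h[:])
}
// Verify is the entire server-side check: public key, fresh nonce, signature.
func Verify(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	e, nonce := NewEnclave(), make([]byte, 32) // nonce: relying party's fresh per-login challenge
	rand.Read(nonce)
	e.Unlock(true) // sensor reported a match; without this, Sign refuses
	sig, _ := e.Sign(nonce)
	fmt.Println("assertion valid:", Verify(e.PublicKey(), nonce, sig))
}
```

Nothing biometric crosses the wire or sits in the relying party's database, which is why a server-side leak costs the public key at most and why the biometric can be swapped for a PIN without touching the credential.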