Another Step Toward a Password-Free Future

Originally published at: Another Step Toward a Password-Free Future - TidBITS

Apple, Google, and Microsoft have committed to expanding support for the FIDO Alliance’s passwordless login technology over the course of the coming year. With luck, we’ll see it in the next versions of Apple’s operating systems.

Perhaps I am mistaken, but I believe replacement technology for password logins already exists, for free, through Steve Gibson and GRC’s SQRL (pronounced Squirrel).

1 Like

Steve’s website for SQRL looks far too complicated for me. And, I don’t see macOS listed.
Apple’s development looks enticing but lots of us are still using keyboards and computers without faceid or fingerprint, so I guess that’s out too, at least for now.

1 Like

Passwords can be a pain, but touch can be fallible for some people. My wife was unable to record a usable fingerprint on a screen for an employer identification system, and required special processing. I don’t know the failure rate, but the technician said it was not zero.

Hope this is not too much of a tangent…

One thing that always made me feel a bit uneasy about biometrics is that it’s firmly tied to me. For one, it pretty much uniquely identifies me, but also, it cannot be revoked. User/pass can be complete anonymized garbage and I can still throw it away and redefine at any time should that become necessary (eg. a breach, leak, hack, etc.). My face or fingerprint I can neither redefine nor discard. However, would I be correct in assuming that as long as I stick with my M1’s TouchID and my A14’s FaceID, I don’t really need to worry about identification/revocation because the actual biometric information is held within Secure Enclave and that does not allow reading out the biometric information by anybody (or any software)?

3 Likes

My bank implemented some sort of hand scanner and we couldn’t easily get my hand scanned in. I told them to forget it and I’ll continue to give them paper deposit slips. Apparently it’s supposed to open my account for them from the other side of the counter.

Diane

I’ve always worried about false negatives and false positives with biometrics.

TouchID: What if your finger is missing or disfigured? Maybe I’ve watched too many scifi movies, but what about using a rubber fingertip impression?

FaceID: What about disfigurement? I don’t know what indicia FaceID uses, so I don’t know how it copes with injuries, eyeglasses, beards, masks, photos.

Some businesses I deal with have offered to let me authenticate myself using my voice. I’ve declined. Voice can be spoofed. And I don’t like samples of my voice being saved (which is why I don’t use Siri, Alexa, or Google).

And, expanding on something Simon said, if your account is hacked, you can’t very well change your fingerprint or face.

1 Like

I would hope there would also be support for something like a Yubikey. There still needs to be some way of authenticating if you don’t have a Mac, iPhone, or iPad.

Weren’t we supposed to have drones delivering packages by now? Touch ID was a huge failure for me, but it isn’t necessary. Biometrics can only work when it’s one of multiple ways of “logging in.” It’s good to have low expectations.

I vaguely recall reading somewhere that TouchID required a ‘living’ touch. A wax/rubber impression would fail and - as I understand it - so would cutting someone’s finger off to try and operate it.

I certainly don’t recall there being a date associated with that and never expected to see it here by now. My understanding is that the technology has been proven for some time now, but there’s a lot more to fielding such things that takes time. Making a business case for it is probably the biggest hurdle now, but I suspect there are still regulatory issues involved to allow it in all areas of the country. If you are actually interested in following its progress, here’s a recent summary: Drone Delivery: Benefits, Use Cases, & Retailer Examples.

As far as TouchID is concerned, it’s been working close to perfectly for me on both my iPhone 7 and 10.5" iPad Pro.

1 Like

Since my wife uses me a lot for support, I have set up her iPhone and iPad with Touch ID using one finger from me and one from her. She does not have any devices that use Face ID, so I have not tried that. I wonder if that is possible? (Currently I am out traveling, so I cannot test setting up an alternate Face ID with her.)

I doubt they’re storing a recording of your voice. More likely they’re running the recording through an audio analysis and storing the result. Kinda like a SHA-256 hash. It can’t be reversed into the original recording. When you subsequently use your voice as your password they run it through the same processing and compare the results.

I have no idea how reliable this really is. It requires trusting that whoever implemented this knows what they’re doing. We read stories weekly about companies’ security measures being anything but secure so I can certainly understand not wanting to participate on those grounds.

“If you’re wearing a face mask or potentially other face coverings, Face ID with a mask can analyze the unique characteristics around your eyes. When using Face ID with a mask, you can still use Face ID to authenticate apps, unlock your iPhone, and use Apple Pay.

This feature is available on iPhone 12 and later with iOS 15.4 and later.”

Of course Apple et al. are trying to get this universally implemented. It will require everyone to own a cell phone, which adds significant revenue. It also means that in order to use my computer, I will not be able to simply log in; I will have to associate a new cell phone with it. Not an overwhelmingly happy situation.

4 Likes

What will be done for accessing a deceased person’s online accounts? When my father died, I had all his usernames and passwords for his accounts to use to manage his estate. If access is tied to his body, how will estate trustees manage the legacy online holdings?

4 Likes

I am generally 10 years, maybe even 20, behind the curve. I don’t use fingerprints or face recognition or anything. I don’t take my phone with me everywhere I go, and I pay cash or, at the most, use a credit card. I wouldn’t give these “advances” a second thought if they weren’t so strict and undemocratic. There are already places that don’t accept cash, and for now I can ignore them and move on, but the prospect of being forced to use all these identifying one-way technologies is really alarming to me.

1 Like

It seems most here have misunderstood the significance of this development. Rather than you supplying a secret (e.g. a password) to the other party to identify yourself, you just give them a public key. It doesn’t matter if a hacker somehow obtains your public key because it’s useless without the corresponding private key, which always stays on your devices. That’s a big change because people traditionally have used weak passwords, and it eliminates the problem of having passwords stolen when a company’s systems are breached.

When your device needs access to the private key, that’s when Face ID, Touch ID, etc., come into play. On your phone, you’ll likely still be able to use your passcode to give access, just like the way Apple Pay works now, and on your Mac or PC, you’ll probably be able to use your password to unlock your keychain. Those are just implementation details.

Right now, I can use TouchID on my Mac to log in to Apple’s websites if I’m using Safari. If I’m using Brave or Firefox, I can’t. To get into my Fastmail account, I could use a Yubikey if I’m on Firefox or Brave but, until recently, I couldn’t with Safari. The current situation is a mess. Apple, Microsoft, and Google are hoping to make the more secure authentication method work seamlessly across systems, devices, and browsers so that people will actually use it.

The companies would be shooting themselves in the foot if they put in unnecessary obstacles which slowed adoption. I highly doubt Apple would require the use of FaceID or TouchID since that would be a showstopper for a lot of people.

4 Likes

I think you are missing that people do not like all the arm-twisting to adopt technologies that aren’t ready or right for them.

1 Like

What arm twisting?