You don't seem to be aware of what is under discussion here. You just raised a huge strawman.
Websites are not receiving your biometrics in this context, and your biometrics would be meaningless to the website if captured and somehow provided.
Your biometric signature is stored solely inside the Secure Enclave in the Apple device.
If and only if the Secure Enclave recognizes you via your biometrics will the Enclave use a non-transferrable key stored only in the Enclave to attest to the website that you are the user "JoeAltmaier".
- The key is secret.
- The key is kept in only one place.
- The key can easily be discarded and a new one made.
- The key is never given to anything outside of the Enclave, so... I'm not sure how it could be traced to you, besides the whole fact that it is being used to authenticate you, which is necessary.
Sounds pretty acceptable to me as a password. The usability issue here is that a website needs to be able to accept a different password from each device you own, since the password is non-transferrable, and you might accidentally drop your iPhone to the bottom of the ocean.
Good news: FIDO2 is an entire standard built around this concept, originally intended for use on YubiKeys and similar FIDO2-compliant USB sticks.
Apple is building an implementation of FIDO2 that uses the iPhone that's already in the person's hand.
If the Secure Enclave is compromised (which does happen sometimes), then Bad Things could happen... but that's also what happens when a password manager tool is compromised.
All that's well and good until companies start implementing their own FaceID then forcing you to use it [0] on the back of trusting Apple, even CALLING it the same thing.
This app linked above (my bank) contains NONE of the security you've mentioned above.
And, incidentally, for me, biometrics STILL fail every test that matters to me: If I am dead, a bad actor can still gain access to my accounts. With a password, they cannot.
> This app linked above (my bank) contains NONE of the security you've mentioned above.
This misunderstanding is where you went wrong: your bank doesn’t have a choice about this. If they use FaceID, they don’t have a choice about implementing that - the app can ask it to perform the public-key authentication operation but there’s no way for the developer to choose to weaken the security of the system.
Similarly, you should read up about how these systems incorporate liveness checks. A dead body will not pass those and, if you weren’t aware, Apple’s implementation requires a password after a reboot or a small number of failed tries. It’s presumably possible for a well-resourced attacker to bypass those but you’d have to think about how much more vulnerable you are if you use only a password which is much easier for an attacker with that level of resources to capture. If you’re worried about Tom Cruise recording a mask from your still-cooling body, think about how much easier it’d be to get a camera to record you entering it - which you do a lot more in public if you don’t use biometrics - and how trivially this could be done without your knowledge.
I think you misunderstood (but I appreciate your reply)
This bank is NOT using FaceID, they invented their own version and are calling it the same thing. Your picture goes to their servers. Who knows what happens after that. And they're piggybacking on Apple's trust where FaceID is concerned in order to do it.
They are not the only company I have seen do this.
That's sophistry. The fact is, the laptop is 'secured' by biometrics, which can be spoofed. Having a key-to-the-key is not safe if the biometrics are not safe.
It is not sophistry, and sophistry is not a word I've ever seen used in a genuine conversation, so I immediately doubt your sincerity in this conversation.
If someone wants to fake biometrics on an iPhone, they have a very limited window of time to do so, and the user can lock out the biometrics in less than 3 seconds just by "squeezing" the phone. (power button + either volume key, 2 seconds later the biometrics are locked out.)
It's much harder to fake the biometrics in that very brief window of time (maximum 48 hours) than it is to shoulder surf a password.
Unless your threat model includes State Level Actors, biometric bypass is a very remote concern.
If your threat model includes State Level Actors, you're probably screwed either way, since they can easily afford to shoulder surf you.
For everyone else, the main concern is that someone not physically present will manage to acquire your password and log into your services. Passwords suck at this threat model. FIDO2 makes this scenario impossible without that remote person managing to execute a Secure Enclave 0day on your personal device... and even then, it's still way harder than acquiring your password. Not even the website you're authenticating against receives your FIDO2 key... websites always receive your password, which is awful for security.
Sure it was - sophistry is pretending an issue is simple by (deliberately) ignoring alternatives.
If biometrics are fallible, it matters zero how secure the digital system behind it is. That's obvious, and a comment belaboring the digital security is beside the point.
As for how hard to spoof, just google it. There are dozens of folks with techniques and hacks right now. It'll only get worse.
You are the one using sophistry, if anyone is using it. You are completely (and willfully!) ignoring how vulnerable passwords are in any threat model that invalidates a FIDO2 implementation of Face ID. No threat model invalidates the security of Face ID for the Web without similarly invalidating passwords. At least, you have chosen not to present such a threat model, which would help my (apparent) failure of imagination.
You cannot protect your passwords from someone who would physically take your iPhone before you can lock it and who would have a life-size reconstruction of your face ready and waiting. Such a person could shoulder surf your passwords with far less effort, or compromise one of the dozens of websites the average user re-uses their passwords on. At a certain point, the person in this threat model will just pull out a wrench and beat you with it until you help them get into your account. https://xkcd.com/538/
If you can show how some random person on the other side of the internet having your fingerprint helps them get into a website using your account... that would be interesting discussion. As it is, they must have physical access to your device. Your biometrics are useless without physical access and rapid action, since the biometrics quickly become useless as the device falls into a state that requires the user's passcode.
You're completely ignoring everything I actually said in my comments, so I'm done here.
Corroborating your point: Safari on iPhone will autofill passwords with just a biometric, so if you have an unlocked iPhone and a clone of the user's biometric, you can access websites and potentially even change their passwords. If it's timed out or the user deliberately disabled the biometric, then you will need the passcode to be able to access anything.
That's you not understanding the security model, not sophistry. The application is granting access based on a public-key exchange, with the key stored in a hardware store which cannot be retrieved even in the event of a system-level compromise[1]. The remote application does not see the biometric data or even know that it was involved in the process.
It's also important to note that this does not mean anyone who grabs a laptop gets access to everything. The device still uses a password to unlock — you're forced to enter the password on boot before you can use biometrics later — and someone who stole an unlocked laptop could, for most users, have auto-fill supply the passwords _except_ on devices with biometrics which usually require that check every time (as iOS users have been reminded in this year of mask wearing).
So let's walk through some common threats:
1. Password re-use: a major source of compromises, blocked by this system
2. Phishing: a major source of compromises, completely blocked by this system
3. Compromised email: also popular, blocked by this system except for the services which allow email-based MFA resets, in which case it'd be the same as a password.
4. Local system compromise (user or root-level): passwords are vulnerable, biometrics present a barrier when the attacker can't just do something like reuse the credentials stored in your browser's cookie store. Biometric data and FIDO keys cannot be extracted.
5. Stolen device, locked: both are probably secure as long as you don't have your password taped on the keyboard
6. Stolen device, unlocked: passwords are vulnerable if you have a password manager which doesn't require e.g. FaceID checks (which is what Safari does on supported devices), FIDO MFA is not usable if Touch ID or Face ID is configured. Biometric data and FIDO keys cannot be extracted.
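The flow the thread keeps circling back to (a per-device key that never leaves the enclave, a website that only ever sees a signed challenge, and the threat list just above) can be made concrete. The following Go program is an added example written for this page, not code from any commenter, Apple, or the FIDO Alliance. It is a simplified model, not a WebAuthn implementation: Ed25519 stands in for whatever algorithm a real authenticator uses, the origin binding is reduced to hashing the relying-party ID with the challenge (real WebAuthn signs structured client and authenticator data), the biometric match is modelled as a `biometricOK` flag, and the `Authenticator`, `RelyingParty`, `Assertion` names plus `bank.example`, `bank-example.test` and `JoeAltmaier` are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator stands in for one device's Secure Enclave: one key pair per site, the private
// half never exported. Real hardware gates signing on a biometric match; here that is the constructed biometricOK flag.
type Authenticator map[string]ed25519.PrivateKey // relying-party ID -> private key
// Register mints a fresh key pair for rpID and hands out only the public key.
func (a Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a[rpID] = priv
	return pub
}

// Assertion is all the site ever receives: challenge, the origin the device believed it spoke to, a signature. No biometric data.
type Assertion struct {
	RPID      string
	Challenge []byte
	Signature []byte
}
// signedData binds the challenge to the origin so a signature for one site cannot be relayed to another.
func signedData(rpID string, challenge []byte) []byte {
	sum := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return sum[:]
}
// Assert signs for the origin the device actually sees, only after a biometric match and only if a credential exists for it.
func (a Authenticator) Assert(rpID string, challenge []byte, biometricOK bool) (*Assertion, bool) {
	priv, ok := a[rpID]
	if !biometricOK || !ok {
		return nil, false // nothing leaves the device
	}
	sig := ed25519.Sign(priv, signedData(rpID, challenge))
	return &Assertion{RPID: rpID, Challenge: challenge, Signature: sig}, true
}

// RelyingParty is the site: public keys only, one per registered device, so a lost phone means revoking one key.
type RelyingParty struct {
	ID    string
	users map[string]map[string]ed25519.PublicKey // user -> set of device public keys
}
func (rp *RelyingParty) AddDevice(user string, pub ed25519.PublicKey) {
	if rp.users[user] == nil {
		rp.users[user] = map[string]ed25519.PublicKey{}
	}
	rp.users[user][string(pub)] = pub
}
func (rp *RelyingParty) RevokeDevice(user string, pub ed25519.PublicKey) { delete(rp.users[user], string(pub)) }
// NewChallenge is a fresh random nonce, so every login round is distinct.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}
// Verify accepts only an assertion that names this site, echoes the issued challenge and is signed by a registered device key.
func (rp *RelyingParty) Verify(user string, challenge []byte, as *Assertion) bool {
	if as == nil || as.RPID != rp.ID || string(as.Challenge) != string(challenge) {
		return false
	}
	for _, pub := range rp.users[user] {
		if ed25519.Verify(pub, signedData(rp.ID, challenge), as.Signature) {
			return true
		}
	}
	return false
}

// Scenarios runs the threats listed above against the model and reports which logins the bank accepts. All names are constructed.
func Scenarios() map[string]bool {
	bank := &RelyingParty{ID: "bank.example", users: map[string]map[string]ed25519.PublicKey{}}
	phone, laptop, user := Authenticator{}, Authenticator{}, "JoeAltmaier"
	phonePub := phone.Register(bank.ID)
	bank.AddDevice(user, phonePub)
	bank.AddDevice(user, laptop.Register(bank.ID))
	// login runs one challenge/response round and reports whether the bank accepts it.
	login := func(dev Authenticator, origin string, biometricOK bool) bool {
		c := bank.NewChallenge()
		as, _ := dev.Assert(origin, c, biometricOK)
		return bank.Verify(user, c, as)
	}
	out := map[string]bool{}
	out["phone login"] = login(phone, bank.ID, true) // normal login from the phone
	// Phishing: user enrolled at a look-alike origin that relays the bank's real challenge; the signature is bound to that origin.
	phone.Register("bank-example.test")
	out["phished assertion relayed to bank"] = login(phone, "bank-example.test", true)
	out["thief without biometric match"] = login(phone, bank.ID, false) // stolen phone, face does not match
	bank.RevokeDevice(user, phonePub) // phone lost: drop its key at the bank; the laptop keeps working
	out["revoked phone"] = login(phone, bank.ID, true)
	out["laptop after revoking phone"] = login(laptop, bank.ID, true)
	return out
}

func main() { fmt.Println(Scenarios()) }
```

Two design points carry the thread's argument: the bank's data store holds nothing a breach could turn into a login elsewhere (public keys are useless without the matching enclave), and because the signature covers the origin the device actually saw, a relayed challenge from a look-alike site fails even when the user was fooled into enrolling there.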
You're missing the point of biometrics. Something you are is a form of authentication that only you can use. Your face, fingerprints, blood, retinas are all public but try as you might you can't make another living human with the same features.
If your view of fingerprint auth is "a picture of your face is the password" then of course it sounds stupid. It's actually "a face with the correct features attached to an alive human" which is much harder to fake.
The whole point of biometric auth and all the advancements in the industry are about correctly identifying alive humans and the strength of any system that uses biometrics is directly related to that. You can say current systems aren't good enough at this yet for your personal threat models but it's real security, and beats the hell out of a 4/5 digit lock screen passcode.
That's trivially refutable. Fingerprints are left everywhere, and can be lifted and reproduced with common household substances (tape, glue etc). A face can be photographed, printed and presented trivially.
And so far, biometrics falls far short of a 4/5 digit lock passcode. The entropy in most fingerprint sensors is a few bits. They are famously defeatable.
Nothing will change the fact that you cannot keep your face and fingerprints secret, cannot/won't change them, and they are always, always traceable to you. Using them to secure a 'better' key is not security at all.
You need to learn how these systems work before commenting further. First, you're wrong about the current biometric systems' sensor design — Touch ID and Face ID are not simple single frame cameras[1] so while spoofing is not impossible it's nowhere near as easy as you're claiming — and, more importantly, you're missing that the biometric is used to authenticate to the local device, not the remote service. If someone steals your phone, as soon as it's removed from your account the attacker has no access or way to gain access to your resources and they also do not have a copy of your biometric data. If I do get a full biometric from you, I cannot use that to add a new key-pair to your account without already having fully compromised it.
That means that you're left with really unusual situations like someone stalking you with drones with 3-D infrared scanners who can't figure out how to have the same drone record your password when you type it in many times per day.
It doesn't matter since your fingerprint isn't secret. It's not enough to have a picture of my fingerprint, you have to produce a convincing enough fake of a real human with the right fingerprint.
Take this to meatspace for a second. If you had a security guard sitting at a desk inspecting your hands and taking fingerprints you couldn't trick them with pictures. You can't hold up a picture of my face to a guard and expect that they'll suddenly think you're me. Biometric auth systems are trying to do the same thing but without the human.
> They are famously defeatable.
And most locks in wide-use today are also defeatable by amateur locksmiths, that's not really the point. There are sophisticated biometric auth systems that aren't fooled by pictures. FaceID is one example.
Let's suppose someone goes to all the effort to duplicate your biometrics in a real world scenario (e.g., going to the DMV). They put on their mask and their fake fingerprint and get a new driver license with your name and picture. Then they open bank accounts with it, get loans, and buy cars. What then? Suicide I guess.
Biometrics fail every test for a password, but, assuming sufficient accuracy, work pretty well for Authentication, which is the actual purpose of a password.
Biometrics are closer to a public key than a password.
It falls short, because biometrics <> passwords. As I said, biometrics == identity.
Compare biometrics with identity:
1) Your identity is not secret. Your mother knows you, your entire school knows you, your neighbour knows you, when you go anywhere the police may ask for your ID at any time and know you. Biometrics is the same.
2) You don't hide every day from the world. You don't cover your face (ok maybe before COVID) when entering a shop ;)
3) You cannot change who you are. You shouldn't have to and shouldn't want to. Same for biometrics.
4) If your identity is discovered then of course they know who you are. Same applies for biometrics.
So yes, biometrics isn't passwords, it's identity. Username + Password is a workaround to establish a person's identity and will never be as good as a biometric. The fact that you can have multiple usernames but only the same right index fingerprint is proof that biometrics is superior in establishing your identity than username + password.
> It falls short, because biometrics <> passwords. As I said, biometrics == identity.
This is just dogma, it's not based on the actual implementation details.
TouchID for the web requires: Something you are (biometric), and something you have (your phone/computer).
If someone "Discovers" my fingerprints, they are worthless without the phone/computer which has the Secure Enclave I've matched them to. If my phone is stolen, I can invalidate the entire device as a method of authentication.
I see what you’re saying about real world identity but digital identities don’t [have to] share those constraints. Digital identities can be instantiated and discarded at will.
1) A password is secret
2) You don't leave copies of it lying around everywhere
3) You can change it periodically
4) If discovered, it can't be traced back to you
No, biometrics can only be a username. It can never be an acceptable password.