
> And just a daily reminder that biometrics are usernames, they are not passwords.

I think you should stop giving out this daily reminder. This meme has outlived its usefulness.

Using Face ID to unlock a local key store to enable my device to sign a signed challenge from a site I want to log into with the private key stored on my device is not a 'username' in any meaningful sense.

The problem is, the metaphor about passwords and usernames is not a good, structure-preserving simplification of the actual problem of authentication.

The biometric data and/or pin code are not being used to prove that you are you to Gmail, it's being used to unlock the set of private keys you have on your device. This doesn't fit into the metaphor at all.

If my non-technical parents said they were migrating all their accounts to passkeys, I would be very pleased. I wouldn't be worried about their inability to change their biometrics and that causing a problem following some sort of breach in the future. I am highly worried about their extreme susceptibility to phishing, especially in their inability to distinguish phishing sites from real sites, or real account maintenance contacts via email and SMS from phishing contacts, their reuse of very simple passwords that are probably circulating in combolists already, and their general inability to retain username/password pairs. I have a lot of sympathy for them when I try to talk them through something like logging in to an Apple device with their Apple ID, when their Apple ID username is their email, which ends with @gmail.com. "But...why would I log in to Apple with my Gmail?" Never mind how confused they are about 'log in with Google', 'log in with Facebook', etc.

Moving to a model where their devices store WebAuthn credentials and guard them with a PIN or Face ID-style biometric shortcut is a _massive_ improvement in practical resistance to account takeover for my parents, and I don't think continuing to say 'biometrics are usernames in authn' is accurate or helpful.
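The challenge/response flow this comment describes, written out as an added illustrative model. This is not code from the thread, and it is not a WebAuthn library or any real authenticator's implementation: it uses Ed25519 from the Go standard library, a PIN string as a stand-in for the biometric unlock, and constructed sample values (origins `accounts.example.test` and `accounts-example.test`, user `alice`, PIN `1234`). What it shows is the point being argued: the server stores a public key and checks a signature over a fresh challenge bound to its own origin; the biometric or PIN only decides whether the device releases the private key, and never reaches the server.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the device-side key store: one private key per
// relying party, released for signing only after local user verification.
// localPIN is a constructed stand-in for the Face ID / PIN gate; it never leaves the device.
type Authenticator struct {
	keys     map[string]ed25519.PrivateKey // rpID -> private key
	localPIN string
}

// Register creates a key pair for rpID; only the public key is sent to the server.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return pub, nil
}

// Assertion is the device's answer to a login challenge.
type Assertion struct {
	RPID                 string
	Challenge, Signature []byte
}

// signedMessage binds the challenge to the relying-party ID, so a challenge relayed
// through a look-alike origin cannot be signed on the real site's behalf.
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write([]byte{0}) // field separator
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign runs user verification, then signs with the key registered for the origin the
// browser actually observed (observedRPID), not the one the page claims to be.
func (a *Authenticator) Sign(userInput, observedRPID string, challenge []byte) (*Assertion, error) {
	if userInput != a.localPIN {
		return nil, errors.New("user verification failed: key store stays locked")
	}
	priv, ok := a.keys[observedRPID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for origin %q", observedRPID)
	}
	sig := ed25519.Sign(priv, signedMessage(observedRPID, challenge))
	return &Assertion{RPID: observedRPID, Challenge: challenge, Signature: sig}, nil
}

// RelyingParty models the server: public keys only, plus one random single-use
// challenge per outstanding login attempt.
type RelyingParty struct {
	ID      string
	pubKeys map[string]ed25519.PublicKey // username -> public key
	pending map[string][]byte            // username -> outstanding challenge
}

func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending[user] = c
	return c
}

// Verify accepts the login only if the assertion names this RP, echoes the outstanding
// challenge, and carries a valid signature under the enrolled public key.
func (rp *RelyingParty) Verify(user string, as *Assertion) bool {
	pub, ok := rp.pubKeys[user]
	want, outstanding := rp.pending[user]
	if !ok || !outstanding || as == nil || as.RPID != rp.ID || !bytes.Equal(as.Challenge, want) {
		return false
	}
	delete(rp.pending, user) // each challenge is good for exactly one attempt
	return ed25519.Verify(pub, signedMessage(rp.ID, as.Challenge), as.Signature)
}

// RunScenarios walks through the cases the thread argues about. Origins, username
// and PIN are constructed sample values.
func RunScenarios() (legitOK bool, lookalikeErr error, replayOK bool, lockedErr error) {
	device := &Authenticator{keys: map[string]ed25519.PrivateKey{}, localPIN: "1234"}
	rp := &RelyingParty{ID: "accounts.example.test", pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
	pub, _ := device.Register(rp.ID)
	rp.pubKeys["alice"] = pub
	// 1. Normal login: the server sees a signature, never the PIN or any biometric.
	c1 := rp.Challenge("alice")
	a1, _ := device.Sign("1234", rp.ID, c1)
	legitOK = rp.Verify("alice", a1)
	// 2. A look-alike origin relays a real challenge; the browser reports the origin it
	//    sees, for which no credential exists, so nothing is signed.
	c2 := rp.Challenge("alice")
	_, lookalikeErr = device.Sign("1234", "accounts-example.test", c2)
	// 3. Replaying the earlier assertion against the new outstanding challenge fails.
	replayOK = rp.Verify("alice", a1)
	// 4. A wrong PIN (or failed biometric match) keeps the key store locked.
	_, lockedErr = device.Sign("0000", rp.ID, rp.Challenge("alice"))
	return
}
```

The two properties the comment leans on fall out of the structure rather than the unlock method: the server holds nothing a phisher can reuse (a public key and a one-shot challenge), and the key is released only for the origin the browser observed, so a look-alike domain gets no usable signature even from a user who types the right PIN.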

> If my non-technical parents said they were migrating all their accounts to passkeys, I would be very pleased. I wouldn't be worried about their inability to change their biometrics

My 76-year-old dad can't do it. His phone is some shitty Android trash that when he's setting up his biometrics, he shakes a bit, and it never stores the finger data correctly. I have to hold his finger and his phone at the same time to even scan it. Then, unlocking is also super unreliable because of the shaking. He refuses to get a better phone cause this one "works well enough."


This is so true - most older people I've worked with have major problems with touch devices. No one has come up with a satisfactory solution. This is not a new problem - I remember working with my grandfather in his 80s on a 286 equipped with a mouse - his arthritis prevented him from accurately positioning the mouse. Today's touch interfaces are far worse. And fingerprint scans are very difficult to get right and use with older people. Maybe face scans are fine but I've never trusted them. Regardless of security logins, there are a host of other issues - complex navigation, complex and confusing layouts (especially desktop), and hard to manipulate controls. One example, a simple Zoom or Skype call - why hasn't anyone ever developed a simple device to allow for same without having to use intricate controls. I've always imagined something similar to the video-enabled Nest or Alexa devices but with physical knobs and push buttons. There's a very large market being ignored for some reason.


> There's a very large market being ignored for some reason.

It's no surprise that the tech industry, which largely employs urban, educated 20-somethings and 30-somethings, tends to produce products aimed at urban, educated 20-somethings and 30-somethings.


> No one has come up with a satisfactory solution.

Stick your finger inside of a dynamically sizing aperture, or clip a finger reader onto your finger? If both the finger and the reader shake the same there shouldn't be a problem.

That doesn't solve the general touch issue, but it solves this particular case.


Forcing my dad to carry around and stick something on his finger just to get into his device seems rather overkill, don't you think?


People carry around earpods, keychains, wallets. What's one more little dongle on a keychain?

But sure, I agree (https://news.ycombinator.com/item?id=35790638 ). I'm just trying to come up with some workable solution. Not trying to make the best of all possible worlds.


Let me guess, you're not a 76 year old man.


It might not be that the android is crappy. Some people's fingerprints stop being readable as they age, and there are various injuries and diseases that have that result.

Essentially every biometric has a population they won't function well with.


It's 100% accurate. And I get why it may not seem helpful, but I think this is simply due to this industry trying too hard to cater to people who want things to be 6-year-old level easy.

Security is HARD. There's no getting around that. Your data is valuable and protecting it is not an easy task. At some level, security and convenience is a zero-sum game.

As for old people, my dad writes down his passwords on a text file in his laptop and has a printed backup in the house.

And, yes, he does have to bug me sometimes to re-login or change a password, but we've never had a security problem, which is way more than can be said for a lot of people who tried the INHERENTLY unsafe "3rd party manager" thing.


> It's 100% accurate.

No it's not.

The security triad is "something you are", "something you know", and "something you have". Fingerprints are something you are. Usernames are something you claim to be.

The username is the "claim" you are this person. The password is the "proof" you are.

If I'm fingerprinted by any federal agency today (and my fingerprints have been on file with the government since the 90s for a security clearance), then my fingerprints can serve as absolute proof of my identity. This is helpful to me should my identity ever be stolen and I need to show absolute proof of who I am.


Good point, you're right. And with e.g. federal agencies, this is fine.

But given the relatively high level of laziness, capriciousness, and general failure all around that is "IT security by means of companies who are rarely held accountable," it's good to point out that this is what makes biometrics worse than usernames and should probably mostly be avoided, or at least optional.


Your points are taken, but I do believe that the "something you are" is better than the "something you know" and "something you have" pieces -- as the knowledge or the thing you have can be stolen.

Sure, fingerprints, face scans, and iris scans can be stolen as well. But certain things are really hard to fake, including potentially, scans of faces and an iris scan at the same time -- unless you can somehow graft a new iris and grow a new face.

Put it like this: a dead victim is found naked along the side of the road. Which leg(s) of the security triad can the police use to prove the identity of the victim?


If convenience plus precision are your only goals, sure. But this requires probably too much trust in the systems. I'm fine with the FBI having that power and information.

Google, who I don't pay and doesn't owe me much, not so much.


Your fingerprints change over time (mine are different from just five years ago -- as I learned when recently renewing a visa a few weeks ago).


Those are all factors in multi-factor authentication. If a service does not require the "something you are" there's still good security if they require the other two factors. If the only required factor is "something you are" that's bad security.


They all require the "something you have" as well. Pretty much all the face recognition / fingerprint tech on mobiles is locked to a single device.
