undefined | Better HN

0 pointsStavrosK6y ago0 comments

> biometric data (used by WebAuthn) will never be used as the single factor for authentication

WebAuthn doesn't use biometric data, the authenticator does. You can just as easily use a PIN or whatever you want.

> Also, single encryption key is risky (in the way as using the same password across all websites) as it could be hacked or leaked

The difference is that one compromised site can't leak your encryption key, someone would have to physically get it from your computer or steal your security key (and, probably, need to guess the PIN in three tries).

0 comments

3 comments · 1 top-level

dane-pgp6y ago· 2 in thread

> WebAuthn doesn't use biometric data, the authenticator does. You can just as easily use a PIN or whatever you want.

Except the standard permits sites to only trust authenticators with specific features, or rather from a specific whitelist of manufacturers/models:

https://www.imperialviolet.org/2019/01/01/zkattestation.html

Of course, not every site will make use of this DRM-like anti-feature, but I can well imagine that a lot of sites/industries will adopt policies that treat non-biometric authenticators as insecure.

dwaite6y ago

There is typically a significant UX impact on identifying the authenticator, some of which is effectively baked into the spec.

This is partially because it serves as a fingerprinting vector for authenticating users, and limits functionality (such as reusing the authenticator to access multiple accounts on the same site). This UX penalty will most likely dissuade people from limiting authenticators in cases where they aren't trying to meet AAL3 or rough equivalent.

Once you have an authenticator attestation, you can tie it to metadata on features, certification, and security incidents.

However, I actually don't suspect that real-world policy will rely on such dynamic metadata. Instead, organizations will limit the allowed authenticators to a static set of models, most likely models they issue to users.

So you'll see things such as banks allowing large money transfers only when you use the bank-issued authenticator, or having government contractors only able to authenticate into systems using the key fob they were issued.

tialaramex6y ago

I agree with you that we likely won't see this feature used much in the real world. I always tell Firefox to deny knowing which device model I have if asked. None of your damn business.

For personal accounts at least my experience was that a very large transfer (hundreds of thousands of dollars in a single transaction) required talking to two random employees. The first was a random call center worker who answered my call & the second was randomly chosen by the bank to run the whole process with me again to confirm. The web UI was clear that I would not be able to perform my transaction without talking to a human. Using two at random defuses the risk of internal collusion to defraud a customer. But I did use my good bank, maybe a mediocre bank would accept something a bit less stringent.

j / k navigate · click thread line to collapse