Closed brendonjwilson closed 9 years ago
mxxcon
commented
10 years ago Personally, I'm a bit iffy on using fingerprint as authentication method. I consider fingerprint to be similar to my username, not my password..
Having said that, this brings up an interesting topic.
Would it make sense to add bio(metric): Yes|No field or are we fine with existing fields?
If we are fine with existing fields then, @brendonjwilson, I think the current PayPal entry addresses this fingerprint method.
brendonjwilson
commented
10 years ago @mxxcon : I would agree in the case of server-side validated biometrics, but that is not the model in FIDO. The fingerprint itself is used for local authentication to gate access to a private key stored on the device. Think of this approach more similar to a smart card that is unlocked with a fingerprint rather than a PIN. Also, be aware that the FIDO Alliance approach is independent of the user verification method - while on the S5 devices it's a fingerprint, on other devices it could be a voice biometric, iris biometric, or simply a PIN.
To understand what's being done in this case, here's a nice little video: https://www.youtube.com/watch?v=gHDM4Yv3u18
mxxcon
commented
10 years ago I understand how the system works as a whole. It's just at this point in time I don't trust fingerprint scanners to be versatile enough to work consistently and have enough entropy not to confuse my fingerprint with somebody else. :smile:
brendonjwilson
commented
10 years ago That's the great part - you don't have to. The FIDO Ready™ approach employed by PayPal (and now Alipay in China) is a multi-factor authentication model - simply having a copy of the user's fingerprint is not enough for an attacker to defeat the system. An attacker also needs to possess the user's device (on which they've registered their fingerprint and from which they've registered their fingerprint sensor with PayPal).
The approach defeats the kind of remote scalable attacks that are possible not only with usernames and passwords, but also with many of the "strong" authentication approaches advocated on this list (such as SMS OTP, which are trivial to defeat with phishing and social engineering, both of which can be performed by a remote attacker, as illustrated by the likes of Hesperbot and other mobile + phishing attacks). And of course, device-centric authentication solutions will continue to improve in their security, ability to defeat local attacks, liveness detection (in the case of fingerprint, and other biometric authentication methods), and can be easily incorporated and driven by a service provider's FIDO server policy.
gpoul
commented
10 years ago @mxxcon what I wanted to discuss in #856 was to add a FIDO U2F field. When looking at what's discussed here I think it might make sense to maybe add a FIDO UAF and a FIDO U2F field. Details of these two approaches are available on https://fidoalliance.org/specifications and I think this would add value to the list.
Although maybe it would also make sense to separate the FIDO support out into a separate list showing the level of support for the different sites, but I think keeping all on one list would be easier and more transparent. (?)
The reason I think this makes sense is that it would be great for someone with a FIDO U2F token to know which sites actually support it and to be able to request others to add support for them.
RichJeanes
commented
10 years ago I don't think FIDO really needs it's own column. All FIDO does is restructure how the second factor interacts with the site asking for authentication, making it flexible on what the second factor actually is. Technically, any app that is locked by PIN is still only two factor. The "factors" are one of three things:
jamcat22
commented
9 years ago So... No column then?
PayPal also supports another strong authentication option - the new FIDO Alliance protocol - though admittedly support is limited to the Samsung Galaxy S5, S5 mini, Galaxy Tab S, and Alpha devices (with a fingerprint sensor).
https://www.paypal-pages.com/samsunggalaxys5/us/index.html https://fidoalliance.org/news/item/the-fido-alliance-announces-first-authentication-deployment-paypal-samsung
This approach actually ends up being easier than SMS/OTP based 2FA solutions, while also providing stronger security (the approach is not phishable like SMS, and there are no symmetric secrets stored on the server, waiting to be stolen). It's multifactor auth because the user must posses the device (which is provisioned with a public/private key pair during registration), and authenticate with their fingerprint (biometric) to the device to unlock access to the private key. Authentication is performed by the user unlocking the private key with their fingerprint, and using the private key to sign a challenge provided by the server.
The same approach is also now used by Alipay in China, and a number of other financial institutions are investigating the approach. If you look at the FIDO Alliance web site, you'll see a number of the heavy hitters involved in the effort (Google, Microsoft, Lenovo, Samsung, Bank of America, Visa, MasterCard, Discover, many more).