I was saying for a long time that a new protocol for a biometric driven login scheme should become the new default. We use biometrics to log into our phone, then a password manager uses the same biometric to authenticate on the same device to log me into a website by auto populating the username + password for me. Afterwards I'll get a 2FA confirmation on the same device which again I'll have to confirm via the same biometric. Instead of having so many moving parts which all boil down to authenticate via a single vector (my fingerprint or eye) on a single device we might as well have a new auth scheme and get away with insecure passwords and expensive password managers and replace them all with a new biometric driven login scheme.
Yes, there are still some issues that biometrics don't solve, but they should not be a concern to most websites. If everything authenticates me via my AppleID (which uses FaceID or Fingerprint) then I only need to remember one password for Apple - which is just the same as remembering one password for a third party password manager - except it's overall much safer and better for me as a user as I don't have to upload all my online identities to yet another third party that I don't know anything about (= password managers).
Biometrics are just fine as a username or one factor of a MFA, but they are terrible for usage as a password due to the simple fact that if they are ever compromised, they cannot be changed.
The truth is though that everyone is using biometrics to log into their device which controls everything from emails, to password managers and 2FA codes. Does it mean if your fingerprint gets compromised that you'll be unable to use the biometric feature of any device for the rest of your life?
It's a good point which you raise, but ultimately biometrics will be the best way to authenticate someone. It might have to evolve and get smarter and better, but one day if someone is able to reproduce all your unique attributes of who you are then nothing will probably hold them back to reset your password manager, email and what not either. They will socially engineer whatever they need and even when a human will verify that you are you they will probably be able to provide enough believable evidence at which point it doesn't matter anymore if they hacked a biometric login or socially engineered your password manager.
> The truth is though that everyone is using biometrics to log into their device which controls everything from emails, to password managers and 2FA codes. Does it mean if your fingerprint gets compromised that you'll be unable to use the biometric feature of any device for the rest of your life?
No, because the device is only using that to protect local storage and anything which leaves the device is using strong keys which can be rotated. If they don't have the device, the fingerprint doesn't matter. If they do have the device (and are within the timeout period, etc.), it's like any other credential compromise: you get a replacement, rotate passwords, etc. but the replay value is sharply capped because at no point is a network service depending on the component which can't be changed.
(If you have an attacker who gets a scan of your fingerprint/face and keeps stealing phones you need a restraining order; that's reasonably outside of the threat model for consumer devices)
This is also important since there's a subset of users who won't be able to use biometrics for some reason and the decoupled approach avoids making it impossible for them to use.
> Does it mean if your fingerprint gets compromised
Technically, your fingerprint is probably already compromised, just nobody's bothered to put the pieces together yet because you're not a high-enough value target.
Check out some of the CCC conference videos on YouTube, where they show how easy it is to reproduce someone's fingerprints to fool most biometrics.
However, once it becomes possible to do this at a low enough price point, that's when it realistically becomes a problem for the majority.
> The truth is though that everyone is using biometrics to log into their device
Not to be pedantic, but not _everyone_ uses biometrics to log into their device, either due to lack of hardware or due to lack of trust in said hardware.
> Does it mean if your fingerprint gets compromised that you'll be unable to use the biometric feature of any device for the rest of your life?
No, it just means that it shouldn't be treated as a password in a username+password setup. It's still perfectly usable for a MFA setup.
> if someone is able to reproduce all your unique attributes of who you are then nothing will probably hold them back to reset your password manager, email and what not either
This is exactly why everyone really ought to be using MFA - biometrics are a good identifier and are strongest in conjunction with a knowledge or physical-item-based authentication. These too can be defeated, but having to nick a physical object, trick the user into revealing a password or similar knowledge-based key, and reproduce a fingerprint/facial/retinal/whatever scan is much more time-consuming.
You acknowledge that biometrics have some issues they don't solve. Not being easy to steal is one of them. The problem is that you leave your fingerprint all over the place, including all over your phone, and there are likely multiple pictures of you publicly available that can be used to construct a model to fool Face ID etc. Most biometrics only provide really minimal security, and the ones that provide anything more don't provide much and are inconvenient.
I use my fingerprint to prevent people casually browsing my phone if I leave it on the table while I pee, but I wouldn't rely on it for more than that, and neither should other people.
You need something else (a key, password or something) to secure most things as well as just your fingerprint.
You miss a crucial point though: if you fake my fingerprint you still need my personal device to authenticate with it. You can't just use a copy of my fingerprint and set up a new iPhone with it without confirming at least on one other previously confirmed device or a second factor. So when you need to fake my biometric AND get hold of my personal device then you have to solve the exact same problem as if I was using a password + password manager.
WebAuthn doesn't preclude the use of biometrics locally. Whether you securely store and use a private key in a discrete hardware key like a U2F token, or in a computing device's TPM chip secured (locally!) by a biometric access check; it boils down to the same mechanism WebAuthn describes.
WebAuthn rightly does not push biometrics beyond what you can do with them on a local device. It would be a privacy nightmare!
Biometry for service login is about the worst idea ever. The problem of biometric attributes not being secrets has already been mentioned by others, but what is at least as important is that I want to be able to use computers, and computers don't have biometric attributes. I want to be able to task my computer with watching my bank accounts, for example, and for that my computer needs to be able to log into my bank account. Using biometric authentication essentially means that corporations get a monopoly on using computers to scale the work they are able to accomplish, while they force me as an individual to do everything myself, or at best to have another corporation run a computer on my behalf.