For example, it would make a lot of sense to treat them differently for Apple Pay fraud detection, since passcode + device compromise seems a lot more likely in the real world than compelled Face ID.
Edit: there's a newish feature, Stolen Device Protection, that works along these lines - https://support.apple.com/en-us/120340
It makes the conclusions of types 1 and 4 very different.
This would be the same as shoulder surfing your card pin and then stealing or cloning your card. There were two factors, the attacker just has access to both.
They needed an authenticated app and the pin at that point, which is two factors. That both are related to your iPhone means nothing; both your card’s pin and your card are related to your card, and both can be compromised by the exact same attack with the exact same consequences.
Problem is, people catch on that with some `expect` scripting and a few open source packages you can still just automate it to be 1 factor, just adding a bit more complexity to eventually leak the user's credentials.
Also, if someone uses a password manager to store both the password and the OTP credential, that is still an improvement to security. Intercepting (e.g. shoulder surfing) or guessing the password is no longer enough, an attacker needs to get into the password manager's vault.
I stopped here... at least on iPhone, this doesn't work. When a new face is scanned into Face ID, all apps using that Face ID are supposed to (forced to?) re-authenticate.
> an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more distinct types of evidence (or factors) to an authentication mechanism.
and concludes with (emphasis mine):
> For the average user, the smartphone has become a single point of failure, where the theft of one device and one piece of knowledge (the passcode) can lead to total financial compromise.
Looks like 2FA to me, not 1FA.
The linked WSJ article is a bit hyperbolic and typical journalism overreach by calling it an Apple "security vulnerability", which is bullshit IMO. If you watch the interview with the guy in jail, the main method by which he got people's security code is he asked them. That is, he would tell people he had drugs to sell them and wanted to give them info, so he would get their phone and ask them for their code to unlock it.
At least the WSJ report is honest when it says "The biggest loophole: You".
And _only_ when bound to a physical security key. Unfortunately by tying into the marketing of passkeys, there is going to be a pervasive assumption that ecosystem/on-device passkeys are just as secure.
Overall a good set of points, and I think it highlights the issues with a lot of the lauded 'convenience' factors in the Apple ecosystem.
Passkeys are an improvement over passwords. Security keys have a place for high security applications like enterprise deployments or the security paranoid. Passkeys stored on security keys can be trivially made worse by allowing users to set bad PINs (like 0000). If you use an iPhone and iCloud Keychain, iOS won’t permit you to store or use Passkeys with such an obvious passcode, but a Yubikey 5 will.
Everything else, including hardware tokens, is marketing vendor lock-in.
https://www.youtube.com/watch?v=tJw2Kf1khlA
(Yes, I'm linking YouTube because unlike popular belief, some channels are actually informative, or some make it easy for us to understand the content.)
I would never use my fingerprint for authentication, because it's a flawed concept. The problem is that your fingerprint is not a password. It's more like a username. That's because you leave your fingerprint everywhere; it's practically public information. The same can be said about your face.
The auth is using a password still. The password is just indexed on your face or fingerprint ID and only locally, on-device.
That means the attacker would need the device to ever get at the password in the first place. Then they'd need to be able to break into the device. The latter you can argue is easy or hard, depending on perspective, but they'd need both your faceprint or fingerprint, and a reliable way to replicate it that can fool the reader.
If your fingerprint or faceprint leaks to the world, the attacker would still need your physical device, and would still need to find a way to fool the physical reader with a replica of your faceprint or fingerprint.
In that sense, it's more secure than a password.
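To make the model in this comment concrete, here is an added example (not code from the thread) in Go, using a passkey-style key pair rather than a literal password: the site stores only a public key, the device holds the private key behind a local unlock (face template or passcode), and an attacker who has learned the biometric but does not hold the device cannot produce an assertion the site accepts. The names `Device`, `RelyingParty`, `Enroll`, `ForgeWithoutDevice` and the face/passcode values are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Device models the phone: the private key lives only here, behind a local unlock.
type Device struct {
	priv     *ecdsa.PrivateKey
	passcode string
	faceTmpl string // constructed stand-in for an enrolled Face ID template; never leaves the device
}

// RelyingParty (the website) stores only the public key.
type RelyingParty struct{ pub *ecdsa.PublicKey }
// Enroll creates the device-bound key pair; only the public half goes to the site.
func Enroll(passcode, faceTmpl string) (*Device, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv, passcode, faceTmpl}, &RelyingParty{&priv.PublicKey}, nil
}

// Sign answers the site's challenge only if a local factor (face or passcode) unlocks the key.
func (d *Device) Sign(challenge []byte, face, passcode string) ([]byte, bool) {
	if face != d.faceTmpl && passcode != d.passcode {
		return nil, false // device stays locked
	}
	h := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, d.priv, h[:])
	return sig, err == nil
}

// Verify checks the assertion against the stored public key; the site never sees either factor.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(rp.pub, h[:], sig)
}

// ForgeWithoutDevice: an attacker who knows the face template but lacks the phone can only sign with their own key.
func ForgeWithoutDevice(rp *RelyingParty, challenge []byte) bool {
	rogue, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	h := sha256.Sum256(challenge)
	sig, _ := ecdsa.SignASN1(rand.Reader, rogue, h[:])
	return rp.Verify(challenge, sig)
}
```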
First of all, like the other commenter said, these days biometrics are rarely used as a key itself (which is how they are often portrayed in old movies). Instead, they are used as a method to gain access to the key. This is quite literally the case with some biometric Yubikeys - the key is the Yubikey, but to get it to work it needs your biometrics. Are you saying it would be better to have a key with no access control at all? Or one with a passcode (just watch the linked WSJ article from TFA - the guy was able to steal data from phones with passcodes, but biometrics would have made that attack vector much more difficult). Phones work pretty much the same way, perhaps the downside being that people often don't consider their phones as something that needs the same level of guarding as an actual key.
And just as importantly, what these kinds of YouTube videos often miss is the old adage "I don't need to outrun the bear - I just need to outrun you." That is, unless you are a particularly high-value target (and you would know if you are), any security that makes you much more difficult to hack than the person using Princess123 as their password means thieves give up and go to the easier target first.
(1) Their use of public-key cryptography is not quantum safe (against quantum computing). In contrast, passwords are very much quantum safe.
(2) They are tied to the provider. Why on Earth would I want to have the provider own my passkeys? Why would I want this vendor lock-in for my authentication?
(3) What if I want multiple accounts for a site? Some passkey vendors may support them, while others may not.
2. By definition this isn’t true
3. Again not true, don’t confound whatever terrible implementation you have used with what is allowed or capable
2. It is risked in practice.
3. It too is risked in practice.
If someone is using biometrics, how often are they really using their pin that this would at all be a valuable tactic? I very rarely actually need to enter my pin on my phone, so this largely seems like a moot point?
Like yeah, it is still technically possible, but if we really get down to it, if someone were to learn the pin then a passkey is equally worthless, since they could also use my phone then to authenticate anything passkey. Fairly surprised that software-based passkeys are just skipped here, since I doubt most people are using hardware-based passkeys, particularly on mobile devices.
I think there is a bigger (not just banking) discussion to be had about what can be done with your phone's pin. But with the convenience of biometrics, set an actually strong password for your phone instead of a 4 or 6 digit code.
For individual apps I use biometrics, except on reboot, if they support that.
wintermutestwin•9h ago
Thank you for breaking it down like this. The bottom line is that if you don’t have your phone, you can’t access your accounts. That is a massive risk factor - particularly while traveling. That tells me that passkeys and password managers are not a viable security solution.
zarzavat•7h ago
If you need to manage non-trivial amounts of money through your phone, having a specific device to do that is a no-brainer.