Gary Buhrmaster wrote:

> Arguably those with elevated access (provenpackagers(*))
> should be required to use a hardware token such
> as a FIDO2 authenticators with biometrics and/or
> PIN required

I'm in favor of complementing the FAS passphrase with a second factor. I'm against any attempt to require biometrics. These are my reasons:

· Biometric identifiers aren't cleanly separated from identity. They are more akin to your username than to your passphrase. A random key or a passphrase can be revoked and replaced if it gets out. Fingers and faces are very difficult to replace. And yes, they can get out. Once your fingerprint has been scanned and turned into data, those data can be copied like any other secret. You also leave your fingerprints on everything you touch.

· Such a requirement is unenforceable. A client can never prove to a server that it has a certain piece of hardware. It can only prove that it knows a certain secret – or two secrets, since we're talking about two-factor authentication. Whether the secrets are stored on a hard disk, in a Yubikey, in somebody's brain or in somebody's retina is unknown to the server. Before authentication it must be assumed that the client may be an attacker who is lying about everything they can lie about. Some protocol might allow the client to claim that it used a fingerprint reader, but as far as the server knows the attacker might just be using a stored scan of the real user's fingerprint.

· Biometrics is low-grade security for use where convenience takes precedence. If somebody can't remember a good PIN, then it's better for them to unlock their phone with their fingerprint than to choose "0000" for their PIN. Strong crypto keys and hardware tokens are better where security requirements are higher, like in two-factor authentication. Requiring biometrics is effectively the same as prohibiting stronger authentication methods, which is a stupid thing to do.

Björn Persson
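The second point above, that the server only ever sees a proof of key possession plus whatever the client chooses to report, can be made concrete with a stripped-down relying-party check. The Go program below is an added example written for this page; it is not code from the thread and not Fedora's FAS code. It models a FIDO2/WebAuthn assertion as the bytes that are actually signed: a 37-byte authenticator data block (SHA-256 of the RP ID, one flags byte, a 4-byte counter) followed by a client data hash carrying the challenge, signed with an ECDSA P-256 key registered earlier. The server verifies the RP ID hash, the signature and the monotonic counter, and then simply reads the "user present" and "user verified" flag bits out of the authenticator data. The RP ID `accounts.example` and the challenge string are constructed values; real WebAuthn carries more structure (clientDataJSON, credential IDs, CBOR-encoded keys, attestation at registration) that this example leaves out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Flag bits of the WebAuthn authenticator-data flags byte (values from the spec).
const (
	FlagUP byte = 0x01 // user present: a gesture happened, according to the authenticator
	FlagUV byte = 0x04 // user verified: PIN or biometric checked, according to the authenticator
)

// Assertion is what reaches the relying party: authenticator data, the hash of the
// client data (which carries the challenge), and a signature over both.
type Assertion struct {
	AuthData       []byte
	ClientDataHash []byte
	Sig            []byte
}

// Result is everything the server can conclude from an assertion that verifies.
type Result struct {
	Counter      uint32
	UserPresent  bool // copied from the flags byte, not independently checked
	UserVerified bool // copied from the flags byte, not independently checked
}

// NewCredential plays the registration step: the server stores the public half.
func NewCredential() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// buildAuthData lays out the 37-byte authenticator data: SHA-256(rpID) || flags || counter.
func buildAuthData(rpID string, flags byte, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := make([]byte, 0, 37)
	out = append(out, h[:]...)
	out = append(out, flags)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	return append(out, c[:]...)
}

// MakeAssertion is the client side. Whoever holds the private key chooses the flags;
// the signature proves possession of the key and nothing about where the key lives.
func MakeAssertion(priv *ecdsa.PrivateKey, rpID string, flags byte, counter uint32, challenge []byte) (Assertion, error) {
	authData := buildAuthData(rpID, flags, counter)
	clientHash := sha256.Sum256(challenge) // stands in for SHA-256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), clientHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthData: authData, ClientDataHash: clientHash[:], Sig: sig}, nil
}

// VerifyAssertion is the server side: RP ID hash, signature under the registered key,
// counter moved forward. The flag bits are then read out, not verified.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID string, lastCounter uint32, a Assertion) (Result, error) {
	if len(a.AuthData) < 37 {
		return Result{}, errors.New("authenticator data too short")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.AuthData[:32], want[:]) {
		return Result{}, errors.New("RP ID hash mismatch")
	}
	digest := sha256.Sum256(append(append([]byte{}, a.AuthData...), a.ClientDataHash...))
	if !ecdsa.VerifyASN1(pub, digest[:], a.Sig) {
		return Result{}, errors.New("signature does not verify under the registered key")
	}
	flags := a.AuthData[32]
	counter := binary.BigEndian.Uint32(a.AuthData[33:37])
	if counter != 0 && counter <= lastCounter {
		return Result{}, errors.New("signature counter did not increase")
	}
	return Result{
		Counter:      counter,
		UserPresent:  flags&FlagUP != 0,
		UserVerified: flags&FlagUV != 0,
	}, nil
}

func main() {
	priv, err := NewCredential()
	if err != nil {
		panic(err)
	}
	rpID := "accounts.example" // assumed relying party ID
	challenge := []byte("constructed-challenge-1")
	// Same key, same challenge; only the self-reported flags differ, and both verify.
	for _, flags := range []byte{FlagUP, FlagUP | FlagUV} {
		a, _ := MakeAssertion(priv, rpID, flags, 1, challenge)
		r, err := VerifyAssertion(&priv.PublicKey, rpID, 0, a)
		fmt.Printf("flags=0x%02x err=%v userVerified=%v\n", flags, err, r.UserVerified)
	}
}
```

What the server can enforce is visible in `VerifyAssertion`: the key, the RP ID binding and the counter. The `UserVerified` field is populated from a bit the signer put in the authenticator data, so a policy that keys on it is recording the client's claim about its own hardware, which is the distinction the message draws.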
Attachment: pgpRH1vhtGKNo.pgp (OpenPGP digital signature)
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx