On Sat, 26/12/2020 at 23:53 +0100, Björn Persson wrote:
> Gary Buhrmaster wrote:
> > Arguably those with elevated access (provenpackagers(*))
> > should be required to use a hardware token such
> > as a FIDO2 authenticator with biometrics and/or
> > PIN required
>
> I'm in favor of complementing the FAS passphrase with a second
> factor.
>
> I'm against any attempt to require biometrics. These are my reasons:

I totally agree with you, for the reasons you explained below.

> · Biometric identifiers aren't cleanly separated from identity. They
> are more akin to your username than to your passphrase. A random key
> or a passphrase can be revoked and replaced if it gets out. Fingers
> and faces are very difficult to replace. And yes they can get out.
> Once your fingerprint has been scanned and turned into data, those
> data can be copied like any other secret. You also leave your
> fingerprints on everything you touch.
>
> · Such a requirement is unenforceable. A client can never prove to a
> server that it has a certain piece of hardware. It can only prove
> that it knows a certain secret – or two secrets since we're talking
> about two-factor authentication. Whether the secrets are stored on a
> hard disk, in a Yubikey, in somebody's brain or in somebody's retina,
> is unknown to the server. Before authentication it must be assumed
> that the client may be an attacker who is lying about everything they
> can lie about. Some protocol might allow the client to claim that it
> used a fingerprint reader, but as far as the server knows the
> attacker might just be using a stored scan of the real user's
> fingerprint.
>
> · Biometrics is low-grade security for use where convenience takes
> precedence. If somebody can't remember a good PIN, then it's better
> for them to unlock their phone with their fingerprint than to choose
> "0000" for their PIN. Strong crypto keys and hardware tokens are
> better where security requirements are higher, like in two-factor
> authentication. Requiring biometrics is effectively the same as
> prohibiting stronger authentication methods, which is a stupid thing
> to do.

Guido Aulisi
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx