# Web Authentication



## Ahhzz (Jun 7, 2018)

Not technically Hardware, as it refers to a new proposed standard, but does require hardware for functionality, and I didn't see a "Security" in software 

Has anyone looked at this proposal, which basically wants to eliminate passwords in favor of biometrics? I am NOT impressed. The courts already have ruled that you can be required, without a warrant, to unlock devices with biometrics. The main reason my Pix2 doesn't use the fingerprint reader. I've got nothing on it that would even remotely get me in trouble (with the possible exception of my ex-wife, if she saw some of the comments between myself and Mrs. Ahhzz heheh), but I would prefer that if the cops want to see in my phone, they have reasonable reason to do so, and have gone thru the process of law to do it. I understand the court's decision makes it "Legal", and indeed, "the process of law" to access my phone via biometrics, I just disagree. If they legitimately feel that there's something on my phone they want to see, they can get a judge to agree. 

I'll stick with my passwords, thanks.


----------



## Bill_Bright (Jun 7, 2018)

I think you are focusing on the minor point and not the bigger picture. Everything you say about law enforcement is true. But that is really a minor point in all this. You (assuming you are telling the truth here!) are like the vast majority of the rest of us here - that is, law-abiding folks with nothing to hide that would be of interest to law enforcement or the courts.

The much bigger picture is keeping the bad guys out of our stuff. Passwords, even long pass phrases, can more easily be hacked (or stolen!) than your finger print, retina scan, etc. 

One of the problems I see with biometrics, however, is they almost always are backed up with an alternative authentication process - one that uses a password!


----------



## qubit (Jun 7, 2018)

Couldn't agree more @Ahhzz

I've never liked that the phone can be unlocked while you're asleep, say, with your face or finger. It's like giving someone the key. Having to guess a tough password on a secure system on the other hand, they can go whistle.


----------



## Bill_Bright (Jun 7, 2018)

qubit said:


> Having to guess a tough password on a secure system on the other hand, they can go whistle.


If they somehow got possession of your phone and are trying to manually guess your "tough" password, I agree. But that is not what that proposal is about. It's about "web" authentication.

Bad guys can and do use automated tools to hack passwords. That's a problem. 

And "on a secure system"? What's that? Equifax? Yahoo/Verizon? Uber? eBay?


----------



## qubit (Jun 8, 2018)

The OP also talks about his smartphone, so it's in context for that. It also applies to web authentication, though, as apps can use a smartphone's biometric features for authentication too.

And yeah, "secure" passwords can be cracked on a non-secure system too when the company running it is sloppy. Nothing's perfect, unfortunately.


----------



## Aquinus (Jun 8, 2018)

It looks like some people didn't learn their lesson with SAML the first time.


----------



## moproblems99 (Jun 10, 2018)

Bill_Bright said:


> The much bigger picture is keeping the bad guys out of our stuff. Passwords, even long pass phrases, can more easily be hacked (or stolen!) than your finger print, retina scan, etc.



I am guessing you haven't seen how trivial it is to bypass many finger print scanners on phones?


----------



## Bill_Bright (Jun 11, 2018)

moproblems99 said:


> I am guessing you haven't seen how trivial it is to bypass many finger print scanners on phones?


I take it you haven't seen how trivial it is for just about any wannabe hacker to guess, or automate password hacking?

Of course biometrics can be by-passed, but it is not near as simple today as you pretend it to be.

A neighborhood kid can often guess a password if they know you. You cannot guess a thumb print. 

I am also guessing you haven't seen how biometric technologies have improved significantly in the last couple years either?

Yes, fingerprints can be stolen then manipulated and used to gain access. But not likely by the whizkid next door. And facial recognition scanners have been fooled by hi-res photos and even 3-D printers. But note I also said "retina scans" in my comment. Those are much more difficult to hack.

Regardless, biometrics, when implemented properly, offer much better security than passwords. The problem is, we aren't there yet - at least when it comes down to consumers' everyday computing devices.

Here's a good and current read on biometrics. I like it because it also spells out the potential pitfalls too.


----------



## Crusti (Aug 30, 2018)

I wondered when Facebook asked me to send my new picture in order to prove it's me. When I think it over, it turned out that we're totally controlled. All our pics are linked to our internet accounts. And now you tell about fingerprints, etc. I feel like someone is watching me all the time.


----------



## StrayKAT (Aug 30, 2018)

I don't use biometrics anywhere. And I don't think anyone is cracking my passwords all that easily. So I'm cool.

I'm not exactly paranoid about the tech, but I don't think it's for me. It's for people who are too lazy and/or have bad memories with passwords (good passwords).


----------



## dorsetknob (Aug 30, 2018)

Crusti said:


> I wondered when Facebook asked me to send my new picture in order to prove it's me.



Please upload a Scan of your passport or SS ID and Notarized by a Court Official to Confirm Your ID (Please note this info is shared with the NSA/FBI).
We value Your privacy and will ....................


----------



## DeathtoGnomes (Aug 30, 2018)

After biometrics the next step is your complete identity tattooed under your skin. Not sure if that's right before, or right after, the anti-christ makes an appearance.


----------



## newtekie1 (Aug 31, 2018)

Ahhzz said:


> The courts already have ruled that you can be required, without a warrant, to unlock devices with biometrics.



What ruling allows this without a warrant?


----------



## R-T-B (Aug 31, 2018)

Bill_Bright said:


> The much bigger picture is keeping the bad guys out of our stuff. Passwords, even long pass phrases, can more easily be hacked (or stolen!) than your finger print, retina scan, etc.



A proper password is actually much harder to hack than most biometric systems, especially if we factor in 2FA.



Bill_Bright said:


> I take it you haven't seen how trivial it is for just about any wannabe hacker to guess, or automate password hacking?



The answer to this is education, not switching to an even more flawed and brainless standard.



Bill_Bright said:


> Of course biometrics can be by-passed, but it is not near as simple today as you pretend it to be.



No, it's simpler. There's a Mythbusters episode covering this. It is RIDICULOUSLY easy.

That said...



Ahhzz said:


> Has anyone looked at this proposal, which basically wants to eliminate passwords in favor of biometrics?




This is simply a proposed method for accessing credentials via biometrics.  What makes you think it's supposed to replace anything?


----------



## Ahhzz (Aug 31, 2018)

newtekie1 said:


> What ruling allows this without a warrant?


https://arstechnica.com/tech-policy...o-was-forced-to-fingerprint-unlock-his-phone/
http://www.startribune.com/mn-appea...sn-t-violate-constitutional-rights/410991655/
https://www.twincities.com/2018/01/...nlock-cell-phone-with-fingerprint-was-lawful/

lower court, appeals court, state supreme court. 

Haven't seen a SCOTUS on fingerprints yet, but they _did_ rule that a warrant was required in certain cases regarding law enforcement attempting to access location data from a phone.


----------



## DeathtoGnomes (Aug 31, 2018)

Ahhzz said:


> https://arstechnica.com/tech-policy...o-was-forced-to-fingerprint-unlock-his-phone/
> http://www.startribune.com/mn-appea...sn-t-violate-constitutional-rights/410991655/
> https://www.twincities.com/2018/01/...nlock-cell-phone-with-fingerprint-was-lawful/
> 
> ...


It's still a 4th amendment violation until the SCOTUS rules on it. If his lawyer argued only the 5th, he/she was worth shit as a lawyer.


----------



## Frick (Aug 31, 2018)

Bill_Bright said:


> I take it you haven't seen how trivial it is for just about any wannabe hacker to guess, or automate password hacking?
> 
> Of course biometrics can be by-passed, but it is not near as simple today as you pretend it to be.
> 
> ...



This isn't the problem with passwords as such, this is a problem with password management. A good password is not weaker than biometrics. The downside is that it's impossible to have good password management without external tools, unless you're a savant of some sort.



StrayKAT said:


> I'm not exactly paranoid about the tech, but I don't think it's for me. It's for people who are too lazy and or have bad memories with passwords (good passwords).



So you have good passwords for everything, and you can keep them in your head? You're a savant then, unless you have a bad definition of "good". And in my experience it's not laziness that lies behind bad password management, it's ignorance. Services like LastPass are easy to use (even across devices) but a lot of people don't know it exists.



R-T-B said:


> A proper password is actually much harder to hack than most biometric systems, especially if we factor in 2FA.



2FA is a pain in the butt though. It depends a bit on the implementation, but on the whole it is awful.


----------



## StrayKAT (Aug 31, 2018)

Frick said:


> This isn't the problem with passwords as such, this is a problem with password management. A good password is not weaker than biometrics. The downside is that it's impossible to have good password management without external tools, unless you're a savant of some sort.
> 
> 
> 
> So you have good passwords for everything, and you can keep them in your head? You're a savant then, unless you have a bad definition of "good". And in my experience it's not laziness that lies behind good password management, it's ignorance. Services like LastPass are easy to use (even across devices) but a lot of people don't know it exists.



I wouldn't call myself a savant by any means. Just a mix of capitals/lowercases/numbers and at least one symbol. I sometimes reuse them... but not all. But once you type something dozens of times, it sticks.


----------



## DeathtoGnomes (Aug 31, 2018)

Frick said:


> This isn't the problem with passwords as such, this is a problem with password management. A good password is not weaker than biometrics. The downside is that it's impossible to have good password management without external tools, unless you're a savant of some sort.
> 
> 
> 
> So you have good passwords for everything, and you can keep them in your head? You're a savant then, unless you have a bad definition of "good". And in my experience it's not laziness that lies behind good password management, it's ignorance. Services like LastPass are easy to use (even across devices) but a lot of people don't know it exists.


I use a password manager, KeePass, so I need to remember just 1 password. I use the password generator for every site and forum and game. Nothing less than 12 characters, which is on the weak side, but I usually stick to 16.


----------



## StrayKAT (Aug 31, 2018)

All my security problems are mostly someone else's fault actually. Merchants getting my CC number stolen. It's happened multiple times. My fault is saving it on some sites. :\


----------



## Frick (Aug 31, 2018)

StrayKAT said:


> I wouldn't call myself a savant by any means. Just a mix of capitals/lowercases/numbers and at least one symbol. I sometimes reuse them... but not all. But once you type something dozens of times, it sticks.



And you have a different string for everything? How many logins do you have to keep track of? Here are the ones I keep track of:

- Bank PIN
- Bank authentication login, mobile. Luckily most of the "official" stuff (governments, loan applications, phone account, education) can use this
- Bank authentication, physical
- Main mail address
- Three work mail accounts
- One semi-serious mail account
- WordPress blog
- Five rental queues (apartments)
- Steam
- GOG
- Humble Bundle
- Paradox Studios (same account for the store and the forums)
- Two battle.net accounts
- Evernote
- Like ten or so accounts to a work-related site (web portal for power management)
- A bunch of work-related VPN stuff
- Work-related virtual machine management
- A host of online shops
- My power provider
- At least two grocery shops
- Facebook
- Tumblr
- One or two forums which require complicated passwords

And most of them are being good citizens and require at least eight characters, with a mix of capital letters and numbers, and some even require symbols. And this is just my official stuff. I have two trash mail accounts to which is tied a bunch of forum accounts and store accounts for which I reuse a good password I've used for twenty years now, where I never really buy anything but no store would dream of letting you buy anything without an account.

Password managers are essential today. Everything's done online and every single thing requires an account.



StrayKAT said:


> All my security problems are mostly someone else's fault actually. Merchants getting my CC number stolen. It's happened multiple times. My fault is saving it on some sites. :\



Excellent point and very true, and again: everything is done online and everything requires accounts that can be compromised. The best you can do is mitigation.


----------



## StrayKAT (Aug 31, 2018)

Frick said:


> And you have a different string for everything? How many logins do you have to keep track of? Here are the ones I keep track of:
> 
> - Bank PIN
> - Bank authentication login, mobile. Luckily most of the "official" stuff (governments, loan applications, phone account, education) can use this
> ...



I guess I juggle half as much. Less work related stuff.

I guess I could improve passwords... The poster above said he used 16 characters. I don't go that far.


----------



## newtekie1 (Aug 31, 2018)

Ahhzz said:


> https://arstechnica.com/tech-policy...o-was-forced-to-fingerprint-unlock-his-phone/
> http://www.startribune.com/mn-appea...sn-t-violate-constitutional-rights/410991655/
> https://www.twincities.com/2018/01/...nlock-cell-phone-with-fingerprint-was-lawful/
> 
> ...



None of those are rulings that allow law enforcement to force you to unlock your phone or use biometrics in any way without a warrant. The rulings were all that a judge can order you to do it; if you are at the stage of a judge ordering it, you are past the warrant stage of the investigation.



DeathtoGnomes said:


> It's still a 4th amendment violation until the SCOTUS rules on it. If his lawyer argued only the 5th, he/she was worth shit as a lawyer.



It is not a 4th amendment violation, because a judge is ordering it. So it is not an illegal search under the 4th amendment.

The 5th amendment, self-incrimination, is really where the argument comes from. So far the legal precedent has been it is not a violation of the 5th amendment, because your biometrics are not protected by the 5th amendment. Giving your fingerprint to unlock your phone is no different than giving a hair sample for DNA or fingerprints for comparison to fingerprints found at the scene. But that won't be solid law until we see a case go to the SCOTUS. For right now, it is really going to depend on what judge you get in the case, and how he feels that day...


----------



## Ahhzz (Aug 31, 2018)

newtekie1 said:


> None of those are rulings that allow law enforcement to force you to unlock your phone or use biometrics in any way without a warrant. The rulings were all that a judge can order you to do it; if you are at the stage of a judge ordering it, you are past the warrant stage of the investigation.
> 
> 
> ..


That's a good point; the rulings I've read do all refer to a warrant forcing that cooperation, not just police acting on their own. I stand corrected. I still think that if it arrives at the SC, they will rule blue, esp with the conservative shift. They allow police to obtain fingerprints (something you "are", but not something you "know") without a warrant, and I don't see the SC ruling any other way. But, I guess it's something we'll see when we get there. My only hope is that the phone manufacturers beat the cases in a timeline. If the OS allows easy changes to settings (change the 48 hour window to maybe 6), or better support for forcing a passkey, it will make it a completely different ball game...


----------



## Bill_Bright (Aug 31, 2018)

moproblems99 said:


> I am guessing you haven't seen how trivial it is to bypass many finger print scanners on phones?





R-T-B said:


> A proper password is actually much harder to hack than most biometric systems, especially if we factor in 2FA.


First, 2FA changes the scenario so IMO, invalidates the argument. 

And Mythbusters? Come on! That was 10 years ago! But not just that, it involved covertly stealing a copy of the fingerprint from the user, then making the copies. 

OF COURSE biometrics can be foiled. But it takes a tremendous amount of hands-on time to do it. Hacking a password requires a bad guy to click a mouse button, then he or she can move on to something else while the program crunches.

And again, a bad guy would need physical access to a copy of your fingerprint. They don't with a password - reminding readers this thread is about "web authentication" and not stealing a person's phone then lifting a "viable" fingerprint from the phone, making a copy of the fingerprint and then using that to access the phone.

So I stand by what I said, 





Bill_Bright said:


> biometrics, when implemented properly, offer much better security than passwords. The problem is, we aren't there yet - at least when it comes down to consumers' everyday computing devices.


----------



## newtekie1 (Aug 31, 2018)

Ahhzz said:


> That's a good point; the rulings I've read do all refer to a warrant forcing that cooperation, not just police acting on their own. I stand corrected. I still think that if it arrives at the SC, they will rule blue, esp with the conservative shift. They allow police to obtain fingerprints (something you "are", but not something you "know") without a warrant, and I don't see the SC ruling any other way. But, I guess it's something we'll see when we get there. My only hope is that the phone manufacturers beat the cases in a timeline. If the OS allows easy changes to settings (change the 48 hour window to maybe 6), or better support for forcing a passkey, it will make it a completely different ball game...



I don't see SCOTUS ruling any other way either. However, I do see them following current legal precedent that applies to collecting biological evidence. Police are not allowed to force you to give DNA samples or even fingerprints. You are allowed to deny both until a court orders otherwise. Most people assume that if you are arrested you must be fingerprinted, but this is not true. You can refuse until you are seen by a judge and the judge orders fingerprints taken. So I don't see them ever getting to the point where they can force you to use biometrics to unlock your phone without a judge ordering it.

And with most new phones, and OS upgrades on old phones, there is at least a 72 hour time limit on fingerprints now. So after that expires, you have to enter your pin. A smart lawyer, or even person, should be able to delay the judge's order to the point where that time limit will expire, and then they can't force you to enter the pin. Though, like you said, I would like to see that time limit be adjustable, and allow it to be shortened to whatever the user decides.


----------



## R-T-B (Aug 31, 2018)

Bill_Bright said:


> it involved covertly stealing a copy of the fingerprint from the user


Do you realize how easy that is?

I suggest you brush up on some modern videos too. Not much has changed since the Mythbusters video sadly (which I only used as an example).

Anyways, I stand by what I said. PROPERLY IMPLEMENTED passwords (even without 2FA) are always stronger than a properly implemented biometric system. Most of the security community is in consensus on this point, btw.


----------



## moproblems99 (Aug 31, 2018)

Bill_Bright said:


> And again, a bad guy would need physical access to a copy of your fingerprint. They don't with a password - reminding readers this thread is about "web authentication" and not stealing a person's phone then lifting a "viable" fingerprint from the phone, making a copy of the fingerprint and then using that to access the phone.
> 
> So I stand by what I said



Facial / eye recognition does not.

Edit: I would also like to say that a simple account lockout after 5 failed attempts, hell it can be 100, will immediately stop any brute force attempt. So, as we are talking web authentication, a password with account lockout is superior to biometrics. Reason: The user doesn't have to do anything different than they do now. They don't have to upload PII to a site they don't know. Not to mention, once your biometrics have been compromised, then what? You can't reset it.
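As an added illustration of the account-lockout control proposed in this post (example code, not from the thread), the Go sketch below locks an account after a fixed number of consecutive failures and doubles the lockout on each repeat, and it is credential-agnostic: the same gate sits in front of a password comparison or a WebAuthn assertion check. The threshold, durations and the `alice` account are assumed sample values.

```go
package main

import (
	"fmt"
	"time"
)

// Decision is the throttle's verdict on one login attempt.
type Decision int

const (
	Allowed   Decision = iota // credential accepted
	Rejected                  // credential wrong, account still open
	LockedOut                 // refused without looking at the credential
)

func (d Decision) String() string { return [...]string{"allowed", "rejected", "locked out"}[d] }

type accountState struct {
	failures    int       // consecutive failures since the last success or lockout
	lockouts    int       // consecutive lockouts; drives the escalating backoff
	lockedUntil time.Time // zero value means the account is open
}

// LoginThrottle locks an account after MaxFailures consecutive failures. Each consecutive
// lockout doubles in length up to MaxLockout, so a remote guesser gets a handful of tries
// per hour while a user who mistyped waits about a minute.
type LoginThrottle struct {
	MaxFailures int
	BaseLockout time.Duration
	MaxLockout  time.Duration
	Now         func() time.Time // injectable clock so the behaviour can be tested
	accounts    map[string]*accountState
}

func NewLoginThrottle(maxFailures int, base, maximum time.Duration) *LoginThrottle {
	return &LoginThrottle{MaxFailures: maxFailures, BaseLockout: base, MaxLockout: maximum,
		Now: time.Now, accounts: map[string]*accountState{}}
}

// Attempt records one login attempt. checkCredential is the real verifier (password hash
// comparison, WebAuthn assertion check, ...); it is not consulted while the account is
// locked, so a correct guess during lockout is indistinguishable from a wrong one.
func (t *LoginThrottle) Attempt(account string, checkCredential func() bool) Decision {
	st, ok := t.accounts[account]
	if !ok {
		st = &accountState{}
		t.accounts[account] = st
	}
	now := t.Now()
	if now.Before(st.lockedUntil) {
		return LockedOut
	}
	if checkCredential() {
		st.failures, st.lockouts = 0, 0 // a genuine login clears the history
		return Allowed
	}
	st.failures++
	if st.failures < t.MaxFailures {
		return Rejected
	}
	lockout := t.BaseLockout << uint(st.lockouts) // 1x, 2x, 4x ... the base lockout
	if lockout <= 0 || lockout > t.MaxLockout {  // shift overflow or above the cap
		lockout = t.MaxLockout
	}
	st.lockedUntil, st.lockouts, st.failures = now.Add(lockout), st.lockouts+1, 0
	return LockedOut
}

// LockedFor reports how much longer the account stays locked (0 if it is open).
func (t *LoginThrottle) LockedFor(account string) time.Duration {
	if st, ok := t.accounts[account]; ok && t.Now().Before(st.lockedUntil) {
		return st.lockedUntil.Sub(t.Now())
	}
	return 0
}

func main() {
	th := NewLoginThrottle(5, time.Minute, time.Hour)
	wrong := func() bool { return false } // stands in for a failed credential check
	for i := 1; i <= 6; i++ {
		fmt.Printf("attempt %d: %v, locked for %v\n", i, th.Attempt("alice", wrong), th.LockedFor("alice"))
	}
}
```

A per-account lockout also lets anyone who knows a username keep its owner locked out, which is why the lockout length is capped and a genuine login clears the history; production systems usually add per-source throttling on top.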


----------



## DeathtoGnomes (Aug 31, 2018)

I for one will not ever use Touch ID or any biometric lock as long as the courts make a distinction between that and a pin code.


----------



## Bill_Bright (Sep 1, 2018)

Bill_Bright said:


> it involved covertly stealing a copy of the fingerprint from the user





R-T-B said:


> Do you realize how easy that is?


Sure! All someone has to do is find out where exactly I live then get here, sneak by my security cameras and the nosy old lady across the street, disable my alarms, kick in my front door, get past my dogs and lift my fingerprints from my personal property without waking me and giving me time to get out my Glock.


R-T-B said:


> Most of the security community is in consensus on this point, btw.


Yeah right.

There is no consensus so stop trying to pretend you speak for the security community. The only good (I said good, not perfect) solution is a multifactor solution. The US military, for now, probably has an example of one of the best. (1) The user must have the proper security clearance plus (2) the "need to know". The user must (3) have the authorization to access the system (be allowed in the area), often via (4) biometrics to open the door. The user must have a (5) working CAC (common access card). And finally, the user must have a (6) strong password.



moproblems99 said:


> So, as we are talking web authentication, a password with account lockout is superior to biometrics.


That makes no sense. The same account lockout feature can easily be used with biometrics too. If the fake latex finger print does not register immediately, the account can be locked. 

What is being overlooked here is the fact there MUST be some sort of physical access by the bad guy. Contrary to what R-T-B wants everyone to believe, that is not that easy unless the bad guy actually knows you personally and has physical access to your prints, face, eyes or your personal property. Hacking a password can be done from the other side of the world by someone who has no clue who you are, what you do, or where you live.

And for the record, I am NOT saying passwords are inadequate for most users. And for sure, a passphrase is typically better (harder to crack) than a password - even a strong password. For example, "The cat in the hat" is harder to crack (and easier to remember and type) than "*Dle4&fg@8". Why? Because 18 characters are harder to crack than 10. The bad guy does not know if special characters or numbers are used so has to check for all.


----------



## R-T-B (Sep 1, 2018)

Bill_Bright said:


> There is no consensus so stop trying to pretend you speak for the security community.



I'm not pretending anything.

Here's an article from a security expert supporting my claim (google will find you several more).  I challenge you to find one supporting yours.

BTW, it is possible to remotely steal fingerprint data, and that's difficult to fix without another strong security method.

https://www.zdnet.com/article/face-...-the-best-way-to-keep-your-smartphone-secure/

Bill, with all due respect to your expertise, this is mine.  Step aside.



> For Galloway, that means the most secure way to protect your phone is with a password -- but it has to be complex, even if that makes the device less convenient for its owner to immediately access.


----------



## Bill_Bright (Sep 2, 2018)

R-T-B said:


> I'm not pretending anything.


Sure you are. You are pretending opening a smartphone with biometrics represents the state-of-the-art for all biometrics. You are pretending opening that smartphone is the same thing as "web authentication". 

You are pretending deficiencies from the past are never addressed. 

You are pretending you know everything about security (the link in my sig shows I've been dealing with it for a few years myself - to include access to the most sensitive networks and facilities). 

You are pretending major financial institutions must be ignorant and naive in 2018 when companies like Mastercard are implementing biometrics on a global scale.


R-T-B said:


> BTW, it is possible to remotely steal fingerprint data


EMV card with fingerprint biometrics. Note how the biometrics data never leaves the card! That means it is never kept on the bank's or merchant's servers or sent across networks or over the air - unlike passwords! And such a card cannot be hacked or infected with malware like a smartphone can either. 

So by you pretending because some improperly stored fingerprints can be stolen, biometrics as an entire method of security is inferior is just that - pretending.

Passwords can be guessed (by humans and machines). Biometrics cannot. 

And FTR, there is absolutely nothing saying you must use your index finger. And there is nothing saying you cannot change fingers and the print tied to your access credentials if you believe yours has been compromised. 

Are biometrics perfect? Of course not! I never said they were. NO solution is! But password technologies reached their pinnacle years ago. Biometrics is still evolving and improving.

So yes, *IF PROPERLY IMPLEMENTED* biometrics can be more secure than passwords. 

I will say this, 2FA is still better than one - regardless if using a very strong complex passphrase, or the most sophisticated 3D biometrics.


----------



## R-T-B (Sep 2, 2018)

I'm standing by what I said.  I have never heard an expert on security endorse your claim.  That's really all there is to it for me until I see otherwise.



Bill_Bright said:


> EMV card with fingerprint biometrics. Note how the biometrics data never leaves the card! That means it is never kept on the bank's or merchant's servers or sent across networks or over the air - unlike passwords! And such a card cannot be hacked or infected with malware like a smartphone can either



This is probably the exception, but it's not the norm, and certainly not part of the standard being discussed.


----------



## Bill_Bright (Sep 2, 2018)

R-T-B said:


> This is probably the exception, but it's not the norm, and certainly not part of the standard being discussed.


Exception? Norm? Standard? 

Gee whiz. Come on now. Biometrics at the basic consumer level is still relatively new. Biometrics is the exception as passwords and PINs are still the primary way users gain access. There is no norm or standard - yet - when it comes to biometrics. As I noted above, 





Bill_Bright said:


> Biometrics is still evolving and improving.





R-T-B said:


> I have never heard an expert on security endorse your claim.



Actually, you have, you just refuse to accept it because you don't agree with what he says. 

As I also noted above, you are pretending you know everything about security, when clearly you don't. I DON'T EITHER! But I do know what I know to be true in my little world does not mean that is how it is in the overall big universe. Just because I have never personally seen something does not mean it does not exist.


----------



## R-T-B (Sep 2, 2018)

I make it my business to know what's going on in security.  It's been my principal business as of late.




Bill_Bright said:


> Standard?



Yes, the one we are discussing.

https://www.w3.org/TR/webauthn/


----------



## moproblems99 (Sep 3, 2018)

Bill_Bright said:


> Biometrics cannot.



How can you possibly believe this?  You do know how biometrics are created, right?

EDIT: In the case of fingerprints, eye recognition, and facial recognition?


----------



## Bill_Bright (Sep 3, 2018)

moproblems99 said:


> How can you possibly believe this? You do know how biometrics are created, right?


Huh? How can I believe that biometric images cannot be "guessed"?

You tell us! How can a fingerprint be guessed? And to this discussion, how can a fingerprint be guessed easier than a password?

And yes I know how biometrics was created. Do you? They sure were not "guessed" but actually precisely measured and recorded to track criminals via their fingerprints. Why? Because over 100 years ago we already knew fingerprints were unique and could not be guessed, but could be used to identify, or to eliminate from consideration individuals.



R-T-B said:


> Yes, the one we are discussing.


LOL Did you read it? Are you now pretending you can obfuscate the thread by tossing out references you hope no one will read?

https://www.w3.org/TR/2018/CR-webauthn-20180807/


> User verification MAY be instigated through various authorization gesture modalities; for example, through a touch plus pin code, password entry, or biometric recognition (e.g., presenting a fingerprint) [ISOBiometricVocabulary].



Throughout the entire document (51 times to be specific) it explains the use of biometrics as it relates to web authentication. NOWHERE does it say biometrics are inferior to passwords. It does, however, call passwords a "legacy method" of authentication (see section 1.1.3 and 12.1).

Come on people!  This is supposed to be a mature, intelligent discussion. *Passwords are going away* - eventually. Sooner as more and more networks are hacked because of careless and lazy users picking easy to hack (and guess) passwords. 

And - for now (unless something much easier, very convenient, and more secure comes along) - it looks like biometrics are going to take over (because most humans are not willing to have an RFID chip implanted in their bodies). So whether you think passwords are more secure than biometrics or not is really a moot point. So why argue over it?

Let's agree on the following and move on. R-T-B is undeniably right about one thing - regardless the primary authentication method used, two-factor authentication (2FA) is still the best solution. So a fingerprint scan plus a PIN, or a password plus a PIN is much better than a fingerprint alone or a password alone.
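Since the disagreement above turns on what the linked WebAuthn spec actually sends to a website, here is an added Go sketch (example code, not from the thread, the spec or any library) of the authentication ceremony: the authenticator verifies the user locally and signs a challenge, and the relying party checks challenge, origin, RP ID hash, signature counter, signature and the user-verified (UV) flag, so the biometric itself never leaves the device, the same property raised earlier for the fingerprint EMV card. The RP ID `example.com`, its origin, the credential id and the challenge strings are constructed sample values, and RNG error handling is elided.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// authenticatorData flag bits. The site learns only that the user was present or verified, never how (fingerprint, face, PIN) and never the biometric data itself.
const (
	flagUP byte = 0x01 // user present (touch)
	flagUV byte = 0x04 // user verified on the device
)

type clientData struct { // subset of CollectedClientData that the relying party checks
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte } // what the browser returns to the server
type Authenticator struct { // toy authenticator: a private key plus on-device user verification
	Priv     *ecdsa.PrivateKey
	rpIDHash [32]byte
	counter  uint32
}

func NewAuthenticator(rpID string) *Authenticator {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors only if the system RNG is unavailable
	return &Authenticator{Priv: priv, rpIDHash: sha256.Sum256([]byte(rpID))}
}

// signedDigest is what both sides hash: authenticatorData || SHA-256(clientDataJSON).
func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// GetAssertion builds authenticatorData (rpIdHash | flags | counter) and signs it with the client data; userVerified stands for "the on-device fingerprint or PIN check passed".
func (a *Authenticator) GetAssertion(challenge, origin string, userVerified bool) Assertion {
	a.counter++
	flags := flagUP
	if userVerified {
		flags |= flagUV
	}
	authData := append(append([]byte{}, a.rpIDHash[:]...), flags, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(authData[33:], a.counter)
	cdJSON, _ := json.Marshal(clientData{"webauthn.get", challenge, origin})
	sig, _ := ecdsa.SignASN1(rand.Reader, a.Priv, signedDigest(authData, cdJSON)) // errors only on RNG failure
	return Assertion{authData, cdJSON, sig}
}

type Credential struct { // what the relying party stored at registration
	Pub       *ecdsa.PublicKey
	SignCount uint32 // last signature counter seen for this credential
}
type RelyingParty struct { // server side of the authentication ceremony
	ID, Origin string
	RequireUV  bool // policy: reject assertions where the authenticator did not verify the user
	Creds      map[string]*Credential
}

// VerifyAssertion performs the relying party's checks on an authentication assertion.
func (rp *RelyingParty) VerifyAssertion(credID, expectedChallenge string, as Assertion) error {
	cred, ok := rp.Creds[credID]
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); !ok || err != nil {
		return errors.New("unknown credential or malformed client data")
	}
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge || cd.Origin != rp.Origin {
		return errors.New("client data rejected: wrong ceremony type, stale challenge or foreign origin")
	}
	if h := sha256.Sum256([]byte(rp.ID)); len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(h[:]) {
		return errors.New("authenticatorData malformed or bound to another relying party")
	}
	if as.AuthData[32]&flagUP == 0 || (rp.RequireUV && as.AuthData[32]&flagUV == 0) {
		return errors.New("user presence or required user verification not asserted")
	}
	count := binary.BigEndian.Uint32(as.AuthData[33:37])
	if count <= cred.SignCount { // toy rule: the counter is mandatory and must strictly increase
		return errors.New("signature counter did not advance: possible cloned authenticator or replay")
	}
	if !ecdsa.VerifyASN1(cred.Pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("bad signature")
	}
	cred.SignCount = count
	return nil
}

func main() {
	auth := NewAuthenticator("example.com")
	rp := &RelyingParty{"example.com", "https://example.com", true, map[string]*Credential{"cred-1": {Pub: &auth.Priv.PublicKey}}}
	as := auth.GetAssertion("challenge-1", "https://example.com", true)
	fmt.Println("fresh assertion:", rp.VerifyAssertion("cred-1", "challenge-1", as))
	fmt.Println("same assertion again:", rp.VerifyAssertion("cred-1", "challenge-1", as))
}
```

A real server also discards each challenge after one use; the counter check here is the second line of defence against a replayed or cloned authenticator.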


----------



## R-T-B (Sep 3, 2018)

Bill_Bright said:


> LOL Did you read it?



Yes.




Bill_Bright said:


> Throughout the entire document (51 times to be specific) it explains the use of biometrics as it relates to web authentication.



Yes, and nowhere does it reference your smart biometric cards (unless I missed it; it's admittedly a big doc), which was my point (actually my point was to point out there is a standard context we are discussing within).

No one (save you) said this document made any claims about what is better.  I already provided that, and have yet to see even one counter.

Honestly Bill, you are moving goalposts and jumping around faster than a grasshopper on speed at this point. I have no idea why you can't just admit you are in over your head.


----------



## StrayKAT (Sep 3, 2018)

Not entirely related... but... I'm curious, does anyone here use TPM for home use? Or BitLocker? Is it worth taking advantage of some of the Windows Pro features I have... just on a private machine?

edit: Heh... I'm reminded when I was little and my brother got a 386. He had that thing locked with a damn key. But I think that was mostly to keep ME away.


----------



## R-T-B (Sep 3, 2018)

StrayKAT said:


> Not entirely related... but... I'm curious, does anyone here use TPM for home use? Or BitLocker? Is it worth taking advantage of some of the Windows Pro features I have... just on a private machine?



I mean if you can secure the machine physically and don't have to worry about the NSA honestly it should be fine.


----------



## Bill_Bright (Sep 3, 2018)

On the contrary, I am not over my head in this area at all. Accessing, supporting and protecting secure IS/IT systems has been a part of my business and personal life since the Air Force sent me to my first "permanent party" base in 1972. 

The point I was making is there is no norm or standard biometric method for authentication - yet. Which is why your position is inaccurate. Sorry if you didn't pick up on that.


StrayKAT said:


> but... I'm curious, does anyone here use TPM for home use? Or BitLocker?


Happily, I again agree with R-T-B on this one and if you can maintain sound "physical security", you don't need to worry about this. But if you use a mobile device, a notebook for example - that is, a computing device that can easily be stolen or accidentally left behind, then encrypting might be a good idea. 

That said, most people don't realize physical security involves protecting your computer (and all backups) from theft should a bad guy looking for drug money break into your home and steal your computer! Note this also applies to having a good backup of your important data in the event of a flood, fire, tornado, lightning, etc.

But also, because of all the confusion and misinformation out there about wiping and SSDs that you might dispose of, encrypting a SSD might also be a good idea if you don't understand how "secure erase" works with SSDs.


----------



## Crusti (Sep 5, 2018)

dorsetknob said:


> Please upload a Scan of your passport or SS ID and Notarized by a Court Official to Confirm Your ID (Please note this info is shared with the NSA/FBI).
> We value Your privacy and will ....................


You know, the scariest thing is that there are too many people who will send anything on request and will lose everything after this step.


----------

