Microsoft’s Windows Hello fingerprint authentication has been bypassed

https://sopuli.xyz/post/6139709


Who is surprised? Are you surprised?
Pikachu is surprised
Pikachu is always surprised. And he doesn’t even speak or read English. So I was discounting him.
This is why I use Linux, the fingerprint device wouldn’t be supported so this wouldn’t be an issue /s
The one on my Thinkpad works just fine :)
I got a T80s and the sensor doesn’t work.
I’ve got a T440p and I just set it up through the menu in the KDE settings, it worked right out of the box.
Mine’s not in libfprint, libfprint-tod, or libfprint-goodix.
Mmm yes security by non-functionality. A pillar of the modern cybersecurity framework.
Can’t hack a brick 🤷
But you can use a brick to hack windows.

But you can use a brick to hack windows

yes indeed, the good ol’ broken windows fallacy!

When you could have said crack, but instead said hack.
And this is why I am typing this on a 1921 Royal No. 10 typewriter.
Found Tom Hanks’s Lemmy account.
Works for my webcam. Tbh I’d like someone to hack it, would mean they would’ve written drivers for it
Nah I use fprint on my arch laptop so there is fingerprint login technology. Hopefully that doesn’t have security vulnerabilities.
It has vulnerabilities for sure. But they haven’t been found because no one cares about hacking you or the 1 other person on earth that uses Arch and fingerprint security.
Security by obscurity lol
One of the major reasons I gave up on trying to run Linux on my laptop was lack of fingerprint reader support.

wouldn’t be supported so this wouldn’t be an issue

I did not expect that 😅

I have a Microsoft fingerprint reader that works fine on Linux lol
That’s funny, on my XPS Windows crashed when I tried adding a fingerprint. Works flawlessly under Arch.
Today I was fucking around with this shit. I can’t even update my distro, otherwise ecryptfs will go adios, and fingerprinting will be broken.
The fun thing about Linux is you realize physical control is ownership. You can just throw a bootable Linux image with some utilities and remove the password from a Windows account in a second. If you really need to keep something safe, it has to be encrypted.

remove the password from a Windows account

That used to be true, but no longer works

Regardless, you can just read what’s on the disk anyway, so you don’t need to be able to log in.
Unless bitlocker is enabled by default, which is becoming more and more common

unfortunately

Unfortunately? How is encryption by default a bad thing? It’s amazingly good at protecting data from people who wouldn’t even know what encryption is.

The number of lost laptops in coffee shops protected by BitLocker is insane.

Correct answer.

Using any form of biometric ‘login’ under the US’s “justice” system is supremely ill-advised.

The Surface Pro X has a fingerprint reader? Is it on the keyboard or something? Mine sure doesn't have one.
Stop using biometrics for authentication!!!
Better put would be stop using biometrics for single factor authentication. A token can be stolen, or a passcode/push notification can be phished/bypassed as easily as biometrics can.

Biometrics are two factor, because you need the fingerprint and the device they unlock.

You can’t use the device without the fingerprint and you can’t take someone’s fingerprint then use them from a different device.

You’re right. By most definitions of MFA biometrics would pass. A biometric is something you are, and the device is something you have. My comment is more for privacy zealous people, who are concerned that they could be compromised by governments without a “something you know” component.

You are not wrong, but we should understand what class of attacks we are protecting against. Will biometrics stop your maid from using your device? Probably less. Will it stop the FBI? Not so sure.

Now, you may say, an FBI raid is not what you worry about on a daily basis. Agree.

If you are trying to keep the photos on your device safe from snooping, you’re good. Attacker needs the device and your fingerprint.

When we talk online accounts, I’d count device+fingerprint as one factor. Sure, the maid from the example above can’t log in to your gmail without your fingerprint, but most attacks are online. Your device sends a token to gmail, a cookie, a String; that’s like a password. One factor.

Technically, it’s slightly better than a password, because this token can be short-lived (although often it’s not), could be a cryptographic signature to be used exactly once (although…), you cannot brute-force guess the token… But IF the token leaks, the attacker has full access (or enough to cause damage).

That’s why I would suggest an independent second factor, such as password. Yes, a password. Not for your daily routine (biometrics+device is much better), but maybe for high-risk operations.

No, wrong. Still two factor because your fingerprint plus your device.

These authentication methods aren’t as simple as the two factor Google Authenticator 6 digit number. They are cryptographically secure keys. Even if someone finds out what the token is, they still cannot send a valid request because they cannot generate a digitally signed request using the private key locked in your device’s hardware, unlocked by your biometrics.

Will biometrics stop your maid from using your device? Probably less. Will it stop the FBI? Not so sure.

A sufficiently motivated maid will be able to do it. The FBI eats that kind of stuff for breakfast.

Once upon a time, the then German minister of the interior wanted to collect all kinds of biometric data, in passports, in fully connected databases, whatnot. The CCC went ahead and swiped his print off a glass at a reception and published a DIY version to impersonate him in their magazine. Fingerprint authorisation is the security equivalent of a sticky note with your password on your coffee mug.

The good news? You can use ordinary gloves, no need for tinfoil.

Get your German interior minister's fingerprint here

Hacktivists collect fingerprint of fingerprint collector

The Register
In Doom I had to rip off a dude’s arm to gain access to the security controls on core cooling shutdown. If you don’t want to lose an arm to stop a demon horde, you’re better off just using your girlfriend’s fingerprints
Exactly the point I’m trying to make!!

Biometrics are perfectly fine! We probably don’t even live in the same country, I’m not going to get a hold of your fingerprints.

There seems to be a fundamental misunderstanding of what the biometrics actually do. The biometrics only unlock the device and give access to the security key. Once unlocked it’s exactly the same as using a yubikey, and far better than an authenticator app, as they use a crypto key, not a 6 digit number.

Well

The biometrics only unlock the device

Yes

and give access to the security key

This is the goal, sure, but what does this actually mean on a device that’s mostly governed by software?

There’s a chip (like a yubikey) in the device that can hold cryptographic keys.

That’s good because the key cannot (easily) be extracted from the device.

That’s good as long as no one has physical access to your device.

With physical access, you hope that the device’s unlock mechanism is reasonably secure. That’s biometrics OR password/pin.

The ‘or’ is the problem. For practical reasons you don’t want exactly one method hard-wired. You have a fingerprint scanner (good enough), the secure element (good enough) and lots of hard- and software in between (tricky).

I’m not against biometrics (to unlock a device) because it’s convenient and much better than not locking the device at all. I’m also not against device trust (which you need if you want to store crypto keys somewhere without separate hardware), but the convenience of a single-device solution (laptop or phone) comes with a risk.

If an attacker can bypass the unlock method or trick you into unlocking or compromise the device, your secrets are at risk. Having the key stored in the secure enclave (and not in a regular file on the hard disk) prevents copying the key material, but it does not prevent using the key when the attacker has some control over the (unlocked) device.

A yubikey is more secure because it’s tiny and you can carry it on your keychain. The same chip inside your laptop is more likely to fall into the hands of an attacker.
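The mechanism the last few comments argue about, a key held in a chip that is unlocked by a biometric and answers a fresh server challenge with a signature, contrasted with a bearer cookie that works for whoever holds the string, as an added example in Go. This is not code from the thread, from Microsoft or from any real authenticator; the SecureElement and RelyingParty types, the exact-digest "matcher", the sample print string and the use of Ed25519 as a stand-in for whatever a real chip implements are all assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SecureElement stands in for the key-holding chip the thread describes: the private
// key is generated inside it and never returned, and Sign works only while unlocked.
type SecureElement struct {
	priv     ed25519.PrivateKey
	template [32]byte // digest of the enrolled print: toy stand-in for a real template
	unlocked bool
}

func NewSecureElement(enrolledPrint string) *SecureElement {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &SecureElement{priv: priv, template: sha256.Sum256([]byte(enrolledPrint))}
}

// PublicKey is the only key material that leaves the chip; the server enrolls it.
func (se *SecureElement) PublicKey() ed25519.PublicKey { return se.priv.Public().(ed25519.PublicKey) }

// Unlock is the biometric gate; real matchers are fuzzy, an exact digest compare shows the gating.
func (se *SecureElement) Unlock(presentedPrint string) bool {
	se.unlocked = sha256.Sum256([]byte(presentedPrint)) == se.template
	return se.unlocked
}

// Sign refuses while locked: the chip (something you have) needs the print (something you are).
func (se *SecureElement) Sign(msg []byte) ([]byte, error) {
	if !se.unlocked {
		return nil, errors.New("secure element locked: no biometric presented")
	}
	return ed25519.Sign(se.priv, msg), nil
}

// RelyingParty is the server: single-use random challenges, login only for a valid
// signature over a challenge it issued and has not yet consumed.
type RelyingParty struct {
	pub    ed25519.PublicKey
	issued map[string]bool // keyed by the raw challenge bytes
}

func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.issued[string(c)] = true
	return c
}

func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	if !rp.issued[string(challenge)] {
		return false // never issued, or already used: a replay
	}
	delete(rp.issued, string(challenge)) // consume first, so a bad signature burns it too
	return ed25519.Verify(rp.pub, challenge, sig)
}

const enrolled = "ridge-pattern-of-the-owner" // constructed sample input, not a real template

// ChallengeResponseLogin first asks the chip to sign before the right print has been
// presented, then runs one legitimate login, then has an attacker who recorded the
// (challenge, signature) pair off the wire reuse it and answer a fresh challenge with it.
func ChallengeResponseLogin() (lockedRefused, ok, replayed, forged bool) {
	se := NewSecureElement(enrolled)
	rp := &RelyingParty{pub: se.PublicKey(), issued: map[string]bool{}}
	c := rp.NewChallenge()
	se.Unlock("someone-elses-print") // wrong print: chip stays locked
	_, err := se.Sign(c)
	lockedRefused = err != nil
	se.Unlock(enrolled)
	sig, _ := se.Sign(c)
	ok = rp.Verify(c, sig)                     // legitimate use
	replayed = rp.Verify(c, sig)               // same pair again
	forged = rp.Verify(rp.NewChallenge(), sig) // old signature on a fresh challenge
	return
}

// BearerTokenReplays is the contrast drawn in the thread: a session cookie is
// checked by equality, so it works for whoever holds the string.
func BearerTokenReplays(token, captured string) bool { return token == captured }

func main() {
	lockedRefused, ok, replayed, forged := ChallengeResponseLogin()
	fmt.Println("locked chip refused:", lockedRefused, "login:", ok, "replay accepted:", replayed, "forge accepted:", forged)
	fmt.Println("leaked bearer token still works:", BearerTokenReplays("sess-1234", "sess-1234"))
}
```

Run it with `go run .`; the server-side half is where the "cookie is like a password" point lands: Verify deletes each challenge the first time it sees it, so even a captured signature is worthless, while BearerTokenReplays accepts the leaked string unconditionally. What the code does not model is exactly the part the comment above calls tricky, namely the sensor-to-chip path in firmware and driver software, which is where a reader bypass lives rather than in the signature scheme.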

If someone has physical access to you and your device, they are getting in

xkcd.com/538/

Security

xkcd
A username is not something “you are”, it’s something “you know”. Biometrics are not nearly the same as usernames.

A username is something you are. It’s you! You are 0xD.
A password is something you know. A security key is something you have.

When we interview security analysts you don’t get past the first round if you disagree.

If your interview involves telling me a username is “something you are” rather than “something you know”, I’m running away from that job as fast as I can.

Other people know your username.

How hard is this?

I guarantee you I know thousands of people’s passwords as well, I just don’t know the username associated.

By this same logic, other people could know your fingerprint since it’s “something you are”. No, other people cannot know your fingerprint. It’s a complex mathematical equation to a computer. This is such a terrible take.

Source: CASP+ certified.

No, this username is one of the names I’ve chosen for the accounts I use on lemmy. It does not identify me, it identifies the lemmy accounts that I just so happen to know the password for. I was just about to create an account with your username on another instance but meh, that’s too much work. Just imagine me having done that and think about what you just wrote.

I would be wary of the people agreeing with you on something so basic yet so wrong.

An authentication factor is a unique identifier that shows that you possess something that others don’t. Biometrics are something you are because your fingerprints, your retinas, or your DNA are (mostly) unique to you. A security key is something you have because unique cryptographic material is saved on the hardware device that cannot be replicated somewhere else (which is why many mobile authenticators really aren’t). And a password is something you know because… Bla bla bla.

To be pedantic, a username is not a factor in this sense at all; it is an identifier for an account that you have to prove authorization for by presenting some kind of factor, sometimes multiple.

Not on my Lenovo. Fingerprint reader requires a swipe, no print left behind.
Mine does not work at all. I’d like to see the guy trying to take fingerprints for a few hours and realizing it won’t do shit lol.
I have a lot of questions about what this guy thinks the rest of your device is covered in. Because spoiler, it’s fingerprints.
It stopped working when I uninstalled Edge, and so did the face recognition. So it depends on WebView or some shit. Pretty sure it’s Microsoft’s way of getting around the new EU regulations and hastily integrating the browser into everything, regardless of it making sense or improving security. Like they did with 98 after the browser anti-competitiveness lawsuit.
Wtf. It shouldn’t even need those permissions. All it needs to do is scan if the fingerprint it stores matches you.
It uses web view for web authentication for registering your Hello PIN to your Microsoft account. So it’s by design on Microsoft’s end. You can then use the Windows Hello credential as a passkey but if you don’t want that, you’d need another solution for biometric auth.
Still, that does not explain the Edge dependency. Lots of programs can communicate with their respective servers without browser technology.
It kinda does though, if you look at it from a speed/competency aspect. I'm more and more convinced that the people who build out features only have tangential ideas on how it integrates into the overall system, so just throwing a browser at every problem gets you a cookie cutter backend with APIs and lets you shove half baked features out the door without having to figure out how to wrap data in protocols, since you just hand your payload to the browser and wait for a response.