1p implementing biometric-based passkey


Interesting. I personally don't like biometrics, because you can never change them. Facial recognition is notoriously inaccurate. If someone gets a hi-resolution photo of your face, steals your fingerprint, steals your hand print, steals the biometrics database, or steals your finger, then they always have that. When I set up my last phone, it wanted to know if I wanted facial recognition to unlock. I said heck no and set it to require me to enter a passcode on the screen. I actually have the front camera of the phone covered up for privacy reasons. Same with my PC. I definitely don't want the camera on all the time and I never take selfies.

May your bits be stable and your interfaces be fast. :cool: Ron
 
If someone gets a hi-resolution photo of your face, steals your fingerprint, steals your hand print, steals the biometrics database, or steals your finger, then they always have that. When I set up my last phone, it wanted to know if I wanted facial recognition to unlock. I
Have you tried using a photo with an iPhone? It will not work, as it uses IR to map your face in 3D.
 
Actually my device is Android. But, it's interesting to know that's how they do things. Perhaps @Steve could do a podcast some time on biometrics. I still don't think I want Apple or Google having a map of my face.

May your bits be stable and your interfaces be fast. :cool: Ron
 
I don't use any biometric info if I can avoid it. I guess the dislike came from its early days, when it was fairly unreliable and easy to spoof. Apparently that has changed with improved technology, but my dislike for it has remained.
 
Neither company sends that information to the cloud.
So they say anyway. Just like they say they don't censor certain speech they don't like. Just like Roomba says they don't send a map of your house to the cloud. Just like Amazon says Alexa isn't sending your speech to the cloud. Sorry, I'm afraid I remain skeptical. And, I don't trust any of these mega corporations any further than I have to in order to have basic services.

May your bits be stable and your interfaces be fast. :cool: Ron
 
Both Apple and Google store your biometric information securely on the device. Neither company sends that information to the cloud.
How do we know they won't change their mind in the future? Will they tell us if they do? And if they tell us, will we have the option to delete our biometric data? And if we can, will that be before or after the data has preemptively been scarfed up by the 3-letter government agencies?

Remember, Apple has made it clear that iPhone users don't functionally own their devices -- Apple does, and they just let customers pay a fee to borrow them subject to Apple's terms and conditions.

Furthermore, biometric data is much more permanent than your habits or search history -- there's no taking control back once we lose it. Consider the number of times tech has accidentally outed closeted gays or newly pregnant women who hadn't told anyone yet. "Oops, sorry," doesn't cut it. There's no taking that back.

I'm with Ron on this. The big tech data collection companies have proven time and time again that they can't be trusted carte blanche.


Have you tried using a photo with an iPhone? It will not work, as it uses IR to map your face in 3D.
... which is of little comfort. If it's not already, it will soon be possible to reconstruct a 3D likeness from photos.

ISTR one of those deepfake video companies recently bragged they could use as few as three photos of you to construct a 3D model of your face, with which they could swap your moving head into an existing video of someone else to make it look like you were the one doing and saying those things in the video. It didn't matter that the face is moving back and forth and side to side, because they have a 3D model of your face.

Remember Tom Cruise holding that guy's eyeball up to the iris scanner in Minority Report? Soon, he'll be able to instead take a few photos of you, 3D-print a bust of your head, and hold that up to the face scanner. On the up side, he won't need to bash you up and extricate your eyeball.

I fear the collection of biometric data is following the model of the frog in the pot of warming water: get people used to the idea of giving up their bio info, then slowly chip away at your control over it.

Facebook has already proven that model works extremely well for them. How many times in the last 18 years has Zuckerberg apologized profusely and stepped back over some privacy overreach, only to quietly reinstate the same overreach a year later? Sometimes it's taken two or three repeats, but in the end he always gets what he wants.
 
I posted the following on their forums https://1password.community/discussion/137942/passkey-and-the-privacy-implications#latest, and it wasn't a good response. But would like to see what people here thought of my thinking.

I am a new user of 1password, and for the most part, it seems to have the right goals concerning privacy and its design of being no-knowledge. That is why the new passkey announcement seems weird, and I can't seem to understand the reasoning behind it.


I AM NOT A LAWYER. This is just my understanding from research.


Using a passkey as the main way to unlock your 1password account makes the security of that device, and how it handles those keys, the entire, complete security of everything in your digital life. From a technical perspective, we are being asked to trust that whatever phone manufacturer we are using has not made any errors in the implementation of the passkey, and that if there is a bug, they will update before an exploit. We know that this is a very tall ask, and that is the main reason we like the security key solution from 1password.


Besides the technical, there are the real-world and legal aspects. I have thought of a few cases where a passkey would expose all the vaults.


  1. Travel: there are customs where it is required to provide unlocked devices and biometric unlocking. 1password has travel mode for this reason, but if your phone is the passkey to the account, border agents can go to the website, unlock your full vault, and get every login.
  2. Court orders: It is my understanding that passwords have been considered protected under the 5th Amendment, but devices and biometrics are not and can be compelled ( https://www.lawfareblog.com/fifth-amendment-decryption-and-biometric-passcodes ).

My main concern is that 1password has sold itself on users being able to control and protect our data securely by design, and using passkeys to log into 1password is a complete 180. Am I the only one feeling this?