date 2004-03-26
from the Nicht-ihre-Papiere-bitte dept.
Web sites are increasingly trying to glean additional personally identifiable information from visitors in the name of authentication. Some nefarious interests actually do have a goal of tracking every minute interaction and communication tied to a real-world identity. However, if the goal is authentication and not just the collection of information, then all that is not necessary. Cryptographer and professor Matthew Green has a few thoughts on cryptographic engineering, specifically an illustrated primer on anonymous credentials. He states the question as: how do we live in a world with routine age-verification and human identification, without completely abandoning our privacy?
This post has been on my back burner for well over a year. This has bothered me, because every month that goes by I become more convinced that anonymous authentication is the most important topic we could be talking about as cryptographers. This is because I’m very worried that we’re headed into a bit of a privacy dystopia, driven largely by bad legislation and the proliferation of AI.
But this is too much for a beginning. Let’s start from the basics.
One of the most important problems in computer security is user authentication. Often when you visit a website, log into a server, access a resource, you (and generally, your computer) need to convince the provider that you’re authorized to access the resource. This authorization process can take many forms. Some sites require explicit user logins, which users complete using traditional username and password credentials, or (increasingly) advanced alternatives like MFA and passkeys. Some sites don’t require explicit user credentials, or allow you to register a pseudonymous account; however even these sites often ask user agents to prove something. Typically this is some kind of basic “anti-bot” check, which can be done with a combination of long-lived cookies, CAPTCHAs, or whatever the heck Cloudflare does: [...]
Again that naively assumes that elimination of privacy is not a specific goal, which adds an additional barrier to gaining acceptance for anonymous approaches.
The draft publication features updates intended to help fight online crime, preserve privacy and promote equity and usability:
The U.S. Department of Commerce's National Institute of Standards and Technology (NIST) has drafted updated guidelines to help the nation combat fraud and cybercrime while fostering equity and preserving fundamental human rights. The guidelines support risk-informed management of people's personas online — their "digital identities" — often required to engage in everyday digital transactions from banking to ordering groceries.
"These guidelines are intended to help organizations manage risks related to digital identity and get the right services to the right people while preventing fraud, preserving privacy, fostering equity and delivering high-quality, usable services to all," said Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio. "We are actively seeking feedback not only from technical specialists, but also from advocacy and community engagement groups that have insight into the potential impacts these technologies can have on members of underserved communities and marginalized groups."
[...] NIST is accepting comments on the multivolume draft until March 24, 2023. NIST will host a virtual workshop on Jan. 12, 2023, to provide details on the major changes to the guidelines and the comment process. Interested parties can register online to attend. This will be the first step in a robust engagement process to gain feedback from public and private sector organizations, technology and professional services providers, academia, civil society, advocacy groups and many others on how to improve the draft guidance and achieve a more competitive, secure, private and inclusive identity ecosystem. Among several topics that NIST intends to address, a significant portion of the organization's engagement efforts will be dedicated to exploring emerging and alternative methods of identity verification, including technologies that do not rely upon facial recognition.
Looks like VISA credit card has developed a way of storing biometric data on our cellphones, then using that as an authenticator.
https://reclaimthenet.org/visa-applies-for-biometric-authentication-patent
What could possibly go wrong here?
I guess I am really leery of cellphone security and app resilience. Is it so complex that it's too finicky to use? Does it require a good internet connection to work? (Can you hear me now?), or maybe it's based on QR codes?
I have been wrestling with a fast-food burger app over login issues. I am quite jaded over trusting anything I have to log on to to get a fresh timeout permission. For this, all I am risking is the cost of a trip to the restaurant vs. the likelihood the coupon offer will still work when I present at the register. (The Wendy's Story already discussed here).
How much impact would a denial-of-service cause for you? How robust is this technology? I've already seen the most expensive cars shut down for the most trivial crap. That's why I drive an old one made before their design became enshittified.
Cut n paste snippets below.
Andrew Eikum has updated his blog post on passkeys. The revised title, Passkeys are incompatible with open-source software (was: "Passkey marketing is lying to you"), says it all.
Update: After reading more of the spec authors’ comments on open-source Passkey implementations, I cannot support this tech. In addition to what I covered at the bottom of this blog post, I found more instances where the spec authors have expressed positions that are incompatible with open-source software and user freedom:
When required, the authenticator must perform user verification (PIN, biometric, or some other unlock mechanism). If this is not possible, the authenticator should not handle the request.
This implementation is not spec compliant and has the potential to be blocked by relying parties.
Then you should require its use when passkeys are enabled … [You may be blocked because] you have a passkey provider that is known to not be spec compliant.
I suspect we’ll see [biometrics] required by regulation in some geo-regions.
I’ll leave the rest of the blog post as it was below, but I no longer think Passkeys are an acceptable technology. The spec authors’ statements, refusal to have a public discussion about the issues, and Passkey’s marketing, have all shown this tech is intended to support lock-in to proprietary software. While open source implementations are allowed for now, attestation provides a backdoor to lock the protocol down only to blessed implementations.
So long as the Passkey spec provides the attestation anti-feature, Passkeys are not an acceptable authentication mechanism. As a result, I’ve deleted the Passkeys I set up below in order to avoid increasing their adoption statistics.
Passkeys are cryptographic credentials marketed as operating through locally executed programs to provide authentication for remote systems and services. They are sometimes additionally tied to biometrics or hardware tokens. The jury is still out as to whether they actually improve security, or will merely continue as another vehicle for vendor lock-in. It's looking more like the latter.
(Score: 2) by JoeMerchant on Thursday March 05, @01:00AM
Every single website (besides State agencies) which asks my birthday gets a different answer. I get "Happy Birthday" SPAM year round.
🌻🌻🌻🌻 [google.com]