by derevaunseraun
1463 days ago
This is a red flag with regard to privacy. I have a feeling that they will push this sort of login the same way that they pushed 2FA, except the only difference being that for 2FA you can get different phone numbers and not compromise on privacy. In the case of biometrics, this makes it so that anonymity no longer exists. But in what way does this do any better than 2FA security-wise, aside from convenience? imo 2FA is already overkill. I think the real reason they want this is it makes it easier to push federated login, easier to connect data points to a single identity for advertising. My stance on this is that I refuse to use any sort of biometric login or service. I refuse to use any product that has it as a strict requirement.

On the issue of "federated login", though, I think that modern efforts to replace passwords do consider the threat model of adversaries trying to correlate your identity between sites, so the standards at least support you using unique keys between sites. If Apple wanted to track which sites you were visiting, it probably has simpler ways than subverting the login process, so I would need extra evidence to believe that was the danger/intent here.
[0] I've argued elsewhere that the requirements for supporting "device attestation" mean that we are effectively building DRM for human identity, with all the scope for abuses that that entails. Here's a Twitter thread that makes this point very well:
https://nitter.net/sleevi_/status/1392903827712512001