by dane-pgp
1464 days ago
I think you're absolutely right to take that stance, especially as biometrics either allow you to be biologically tracked or require trusting some inscrutable hardware[0] to do some hashing for you (which can likely be reversed, or might not be doing hashing at all).

On the issue of "federated login", though, I think that modern efforts to replace passwords do consider the threat model of adversaries trying to correlate your identity between sites, so the standards at least support you using unique keys between sites. If Apple wanted to track which sites you were visiting, it probably has simpler ways than subverting the login process, so I would need extra evidence to believe that was the danger/intent here.

[0] I've argued elsewhere that the requirements for supporting "device attestation" mean that we are effectively building DRM for human identity, with all the scope for abuses that that entails. Here's a Twitter thread that makes this point very well: https://nitter.net/sleevi_/status/1392903827712512001
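The comment's point about "unique keys between sites" is the property that lets an authenticator defeat cross-site correlation: two relying parties that collude and compare what they stored learn nothing linking the registrations. The following is an added toy model, not code from the commenter or from any real authenticator or WebAuthn implementation; it assumes a constructed authenticator that derives a separate per-site secret from one master seed with HMAC, contrasted with a counter-example that reuses one identifier everywhere. The hashed "public_id" stands in for a per-site public key; no real signature scheme is used.

```python
"""Toy per-site credential derivation (added example, not from the comment).

Constructed for illustration: a PerSiteAuthenticator derives an unrelated
credential for every relying party (rp_id), while GlobalKeyAuthenticator shows
the linkable design the commenter's threat model is meant to rule out.
"""
import hashlib
import hmac
import secrets


def _h(tag, data):
    # Domain-separated one-way function used for stand-in identifiers.
    return hashlib.sha256(tag + data).hexdigest()


class PerSiteAuthenticator:
    """Derives a distinct credential for every relying party it registers with."""

    def __init__(self, master_seed=None):
        self.master_seed = master_seed or secrets.token_bytes(32)

    def _site_secret(self, rp_id):
        # HMAC keyed with the master seed and tagged with rp_id: the value for
        # one site gives an observer no handle on the value for another site.
        return hmac.new(self.master_seed, rp_id.encode(), hashlib.sha256).digest()

    def register(self, rp_id):
        secret = self._site_secret(rp_id)
        return {
            "rp_id": rp_id,
            "credential_id": _h(b"id|", secret)[:32],
            "public_id": _h(b"pub|", secret),  # stand-in for a per-site public key
        }


class GlobalKeyAuthenticator:
    """Counter-example: one identifier reused at every site (linkable)."""

    def __init__(self, master_seed=None):
        self.master_seed = master_seed or secrets.token_bytes(32)
        self.public_id = _h(b"pub|", self.master_seed)

    def register(self, rp_id):
        return {
            "rp_id": rp_id,
            "credential_id": self.public_id[:32],
            "public_id": self.public_id,
        }


def stored_identifiers(records):
    # Everything a relying party would keep after registration.
    ids = set()
    for r in records:
        ids.add(r["credential_id"])
        ids.add(r["public_id"])
    return ids


def sites_can_link(records_a, records_b):
    """Simulate two colluding sites intersecting their stored identifiers.

    Returns True if any identifier appears in both databases, i.e. the sites
    can tell that the same authenticator registered at both.
    """
    return bool(stored_identifiers(records_a) & stored_identifiers(records_b))


if __name__ == "__main__":
    good = PerSiteAuthenticator()
    bad = GlobalKeyAuthenticator()
    for name, auth in (("per-site", good), ("global", bad)):
        bank = [auth.register("bank.example")]
        shop = [auth.register("shop.example")]
        print(f"{name}: colluding sites can link registrations ->",
              sites_can_link(bank, shop))
```

The per-site design is also deterministic for a given site, so the same device re-registering at the same relying party derives the same credential, which is what makes the scheme usable without making it linkable across sites.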