by 37 1421 days ago
>Passkeys use Touch ID or Face ID for biometric verification

I was under the impression it was very poor security to use something like a face or fingerprint as a password... Okay for a username, but should be avoided at all costs for passwords.

4 comments

There have been a few DEF CON talks about the security of biometrics but the most recent probably gives the best demos IMO.[1]

[1]: https://www.youtube.com/watch?v=hJ35ApLKpN4

Interesting, but in the Apple case you'd need a cast of your intended victim's face or finger to even attempt this attack.

It's easy to use a mask (or occlusion) to prevent a system from detecting your real face, but spoofing a specific person's face is a much bigger task. Any decent modern face rec system is going to use liveness detection as part of its analysis.

Yes, for legal and practical reasons: you can be compelled to unlock biometrically and cannot change biometrics when the server side leaks.
At least for Apple's system, biometrics aren't used server-side. Biometrics are used to authenticate to the local system (e.g. your laptop or phone) and authorize use of a local private ECC key for further authentication to other services. The T2 secure enclave mediates all of this. The private ECC key never leaves the T2 chip. Biometric data is never stored unencrypted outside the T2, although like a password may be susceptible to capture when input. (The fingerprint scanner might be hooked up directly to the T2 chip, though, in which case attackers would need to resort to more direct methods for capturing fingerprints.)
Is the Apple key unchangeable or a one-time key? Because if the former, then it's still a problem once known publicly.
Do you mean the private ECC key? I don't know the specific details of the system, such as if or when a specific device key used for iCloud enrollment can be rotated. (I have no specific familiarity with Apple's iCloud or device management code, I'm just familiar with publicly known details of the T2, and also familiar with the macOS/iPhone Keychain APIs for generating and using T2 keys.)

But in case it wasn't clear: it's not an API key, but a public/private ECC P-256 key pair used for ECDSA signing. Apple only knows the public key (it doesn't much matter if the whole world knows the public key), whereas the private key never leaves the T2 chip. If any secrets have been exfiltrated from the T2 enclave there are bigger problems at hand, and generating a new key pair would be useless before fixing those problems.

The biometric authorizes the use of a key stored in secure enclave. The biometric is not used as a key.
It's not using Touch ID or Face ID as the password. That's just to access your phone, and the proof of ownership of the private key is the "password".

If you prefer a pin or password to protect your phone you can use that instead.
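The point made in the comments above (the earlier T2 comment and the last two replies): the biometric only gates use of a device-resident P-256 private key, the server holds nothing but the public key, and each login is a signature over a fresh server challenge. The following is an added example, not code from the thread or from Apple: it models that flow with Go's standard library. The `userVerified` flag is an assumed stand-in for the Touch ID / Face ID / PIN check that the Secure Enclave performs, the in-memory key is an assumed stand-in for an enclave-held key, and the credential id `cred-1` and the challenge format are made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device stands in for the phone or laptop. The private key is generated on
// the device and never handed out; in Apple's design it would live in the
// Secure Enclave. Here it is a plain in-memory key (demo assumption).
type Device struct{ priv *ecdsa.PrivateKey }

func NewDevice() (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// PublicKey is the only key material the server ever sees.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// SignChallenge signs a server-issued challenge. userVerified stands in for
// the local Touch ID / Face ID / PIN check: the biometric is never an input
// to the signature, it only decides whether the key may be used at all.
func (d *Device) SignChallenge(challenge []byte, userVerified bool) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("user verification failed: key use denied")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Server stores public keys only, so a database leak yields nothing an
// attacker can present as a credential.
type Server struct{ creds map[string]*ecdsa.PublicKey }

func NewServer() *Server { return &Server{creds: map[string]*ecdsa.PublicKey{}} }

func (s *Server) Register(credID string, pub *ecdsa.PublicKey) { s.creds[credID] = pub }

// NewChallenge returns 32 fresh random bytes; one per login attempt is what
// makes a captured signature useless later.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

func (s *Server) Verify(credID string, challenge, sig []byte) bool {
	pub, ok := s.creds[credID]
	if !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Login runs one registration-then-login round and reports whether the
// server accepted it. With userVerified=false the device refuses to sign.
func Login(userVerified bool) (bool, error) {
	dev, err := NewDevice()
	if err != nil {
		return false, err
	}
	srv := NewServer()
	srv.Register("cred-1", dev.PublicKey())
	challenge, err := srv.NewChallenge()
	if err != nil {
		return false, err
	}
	sig, err := dev.SignChallenge(challenge, userVerified)
	if err != nil {
		return false, err
	}
	return srv.Verify("cred-1", challenge, sig), nil
}

// AttacksFail checks two worries raised in the thread: a captured signature
// replayed against a fresh challenge, and an attacker who holds only the
// leaked public key. It returns true when both are rejected.
func AttacksFail() (bool, error) {
	dev, err := NewDevice()
	if err != nil {
		return false, err
	}
	srv := NewServer()
	srv.Register("cred-1", dev.PublicKey())
	c1, _ := srv.NewChallenge()
	sig1, err := dev.SignChallenge(c1, true)
	if err != nil {
		return false, err
	}
	c2, _ := srv.NewChallenge()
	replayAccepted := srv.Verify("cred-1", c2, sig1) // old signature, new challenge
	attacker, _ := NewDevice()                        // attacker's own key, not the victim's
	forged, _ := attacker.SignChallenge(c2, true)
	forgeAccepted := srv.Verify("cred-1", c2, forged)
	return !replayAccepted && !forgeAccepted, nil
}

func main() {
	ok, err := Login(true)
	fmt.Println("verified user accepted:", ok, err)
	ok, err = Login(false)
	fmt.Println("unverified user accepted:", ok, err)
	ok, err = AttacksFail()
	fmt.Println("replay and forgery rejected:", ok, err)
}
```

Run it with `go run main.go`. The design choice worth noticing is that nothing about the fingerprint or face ever crosses the wire or reaches the server; compromising the server's table gives an attacker public keys, which verify signatures but cannot create them, and a fresh challenge per login means a signature captured in transit does not replay.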